
tmux — a super quick “getting started” “cheat sheet” for screen users

Google didn’t find this for me. Google FAIL, Internet FAIL. No computer biscuit for you!

If you’re a pretty fundamental screen user then this is about all you’ll need to start out with tmux:

Goal                                     screen                       tmux
Start named session:                     screen -S mysessionname      tmux new-session -s mysessionname
Attach-to (and detach) named session:    screen -rd mysessionname     tmux attach-session -dt mysessionname
Detach from session from within:         ^A then d                    ^B then d

Why use tmux over screen — I have no idea yet! At the very least the default scrollback behaviour seems to be more user-friendly. On that note while you can shift-PgUp/PgDown well enough as in a normal terminal it keeps resetting to the bottom. I’m not sure if this behaviour can be disabled but I found that ^B-then-PageUp takes you into a useful scrollback-view-mode that you can get out of by simply pressing q.

Scrollback aside, I’ve only just started to try to use it, thus this post… nothing against tmux so far!

It’s newer, shinier, and supposedly more eXtensible than screen. Yippee?

Those tmux command lines are just crying out for some shell aliases.

More: Google for it, this is just “baby-steps” bootstrapping information here… there’s plenty of advanced information out there. Want vi-like scrollback navigation?

(The first few Google results I checked didn’t actually provide the useful details with respect to working with named sessions.)

There, super-rare tech entry from me. It’s been years. That’s what a head-cold, no alcohol, and 1.5 litres of coffee does to you… productivity!

Skype Spam!

Note: This entry has been restored from old archives.

Not new news, but the first time this has happened to me. A Skype chat from “Online Notice ®” just popped up and told me:

Evil Skype Message

A bit suspicious maybe?! Especially given that I’m not running any of the “Affected Software.” They’re trying to work me into a panic though it seems “Your system IS affected, download the patch from the address below! Failure to do so may result in severe computer malfunction.” Bullshit!

Visiting the URI shows a page that appears to run a scan and tells me, with a nice HTML/CSS generated “window” that looks just like an XP alert box, that I have a bunch of malicious software installed. Eeep! Next thing it tries is to sell you a 20 USD product they name as “Windows Software Patch – Scan & Repair”. Attempting to close the “window” pops up a real dialogue that says “Don’t close this window if you want your PC to be clean.”

Evil Skype Website

The final product page is registered to a Russian address and the page pushed via Skype is registered to a US address. Neither seems to be actively trying to exploit browsers, but, regardless, I wouldn’t visit either from a non-sacrificial system. In fact, the final site is well documented as a pusher of spyware known as ScanAndRepair:

  • SpywareRemove — removal instructions.
  • ZDNet blog — mostly identical to what I’ve seen, from November 2007.
  • McAfee — with a “please don’t sue us” disclaimer that says the program may have legitimate uses, bullshite.
  • CA — CA isn’t as insecure in their classification of this crapware.

Note that the sites are plastered with “ScanAlert” branding. This is actually a reputable security company (but not one that sells an AV product) recently acquired by McAfee. Don’t trust the branding you see on a website, be sure you have the right URL.

Please never buy any software that comes to your attention via email or Skype/IM, most especially never buy it by following links from either source of information! If you’re not running AV software on your ‘doze boxes go out and get some, but from a reputable source (over the counter or online from a known and trusted retailer), and stick to a brand name you’ve heard of. Then keep it up to date or it is useless! (Debate about general brokenness of AV software aside, for the moment I still think it is better to be running AV software than not.)


Note: This entry has been restored from old archives.

This is my somewhat long-winded reflection on the SANS GSSP-C certification. I signed up in September ’07, did the exam in London on December 5th, waited 8 weeks for my results, and eventually found out that I passed quite safely. The log below was written in parts, before taking the exam, then after taking the exam, then concluded once I got the results. It has been mixed up a little in the editing, but mostly retains this chronology.

The executive summary:

  • I passed, answering 84 of 100 questions correctly.
  • I barely studied, but I had read the “right book” previously.
  • I’m a security-aware developer in the infosec sector who works with C regularly.
  • I’m not convinced of the value of the certification to individuals.
  • But I think that it can be a valuable benchmark tool for large companies.
  • It worries me a lot that the “pass mark” is only 63.
  • Don’t get me wrong, I do think it’s generally a good thing – read on…


There’s just no amusing way to say, ‘I have a CISSP’.
MCSE is to computers as McDonalds Certified Chef is to fine cuisine.

If you’ve had any technical exposure to the ‘net it’s likely you’ve come across snide phrases like these (especially in witty email sigs if you’re on mailing lists of a security or Linuxy nature.) In certain groups these “qualifications” have little respect. But are they really as bad as all that? Is it a case of there being a few bad apples in the barrel damaging the reputation of the good MCSEs and CISSPs? The MCSE seems to be almost universally mocked. Maybe I just know the “wrong people”, though it isn’t all hearsay, I’ve had to deal with a couple of MCSE-holders who had less of a clue about kicking XP into shape than I did (and I don’t know much about Windows.) I can’t comment on CISSP at all from any personal exposure to the breed, it’s certainly popular in the IT business sector and certainly unpopular in more underground security circles.

Personally I’m not going to judge people by the acronyms they choose, often these things are a business or work necessity. That they choose to publish their acronyms in email signatures? Why not? Sitting an exam, regardless of merit, seems more worthy of note to me than most of the other crap people put down at the butt-end of their messages.

You can probably gather that I’ve never really been “into” these certifications myself. On average “my group” (covering a group of pretty hard-core C/C++ applications/systems/kernel developers) really doesn’t have much time or respect for them, so there’s never been any motivation to take an interest. But I can’t say that every opinion I’ve heard comes with complete and logical justification.

From about mid 2007 SANS started pushing the “GIAC Secure Software Programmer” certification, the “GSSP”. This initially comes in two flavours: Java and C (but with plans for Perl, PHP, C++, … Befunge?) That’s where the “C” comes from. This is the first time I’ve seen a certification that seemed particularly relevant to my day to day work. I decided to give it a whirl, since there’s no other way to really know what to think about these things.

A Rant on the Philosophy

Going into this I wasn’t sure what to expect. How do you measure up a coder’s security abilities with 100 multiple choice questions? How do you wrap something as complex as “secure coding” in this format? On lists there has already been some discussion showing up regarding the merits of the new certification. The main non-troll argument is “you just can’t measure this with a multi-choice exam”. I think, as seems to be the main defence, that the definition of “this” is what needs looking at. The detractors seem to take the definition of “this” as “l33t security dude”. On the other hand I think, in agreement with the defence, the certification is best seen as a filter to sort people with a clue from the totally clueless. The value? In the shoes of someone hiring it’s a nice measure that you don’t have a total newbie sitting in front of you. For larger companies I think it could be a good tool to discover where weaknesses lie in your developer farm. (So, like Hyenas to a sick Zebra, your HR people can cull the weak! No, really: so you can properly target training and awareness programmes.)

Alas there is some marketing and up-speaking from SANS that does paint a little bit of a “silver bullet” picture around the certification. It’s easy to see where the detractors get their iffy feeling about the whole thing. Remember that SANS/GIAC aren’t charities, they have to sell this idea — and in this situation a little of the technical reality is lost to marketing drive.

I think this push has the potential to significantly weaken the value of the GSSP, “certify your coders and you’ve solved your security issues”. Having coders who can pass a test and who’re aware of bad practices is different from having coders who’re conscientious in the application of their knowledge. It isn’t a replacement for peer reviews, regular code audits, code ownership, and plain old responsibility! I think that there is strength in the GSSP if viewed as one part of a more holistic approach to creating secure software. Don’t push it on your developers as yet another management hurdle shoehorned into their schedule! The last thing you want to do is say: “We’re hiring this expensive contractor in a suit who’ll talk at you for an hour every Friday for the next month, then you’ll take an exam. If you don’t pass your exam you’ll get a smaller bonus.” Yes, companies actually do do this, I’ve seen the insanity first-hand.

Is there an alternative? There must be! Start by getting actual developers behind the scheme, not some outsider in a suit. I could keep going on my thoughts here, but maybe another time. The point, as relevant to this entry, is these are my thoughts in the couple of months thinking about this before taking the exam. (In fact, in bulk, actually written prior to sitting the exam.) I wasn’t going into this as a fanboy, as usual my scepticism runs high.

Practicalities Prior to the Exam

The obvious starting points are the handbook that enumerates the exam content and (if still up) the webcast. The webcast is particularly useful as it involves Robert Seacord who’s one of the heads behind the exam and responsible for a highly relevant book on the topic. The ‘cast covers the sections you’ll find in the exam, the content, and the topic weightings.

The content of the blueprint seemed straightforward, the everyday issues that any C developer should be thinking of. I resolved not to worry much about study since it would be most interesting to see how I’d “rate” just going into this thing and giving it my best shot. So, in essence, my pre-exam “practicalities” were minimal. Just like in my Uni days, study is something for other people to fret about. (I don’t claim this is a good philosophy!)
Claiming a total lack of study would be dishonest, a few months ago I read Robert Seacord’s Secure Coding in C And C++.

Through several weeks of morning coffees I gradually made my way through this volume, it’s a good size for a morning-espresso(s) book. The content is a little dry, so it took a while to get through despite being fairly short (early in the morning it can seem far more profitable to stare into your espresso than to read about buffer overflows!) This is particularly relevant to the exam given the author’s involvement with the GSSP, and it turns out there is a strong symmetry between the content of his book and the topics enumerated in the GSSP-C handbook. So in a vague and fortuitous sort of way I’d covered some study content. For potential studiers it is a good starting point, but not all details covered in the exam are covered in this one book.

I can’t comment on the other books recommended on the SANS site as I’ve read none of them. On the website front one stands out, the CERT Secure Coding Initiative and especially the related Secure Coding standards web site. The latter is a wiki aimed at developing a secure coding standard. The content of the wiki covers much of the GSSP-C exam blueprint, in fact one of the major contributors is Robert Seacord. (You’ll see a prominent advertisement for his book in the sidebar.)

My Qualifications

So minimal study hey? What are my “qualifications” going into this exam then, what sort of person is being tested here?

I “learnt” C in around 2nd year of Uni, though IIRC none of the courses I took ever taught C specifically (we had a 2nd year C++ course). That was about 7 years ago. Through Uni I played with C a lot, mostly through an interest in some Linux systems and applications. Before completing Uni I also taught practical classes in “Programming Practice” to 2nd years, that was all in C (what a nightmare!), I learnt a lot of little details then to keep ahead of the syllabus.

Since Uni, as a developer, I’ve coded in C fairly often but not in a continuous or hard-core sense. I’ve used C++ and Python more often, but in the months leading up to the exam was mostly dealing with plain C. I also spend a fair bit of time auditing C code and working with/in 3rd party code, which is often pretty terrible. The context of this work has been that of being a development/research/integration(/pre-sales shudder) engineer for a startup/research/OEM company in the network security sector for several years (approaching 5.)

In essence, I consider myself a competent and security-aware C coder who still has a lot to learn. Neither a security expert nor a C expert though, in my opinion expert is a pretty strong word.

The Big Day

So on Wednesday December 5th, just before 9AM, I walk into a room at the ExCeL centre in London. I wasn’t sure what to expect, being at a huge convention centre I was thinking it’d be a uni-esque exam situation, a huge cold room with a couple of hundred people sitting at little desks. I figured there’d be a pile of finance sector wage-slaves sucked into the process by this time. But the bandwagon, if it is to become such, had only just started rolling — this was the first exam held in Europe after all. I expect the big corporates will have their own in-house sessions arranged anyway. I walked into a room where only 12 people would be sitting an exam, and, if I counted right, just 5 of them were there for the C. The others were doing the Java version, but that’s no surprise since there’s a pretty high demand for Java people in the City.

Of the exam content itself there isn’t much I’ll say as, logically, you agree to an NDA as part of taking it. Don’t worry about it branching out horribly from the “blueprint” in the handbook, it didn’t. You might want to worry a little that some questions lean a little towards the qualitative, rather than quantitative, side. But this might merely be the delineation between a good secure coder and someone who can merely recognise instances of bad practice. Given an example with multiple flaws, all of which make you shudder, which flaw is the worst? I had some difficulty with some of these and similar questions that required rankings of flaws and solutions, and classification of flaws. There were also a couple of questions that essentially required knowledge of security “glossary terms”, this is one area where a bit of reading up on things in the suggested references is really going to help (I winged it as best I could since the terms tend to be fairly self explanatory.)

Reflecting on the Exam

Just going through the questions was worthwhile in a couple of ways. First, it highlighted some small gaps in my knowledge right away when either a question completely stumped me or I saw something and realised I didn’t really know what should happen with any certainty. Second, I recognised my strong reliance on manpages, I simply don’t commit much detail to memory when the ubiquitous “dev” manpages are always handy. Over years, gaining more C coding experience, I imagine the manpage reliance will diminish. But anyway, you’re unlikely to find yourself working without manpages — so long as you don’t go making assumptions surely you’re OK?

Other gaps include: “terminology” and “severity”. The former is just knowing the right collection of glossary terms, best gained through more reading I suppose. The latter is a bit of a funny one, when presented with code containing several of the worst mistakes a coder can make I think “this code is crap, it’s all bad”. But you’re asked to pick the most severe flaw. Which one is it? The one that, in the right circumstances, could give an attacker arbitrary-code execution? The one that can reliably make the program crash (DoS) 100% of the time with the right input? I can’t answer these ones comfortably, as far as I’m concerned all the flaws are bugs that must be removed, none are acceptable.

It does seem they had some trouble coming up with their 100 questions as there was quite a lot of repetition and a few questions that felt like “filler.” I assume they need a corpus much larger than 100 in order to randomise the exam content between sittings.

The Results

“Results will be sent in the post 6 weeks after the exam. Results will not be made available over the phone or Internet.”

Waiting, waiting, waiting… Given it was filled in on one of those machine-marked sheets I’m surprised there’s a six week waiting time. Especially surprised that I didn’t get the results until more than 8 weeks later. The whole Christmas/NY thing was in the middle though, so I guess we can write off two weeks. But even then it seems a long time to deal with less than 20 exams.

The results arrive in an envelope with SANS on the front and even a real stamp from the USA. I know what it is right away and eagerly tear it open, “Congratulations!” it says. “Ah,” I think, “so I didn’t totally waste my 200 quid.” The letter is short and to the point, I passed the exam and a certificate “will follow under separate cover.” Whatever that means, I assume the translation is “in a separate envelope.”



The envelope also includes a separate sheet with your final results and summary of how you performed in the different parts of the exam. In the end I got 84 questions right, I guess you could call that 84%. It turns out that the “passing point” is 63, so I passed pretty safely. Looking down the breakout there’s no one area where I did particularly badly, and also none where I answered all questions correctly.

Section                                     Mark   Out Of
Secure interaction with environment           21       23
Resource management                           17       28
Filesystem IO                                 10       13
Employment of specific security measures       8       10
Concurrency                                    5        6
Understanding data-types                      11       15
Handling error conditions                      4        6
Code correctness and style                     8        9
TOTAL                                         84      100

So, that’s it. Passed.

Personally I think getting 16 questions wrong is pretty bad. “Secure coding” is mostly rather black and white, getting things wrong at all is insecure coding. I have to admit that it kind of scares me that the pass threshold is 63! That means that someone can be 37% insecure and still pass. In other words, people getting this certification could be more than twice as insecure as I am.

Is it Worth It?

Too early to tell really. I got a couple of good things out of doing the exam: I noticed some gaps in my knowledge of what it was testing, and I found out what sort of barrier the exam sets. Whether it “furthers my career” in any tangible way is going to be hard to measure (just like measuring “secure coding”!) It probably won’t make much difference, since most places I’m likely to work will be pretty “geek” (so possibly fairly dismissive of “certifications.”)

Is it worth US$499? Maybe not to the individual, unless it becomes wide-spread for companies to require this qualification for new hires I don’t think it matters much. On a CV, going into the right sort of job, it probably makes for a reasonably good differentiator. (Or may mean nothing, depends on the sort of shop you’re applying for — I know of people in security who’ll filter people out if they seem to make a big thing of having a CISSP.) As far as judging the value goes, I’m a “special case” — I place a high value on satisfaction of curiosity and doing this exam did that for me (I’d probably have to give myself a good slap for not taking study seriously if I’d not passed though.) I also think there’s value in it having highlighted a few things that I didn’t know, but, as the results above attest, I don’t seem to be missing any whole zones of knowledge. It would be nice to know more about the questions I answered incorrectly, since otherwise it is hard to pick up on what I might need to research to bridge the gaps. Anyway, it helps that the GBP is nice and strong against the USD!

If one thing concerns me above all else it is that 63% pass mark. I seriously don’t think that someone getting 37 questions wrong should be considered a “secure software programmer.” In fact, I’d be more comfortable with an 85% cut-off (which would rule me out, so maybe 80%.) As an employer, if someone was talking up their GSSP-C I’d want to see their itemised results before giving much weight to it. Given my experience from taking the exam I’d consider a mark of 70 to be pretty borderline, but I’d consider it a good starting point for someone in a more junior C development role. (Update: 2008-04-08: My name is finally on the list, along with 18 others at this point in time. A rather short list! It’d be interesting to know how many people have sat the exam. Of the 19 “analysts” at this time, 4 people scored higher than me, one with 85 and three with 86.)

I think that the GSSP-C can have a much higher value to a large company wanting to gauge the abilities of its herd of coders. I imagine that if you’re pushing 100 people through the certification you’d get a discount!

It seems a little funny that they’re going to have a different exam for the GSSP-C++ … while there are some C++ specific security concerns most issues are the same as for C (no surprise, right?) It smells a little like milking the “secure programmer certification” for all the $$$ they can get. I’m a cynical bastard. I’m far from the first person to be critical about the GSSP though, in fact SANS SSI has a page devoted to critics, and I’m glad of that. The existence of that page makes me more confident in the certification and the process that gave birth to it. Though it was last updated in April 2007, I’m sure there must have been more critical feedback since then! (Note also that the page covers the C/C++ split and discusses why it was split and the related difficulties.) It’s also clear that the technical people behind this test, and SANS in general, are serious, concerned security professionals. If anything we can hope that the existence of things like the GSSP will raise awareness of secure programming methods and give the world more such professionals.

Mobile Media Ubiquity

Note: This entry has been restored from old archives.

I’m sitting on the train right now watching a bunch of 9 year old boys displaying their flashy mobile phones to each other. Thinking back almost 2 decades ago, when I was 9… change is interesting. If only they didn’t make the things speakerphone capable, I’ve never liked wearing headphones in public places but the alternative these days is listening to kids playing off their favourite pop and hip-hop artists against each other (backed up by constant PSP sound effects). If nothing else, we certainly live in a noisier world now. No music sounds good coming out of these devices with added screech and crackle and truncated range, but this isn’t just about listening to the music of course.

The 9 year olds were just replaced by a bunch of 12 year old boys who’re watching South Park on their mobile phones. Will wonders never cease?

I’m not complaining, I was late to enter the mobile market (2003) but my first mobile phone was an all-bells-and-whistles, touchscreen, 3G, Motorola A920 brick (now a less bricky A1000). I was able to watch videos on my phone before most people I know (and they’re mostly geeks) — back in Sydney I often used it to check out movie trailers before heading to the cinema. It’s not the newness of the tech that’s interesting, geeks have had this stuff for years, it is the sudden ubiquity. These kids don’t even have iPods anymore, they don’t need them.

I’ve noticed more and more people in the gym without iPods too, the same trend applies: they’ve been replaced by phones (it might be a different story in a trendoid gym in a trendier area). What has higher value, the supposed sexiness of an iPod or not having to carry around an additional gadget? Phones are getting sexier anyway. Thus the iPhone? There’s so much potential for wringing money out of these kids. Media/Games/Software … the hard part is getting them to pay rather than just working out how to rip everything off (it only takes one l33t kid to knock 100+ out of the market, and it isn’t hard to be l33t). The answer must be to make paying easier than ripping off, which is easy to say but the hard part is “how?”. The music industry seems to think this can be done by making the ripping-off harder; and they just move from one DRM total-failure to the next.

Referrer Spam? Hah Hah

Note: This entry has been restored from old archives.

Something’s playing with me…

       Client IP                                       GET URL     REFERRER STRING
 --------------- --------------------------------------------- -------------------
 (the client IP and referrer string columns did not survive the archive; the GET URLs, in order, were:)
                 /2006/12/
                 /Entries/Tech/General
                 /Entries/Tech/General/index.rss
                 /Entries/Tech/General/Referrer_Spam_Worm.html
                 /Entries/Tech/General
                 /Entries/Tech/General/index.rss
                 /Entries/Tech/General/Referrer_Spam_Worm.html
                 /Entries/Tech/General
                 /Entries/Tech/General/index.rss
                 /Entries/Tech/General/Referrer_Spam_Worm.html
                 /Entries/Tech/General
                 /Entries/Tech/General/index.rss
                 /Entries/Tech/General/Referrer_Spam_Worm.html
                 /Entries/Tech/General
                 /Entries/Tech/General/index.rss
                 /Entries/Tech/General/Referrer_Spam_Worm.html
                 /Entries/Tech/General/index.rss
                 /Entries/Tech/General/Referrer_Spam_Worm.html
                 /Entries/Tech/General/index.rss
                 /Entries/Tech/General/Referrer_Spam_Worm.html

This started earlier this month and coincidentally it’s hitting a post about a potential referrer spam worm. Targeted silly-buggers or chance? Chance I’d guess — possibly thanks to an amusing search string choice? The user-agent is “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)” in all cases.

Note that visiting those IPs hits CPanel entrances in two instances but just default/dead account pages in the other cases. I’m guessing these are owned server systems – or just host XSSed junkcode of some sort.

I guess I’d better report them.

In other news I was horribly sick last week (well, about as sick as I ever get: head feeling like a sack of wet cats had taken up residence, throat like I’d been swallowing crushed glass and all-over body pain rubber-hose style). Also, we now have a 27U rack in the study. And I thought my days of living with racks had ended with EvilHouse (domain name now seemingly defunct – I guess we’ve all left those “evil” days behind us then).

*sigh* So it’ll be good to get back on track with some work tomorrow, things are moving again.

vim: Binding C-i bad for tab

Note: This entry has been restored from old archives.

In the unlikely case that anyone made use of the C-i binding I suggested for toggling vim 7.0 spell-checking they may have noticed that it messed with the use of their tab key! So it turns out that tab and C-i are the same thing from vim’s point of view!

Choose a different combo. Like C-c for *c*heck, or C-s for *s*pell, that’s surely better! Meta maybe?

I’m now using C-a:

" Set spelling language.
set spelllang=en_gb
" Toggle spell checking for the current buffer with Ctrl-a
map <C-a> :setlocal invspell<CR>
" In insert mode: leave insert mode, toggle, then return with 'a' so the cursor ends up where it was
imap <C-a> <Esc>:setlocal invspell<CR>a

Note 1: The ‘i‘ at the end of the imap is now an ‘a‘ so that the insert position comes back the same.

Note 2: The C-i is only a problem for the imap and if you remove that you can then use C-i or tab in command mode to toggle spelling and live without the ability to toggle spelling when in edit mode. This’ll clash with any other command mode binding of tab of course, but I have none. I like to toggle in edit mode though so I’ll stick with C-a for now (hrm, what does it clash with?).


Of course, a few minutes later I try to use C-a for its normal purpose, incrementing a number under the cursor. I use this surprisingly often. *sigh*

Vim 7.0 Can Spell!

Note: This entry has been restored from old archives.

I’ve been using an external spell-checking plugin for vim for some time now. Today I upgraded my systems to vim-7.0, to do this on Debian Sarge (stable) add to /etc/apt/sources.list:

# Backports - a "Pin" in the preferences file is required to prefer the backports packages.
deb sarge-backports main

And add to /etc/apt/preferences:

Package: vim
Pin: release a=sarge-backports
Pin-Priority: 999

Package: vim-common
Pin: release a=sarge-backports
Pin-Priority: 999

Then do an apt-get update and apt-get install vim.

Start up vim and do :help spell for full documentation! The first thing you’ll want to know to play with it is turning it on: setlocal spell spelllang=en_gb (for real English, surprisingly it also has en_au). It will highlight unknown words, for suggestions sit the cursor on the word and type z=.

I didn’t see anything immediately obvious in the doco for simple on-off toggling of the spell-check mode. So I knocked up this little bit of vim-code to toggle the spellcheck with Ctrl-i (more obvious combos already taken) for the current buffer (i.e. on/off is maintained independently for each buffer). This is now^W^Wwas in my .vimrc:

" Toggle spell checking for the current buffer
function ToggleSpell()
    if &l:spell
        setlocal nospell
    else
        setlocal spell spelllang=en_gb
    endif
endfunction
map <C-i> :call ToggleSpell()<CR>
" In insert mode: leave insert mode, toggle, then re-enter insert mode
imap <C-i> <Esc>:call ToggleSpell()<CR>i

It’s a good thing that vim can spell, because I shore can’t.


A quick scan of some vim doco moved me to simplify the above toggle to:

" Set spelling language.
set spelllang=en_gb
" Toggle spell checking for the current buffer with Ctrl-i
map <C-i> :setlocal invspell<CR>
imap <C-i> <Esc>:setlocal invspell<CR>i

Duh. :)

Update 2:

Silly me, there is a slight problem with binding C-i in vim.

Aussie Police Have Weird Web Primates

Note: This entry has been restored from old archives.

Sometimes I bump into something on the web that makes me wonder… Like the news bulletin posted here: MAN ARRESTED AFTER SUSPICIOUS DEATH – CROWS NEST. We used to have the occasional gelato at that bar, it was just up the road from our home in Wollstonecraft. I suspect the guy, now dead, even served us our gelato sometimes. Sounds like there is a story behind that murder: “It is believed the victim and alleged offender are known to each other.”, the alleged offender was found nearby clutching a knife.

But just look at that URL:


(Additional line-breaks/white-space my own of course.)
Sorry I had to subject you to that… sq_content_src? Equals something that looks like base64? (Note “%3D” is a URI encoded “=”.) Hrm:

$ echo 'aHR0cDovL2N1c3RvbXNjcmlwdHMucG9saWNlLm5zdy5nb3YuYXUvbmV3cy9kZXRh
aWxzX21lZGlhLnBocD9NZWRpYUlEPTg0MTk=' | openssl base64 -d


If you visit the URI you get basic HTML for the news story, which is dumped verbatim into the page at the link above (i.e. including , etc).

I guess they want to make sure the input URI can’t stuff up the site URI? But we do have URI encoding designed for this very purpose, in fact they even use it for the “=”! Or maybe they want to hide the content URI? I can’t see why, and if this is the reason they chose a pretty dumb method.

It turns out that they’re not too dumb, a basic attempt at getting them to show content from another website failed. Bummer, this entry would have been so much more fun otherwise (and being arrested upon arrival in Australia would have been good too!). It is probably best not to poke police websites too much, personal experience (police questioning and a court appearance as a witness when a friend was being put through the judicial wringer) has taught me that the NSW police wouldn’t know what an Internet was if it bit them on the arse. In fact, such knowledge is considered highly suspicious, virtual proof of criminal tendencies.
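As an added example (not the police site’s code, whose rules are unknown): decoding the sq_content_src value from the post and then applying the kind of host allowlist that would explain why pointing it at another website fails. The page host “news.example” and the allowlist are assumptions; the base64 value is the one from the post.

```python
import base64
import binascii
from urllib.parse import parse_qs, quote, urlsplit

# Constructed allowlist: the site's real rules are unknown, this only mirrors
# what the post observed (content from another website was refused).
ALLOWED_HOSTS = {"customscripts.police.nsw.gov.au"}

def encode_content_src(inner_url):
    """Encode a content URL the way the site does: base64, then percent-encode."""
    return quote(base64.b64encode(inner_url.encode("utf-8")).decode("ascii"), safe="")

def decode_content_src(page_url):
    """Pull sq_content_src out of a page URL and base64-decode it.
    parse_qs already turns %3D back into '='. Returns None when the parameter
    is missing, is not valid base64, or does not decode as UTF-8."""
    values = parse_qs(urlsplit(page_url).query).get("sq_content_src")
    if not values:
        return None
    try:
        return base64.b64decode(values[0], validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None

def content_src_allowed(page_url):
    """True only if the embedded URL is http(s) and its host is allow-listed.
    This is the check a site doing server-side inclusion needs, so the
    parameter cannot be pointed at arbitrary hosts or non-HTTP schemes."""
    inner = decode_content_src(page_url)
    if inner is None:
        return False
    parts = urlsplit(inner)
    if parts.scheme not in ("http", "https"):
        return False
    return (parts.hostname or "").lower() in ALLOWED_HOSTS

# The value from the post, with its %3D still percent-encoded (the page host is made up).
PAGE_URL = ("http://news.example/story?sq_content_src="
            "aHR0cDovL2N1c3RvbXNjcmlwdHMucG9saWNlLm5zdy5nb3YuYXUvbmV3cy9kZXRh"
            "aWxzX21lZGlhLnBocD9NZWRpYUlEPTg0MTk%3D")

if __name__ == "__main__":
    print(decode_content_src(PAGE_URL))
    print(content_src_allowed(PAGE_URL))
```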

Referrer Spam Worm

Note: This entry has been restored from old archives.

Looks like a new worm has hit the ‘net, or a new feature for existing botnets – one possibly dealing in referrer spam. I have a very strange collection of recent HTTP referrers from a variety of client IPs. All with the user agent string “PycURL/7.15.5” (cURL for Python). In total 16 suspicious referrers coming from 30 different source IPs (a variety of dynamic ISP IPs, web proxies, etc). The spammy referrers in question:

Some of them are URLs that I wouldn’t expect to be in spam, so I wonder if there is some other nefarious motivation here. I wouldn’t try visiting any of those URLs, just in case, especially if you’re using IE. On inspection of some of them I don’t see anything unusual (one is plain HTML, some CSS, no JS or VBS). Also the requests are to a variety of different pages on my site, so maybe this is just obfuscation for something that is actually a harvester or form-spammer spider. The possibilities are endless, however it seems unlikely that it would be something benign.

Hits using PycURL started on Dec 3rd. On the 3rd a variety of URLs were hit, there were no referrer strings. This wave was of 39 hits over an 8 minute period and involved 10 different client IPs. Then on the 4th, about 12 hours after the last hit on the 3rd, another two waves came. The first wave was 2 minutes long and made 18 hits to different URLs from 12 different source IPs using my own domain name as the referrer. The second wave on the 4th lasted only one minute, and made 10 hits from 5 IPs with the same properties as the previous run. Then finally, early this morning after a 3 day break, there have been 34 hits from 8 IPs with the difference that seemingly random and strange referrer URLs have been used for 18 of the hits delivering 16 unique referrer domains. This final blast was spread out over a 20 minute period.

Some skript kiddie playing with his botnet? Evolution of a nefarious web spider in development?
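The wave-by-wave tally above, done by script rather than by hand, as an added example (not from the original post): parse combined-format access log lines, keep the hits with the suspect user agent, split them into waves wherever there is a gap, and report hits, duration, distinct IPs and distinct referrer hosts per wave. The log lines are constructed, not real traffic; the 10-minute gap threshold is an assumption.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Apache "combined" format: ip ident user [time] "request" status size "referrer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hit = m.groupdict()
    hit["time"] = datetime.strptime(hit["time"], "%d/%b/%Y:%H:%M:%S %z")
    return hit

def find_waves(lines, ua_marker="PycURL", gap=timedelta(minutes=10)):
    """Group hits carrying ua_marker into waves; a silence longer than gap starts a new one."""
    hits = [h for h in map(parse_line, lines) if h and ua_marker in h["ua"]]
    hits.sort(key=lambda h: h["time"])
    waves, current = [], []
    for h in hits:
        if current and h["time"] - current[-1]["time"] > gap:
            waves.append(current)
            current = []
        current.append(h)
    if current:
        waves.append(current)
    summary = []
    for w in waves:
        # "-" is Apache's marker for "no referrer sent", so it is not a host
        hosts = {urlsplit(h["ref"]).hostname for h in w if h["ref"] != "-"}
        summary.append({"hits": len(w), "ips": len({h["ip"] for h in w}),
                        "seconds": int((w[-1]["time"] - w[0]["time"]).total_seconds()),
                        "referrer_hosts": len(hosts - {None})})
    return summary

# Constructed sample: a referrer-less burst, a browser hit to ignore, then a burst with spammy referrers
SAMPLE_LOG = """\
10.0.0.1 - - [03/Dec/2006:08:00:00 +0000] "GET /a HTTP/1.1" 200 512 "-" "PycURL/7.15.5"
10.0.0.2 - - [03/Dec/2006:08:03:00 +0000] "GET /b HTTP/1.1" 200 512 "-" "PycURL/7.15.5"
10.0.0.3 - - [03/Dec/2006:08:05:00 +0000] "GET /c HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.4 - - [07/Dec/2006:06:00:00 +0000] "GET /a HTTP/1.1" 200 512 "http://spam-one.example/" "PycURL/7.15.5"
10.0.0.5 - - [07/Dec/2006:06:04:00 +0000] "GET /d HTTP/1.1" 200 512 "http://spam-two.example/x" "PycURL/7.15.5"
10.0.0.4 - - [07/Dec/2006:06:09:00 +0000] "GET /e HTTP/1.1" 200 512 "http://spam-one.example/y" "PycURL/7.15.5"
""".splitlines()
```

Run `find_waves(SAMPLE_LOG)` (or feed it real access log lines) to get one summary dict per wave.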

LinkSys WAG54GS Is Crap

Note: This entry has been restored from old archives.

[Update 2007-03-19: LinkSys have finally released an official firmware update for the WAG54GS! It is available from the LinkSys site. The lying buggers have it dated “12/05/2005”. I have not had the opportunity to install the firmware and see if it makes the WAG54GS less crap!]

I’ve traditionally been a fan of LinkSys routers, especially those distinctive blue ones with devil-horn wireless antennae. But I must say, the WAG54GS Wireless-G ADSL Gateway has proven to be a little turd of a device.

I bought it when I got to the UK; it has the latest official firmware, and it regularly (several times a day) stops routing packets. It really is quite remarkable that such a total piece of shite could have made it through QA. It just stops, the lights stop flashing (but all stay on), the web interface doesn’t respond, and it usually won’t even respond to pings when this happens (although sometimes it does).

I’ve read vague reports from others on the ‘net regarding similar behaviour so this doesn’t seem to be an isolated occurrence. There is talk of a “better firmware” that can be built from source; the little fecal box runs Linux apparently (just confirmed that, there are instructions for getting a shell prompt on the box out there). But roll-your-own firmware is just too much piss-farting around for a device that should “just work”, if I wanted that I’d have bought a dumb ADSL modem and a mini-itx machine for Linux! Some forums indicate that an unreleased firmware version (1.00.08) is available for download, maybe I’ll give that a go (but a post on that same forum says that 1.00.08 was a problem and 1.00.06 worked better). What I wonder is: if this “better” firmware has been around for so long why is the severely broken 1.00.06 version still the latest official one! Surely any bugfix is worth releasing properly; I suspect the unreleased version is unreleased for a reason.

The OpenLinksys site seems promising – but the lack of English is a bit of a barrier for me.

All in all my conclusion is that the WAG54GS is excremental in nature and it appears that LinkSys are in no hurry to do anything about it.

My recommendation: Don’t buy it! If it is from LinkSys and isn’t a little blue devil-horn box it isn’t worth the risk.

Note: To get a shell on the thing:

  • Hit
  • And telnet

Where ’′ is the IP address of your WAG54GS. Everyone seems to think the ‘adslctl info --stats’ command is exciting. I’ll leave that one to the ADSL geeks – I’d just like the bloody thing to do its job!

Oh, it also has really shitty wireless range – another area where it is significantly defective when compared to the devil-horn versions.

Finally, some interesting stats from the device (with 1.00.06 firmware):

Linux Kernel:
"OS": BusyBox
Flash Size: 4096k
CPU: Broadcom BCM6348 V0.7 (bogomips: 253.44)
Memory: 13652 kB
Filesystem: cramfs
Interfaces: eth0, lo, ppp0, wl0, br0 (bridging eth0 and wl0)
Interesting Processes: 
 mini_httpd - The link is "I'm feeling lucky"
 utelnetd (presumably not normal)
iptables highlights (the full set is *large*):
Chain INPUT (policy DROP)
target     prot opt source   destination
DROP       tcp  --  anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT     all  --  anywhere anywhere state RELATED,ESTABLISHED
REAIM_IN   all  --  anywhere anywhere
INPUT_UDP  udp  --  anywhere anywhere
INPUT_TCP  tcp  --  anywhere anywhere
DOS        icmp --  anywhere anywhere icmp echo-request
ACCEPT     all  --  anywhere anywhere state NEW
Chain DOS (6 references)
target  prot opt source   destination
RETURN  tcp  --  anywhere anywhere limit: avg 60/sec burst 120 tcp flags:SYN,RST,ACK/SYN
RETURN  udp  --  anywhere anywhere limit: avg 60/sec burst 120
RETURN  icmp --  anywhere anywhere icmp echo-request limit: avg 60/sec burst 120
LOG     all  --  anywhere anywhere limit: avg 10/sec burst 5 LOG level warning prefix `[Firewall Log-DOS] '
DROP    all  --  anywhere anywhere
Chain SCAN (2 references)
target prot opt source   destination
LOG    all  --  anywhere anywhere limit: avg 10/sec burst 5 LOG level warning prefix `[Firewall Log-PORT SCAN]'
DROP   all  --  anywhere anywhere
Chain DNS (1 references) (in nat)
target prot opt source   destination
DNAT   all  --  anywhere random 50% to:
DNAT   all  --  anywhere to:

What a strange way to deal with DNS: it hands out its own IP address via DHCP, but why not just hand out the external DNS IPs?