The future ain't what it used to be

As I got older and hopefully somewhat wiser, the feeling of history repeating itself got stronger. I can't say that I know it all or have seen it all. Far from it. But I believe so much is lost when we fail to learn from history or even to take it into consideration. I often discuss my hopes and fears for the future as if they have already occurred, hence the name of this journal. Here you'll find my thoughts on politics, IT-security, technology and some personal musings.

Note: This authoring system is homegrown, so not all functions are written yet. Next up: commenting system.

(2012-01-26) HAM-holiday

HAM-radio is a hobby that can last a lifetime. When I got my license last year, I started out as most newbies do and was content just to talk with nearby amateurs on the 2M and 70CM bands. Those bands are good for the rookie as they require very little in the way of antennas and setup. I frequently used the local repeaters as well. From there most new hams eventually find new bands and modes to explore. Pretty soon I set my eyes on the shortwave bands.

On shortwave you can speak to your own country, nearby countries and, if the conditions allow, the whole world. The trick is that shortwave frequencies allow for something called skip. This phenomenon is not just something you find on shortwave, but shortwave is where most of the interesting HAM-radio traffic is going on, so it’s the natural place to hang around. I won’t get too technical here, but skip is what makes broadcasting beyond the horizon possible. Now, the pesky ball we all live on is round, and this puts a limit on how far a radio transmission may reach before disappearing into the blue yonder. But then there is “skip”. Some atmospheric layers (known as the D, E and F layers) cause radio waves on some frequencies to bounce rather than just disappear into space. To simplify it: assume that I live in country A and country B is adjacent to country A. Country C is far away on another continent and there’s no way for my transmissions to reach there, because of the horizon problem. But the transmissions may actually bounce off the atmospheric layers and skip country B, “landing” in country C. Unless my antenna position and transmission power allow for it, no one can hear me in country B, but I can be heard in country C. And here’s why “shooting skip” is so popular: there’s no easy way to know exactly how well it works or who may be listening. The skip conditions can be monitored thanks to online weather services, but exactly how well it works out at a given moment you will have to find out by experimenting. There’s something “Forrest Gump” about the whole situation. You never know what you get out of the radio box when you tune in.

This I know: shortwave reception is troublesome in big cities. I live in Stockholm in Sweden, and northern Europe is not a bad place to be for a HAM operator, but the city poses two big challenges for me: RF pollution and antenna placement. RF pollution includes, but is not limited to: my neighbor’s plasma TV, the nearby underground station, computers, poorly built power supplies and even the ventilation system in the building across the street. It’s bad, but can be handled. The worse problem in my case is the fact that I live in a flat. I can’t set up 40 meters of long wire because I don’t have a yard. Now, there are ways around this as well, but the situation is not as good as one could hope for. However, my family owns a house in the country. A few weeks ago, I packed my HAM stuff and spent my vacation in northern Sweden, and that’s the story you’re about to hear.

The preparations

The first semi-portable rig I assembled was battery powered and mounted inside a sturdy backpack. It worked well, but was too cumbersome to carry around. I figured that I would probably spend my time inside of or near a building, so I simplified the setup a bit. The antennas I use are two homemade random wires I created by cutting 25 meters of loudspeaker wire into discrete lengths. I created two antennas from the original cable. The first random wire has a radiator length of 20 meters and a ground cable of 12 meters. The second antenna has a radiator of 8 meters and a ground wire of 5 meters. I use the remaining 5 meters for my loudspeakers at home. The longer of the antennas is used for the 80 and 40 meter bands and the shorter one for the 20 and 10 meter bands. Now, you can’t just connect the antenna wires to the radio and expect it to work. My HAM radio comes with a rather standard unbalanced connector, which I have connected to an antenna tuner. From the antenna tuner I have connected a 10 meter long feed cable that goes into a 4:1 balun. A balun, or balanced to unbalanced transformer, is the box that the loudspeaker cables are attached to at one end and my feed cable is attached to at the other end. The antenna tuner is used to tune the antenna. All normal HAM radios are built to function with an antenna that has an impedance of 50 Ohms. The problem is that impedance is a function of the frequency you’re transmitting on and the length of the antenna. To be perfectly resonant and thus present the radio with an impedance of 50 Ohms, the antenna length must match the frequency. This is a big oversimplification, I know, but basically that’s what it’s about. Most antennas are compromises of some sort. If you want to broadcast on the 80 meter band, the perfect antenna should be a multiple of 80 meters. A half wavelength dipole for the 80 meter band should thus be 20 x 2 meters long.
The calculations can be very complex for some types of antennas, and even in this case the calculation comes with a twist. The optimal length is (wave length / 2) * 0.96. I have no idea what the reason for removing 4% of the expected length is, but it’s said to be an optimal solution for most radios. My antennas are random wires and not strict dipoles. When I designed them, I didn’t expect to be able to control the environment in which they would be used, so the random wire felt like a simpler and more flexible construction to me.

The radio itself is a Yaesu 857D. It covers all relevant shortwave bands, 2 meter and 70 cm and comes with all the modes you need and then some. The radio features fair filtering capabilities and comes with everything you expect to find in a shortwave radio. In short it’s a well-rounded performer that neither excels nor underperforms in any situation.

Going there

Now you know a little bit about the stuff that went into my backpack before I went away on vacation. The family house in the country is actually close to one of the more popular ski resorts here in Sweden, but this time I wasn’t there for the skiing. As I came up rather late and it was dark, I didn’t feel like setting up the antenna. I just tossed the radiator and the ground wire on the ground to see if it worked. In spite of this poor setup, the reception on the 80 meter band was great. I didn’t want to try to broadcast with the antenna still on the ground, so I spent the evening listening. As the light of day came back in the morning I installed the antenna between the house and a nearby tree. A dipole or random wire must be mounted at a height of at least ¼ of the wave length you intend to tune into. But I had no way of reaching 20 meters above ground with the equipment I had in my possession. The antenna placement was therefore hardly optimal, but for my purposes it would do.

My intent was mainly to work on the 80 meter band. Spanning the frequencies 3.5 to 3.9 MHz, this band has some interesting skip properties. At daybreak, the skip conditions deteriorate and confine transmissions to a local area. In my case, this meant Scandinavia and the northernmost parts of Germany. As soon as the sun sets, the rather silent band comes alive as Europe lights up like a Christmas tree. However, for me the daytime was the time I was looking forward to. In the morning and until the sun begins to set, there is a lot of “rag chewing” going on. “Rag chewing” is a HAM term for a general discussion as opposed to competitions or tests. Think of it as a predecessor of today’s internet chat. Only they’re often more technical in nature.

Finally all was set up and tested and it was time to find one of those discussion rings. At this point I want to remind you that HAM radio generally is not full duplex. What I mean is that you can transmit or you can receive, but not at the same time. You’ve probably seen or even used a walkie-talkie at some time. Remember how you have to push a button to speak and then release the button to listen to the reply? This button is called PTT or “push to talk”. The legal side of HAM radio does not put that many technical restrictions on how you may use your radio. So there’s nothing hindering you from using a setup that allows you to simultaneously listen and transmit. But the PTT is still the “least common denominator” and this means that conversations over HAM radio work a little bit differently than over the phone. In HAM lingo a conversation is called a “QSO” and when more than two stations participate in a “QSO”, it becomes a “ring”. Generally the person who started the QSO also owns the frequency for the time being. They often “rotate” who is allowed to speak at a given moment, so that every participant waits until their call sign is called up. The system works, but in the beginning it may feel a bit intimidating when your call comes up even when you have no idea what to say. If the QSO only has two participants, there’s no need for any list, as the conversation just flows back and forth between them.

After a while you find out that many of the rings start at a preset time and many of the rings have had pretty much the same core participants for the last 20-30 years. The best way to learn is to tune in and listen. A good HAM keeps a log of his/her QSOs. My first QSO was at 07:30 on 3623 MHz as I checked in to the Nomira ring. The first 5-10 minutes you could hear faint communication in Polish in the background, but as the sun rose the conditions changed so fast that they were gone and that just left the Nomira ring on the frequency. Whereas my reception was good to great, I was quickly reminded of the suboptimal antenna placement when I hit the PTT. Most of the participants could hear me, but not all of them. At full power (100 W) the signal reports I got back ranged from fair to good from those that could hear me. I was still satisfied and continued to look for other QSOs after the Nomira ring had concluded their daily “rag chew”. Nomira is a Christian HAM-radio organization and they’re very nice and helpful people and made me feel right at home on 80 meters. During the few days I was on vacation I participated in a number of rings and QSOs and also tuned into a few “pirate radio” stations. Among them was a station claiming only to broadcast 2 hours per year, calling themselves “Radio Mistletoe”. This and many other interesting things are what make HAM radio such a fascinating hobby. Should I ever get tired of “rag chew”, there’s a plethora of other activities out there such as CW (Morse code over radio), RTTY/PSK31 (data transfer), SSTV and contests.

The radio amateurs of the world have a long history of inventing new technologies, helping others in distress and generally breaking boundaries. I’m proud to follow in my grandfather’s footsteps and while I’m an agnostic atheist, the idea of him sitting on a cloud and listening in on his grandson’s transmissions while muttering “… Humph!... Back in my time…” really amuses me.

Tags: HAM, HAM-radio
Posted 2012-01-26 by Erik Zalitis, changed 2012-01-26 by Erik Zalitis

(2012-01-15) Looking back at the 2010s

All eras are defined mostly in hindsight. A number of years later people may laugh at it, shake their heads or just get that “dreamy look” in their eyes when they think about it. If you think about the 1950s, you have an era which everyone has an opinion about. Even those that weren’t even born back then (I sure wasn’t). We may laugh at the commie scares and the crazy times when people feared the atom bomb. And it looks even worse when you think about the wars and the segregation. Exactly what it looked like and if it indeed did look the same way depended on where you were in the world.

It’s 2012 now and as always we live in the ultra-now. It will take a number of years until we can look back and think about it. What do you think we’ll love, like, hate or just not care for when we look back at the 2010s?

A few years ago I was worried about the surveillance spreading throughout our cities, networks and society. I concluded my blog post by noting that this is something we may have to sit through and hope that we learn something from in the end. That’s still my opinion, and the dark clouds are still gathering. They almost fill up the whole sky by now. The Internet gets more and more regulated. Not a month goes by without new words like SOPA, PIPA, HADOPI and IPRED. The politicians and private sector managers are not the enemies, because they’re us! They’re citizens in the same society we are. Some of them may want to capitalize on our fears, but most of them believe in what they’re doing. The road to where we're heading is paved with the best of intentions. And still, we know it's not going well and it's not going in the right direction.

It doesn’t matter that we’re safer now than ever, the fears are still there. Whatever we don’t feel we fully understand and control must therefore be tamed. The Internet fits this description, and so do the public streets and the places where we meet. All those must be controlled and any and all risks must be eliminated. Yesteryear’s anger over cameras that go everywhere and having to sacrifice our privacy is now just an irritated mumble. This is where we’re going, and it’s painfully apparent. What isn’t so apparent is where we will end up and how much it’s going to cost us.

But I worry more about how mentalities change over time. We have not only come to accept things that we couldn’t dream of tolerating 10-20 years ago, but we also demand to know everything about everyone. Dostoyevsky once wrote that “The degree of civilization in a society can be judged by entering its prisons”, and if the fear, paranoia, loss of freedom and decline of justice in our society continue, that may one day be something we all get firsthand experience with. “Innocent” is just a word. Just like “civilization” and “society”.

Tags: Security, society, philosophy
Posted 2012-01-15 by Erik Zalitis, changed 2012-01-21 by Erik Zalitis

(2012-01-08) Comic book review - ”Pogo Possum – through the wild blue yonder”

A review of ”Pogo Possum – through the wild blue yonder”
Book: ”Pogo Possum – through the wild blue yonder”
ISBN: 978-1-56097-869-5
Pages: 290
Author: Walt Kelly, Jimmy Breslin et al.
Publisher: Fantagraphics
Released: December 2011

What am I reviewing here? Is it Pogo Possum as a comic or the collection album that Fantagraphics finally released in December 2011? The answer is that it will be both, but first let’s take a look at the book. Walt Kelly’s comic strip “Pogo Possum” ran from 1949 until 1975, almost two years after Walt’s death. Besides the daily comic strips that were published in newspapers all over the US, there have been over 30 comic albums released and a number of collections as well. After the comic ended, there had been no attempt at publishing all daily and Sunday strips in one set of volumes. In 2007 that changed as the publisher Fantagraphics announced that they would give the world the whole story from the very first Pogo Possum daily comic strip until the very end, including the colored Sunday strips, all in 12 volumes. But time went by and the first volume failed to appear. They claimed to have serious problems finding all the strips in a usable condition and we waited. The first volume would cover Pogo from 1949 to 1950, so we’re talking about something that’s 60 years old. In the end it took until fall of 2011 until they finally managed to get the book released. And it has been worth the wait, I tell you…

The first thing I notice about the book is the good quality, its sturdiness and a binding that seems to be built to last. Only time will tell, of course. The book comes with a foreword, an editor’s notice, an index for each week covered of the comic itself, a separate section for the Sunday strips and finally the “predecessor” of Pogo that ran in the New York Star newspaper before it folded. Most of the strips look great and have high contrast and (for the Sundays) vibrant colors. Sometimes the colors may be a bit too vibrant, and there are a small number of the daily strips that lack some sharpness and have an odd contrast range. But those are minor flaws hardly worth mentioning. The overall restoration work is amazing and makes no attempt to improve on the original so that it looks like it was made on a computer. That may come as no surprise, as members of Walt Kelly’s own family have been involved in the project.

I have a small confession to make: I was born after Mr. Kelly died, so my knowledge of the comic strip is fairly limited and I started reading it just a few years ago. Also, I’m not a native English writer, so please forgive me my sometimes weird grammar.

What about the comic strip itself? As it has ended, we now know how it evolved from the humble beginnings in 1949 until the very end. This collection covers the first two years, 1949 and 1950, and shows how the comic began to find its form. It’s amazing to see that almost all of the important characters were there from the start or at least came into the story early on.
The different story arcs center around a number of characters living in the Okefenokee Swamp in Georgia and how they deal with how they always misunderstand themselves, the others and what’s really going on. After a while I get the feeling that the characters are more like concepts and ideas that Walt Kelly plays around with than real characters. He often throws in the events of the day, like in the arc where he lets the incompetent “scientist” of the swamp, Howland Owl, try to create an “Adam Bomb” (Atom bomb) out of a yew and a geranium. Yewranium sounds like Uranium when pronounced and that alone makes up the base of the whole story arc. Unlike many other comic strips that either tell lengthy stories or just resort to being gag-a-day comics, Pogo Possum uses variable length arcs. Those arcs continue until Walt Kelly obviously gets fed up with them and changes the subject. Sometimes the story smoothly transitions over to another one and sometimes it just shifts gears without using the clutch. Various events also frequently “spawn” new characters into the story as they are needed. Some of those characters never reappear, whereas others join the back of the queue until a “Deus ex Machina” is needed. Walt Kelly once jokingly said that the “characters work for another comic” when they’re not in Pogo Possum, and why not? The characters apparently know that they’re actors in a comic story, and sometimes even use the edges of the panels to lean against or to do things like striking a match against them.

The main (and thus always recurring) characters are just a handful, with literally hundreds of extras filling in whenever they’re needed. But the one lead character of the story is the eponymous opossum who is known as Pogo by his friends. He has a mostly kind and gentle demeanor. His best pal Albert is an alligator who smokes cigars, tries to intimidate the others but is deadly afraid of alligators and refuses to calm down even when told he is one himself. Then we have the “only sane man” in the swamp, Porky Pine. What counts as sanity in the swamp may be discussed, but in relative terms he fits the bill. Porky, like Eeyore in Winnie the Pooh by A. A. Milne, is in a permanent state of gloom and depression. This is in stark contrast to the constantly untroubled mind of Churchy La Femme, the turtle whose mind is free of both common sense and any trace of intelligence. Howland Owl considers himself a scientist and a scholar, which he may be the only one in the world to actually believe. He can barely read, has no idea where science ends and urban legends start and will seldom if ever doubt himself for any reason. Some of the other main characters take a little longer to get into the story. Miz Beaver, Deacon Muskrat and Miz Mam’selle Hepzibah make their respective appearances in the story after a while. And last but not least, the “bad guys”, Seminole Sam (salesfox) and Wily Katt (wild cat), pop in. The characters are often drawn like they were in motion. Walt Kelly used to work as an animator for Disney, and it shows! Every character changes their pose and facial expression dynamically between the panels and Kelly is very able to make them look like they’re running, walking or falling even when printed on paper.

In my opinion the best part of the whole comic is the dialog. Walt Kelly’s grasp of mid-west US dialects seems, to say it kindly, to be lacking, but that’s actually a great thing. Pogo Possum sports a non-existent, yet very understandable flavor of American English. And I’m pretty sure that Walt Kelly knew exactly what he was doing, as the dialog is extremely vibrant with all its playing with words, double meanings and droll jokes. Some characters even have their own word balloons that mirror their way of talking. Okefenokian, as I would like to call it, is its own language that may count as “Engrish” by today’s standards. If you get stuck reading something, just say it aloud and it should become clear what they’re really saying. Walt Kelly is just as much a great writer as he is a great artist.

In this first volume, the direction that Pogo would later on take is not yet clear. While there are some political jokes already from the start, the comic later became politically very active and challenged many of the things Walt Kelly felt were unfair or plain wrong. I look forward to rereading his take on Joseph McCarthy, which should be in the next volume if I’m not mistaken. A fair warning though: as Pogo matured it included more and more references to the political stage of the day. When you read future volumes from Fantagraphics you might want to have a reference book or perhaps access to the Internet at hand. I’m not a US citizen, so I have already had to resort to the Internet more than once to understand what some jokes are about.

Many lesser strips use their first panels to “build up” to a punch line in the last panel. Pogo on the other hand may or may not give you a punch line in the last panel, but you won’t notice, since you had so much fun getting there.

Final verdict: 10/10. A well-executed tribute to a masterful comic.

Tags: Pogo Possum, book review
Posted 2012-01-08 by Erik Zalitis, changed 2012-01-21 by Erik Zalitis

(2012-01-08) What is going on at ERICADE?

It's been very quiet on this site for the last 3-4 months, but a lot has happened in the background. In late October 2011 I decided to take a large portion of the services offline. This did not include any essential services such as the mail system and the name lookup service (DNS).

During the fall of 2011, I rebuilt most of the services from scratch, which has taken a lot of time. During this time, the radio station has been offline and all news pages have been static.

The radio station came back on the air on the 30th of December. As of now all services have been restored except for a few that have been retired.

The mail service has been kept up to date and is running the latest stable build of Kerio Connect.

I've changed the SSL-certificate for secure.ericade.net, which rendered a few cosmetic error messages until all services were properly changed.

The radio station is now running the new ShoutCast 2.xx streaming-software.

The role playing forums have been retired and will not come back.

A few minor issues still must be addressed, but as of now, we're back on track and back on the air. Enjoy!

Tags: Service announcement
Posted 2012-01-08 by Erik Zalitis, changed 2012-01-08 by Erik Zalitis

(2011-09-14) Ten years of security

A few days ago a milestone flew by: it was ten years since the World Trade Center attack. Much happens in ten years, but in the world of security so much has changed that I can’t help but wonder if a time traveler from 2001 would be able to recognize the world of 2011.

Back in 2001, we had Nimda knocking down our web servers while we were still recovering from the effects of the dot com crash with no end in sight. Enron went under and MCI/WorldCom crashed. Then came the outbreak of worm attacks and the second coming of the Spamocalypse. The Internet became so common that even our grandmothers and grandfathers started using it for everything. When the worm attacks finally subsided, the web browsers became the target and the malicious code went from one-trick ponies to multi-vector attack-wielding one-man armies. Proving that we had learned nothing, we made more and more of our software reliant on an “always on” Internet connection. Playing a computer game without the proverbial intravenous connection to the big cloud simply wasn’t possible anymore.

The sheer volume of software security patches we had to apply went from scattered showers every now and then to flowing like the Niagara Falls. Music and movies, both legal and illegal, also flowed to our computers through BitTorrent, iTunes and services too many to name.

EverQuest, World of Warcraft and the numerous clones of those games merged the idea of user communities with gaming and forever changed gaming from a solitary pastime to a social thing. Talking about communities; we went from IRC, to forums, to blogs, to MySpace, to Facebook, to Twitter. Everything could be found with Google and that included your house and maps of your neighborhood. And don’t forget that the Internet is for porn! Security wise, porn sites have always been bad news and many careless users got viruses when searching for sex. Like in the real world. YouTube came from nowhere and suddenly you could find all those TV clips and obscure songs you thought were lost forever. RIAA and MPAA were none too amused.

The governments of the world woke up as from a nightmare of falling helplessly through the space of libertarian Internet-fueled direct democracy and acted in panic. In the name of fighting terrorism and child pornography, without any idea of how to actually make any difference in the matter, laws were enacted. Surveillance became ubiquitous and the corporate world followed suit as RIAA declared war on … everyone. Especially grandmothers and young girls who had downloaded the latest crappy boy band songs. Someone calculated that if RIAA were right about the value of pirated songs, a normal iPod full of copyrighted music would be the most valuable object in the entire world.

China grew larger. India became a preferred destination for businesses jumping on the offshoring bandwagon. Many other “low cost” countries followed suit and the global talent pool grew quickly. This and many other changes caused the software market to boom.

People met, fell in love and even “lived together” on the Internet. But the Internet also taught us to fear everyone we didn’t know or understand and to stick to places where people always agreed with us. The trend of publishing the identities of condemned criminals gained traction and then went so far as to publish the names of those merely suspected of something. The gossip and rumor machine had landed on the Internet. How many people were innocently accused of being criminals, psychopaths, pedophiles and such will probably never be known, but history will judge those spreading such rumors! Mark my words! But people also used their newly found soap box to judge and criticize wars, injustices and other wrongdoings they felt had been done.

Apple reemerged like it was the Phoenix bird, complete with new, stylish feathers. Microsoft screwed the pooch and called the offspring Windows Vista. Eventually they saved face with Windows 7. The protests against the regulation and secrecy of governments and corporations changed form and suddenly we had entered the era of WikiLeaks. It was the logical next step from governments and corporations spying on people while people were spying on each other. Could authors such as Agatha Christie or Raymond Chandler have dreamed of a society where spy gear would be dirt cheap and everyone could spy on anyone? The Internet allowed people to be as infantile as they felt like and behind the false security of “being anonymous” some of them made ruthless comments on blogs and in comment sections. But anonymity also helped those who were hindered from speaking freely, and thus started a war between those preferring anonymity and those demanding civility. Terms such as anonymizers, onion and garlic routing entered the common discussion. Hacking also grew another worrisome skill: targeted attacks. Remember the attacks against Iran’s nuclear program? At least that’s what I believe it was. Half-Life 2 was delayed because hackers were able to get hold of some of the source code, and Sony got whipped real hard as hackers broke into their gaming network, bringing the PS3 community to a grinding halt. Google in China…. I could go on… But let’s continue.

The media landscape got its own overhaul when the emerging Internet-based media outlets forced the traditional media to step into the virtual realm. We saw the Internet giving power to everyone who was ready to grab it before anyone else did. Most of this came out rather well in my opinion, but we also had to contend with hackers, shady businesses, scams, criminals, Nazis and nationalists and of course everyone with the audacity of voicing a different opinion than our own. The Internet didn’t collapse and neither did the e-businesses, proving the strength of human adaptability. We simply learned to be careful and to survive when it wasn’t enough. Some of our experiences were hard earned.

If all this caused democracies to shake in their foundations, the dictatorships sometimes even fell. It wasn’t the Internet that brought them down, but empowered people feeling strength through hope. Hope was also in the air when the United States of America got its first black president, who appealed to the younger audience with his Blackberry and his Twitter feeds. Anyone here who wants to write new lyrics to the Billy Joel song “We didn’t start the fire”?

The release of Apple’s iPhone led to the rebirth of the PDA. Suddenly everyone had a portable computer and calendar that also doubled as a … phone… Google competed with their own operating system for mobiles called “Android” while Microsoft tried its best to keep up with them. Bronze is the second loser. Right now it’s all about the “apps”, you know, buying simple software commodities for cheap money to extend the usability of your cell phone or just to make it look even sillier. And it all integrates into the fluffy, furry critter known as the “cloud”. And now we have finally come to the present day and our journey ends for now. Ahead lies the future, but that’s a story for another day.

It pains me to realize that I probably forgot half of everything that has changed the world for better or worse since 2001. And I feel sorry for those innocent people that died in the Twin Towers as well as for the rest of us that had to feel the pain and fear afterwards. But all in all, it has been an interesting ten years that have also held a lot of positive changes. And there has never been any shortage of work for us in the IT-security corner of the IT world.

TTFN, Erik Zalitis

Tags: Politics, IT-Security, philosophy
Posted 2011-09-14 by Erik Zalitis, changed 2011-09-14 by Erik Zalitis

(2011-07-17) The Fawlty Towers Q-code

I readily admit, I didn't check if someone else has already thought of this. I was pretty sure I was the first HAM to suggest this, but it just popped into my head, so I'm posting it here. Sure enough, it even exists as an official code, but my version is funnier.

First off: what is a Q-code?

In short, it is a set of codes originally used in wireless telegraphy to create shortcuts to many of the common things you needed to ask or inform others about. Most of the codes are questions and answers about radio conditions, frequencies and other important stuff. An example:

QSY? means "shall I change the frequency?"
QSY (without the "?") means "change your frequency to ........."

Of course the last statement is followed by a proper frequency.

Sooooo... Here it is:

QUE? - Do you have any idea what you're doing?
QUE - I have .... idea what I'm doing.

The dots should be replaced with a number on a scale from 1-5. The scale values are:

0 - Que?
1 - no
2 - a feeling I may have an
3 - a faint
4 - fair
5 - an illusion that I have an

0 should not be used, but it will be, believe me.
All values below 2 are always honest.
All values above 1 may indicate that the other station is clueless.
Higher values technically mean the other party should have more of an idea or clue what they're doing. Whether this really is the case is unclear at best.

The "que?" comes from the character Manuel in Faulty Towers, one of the best TV-shows ever. Please understand that it's not meant as a racist comment. If you have seen the TV-series, you'll understand that it's clearly not the case! He is one of the more sane people in Faulty Towers, which when compared with John Cleese's character, doesn't say all that much.

Full disclosure
The code actually exists in real life and is at least a bit funny:

QUE? means "Can you speak in ... (language), - with interpreter if necessary; if so, on what frequencies?"

QUE means "I can speak in ... (language) on ... kHz (or MHz).".

http://en.wikipedia.org/wiki/Q_code

Tags: HAM radio, humour
Posted 2011-07-17 by Erik Zalitis, changed 2011-07-17 by Erik Zalitis

(2011-07-13) Mother Nature's view on security

Why won't we ever get rid of vulnerable software and hardware? What does it take to make everything perfectly secure? Most people I ask those questions respond by saying it cannot be done and I think they’re right. But why do we still act as if there was a way to make all security problems go away?

I think there are a lot of different reasons that cause us to push forward to remove all risks by being “proactive”. To be proactive is thus to solve any problem before it appears, right? If so, why do we need early warning systems to be proactive? Just let that sink in for a moment.

If you detect a problem before it gets critical, you're not really proactive. You’re reactive, but reacting in time. The word “proactive” means to “(…) initiate change rather than reacting to events.” 1) In order to be proactive, you cannot ever look at any values or logs, because the moment you detect that something is heading the wrong way, you're reacting to an event. The only true way to be “proactive” is to be Nostradamus. And his track record is … well … almost entirely wrong.

So, what's the point of this discussion? I’m not trying to discourage early detection of problems or forward planning. Those two factors can really increase reliability and uptime for any system. The problem is that we see any problem “getting through” as a total failure.

Good security involves protecting a system in proportion to the loss a compromise would cause. This is in many of the security books you can read. By implication, a sound security plan accepts that enough resources spent by an attacker will give them a good chance to actually succeed. This also means giving up the pipe dream of never getting hacked or having a system failure.

If Mother Nature applied for the position of system administrator, no one would hire her.

- "So, how would you make sure the network can handle an intrusion?”
- "I would let it happen and let the devices that survive remain online afterwards."

Not exactly what you want to hear from your system administrator? Still, that's how it’s done in reality. When an intruder is successful, smart people learn how it was possible for the intruders to get through and then they adapt their infrastructure to cope with the new situation. And sometimes they still get hacked again, until their security is good enough to stand the test of time. But this cannot last either, because any security stance will weaken over time. So the cycle repeats as long as there are enough dangerous risk agents around. There is a reason risk management plans include terms such as “annual rate of occurrence” and “single loss expectancy”. Security planners actually expect attacks to be successful more than once in the lifetime of an organization. With as little exposure of vital systems as possible, smart and fast detection of attacks, forward planning (this is as close to “proactive” as you get in reality) and reduction of complexity of the systems, you can mitigate your risks. But eliminating them? Please! Not even Mother Nature would try to do that! Instead, plan ahead and learn how to survive when it happens while still upholding a good security regimen.
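The terms above are the building blocks of quantitative risk analysis: single loss expectancy (SLE) is the asset value times the fraction of it lost in one event, and the annualized loss expectancy (ALE) is the SLE times the annual rate of occurrence (ARO). The useful question is not “how do we get the ALE to zero” but “does a control cost less per year than the loss it avoids”. The following is an added example in Python, not code from this post; the asset values, exposure factors, rates and control costs are constructed numbers for illustration.

```python
# Added example: SLE, ARO and ALE figures, and whether a control pays for itself.
# Every asset value, factor and cost below is a constructed illustration.

def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = asset value x exposure factor (fraction of the asset lost per event)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle, annual_rate_of_occurrence):
    """ALE = SLE x ARO. An ARO below 1 means the event is expected less than yearly."""
    if annual_rate_of_occurrence < 0:
        raise ValueError("rate of occurrence cannot be negative")
    return sle * annual_rate_of_occurrence


def control_benefit(ale_before, ale_after, annual_control_cost):
    """Net yearly benefit of a control. Negative means it costs more than it saves,
    i.e. accepting the residual risk is the cheaper option."""
    return (ale_before - ale_after) - annual_control_cost


# Constructed scenarios: (name, asset value, exposure factor, ARO without the
# control, ARO with the control, yearly cost of the control).
SCENARIOS = [
    ("public web server compromise", 200_000, 0.5, 0.5, 0.1, 20_000),
    ("internal wiki defacement", 50_000, 0.2, 0.2, 0.02, 5_000),
]


def evaluate(scenario):
    """Work one scenario through SLE -> ALE before/after -> net benefit."""
    name, asset_value, ef, aro_before, aro_after, control_cost = scenario
    sle = single_loss_expectancy(asset_value, ef)
    ale_before = annualized_loss_expectancy(sle, aro_before)
    ale_after = annualized_loss_expectancy(sle, aro_after)
    benefit = control_benefit(ale_before, ale_after, control_cost)
    return {
        "name": name,
        "sle": sle,
        "ale_before": ale_before,
        "ale_after": ale_after,
        "net_benefit": benefit,
        "worth_it": benefit > 0,
    }


if __name__ == "__main__":
    for result in map(evaluate, SCENARIOS):
        verdict = "implement" if result["worth_it"] else "accept the risk"
        print(f"{result['name']}: ALE {result['ale_before']:.0f} -> "
              f"{result['ale_after']:.0f}, net {result['net_benefit']:.0f}: {verdict}")
```

Note that in the second scenario the residual ALE after the control is tiny, yet the control still loses money every year; that is the kind of risk a sound plan accepts rather than chases.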

Anyone talking about “zero tolerance” or “proactive security” is either blind or not telling you the truth.

1) http://www.thefreedictionary.com/proactive

Tags: IT-security, philosophy
Posted 2011-07-13 by Erik Zalitis, changed 2011-07-13 by Erik Zalitis

(2011-06-15) Can't see the forest for the logs?

Do you remember those old analog TVs, where you could pull the antenna cable out to look at the whirling static of white and black dots? For all intents and purposes, what you see is more or less random and no one could possibly call what you see on the TV-screen “information”. Or could they? Actually, when we talk about “information”, we often mean “useful information”. The bad news is that it can be hard to know what is useful now or in the future.

When working with computer generated logs, this can be disastrous. Logs? I’m not talking about the kind that used to be trees. Many applications store informational, warning and alert events in files or databases. Those databases and files are what we call logs. We often install systems and applications without thinking why and what should be written into them. All logs can give potential clues when we try to track an intrusion or when we try to find the cause of a failure. But when the time comes to look for those clues, they may not be there for us and there are quite a few reasons for that:

We have no plan why we log
Ask operations and they tell you logs are for troubleshooting. The guys in security talk about auditing and forensics and the web master needs to know how the site is doing on the big market called the Internet (assuming we’re talking about a web site, of course). Logs can cater to all those needs, if we set the system up that way. But that is a job for an IT-architect and should be done long before the system is actually built. At this time I want to remind you that organizations should have a set of written policies dealing with security and rules. This is outside the scope of this discussion, but the relevant parts of the security policies must be used to decide how to build the logging architecture.

We wait too long
Logs are often set up to start overwriting the oldest entries after some time or when they get larger than a preset size. In short, we could be too late to actually see something, since the log data has been erased. The solution is to understand what we will use the logs for and how much history we need. This should be decided when we design the system and must be applied system wide. Yup, I’m repeating myself, I know!

We log all the wrong things and forget to log the right things
Did you know that the web server Microsoft Internet Information Services 6.0 doesn’t log the referer (yes it’s spelled that way!) tag by default? The referer (sic!) tag can show the address of the site the user was surfing on, when he clicked on a link to your site. It’s probably not so interesting to log just for security purposes, but it is very important if you want to know which search phrases or sites link to your site. Do you only log failed logon attempts? Then you won’t know when they actually managed to break in.

We fail to understand the consequences of our settings
If you set up your logs to roll over after a specified time or size, you don’t have to worry about them filling up the disk. Computer criminals know that this is a common practice and often try to hide their tracks by generating a massive amount of events in relevant logs until they roll over and delete the evidence. If we allow it to fill up, an attacker may be able to cause a system to fail by generating events until the system cannot log anything more. If we don’t transfer our logs to a secure system, an attacker that succeeds in taking over a system can destroy all evidence by clearing the logs. And if we do transfer the logs, the total cost of ownership goes up. All choices have their merits and flaws.
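Two of the points above can be put into code: logging only failed logons hides the moment the attacker got in, and a size-capped log holds far less history than you think once someone floods it. The block below is an added example in Python, not something from this post. The log lines are constructed in a syslog-like sshd layout (no real host or address), and the thresholds, window and rollover size are assumptions for the illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a syslog-like layout (not captured from a real host).
SAMPLE_LOG = """\
2011-06-15T10:00:01 web1 sshd: Failed password for admin from 192.0.2.10
2011-06-15T10:00:02 web1 sshd: Failed password for admin from 192.0.2.10
2011-06-15T10:00:03 web1 sshd: Failed password for admin from 192.0.2.10
2011-06-15T10:00:05 web1 sshd: Accepted password for admin from 192.0.2.10
2011-06-15T10:00:07 web1 sshd: Failed password for bob from 198.51.100.7
2011-06-15T10:03:00 web1 sshd: Accepted password for alice from 203.0.113.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_log(text):
    """Parse the sample format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def failed_then_success(events, min_failures=3, window=timedelta(minutes=5)):
    """Return (src, user, failures) for every successful logon that was preceded,
    within `window`, by at least `min_failures` failures from the same source for
    the same account. Only works if successes are logged, not just failures."""
    recent = defaultdict(list)  # (src, user) -> timestamps of recent failures
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["user"])
        if ev["outcome"] == "Failed":
            recent[key].append(ev["ts"])
            continue
        fails = [t for t in recent[key] if ev["ts"] - t <= window]
        if len(fails) >= min_failures:
            hits.append((ev["src"], ev["user"], len(fails)))
        recent[key] = []  # a success closes the sequence
    return hits


def retention_seconds(max_bytes, avg_line_bytes, lines_per_second):
    """Seconds of history a size-capped log holds at a given write rate."""
    if avg_line_bytes <= 0 or lines_per_second <= 0:
        raise ValueError("line size and rate must be positive")
    return max_bytes / (avg_line_bytes * lines_per_second)


def burst_minutes(events, max_per_minute):
    """(src, minute) pairs in which one source wrote more than `max_per_minute`
    events; a simple indicator that someone is trying to push the log over."""
    per_min = Counter((ev["src"], ev["ts"].replace(second=0)) for ev in events)
    return sorted(k for k, n in per_min.items() if n > max_per_minute)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("failures followed by success:", failed_then_success(evs))
    print("noisy sources:", burst_minutes(evs, max_per_minute=3))
    # Assumed: a 10 MB cap, 100-byte lines, 1000 lines/s flood -> 100 s of history.
    print("history kept under flood:", retention_seconds(10_000_000, 100, 1000), "s")
```

The retention arithmetic is the point of the “we wait too long” section in numbers: a 10 MB log that seemed to hold weeks of normal traffic keeps under two minutes of history once an attacker writes a thousand lines a second to it.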

We log inconsequentially
The days of everything being “one server – one system” are long gone. Many larger systems consist of servers, network equipment and even cloud services working in unison. We must make sure we log everything as dictated by the policy on all parts of the system where possible.

… And my favorite: we have no idea what to do with it!
Ok, so you now have megabytes of data at your disposal. Whether you want to detect problems and security issues before they happen or want enough information to nail the attackers afterwards, you can seldom just rely on reading the logs manually. You need tools, procedures and scheduled time for it. This is a huge area and there are hordes of free and commercial products and appliances that can help you find what you’re looking for, or hide it from your eyes by being totally useless tools. The right tools for intrusion detection may be totally useless when it comes to troubleshooting stability issues.

This post in one sentence: thought applied before action saves the future.

Tags: IT-security, logging
Posted 2011-06-15 by Erik Zalitis, changed 2011-06-15 by Erik Zalitis

(2011-06-14) Coming along just fine

My computer controlled radio shack is almost done.



I still have to resolve an issue with sporadic heavy background hum when transmitting QRO on some shortwave frequencies. It's a problem with the microphone preamp and should be easy to resolve.

Everything else works like a charm.

Tags: HAM Radio
Posted 2011-06-14 by Erik Zalitis, changed 2011-06-14 by Erik Zalitis

(2011-06-06) The case for "Net tops"

I'm sure you all remember when the "mini computer" frenzy hit the world. It was in 2008 and the fact it was called a "mini computer" shows how little we remember history. I bought an Asus Eee PC 900 in 2008 and I wasn't particularly impressed by it. Still it did work and could be used to read documents and watch movies. The thing with those cheaper systems was that they had slower processors, smaller hard drives and less memory, but they were dirt cheap. In my opinion, they later started going in the wrong direction with this. When the next generation of netbooks/mini computers, whatever you want to call them, came out they had better specifications, a larger frame and a higher price. This nullified the whole idea as they became slightly cheaper, low end versions of real PCs. Just add 30% to the price and you get double the performance. The next step was the iPad and its PC clones, but this is another story altogether.

In spite of all this, the trend of cheap computers with less of everything is still going strong thanks to the popularity of home entertainment systems. Many of my friends have bought cheap "bare bone" PC-boxes and connected them to their TVs with good results. The latest iteration of those cheap boxes is commonly known as "Net tops" and fills a gap between thin clients and normal desktop PCs. Now is surely a good time to be a media consumer!

But I see something else as well: an affordable platform for home experiments. Finally you can buy a cheap system and dedicate it to a specific task. When I needed a computer to control my HAM radios, spending money on a regular PC was out of the question. So I bought an MSI Wind DE220, a small framed PC with very modest specifications. It comes with Windows 7 Home Premium, which I tore out and replaced with a more expensive Windows 7 edition because I needed the remote desktop function which Windows 7 Home Premium doesn’t have. At this time I must explain why I chose Windows at all. Normally this would have been a good candidate for Linux, but as my favorite Ham Radio software only runs on Windows, I had to do it this way.



(The "Net top" PC may have laughable specs, but it's perfect for its simple task. Gamers must look elsewhere for good hardware.)

I've set the system up to automatically start all necessary services and take control over the radios as soon as it's turned on. The radios are connected through a "DigiMaster USB TWIN CT62 CAT Interface" USB interface and the sound is routed through a Rig blaster Duo box, allowing full control from the net top. The Rig blaster is a decent piece of hardware, but it's not as good as it should be. For example: I don't understand why I can only use the switch on the box to select which radio to transmit through when all other functions can be controlled from the computer. Well, anyway...



(Nice weather we’re having! Also, note the Rig blaster in the lower portion of the picture.)

The point of this setup is that it enables me to broadcast from wherever I happen to be. Most of the time it's no farther away than my main PC in my living room. But no matter my physical location, I can see what's going on and even start transmitting through a remote desktop connection to the "net top".



(The remote desktop connection puts me in front of the "net top" even if I'm not there. Until teleportation devices are invented, this is how it must be done.)

For rig control, the weapon of choice is Ham Radio Deluxe. This fantastic piece of software lets me control the radios and handles all aspects of it except the transfer of sound. For that purpose I use IPSound. This setup may seem a bit odd, but it does have a reason. I've two radios set up to scan for transmissions. They're not routed through the net top, but instead directly to a pair of speakers in my living room. The third radio, a Yaesu 897D, is directly controlled by the “net top” through a remote desktop connection. This way I can initiate transmission wherever I happen to be, but when I'm home and just want to listen, I only need to turn on the speakers.

The idea to have just one interface for rig control and another one for sound and PTT is a bit unorthodox. I had the DigiMaster before I got the Rig Blaster. Also the DigiMaster is the better rig/CAT control, so that’s why. This post is not about setting up HAM radio equipment, but since you may be reading this because you intend to try something like this, remember that USB ports are sensitive to RFI! You should make sure that the equipment is properly set up and that you have taken measures to limit interference and ground loops. Improper setup may damage the USB hub in the computer.

So what's the point then? Well, this is just one of many ways you can benefit from cheaper hardware. Do you remember the time when software was dirt cheap, because it was considered part of the hardware? Then the software was "disconnected" from the hardware and then started to branch into different categories like "operating system", "applications" and "server applications". With the "cloud" and its promises of "Everything as A Service" this is bound to change again. But for the "do it yourself"-crowd, there's no time like now!

Links for further reading

DigiMaster USB for Yaesu
Rigblaster
Ham Radio Deluxe

Tags: Ham Radio, Net top, IT
Posted 2011-06-06 by Erik Zalitis, changed 2011-06-06 by Erik Zalitis

(2011-05-18) A lesson in troubleshooting


Troubleshooting and investigation have a lot in common, and I touched on the subject a few months ago in a story called “The power of inference”. Now, here’s a true story that is not really related to IT, but that I think you might find interesting.

About a month ago, I got my HAM (Amateur radio) license. But my interest in radio began much earlier, when my grandfather showed me how to operate one of his old radios. It was a large “National HRO sixty” shortwave receiver that had previously been installed in the Bromma airport control tower in Stockholm. If you wanted to change which wavelength band you wanted to listen to, you had to physically remove a cassette and switch it for another cassette that held the necessary circuits to allow the radio to receive that particular band. My grandfather had worked for many years for the Swedish telecom- and radio authority “Telegrafverket” (Later Telia) and was himself a radio amateur.

All radio amateurs get a unique call sign assigned to them by their country registrar when they take and pass the exam(-s) required to operate as a radio amateur. When I finally was about to get my own license, I decided to find my grandfather’s call sign. He became a silent key in 1994. In amateur radio slang a radio amateur that has died becomes known as a “silent key”. This goes back to the days when you used a telegraph key to transmit Morse code. So my grandfather is now known to the amateur radio (“HAM”) community as SM0HAE (SK). Simplified: SM is Sweden’s country code (SA – SM actually). 0 stands for the Stockholm area. This is where the operator has his home, but he can of course broadcast from another location, although this has to be noted by him during the broadcast. HAE is the part that uniquely identifies the operator. (SK) means that the operator is no longer among the living. Well, on with the story…

I was able to find his information through a service called HamCall Net and that could have been the end of the story. But it wasn’t. As this information was quite old, it had most likely not been registered through the Internet. One interesting thing was that his “QTH” or broadcast location was noted along with the rest of the information. I fed the latitude and longitude into Google maps and ended up… nowhere. The map centered on some trees on the side of the road, a few miles away from a small town called Perstorp. It just didn’t make sense. Then the troubleshooter in me awoke. I spoke to my mother and asked her about it. She was quite sure he had never had a house in or around Perstorp.

The gut feeling told me there had to be a mistake somewhere, but the numbers couldn’t be totally wrong. I used Google and some other tools to quickly get the latitudes and longitudes of all locations where I knew that he had either worked or lived. The numbers were all significantly different from the Perstorp location. Then my eyes fell on the grid locator that was also present in the text.

Latitudes and longitudes are cumbersome to read or telegraph over the radio, so most radio amateurs use a shorthand notation of their location. This is called a “Maidenhead locator” or “Grid locator” and it’s not nearly as precise as the latitude/longitude system. If my theory was correct, the correct location had to be nearby and my mother provided me with the final piece of the puzzle. She pointed out that my grandfather had worked at a large broadcast facility in Hörby, which was fairly close to Perstorp. I calculated the locator for Hörby and compared it to the one pointing to the odd location near Perstorp and sure enough:

JO66RD (Hörby)
JO66QD (Perstorp)
JO99AH (Stockholm)

The Stockholm location of his home was very different but the Hörby one differed with just one single character. That solved the mystery for me. Had this been a criminal investigation or some serious research done by an honest journalist, it would have been just a lead to follow. But I felt no need to check any further. This was just a fun little “mind game” that took 15 minutes and proved that you don’t have to go to great lengths to solve a “mystery”.
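To make the “one character off” reasoning concrete, here is how a six-character Maidenhead locator is built from a latitude and longitude and how coarse each cell is. This is an added example in Python and not code from the post or from HamCall Net. The three locators JO66RD, JO66QD and JO99AH are the ones quoted above; the coordinates fed in are approximate town-centre values I chose for the illustration (Stockholm 59.33N 18.07E, Perstorp 56.13N 13.39E) and are not the registered QTH data from the story. It goes a little beyond the story by also decoding a locator back to the centre of its cell and computing the cell size, which is what makes a single wrong letter move a station several kilometres.

```python
import math

LAT_SPAN = {4: 1.0, 6: 1.0 / 24}       # degrees of latitude covered by one cell
LON_SPAN = {4: 2.0, 6: 2.0 / 24}       # degrees of longitude covered by one cell


def to_maidenhead(lat, lon):
    """Encode a latitude/longitude (decimal degrees) as a 6-character locator."""
    if not (-90.0 <= lat < 90.0 and -180.0 <= lon < 180.0):
        raise ValueError("coordinates out of range")
    lon += 180.0                        # fields count from the antimeridian
    lat += 90.0                         # and from the south pole
    field = chr(ord("A") + int(lon // 20)) + chr(ord("A") + int(lat // 10))
    square = str(int((lon % 20) // 2)) + str(int((lat % 10) // 1))
    # Subsquares are 5 minutes of longitude and 2.5 minutes of latitude wide.
    sub = chr(ord("A") + int((lon % 2) * 12)) + chr(ord("A") + int((lat % 1) * 24))
    return field + square + sub


def from_maidenhead(loc):
    """Decode a 4- or 6-character locator to (lat, lon) of the cell centre plus
    the cell extent (lat_span, lon_span) in degrees."""
    loc = loc.upper()
    if len(loc) not in (4, 6):
        raise ValueError("expected 4 or 6 characters")
    lon = (ord(loc[0]) - ord("A")) * 20.0 - 180.0 + int(loc[2]) * 2.0
    lat = (ord(loc[1]) - ord("A")) * 10.0 - 90.0 + int(loc[3]) * 1.0
    if len(loc) == 6:
        lon += (ord(loc[4]) - ord("A")) * LON_SPAN[6]
        lat += (ord(loc[5]) - ord("A")) * LAT_SPAN[6]
    lat_span, lon_span = LAT_SPAN[len(loc)], LON_SPAN[len(loc)]
    return lat + lat_span / 2, lon + lon_span / 2, lat_span, lon_span


def cell_size_km(lat_center, lat_span, lon_span):
    """Approximate north-south and east-west size of a cell in kilometres,
    using 111.32 km per degree and shrinking longitude by cos(latitude)."""
    ns = lat_span * 111.32
    ew = lon_span * 111.32 * math.cos(math.radians(lat_center))
    return ns, ew


def differing_positions(a, b):
    """Indices where two locators of equal length differ (0-based)."""
    if len(a) != len(b):
        raise ValueError("locators must have the same length")
    return [i for i, (x, y) in enumerate(zip(a.upper(), b.upper())) if x != y]


if __name__ == "__main__":
    # Constructed approximate coordinates, not the registered QTH from the story.
    print("Stockholm ->", to_maidenhead(59.33, 18.07))     # JO99AH
    print("Perstorp  ->", to_maidenhead(56.13, 13.39))     # JO66QD
    lat, lon, lat_span, lon_span = from_maidenhead("JO66QD")
    ns, ew = cell_size_km(lat, lat_span, lon_span)
    print(f"JO66QD centre {lat:.4f}N {lon:.4f}E, cell {ns:.1f} x {ew:.1f} km")
    print("JO66RD vs JO66QD differ at:", differing_positions("JO66RD", "JO66QD"))
```

A six-character cell near 56°N is roughly 4.6 km north-south by 5.2 km east-west, so a typo in the fifth character moves the station one cell sideways while leaving the other five characters, and the plausibility of the region, intact.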

There are a few lessons to be learnt here:

1) Get the setting.
I knew that we were talking about broadcasting locations, so antennas had to be involved. And antennas are generally located where a person works or lives. You can’t just put an antenna up on any building and expect it to not be taken down.

2) Get the information – but not all of it
If you collect enough information, you get a haystack that may or may not contain a needle. Ask yourself if the information HELPS your investigation or not. Be ready to go back to the sources if you end up in a dead end. When you work with computers it means: please SAVE the logs and data to a secure location. Logs often get overwritten over time and data changes.

3) Have a problem? - take a break
Your brain gets locked in a rut after a while. When you just can’t seem to solve a problem, taking a break for a few minutes, hours or for a day gives you new insights. Remember to avoid thinking about the problem during the break.

4) Talk to others
It was my mother that gave me the final piece of the puzzle. Had she not told me that he had worked at the Hörby transmitter, I would probably have been unsuccessful in finding the explanation for the weird location.

5) Put yourself in their position
I envisioned someone typing the information into a computer after reading it from a piece of paper. One small typo or unclear handwriting is all you need to get it wrong. But I didn’t expect more than one or two incorrect characters, and I was right.

There is more than this to troubleshooting. As a matter of fact, I’ve mostly covered the information gathering/investigation phase of the troubleshooting process. But still, it matters a lot how you get and analyze information.

Good luck! SA0BTZ signing off...

Tags: HAM Radio, troubleshooting
Posted 2011-05-18 by Erik Zalitis, changed 2011-05-18 by Erik Zalitis

(2011-05-02) rm -r -f /bin/laden


What happens now?

Tags: Politics
Posted 2011-05-02 by Erik Zalitis, changed 2011-05-02 by Erik Zalitis

(2011-04-26) How to read a Microsoft security bulletin

If you read security bulletins, you’ll probably come across a number of terms that everyone just accepts. But how many of them do you really know? I’ve compiled the explanations from some of my other texts to give you a brief rundown of what you must understand when you read a Microsoft Security bulletin.
One bulletin may describe a fix for many vulnerabilities.

Maximum Security Impact

This category tells you what is the worst thing an attacker may be able to do to a vulnerable system.

“Denial of service”
An attack that causes a system to fail, stop responding or to slow down to a crawl is known as a “denial of service attack”. The most common way to perform this type of attack is to overwhelm the system with a large amount of repeated requests. A vulnerability that allows an attacker to take a whole system or service down by sending a few malformed requests is said to have “Denial of service” as its “Maximum Security Impact”.

“Elevation of privilege”
This category contains vulnerabilities which can be used to give an attacker more privileges and permissions on a system. The most common way this happens is when an attacker starts out as anonymous (not authenticated) and then uses an exploit to make himself an administrator. This is sometimes known as “rooting” a system after the Unix super user known as “root”. This category of attack can sometimes also be used to impersonate another user.

“Remote Code Execution”
A vulnerability that allows users to run a program or script on a system when they’re not logged in to it on the console is known as a “Remote Code Execution” vulnerability.

“Information Disclosure”
Some vulnerabilities allow you to retrieve information that you normally shouldn’t be allowed to get. An example could be when you can read the contents of an ASP script or read files that require permissions you do not have.

Microsoft Exploitability Index

As all of you know, Microsoft rates their vulnerabilities on a scale ranging from low to critical. They call this the "Maximum Severity Rating". But it's far less common knowledge that they also have an "Exploitability Index" rating on every bulletin.

An example:

"MS09-036
Vulnerability in ASP.NET in Microsoft Windows Could Allow Denial of Service (970957)
CVE-2009-1536
3 - Functioning exploit code unlikely
A denial-of-service tool is likely. However, functioning exploit code for remote code execution is unlikely."

The Exploitability index for this vulnerability is 3, which is the lowest rating.

- A rating of 3 means the exploit code is unlikely to work. It may cause an effect, but it will probably not work well enough to allow for something like remote code execution. Example: if the exploit only works 1 time out of 100 when you attack a system, it is not considered a stable exploit.

- A rating of 2 means that the exploit code works but will not be successful often enough to be considered stable.

- A rating of 1 means that the exploit code will work repeatedly.
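The practical use of the two ratings together is patch prioritization: a bulletin with index 1 and “Remote Code Execution” as its maximum impact goes first, one with index 3 and “Denial of Service” can wait for the normal maintenance window. The following is an added example in Python, not a Microsoft tool or code from this post. It parses the bulletin excerpt quoted above plus one constructed placeholder entry (its bulletin ID, KB number and CVE are deliberately not real) and orders them. The impact weights are my assumption for the example, not a Microsoft definition.

```python
import re

# The first entry is the excerpt quoted in the post. The second is a constructed
# placeholder (IDs and KB number deliberately not real) used to show the ranking.
BULLETIN_TEXT = """\
MS09-036
Vulnerability in ASP.NET in Microsoft Windows Could Allow Denial of Service (970957)
CVE-2009-1536
3 - Functioning exploit code unlikely
A denial-of-service tool is likely. However, functioning exploit code for remote code execution is unlikely.

MSXX-XXX
Placeholder Vulnerability in Example Component Could Allow Remote Code Execution (0000000)
CVE-XXXX-XXXX
1 - Exploit code expected to work repeatedly
Placeholder assessment text for the constructed entry.
"""

# One entry = bulletin id, title ending in "(KB number)", CVE, index line, note.
ENTRY_RE = re.compile(
    r"^(?P<id>MS\w{2}-\w{3})\n"
    r"(?P<title>.+) \((?P<kb>\w+)\)\n"
    r"(?P<cve>CVE-[\w-]+)\n"
    r"(?P<index>[123]) - (?P<label>.+)\n"
    r"(?P<note>.+)$",
    re.MULTILINE,
)

# Assumed weights for the four impact categories explained above (higher = worse).
IMPACT_WEIGHT = {
    "Remote Code Execution": 4,
    "Elevation of Privilege": 3,
    "Information Disclosure": 2,
    "Denial of Service": 1,
}


def parse_bulletins(text):
    """Turn the plain-text excerpt into a list of dicts with a numeric index
    and the impact category taken from the title's 'Could Allow ...' phrase."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        e = m.groupdict()
        e["index"] = int(e["index"])
        impact = re.search(r"Could Allow (.+)$", e["title"])
        e["impact"] = impact.group(1) if impact else "Unknown"
        entries.append(e)
    return entries


def patch_order(entries):
    """Most urgent first: lowest exploitability index, then heaviest impact."""
    return [
        e["id"]
        for e in sorted(entries, key=lambda e: (e["index"], -IMPACT_WEIGHT.get(e["impact"], 0)))
    ]


if __name__ == "__main__":
    parsed = parse_bulletins(BULLETIN_TEXT)
    for e in parsed:
        print(f"{e['id']}: index {e['index']}, impact {e['impact']}, {e['cve']}, KB{e['kb']}")
    print("patch in this order:", patch_order(parsed))
```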

Here’s the official guide to software updates from Microsoft:
http://support.microsoft.com/kb/824684/en-us

Tags: Microsoft Security bulletins, IT-Security
Posted 2011-04-26 by Erik Zalitis, changed 2011-04-26 by Erik Zalitis

(2011-02-12) Night time photography



This is Brännkyrka upper secondary school in southern Stockholm and I'm quite satisfied with how this picture came out. I've not applied any processing except cropping. The photo was shot at night.

For some reason it looks somewhat blurry when scaled down to 400 pixels. Sorry about that.

Camera Model Canon EOS DIGITAL REBEL XS
Shooting Date/Time 2011-01-20 23:22:25
Shooting Mode Manual Exposure
Tv( Shutter Speed ) 30
Av( Aperture Value ) 8.0
Metering Mode Evaluative Metering
ISO Speed 100
Lens EF-S18-55mm f/3.5-5.6 IS
Focal Length 55.0mm

Tags: Photography
Posted 2011-02-12 by Erik Zalitis, changed 2011-02-12 by Erik Zalitis

(2011-02-12) One photo - many stories



Two days ago, Stockholm was caught in a snowstorm and went from "spring will soon be here" to "winter wonderland". People trying to go anywhere didn't think it was so wonderful, though. But that's not the story here. At about 11pm I looked out my kitchen window and felt that this was pretty as a picture. Having returned to my long lost hobby of photography, I could not resist bringing out my new camera. The picture above is the result.

I have not tried to do any processing except cropping and it's all for a good reason. What you see above is a picture taken in the dark night with a very long exposure time. The shutter had to be open for 30 seconds to produce visible light from the darkness of the night.

Using this picture as a template, let's see how small adjustments make so much difference.



The only thing I did here was desaturating the picture, which made it black and white. It looks a bit underexposed, but my point is not to make more than one correction at a time, so it's not that I forgot to brighten it. Black and white photos are often very expressive. When I look at such a picture it feels "cleaner" and more distinct to me. I believe it's a psychological thing. It also feels sharper and more "artsy". As a bonus, I don't have to think about color correction. :)



Here I have tried to correct the white balance and give it a bit of warmth. Given that I don't have much in the way of good digital processing software yet, I wasn't able to make it work as well as I wanted. I'm not too happy about how it turned out.



Is it day already? If you only saw this picture, you would have had no way of knowing it was taken at night. And I've taken the liberty to brighten it a bit as well.

Conclusion
Ok, I know full well that I haven't done enough digital processing on those pictures, but my point was to show how different the same photo can look with just some minor adjustments. The original picture is at 10.1 Megapixel and has been scaled down for the web.

Here are the stats for the original picture if you're interested:

Camera Model Canon EOS DIGITAL REBEL XS
Shooting Date/Time 2011-02-10 22:57:49
Shooting Mode Program AE
Tv( Shutter Speed ) 30
Av( Aperture Value ) 5.0
Metering Mode Evaluative Metering
Exposure Compensation 0
ISO Speed 100
Lens EF-S18-55mm f/3.5-5.6 IS
Focal Length 18.0mm
Image Size 3888x2592
Image Quality RAW
Flash Off
White Balance Mode Auto
AF Mode One-Shot AF
Picture Style Standard
Sharpness 3
Contrast 0
Saturation 0
Color tone 0
Color Space sRGB
Long exposure noise reduction 0:Off
High ISO speed noise reduction 0:Off
File Size 9358KB
Dust Delete Data No
Drive Mode Continuous shooting


Tags: Photography
Posted 2011-02-12 by Erik Zalitis, changed 2011-02-12 by Erik Zalitis

(2011-02-09) It's a server, damn it...

... and not a clown car!


(Picture above) Let's hope this is not the desktop of your public web server.

This post relates mostly to Microsoft Windows, but the general topic of this discussion should be valid for most operating systems.

The days of Nimda, Blaster and Sasser are long gone and good riddance to them. Don’t get me wrong, there have been many worm attacks since and there will be more of them in the future. It’s just that worms spreading from system to system have joined the back of the queue. Old system administrators like me fondly (not really) remember running with CD-roms trying to disinfect PCs after pulling the plug on the network. Last time I had to do that was somewhere around 2002 or maybe it was 2003.

A few years later I was dumbfounded when vulnerabilities came out that could be used by worms and no wide-spread attacks ever appeared. If you take a look at the exploits being used on the Internet you might see a pattern emerging: more and more of the attacks mix types. That is, they use more than one attack vector and often combine different kinds of exploits. The reason is probably two-fold: better security defaults on servers and the need of a flexible approach to circumvent security. The first one is simply that products are better secured out of the box with less attack surface. Most operating systems either firewall listening ports or don’t have any open ports when installed. Services are better secured out of the box as well. The mixed approach simply means that “modern” attack code exploits vulnerabilities in conjunction with other vulnerabilities and also tries to avoid the most obvious network attacks. An all out “scan and attack everything you see on the network” is likely to be thwarted by firewalls on the hosts and intrusion detection systems. Remember the download.ject attack? It exploited a vulnerability in Microsoft IIS to plant exploit code that attacked any unpatched clients surfing to the infected web server. That was frightening back in 2004. 1] But today that’s a pretty common way for an exploit to work. By exploit I mean a program that uses one or many vulnerabilities to attack one or many systems. What it does with exploited systems and how it gets there defines what it should be called, but terms like “virus”, “worm”, “backdoor” or “malware” are sometimes too precise. Real exploits have blurred the lines between those terms for a long time now.

But this is really nothing new; those mixed attacks have “evolved” from simple things like worms scanning for open ports to “morphs” that use different approaches to “attack the desktop rather than the system”. The most obvious attack vector nowadays is through a web browser and that has been the truth for many years now. All browsers I know of have had a number of vulnerabilities and the ways most of them use plug-ins aren’t helping either. So long story short: a server that often has people logged on at the console is a more “juicy” target than one that is administered remotely. And don’t think “Remote Desktop” or “Terminal Services” won’t count, they do! Whether you connect to a server with RDP, a shell over SSH or actually sit on the console doesn’t matter that much. There is some confusion with the nomenclature when it comes to logons, so let me sort them out. In Windows, when you log on to the desktop, it counts as an “interactive logon” regardless of whether you do it locally, over remote desktop or over remote desktop in console mode. In contrast: access to a Windows server through, let’s say, a web service counts as a network logon and will not give you a desktop. This is quite a bit of an oversimplification, I know.

Citrix and terminal servers pretty much have to allow interactive logons or they wouldn’t work, but way too often people log on to normal production servers interactively. And it gets worse, many administrators I have known (including me at times) like using the servers as extended desktops.

The solution is easy but painful:
- Don’t allow the server network to access the Internet unless needed. And if so, only to selected sites or services.
- Don’t administer the server from itself on a day-to-day basis. Remote administration is preferable.
- Logout when you’re done.
- Don’t surf to the Internet from any server unless it’s a part of its operation.
- Don’t leave a pile of unorganized scripts and programs strewn all over the server.
- Don’t install software that is meant to be used on a workstation.
- Respect network flow rules and network zones!

Those tips are just meant to foster a more secure approach towards administration of servers. There are many best practices and processes that should be implemented. So in short: treat your server as a workstation and it shall be attacked like a workstation.
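The interactive-versus-network distinction above is exactly what the LogonType field of a Windows logon event (event ID 4624) records, so “who is using production servers as a desktop” is something you can measure from an export of those events rather than guess. The block below is an added example in Python, not a Microsoft tool or code from this post. The event rows are a constructed CSV export (host names, accounts and addresses are made up), and the list of hosts exempted from the check (terminal servers and the like) is an assumption the reader supplies.

```python
import csv
import io
from collections import defaultdict

# Windows logon types as recorded in the LogonType field of event 4624.
LOGON_TYPES = {
    2: "Interactive",          # console
    3: "Network",              # SMB, web service, WMI, ...
    4: "Batch",
    5: "Service",
    7: "Unlock",
    8: "NetworkCleartext",
    9: "NewCredentials",       # runas /netonly
    10: "RemoteInteractive",   # RDP / Terminal Services
    11: "CachedInteractive",
}

# Logon types that put a desktop in front of the user: console, RDP, cached.
DESKTOP_TYPES = {2, 10, 11}

# Constructed CSV export of a few 4624 events (not from a real domain).
SAMPLE_EVENTS = """\
TimeCreated,Computer,TargetUserName,LogonType,IpAddress
2011-02-09T08:01:10,WEB01,svc-web,5,-
2011-02-09T08:15:42,WEB01,erik,10,10.0.0.25
2011-02-09T08:16:03,WEB01,erik,3,10.0.0.25
2011-02-09T09:02:11,SQL01,erik,2,-
2011-02-09T09:30:00,WEB01,IUSR,3,192.0.2.44
2011-02-09T10:00:00,TS01,anna,10,10.0.0.31
"""


def parse_events(text):
    """Read the CSV export; LogonType becomes an int, other fields stay strings."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["LogonType"] = int(row["LogonType"])
        events.append(row)
    return events


def desktop_logons(events, exempt_hosts=frozenset()):
    """Desktop (interactive) logons on hosts that are not supposed to serve
    desktops. Put Citrix and terminal servers in exempt_hosts."""
    return [
        (ev["TimeCreated"], ev["Computer"], ev["TargetUserName"], LOGON_TYPES[ev["LogonType"]])
        for ev in events
        if ev["LogonType"] in DESKTOP_TYPES and ev["Computer"] not in exempt_hosts
    ]


def summarize(events):
    """Per host: how many logons gave someone a desktop versus everything else."""
    counts = defaultdict(lambda: {"desktop": 0, "other": 0})
    for ev in events:
        kind = "desktop" if ev["LogonType"] in DESKTOP_TYPES else "other"
        counts[ev["Computer"]][kind] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for hit in desktop_logons(evs, exempt_hosts={"TS01"}):   # TS01 is assumed to be a terminal server
        print("desktop logon on a production server:", hit)
    print(summarize(evs))
```

Run against a real export, the interesting output is the list of production hosts where the same admin account shows up with type 2 or 10 day after day; that is the “extended desktop” habit the post describes, and the first thing to change.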

1] http://en.wikipedia.org/wiki/Download.ject

Tags: Security best practise, Windows security
Posted 2011-02-09 by Erik Zalitis, changed 2011-02-09 by Erik Zalitis
