Computers

Satellite

Music: 

New York Dolls - Trash

This should buff right out. My old man's a television repairman, he's got this ultimate set of tools...

Edit: Natalie took another one. There's this mounting plate on a collar attached to the main support. That whole thing is ruined. Also, I like the neighbor's pristine reference implementation in the background.

Simple location aware ssh tunneling for Chrome (Mac)

Music: 

Hall and Oates - Private Eyes (Seriously, it just came on randomly)
and really, just as I finished formatting the stupid script, Big Brother from Humanwine was playing.

This is both a nice toy to have in a Big Brother Is Watching sense, and a glaring example of why one should never log in and use a Mac (or any other system obviously) as an Administrator. Just have a Regular Guy account, and escalate to Administrator/Root when needed. For example, this tool could be inserted by a script to cause all your browsing traffic to route through a proxy server of an attacker's choosing. If you're not running as an Administrator, you can't write the file without escalating. (Example of the risk, though it wouldn't help here, since there is LCE to root...goddammit Apple...)

I had a use case recently where I wanted to have multiple copies of Chromium start in different profiles and with different proxy settings. I'm getting to the point at which I don't think that's really feasible, in that any new instance will assume the proxy settings of any already running instance.

BUT, I did get some cool location aware-ish proxying set up. Since one use case involves laptops, I'd like to see it use a local proxy when I'm home, and a remote proxy when I'm not at home (hosted VPS for instance).

I'm using ssh to set up a SOCKS5 proxy, and push all traffic including DNS through the tunnel, ssh'ing to different hosts based on different local system IPs. I have it checking en0 and en1 and if their IPs match my home subnet, it ssh's to a local system, if they are anything else, it will run against a publicly hosted system to which I can ssh.

Next step is to clean up after itself, so when you run Chromium (or Chrome), it will detect IPs, ssh to the appropriate host, and connect using that tunnel. When Chromium closes, it cleans up the SSH session so it's not just hanging around.

To use - Have a local and remote host you can ssh to using keys, and which allow you to forward. On the Mac, navigate to /Applications/Chromium.app/Contents/MacOS/. Rename Chromium to Chromium-bin. Drop this script in, chmod appropriately, and name it Chromium. Now when the Chromium app is run, it runs our script to set up proxies and launch the browser:


#!/bin/bash
# Wrapper installed as /Applications/Chromium.app/Contents/MacOS/Chromium;
# the real browser binary has been renamed Chromium-bin alongside it.

# First three octets of the IPv4 address on en0 and en1 (empty if the interface has none)
ip0=$(ifconfig en0 | grep -v inet6 | grep inet | awk '{print $2}' | awk -F "." '{print $1"."$2"."$3}')
ip1=$(ifconfig en1 | grep -v inet6 | grep inet | awk '{print $2}' | awk -F "." '{print $1"."$2"."$3}')

# Pick the ssh endpoint: the local box when an active interface sits on the
# home subnet, the public host otherwise. en0 wins if it has an address.
if [ -z "$ip0" ]; then
  if [ "$ip1" = "192.168.30" ]; then
    target=username@192.168.30.241
  else
    target=username@publichost.com
  fi
elif [ "$ip0" = "192.168.30" ]; then
  target=username@192.168.30.241
else
  target=username@publichost.com
fi

# SOCKS5 listener on 127.0.0.1:8181 over ssh: compression, protocol 2, quiet,
# no tty, stdin from /dev/null, no remote command. Remember its pid for cleanup.
ssh -C2qTnN -D 8181 "$target" &
proxypid=$!

# Send everything through the tunnel. The resolver rule maps every name to
# NOTFOUND locally (except 127.0.0.1), so DNS lookups happen on the far end
# of the SOCKS connection instead of leaking to the local resolver.
# Note the redirect: the original had "2>&1 /dev/null", which handed
# /dev/null to Chromium as an argument instead of silencing its output.
/Applications/Chromium.app/Contents/MacOS/Chromium-bin --proxy-server="socks5://127.0.0.1:8181" --host-resolver-rules="MAP * ~NOTFOUND, EXCLUDE 127.0.0.1" --profile-directory=Tunnl >/dev/null 2>&1

# Browser has exited: tear the tunnel down so ssh doesn't hang around
kill "$proxypid"
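The wrapper technique above is exactly the substitution the intro warns about: whoever can write into Chromium.app can make every browser session go through a proxy of their choosing. The check below is an added example, not part of the original post, that tells you whether the file sitting at an app bundle's main executable path is still a native Mach-O binary or has become a "#!" script, and whether your current (hopefully non-admin) account could modify it. The helper names and the sample paths are made up for this example.

```shell
# Added example (not from the post): detect a shell-script wrapper standing in
# for an application binary, and whether the current user could have put it there.
# Helper names are hypothetical.

# Returns 0 when the file starts with "#!", i.e. it is a script, not a native binary
is_shebang_wrapper() {
  [ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ]
}

# Returns 0 when the first four bytes are a Mach-O (either endianness, 32 or 64 bit)
# or universal-binary magic number
is_macho() {
  magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
  case "$magic" in
    feedface|feedfacf|cefaedfe|cffaedfe|cafebabe|bebafeca) return 0 ;;
    *) return 1 ;;
  esac
}

# Prints a verdict for an executable path:
#   macho    native binary, what belongs at .../Contents/MacOS/<Name>
#   wrapper  a #! script sits where the binary should be
#   unknown  neither (missing file, data file, ...)
# A ",writable" suffix means the current user can modify it, which is the
# situation that running day to day as an Administrator creates.
check_app_binary() {
  bin="$1"
  if is_shebang_wrapper "$bin"; then
    verdict=wrapper
  elif is_macho "$bin"; then
    verdict=macho
  else
    verdict=unknown
  fi
  if [ -w "$bin" ]; then
    verdict="$verdict,writable"
  fi
  printf '%s\n' "$verdict"
}

# Usage on a real Mac, against the path the post modifies:
#   check_app_binary /Applications/Chromium.app/Contents/MacOS/Chromium
```

Run it from the regular account: "macho" with no ",writable" is the state you want; "wrapper,writable" is what the procedure above produces, and what an attacker with the same write access would produce too.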

TV Cabinet

Music: 

Curtis Mayfield - Superfly

Last winter we had some of our barn renovated into a new living room. Natalie has gone crazy with the retro look in here, and we just put in the second-to-last piece, a good looking spot for the TV (I'm still nagging her to just drop the hammer on an Eames lounge...).

We had been looking for a while for a '60s hi-fi console, but she found them too big, and they're really not deep enough to fit things like computers and large receivers. My requirements were 18" for the PC to fit comfortably, for instance. At one point I told her to give up on those, and just look for dressers that matched the depth requirement, here's what she found, for $55:

For reasons that aren't entirely clear to me, I decided that Step One was to rip the pressed board back off. We still have it, and it should honestly probably go back on with appropriate holes drilled. I really don't remember what I was thinking.

Anyway, we shimmed the drawer holes so things would fit flat without taking out the drawer track. The goal was to do as little damage to this thing as possible, just in case we want to use it as a dresser, or re-sell it or whatever later. None of those things are going to happen. Here's that interim state:

And a wider view of how it fits in the room:

To cover the holes I had suggested some cool amp grille cloth fabric, but we actually had some pretty good stuff on-hand. It also has the advantage of not having a really tight pattern, so if it's stretched more in parts, you can't tell. The grilles are then held on by cabinet magnets. So the extent of the modification of the dresser is 12 screws to hold the metal plates the magnets stick to:

Done:

I may take some black cloth and add it to the inside, just to block 100% of the LED light when all the room-lights are off, but with the lights on, you can't see anything.

Name your vulns better

Music: 

George Clinton - Yank My Doodle

Drupalgeddon is silly, but at least it gets the point across that something is wrong and you must go fix it right now. Heartbleed, Shellshock, POODLE... not so much. At least we all had a heads-up that "some horrible SSLv3 attack" was coming even if no one knew specifics.

We've had enough this year already. Who wants a do-over on 2014?

GoFlex Headaches

Music: 

click-click-click-bzzzzzzzzzzzz-WHACK

A couple of weeks ago the drive in my GoFlex home finally died. It had had some filesystem corruption earlier this year, so I pretty much knew it was coming. I replaced the drive, and started making rash decisions. All the stupid factory junk software is disabled, but the big change was that I formatted New Drive with EXT3, since they were using NTFS (on Linux) for some unholy reason that I will probably never understand.

Well, now the drive seems not to sleep, and the drive LED blinks continuously. It doesn't vary at all, so I'm not convinced it's activity related, but there's also no LSOF on the machine, so I'm a tiny bit blind. I think a lot of the issue with Old Drive was that I was writing syslog to it from all my local hardware, which prevented it from ever spinning down. I'd like to prevent that with New Drive by sending all my shit to a Raspberry Pi instead (Raspberry Pi runs extremely well off the USB port from the GoFlex, and it also does a great job of running Privoxy).

I'm looking at ps and netstat -pnat output, and don't see anything which should necessarily be slamming the drive. Meanwhile, I need to go find an ARM lsof binary I can drop on this thing.

Post Purchase Comparison Shopping

Music: 

The Ettes - Teeth

This is just what the world needs, another smug mac owner. Since people seemed not to believe I do my homework and continue to offer me platform advice, I went and priced up an HP with the same specs as my new Pro.

All said and done, including stupid $250 for AppleCare, my new machine was $3248, delivered. The HP equivalent, a Z420 Workstation, was $3,707 + $45 shipping. That's for 6 core Xeon, base 6GB of memory (CRUCIAL...), 1TB 7200RPM drive, 1GB ATI card.

So $500 more for a machine with an OS I hate dealing with, sounds like a pretty good bargain. Oh, and it says right on the page that the NIC won't work with Windows 8, so that's pretty swell.

Lenovo would sell me a similar config, with a 4-core 3.30GHz CPU, for only $100 more than my machine; I couldn't get exactly the same 6 core Xeon in the S30 workstations I was looking at.

I think I'll take the bargain Apple product, thanks :-)

Overall though I'm pretty happy. Moving the software-RAID1 set between machines was just "move the drives, they work", which I didn't really expect.

Now, here's a Stack of Macs:

They Don't Make 'Em Like This Anymore

Music: 

Thu, 08/01/2013 - 7:33pm - It's the last of the big V8 Interceptors.

Last of the big V8 Interceptors. I had to grab a new Pro before they decided only to sell those insane coffee magnets with no internal drive bays. Last one lasted 7 good years, here's to another computer in 2020.

Attack me? Attack you.

Music: 

The computer in the top of this security video is infected with malware and is currently attacking Natalie's site. Also it's in Vietnam. There were more exciting things happening earlier, but it never occurred to me to screen grab them. Since that one sucks and is boring, here's another one of the store front. Looks like medical supplies.

I have Mexican security cameras from infected machines too, but it's night there just like it is here, so those feeds are way more boring.

Well that was funny

Music: 

I'm no longer forwarding cookie thieves to Natalie's site. I had been fussing around trying to make IPTables block all the botnet machines, and when that didn't work, I was just using deny rules in Apache, which sucked, because my include file of blocked hosts was 100,000 or so. That's in addition to the default "Block all of China, India, Eastern Europe" rules I apply. It also sucked because I'm still serving pages and so there were tons of ESTABLISHED, FIN_WAIT1/2, etc. connections, most of which were holding open Apache processes, which was crushing my machine.

The reason IPTables wasn't working turned out to be because of the VPS solution used by 1and1. There is a hard limit of 400 rules on the host, and I can't work around that, so I can't use IPTables with huge blacklists, at least, not that I've figured out.

What I'm doing now though is to use the LimitExcept directive to only allow GET requests in the virtual host which does the rewrites for nataliecurtiss.com. So now those fuckers are all just getting 403's or, in some cases, 500's (don't know why that is).

So yeah that was fun. A case has been opened with SquareSpace, since this attack traffic was all really directed at them. And the only logical thing I can think of is that the attackers are trying to guess session cookies of site admins who aren't explicitly logged out of their site admin tools. This would let the attackers exploit any XSS inherent in code generated by SquareSpace, or use the targeted site to infect more end user machines for this botnet.

Still, it's an awful lot of trouble to go to just to get your hands on Natalie's what, 12 legitimate users per month?

Now I just have a zillion connections in TIME_WAIT, but at least my site seems quick, all my services seem to be working at full speed ahead, and I'm going to stop thinking about this shit for a while. I'm not going to bother figuring out why I can't set tcp_tw_reuse to clean up all those TIME_WAITs.

Update:
The 500's are because I didn't set an auth-type for the user to be able to POST. Well, fuck 'em, they get 500's, since I never want anyone to ever do anything but GET, everything else can DIAF.
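Two small log-analysis helpers for the situation in this post, added here as an example and not part of the original: given combined-format Apache access log lines, the first lists which clients are sending anything other than GET, and the second shows what statuses a given method is getting back, so the effect of the LimitExcept block (POSTs turning into 403s and 500s) is visible at a glance. The log lines are constructed for the example, with IPs from documentation ranges; the function names are made up.

```shell
# Added example (not from the post): spot a POST flood and see how the vhost
# answers it, from combined-format access log lines. Sample lines are constructed.

SAMPLE_LOG='198.51.100.7 - - [01/Jul/2013:07:15:02 -0400] "POST / HTTP/1.1" 403 212 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.51.100.7 - - [01/Jul/2013:07:15:02 -0400] "POST / HTTP/1.1" 403 212 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.21 - - [01/Jul/2013:07:15:03 -0400] "POST / HTTP/1.1" 500 611 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.0.2.44 - - [01/Jul/2013:07:15:04 -0400] "GET / HTTP/1.1" 301 233 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4)"
198.51.100.7 - - [01/Jul/2013:07:15:05 -0400] "POST / HTTP/1.1" 403 212 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.0.2.44 - - [01/Jul/2013:07:15:06 -0400] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4)"'

# Reads combined-format lines on stdin; prints "count ip" for every client that
# sent anything other than GET, busiest first. In the combined format the
# request line is field 6 onward, and field 6 is the quoted method.
non_get_by_client() {
  awk '{ method = substr($6, 2); if (method != "GET") c[$1]++ }
       END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Reads the same input; prints "count status" for requests using the given
# method (field 9 is the status code), so you can see POSTs becoming 403/500.
status_histogram() {
  method="$1"
  awk -v m="$method" '{ if (substr($6, 2) == m) s[$9]++ }
       END { for (st in s) print s[st], st }' | sort -rn
}

# Usage against a real log: non_get_by_client < /var/log/apache2/access.log
# Against the constructed sample:
#   printf '%s\n' "$SAMPLE_LOG" | non_get_by_client
#   printf '%s\n' "$SAMPLE_LOG" | status_histogram POST
```

The first list is the one you would feed into a block list; the second is the sanity check that the vhost is really refusing the method rather than, say, redirecting it.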

It's Statistical Outlier Saturday

Music: 

This is an odd Saturday. I got up at 7:15. That's not right. I'm still not supposed to be awake yet.

My site has been having problems this morning, serving pages, running cron, delivering mail... turns out that even though I don't host Natalie's site, I do redirect "nataliecurtiss.com" to "www.nataliecurtiss.com". So far today I've served 252,974 (presumably malicious POST request) redirects to her site. She has had 975,000 page views so far this month. That's also not right.

While looking that over, I checked my flickr stats. 900 flickr views so far today on really odd referrers, like "http://www.flickr.com/photos/xrayspx/with/9093592988/", usually I do around 50-100/day, not that busy.

Right now I'm flipping a quarter until it lands on its edge. Later I'm gonna go buy some lottery tickets.

Update:

Mmmmmm, cookies, hundreds of thousands of cookies:

POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 500
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: nataliecurtiss.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: SS_MID=162751ed-f2cf-4fdd-8b7c-814881282033hiwadjls

3No6hNrnQwi3zWrY/ZWMWh2SJnHKBItrrv+v3wpU3Jd1+I0hy9KM995Po4TM8f+m
4rMZ+hJt9O4MWe5VdHOzMfFmLZsISqrff6cdnnWEIzGWS8szILditQVvkUGdB2kH
B15aLXiROS4ZZ6RZpeMgfUJbzXCwwGL5RBQcaZDKF2VnMtY8A/VnXsTo0OiT9oQ8
Prnijbzg6O9GMr2gT6sNsNCikOjqy073b8z2NbCGUaYog+1qVHgoLOgTNtRM1PFD
8Zxv4qxjHIImJDBUZPbzceycZ1qP79xVkIemkBWTLt1mu8KvuzMty9AzWyhQDi7X
3wa6vfTr4bwcZNq3zm4U8G1CxtyAJiIMVMLhVSUK/6dGELU5o8YIWiDsq6faey7G
blZlukaXQjr5OKNzklqsuL5Pcor2pAOJ7zyB/LP+z/8SttCi+XGemUo3mxdgVPjn
XKj0ArRJCIy0RvngpOabPewOdEtgSFO8Gjs=
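Everything that makes the request above stand out is in its headers: a POST to the site root carrying an opaque 500-byte octet-stream body, an MSIE 6 user agent, and an SS_MID cookie that is a UUID with extra characters glued on the end. The function below, added as an example and not from the original post, reads a request header block and names the indicators it matches; the request text is the one quoted above, the indicator names and the "five out of five" scoring are choices made for this example, and a real deployment would tune them.

```shell
# Added example (not from the post): flag the traits of the captured request.
# CAPTURED_REQUEST is the header block quoted in the post, minus the body.

CAPTURED_REQUEST='POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 500
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: nataliecurtiss.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: SS_MID=162751ed-f2cf-4fdd-8b7c-814881282033hiwadjls'

# Reads a request (start line plus headers) on stdin and prints the name of
# each matching indicator, one per line. Header names match case-insensitively;
# a trailing CR from CRLF input is ignored.
request_indicators() {
  awk '
    { sub(/\r$/, "") }
    NR == 1 { if ($1 == "POST" && $2 == "/") print "post_to_root"; next }
    {
      name = tolower($1); sub(/:$/, "", name)
      value = $0; sub(/^[^:]*:[ \t]*/, "", value)
      if (name == "content-type" && value == "application/octet-stream") print "octet_stream_body"
      if (name == "content-length" && value == "500") print "fixed_length_500"
      if (name == "user-agent" && index(value, "MSIE 6.0") > 0) print "legacy_msie6_ua"
      if (name == "cookie" && match(value, /SS_MID=[^;]*/)) {
        v = substr(value, RSTART + 7, RLENGTH - 7)
        # a textual UUID is exactly 36 characters; anything else has been padded or truncated
        if (length(v) != 36) print "malformed_ss_mid"
      }
    }'
}

# Number of indicators hit (0 to 5); the captured request scores 5
request_score() {
  request_indicators | wc -l | tr -d ' '
}

# Usage:
#   printf '%s\n' "$CAPTURED_REQUEST" | request_indicators
#   printf '%s\n' "$CAPTURED_REQUEST" | request_score
```

A legitimate browser fetching a page scores zero here even when it carries a well-formed SS_MID cookie, which is the point: the cookie itself is not the signal, its shape is.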
