Using Statistical Analysis to Create Intrusion Detection

Professor Avishai Wool presents a system that protects GNU/Linux machines from intrusion and malicious program code by using statistical analysis and policy files that define a program’s normal behavior; if the program deviates from that behavior, the system stops it.

Since the analysis is hooked into the standard GNU/Linux build tools and derives the policy from the source code, the system is said to guarantee zero false positives. A system of this type is cited as being able to protect against threats long before traditional antivirus solutions have categorized them, and with far less penalty to system performance.

Here’s a list of links for further reading:

Mounting devices with UUID identifiers instead of using /dev paths

I don’t know why, but from time to time drives are assigned other “/dev” paths on my Ubuntu 6.10 LTS GNU/Linux server. I think a removable USB drive might have something to do with it…

However, when that happens it is a complete pain in the a$$, because if the drive is relocated the system cannot find it, and if it is mentioned in /etc/fstab the system reasons (justly so, I might add) that if it can’t find the drive it should pull the emergency brake and jump into a rescue prompt (where mostly everything is disabled), letting the user (that’s me) deal with the problem.

I usually press CTRL-D, exiting the shell and getting back to the boot process, praying that no vital drive was lost. (I’m not really a guru, just a poor guy trying to make life a little easier.)

For some reason (touch wood!) the drives with the boot image or with system-specific things on them have never been moved around this way. Usually it’s the USB drive itself (when I still had it in the fstab) that has moved (I’ll get back to how to make it auto-mount in a later post) or, in this latest case, one of the back-up drives.

However, there’s a solution. If you run GNU/Linux you might have seen it in your fstab file: the use of a UUID to mount instead of the regular /dev/something. My desktop computer’s fstab looks like this:

# /etc/fstab: static file system information.
#
# <file system> <mount point>   <type>  <options> <dump>  <pass>
proc            /proc           proc    defaults  0       0
# /dev/sda1
UUID=e1f37856-6cfd-43f9-bea0-d4c2e43afe29 /     reiserfs notail,relatime 0  1
# /dev/sda6
UUID=64549135-a478-4aef-bb2a-da37d245dd9c /home reiserfs relatime        0  2

From this rather confusing array of characters (I had to shrink the spaces in order to fit it on the site) you can determine that there are three devices mounted at start up (proc, sda1 and sda6; I’ve got even more, but the exact number of devices is not interesting for this discussion).

The proc device always resides at the file system “proc”, and it does not have nor need a UUID. However, the sda1 and sda6 devices are regular hard drives (formatted with reiserfs) and they can change designation, for instance if I start rearranging my SATA cables or start a USB drive in a USB slot with a lower ID than those of my sda drives (I’m guessing on that one, but I’ve seen it on my server so…). These are therefore interesting to mount not by their dev names but by their UUIDs. The UUID is stored on the drive itself and it won’t change unless the drive is reformatted. The drive can be moved, turned off, turned on; it will still have the same UUID.

So, using UUIDs is a good idea when I want to create my new, drives-moving-around-proofed server configuration. The first step is to determine what UUID the drives have. This is done with the following command:

sudo vol_id -u /dev/something

I had problems finding “vol_id”. It was not in the PATH, and could therefore not be run like above. I did a locate (locate vol_id) and found it in “/lib/udev”, so I prepended that path to my command. I’ve also yet to determine how to get the UUID from a swap partition, but for now I’m happy to have the offending drives on UUID and hope the swap won’t move (perhaps with the extra 2GB of memory I also stashed in, it will need the swap even less, but anyway)…

You won’t be able to determine the UUID of any drive part of a software raid configuration (but then again, the software raid is able to do its own magic locating of drives regardless of their sd-number — trust me, I’ve done that as well — so they won’t need a UUID anyway — wouldn’t surprise me if raid uses the same scheme behind the scene though)

Let’s look at the changes I did in my fstab file (always make backups before you start messing with this file! If you fail to set it up correctly your system will probably not start at all so have a live-cd handy before trying to do this!):

/etc/fstab before I changed it (just a part of it)

# /etc/fstab: static file system information.
#
# <file system> <mount point>    <type>   <options>           <dump>  <pass>
proc            /proc            proc     defaults            0       0
/dev/sdc1       /                reiserfs notail,user_xattr   0       1
/dev/sdc5       /home            reiserfs defaults,user_xattr 0       2

As you can see the situation is not as clear on this machine as it was on my desktop machine. Here sdc is the main system drive and that alone is a, well not a worrisome problem, but a slight discomfort… sdc never moved around, but being that I have a bunch (8 or 9) sata-cables in a large but far-from-large-enough case I’m bound to switch them around one day or another…

Anyway, using the above vol_id command to get the UUIDs of the drives, I’ve updated my fstab to look like this (still only partial fstab but you get the idea):

# /etc/fstab: static file system information.
#
# <file system> <mount point>    <type>   <options>           <dump>  <pass>
proc            /proc            proc     defaults            0       0
#/dev/sdc1
UUID=716cf691-dabd-4894-8e46-bc02b4c092b4 /     reiserfs notail,user_xattr   0  1
#/dev/sdc5
UUID=9587a32e-ebb2-45ab-9e68-7a66cf43d6b4 /home reiserfs defaults,user_xattr 0  2

Unfortunately I have the same problem as above: the lines won’t fit in the editor (or on the site) if I tabulate them correctly, but hopefully you’ll still be able to connect the dots. Every run of whitespace (spaces or tabs) in the file counts as a field separator. I’ve commented out the “/dev/sdc…” section, added a line feed and replaced it with the “UUID=…” section, and then left the rest of the line intact.

This makes sense since I’ve replaced one identifier (“/dev/sdc…”) with another (“UUID=…”). So, after the original “dev” version of the file has been safely backed up and the entries in the new “/etc/fstab” have been checked and double checked, it’s time to restart and pray this will actually work. :O

Here’s a few links you might want to check out before you give it a try:

Good luck!

Update: If, however, you’re using LVM, you’ll get stable device names and you should mount these instead. If you use LVM-snapshots you’re going to get two or more volumes with the same UUID, and in that case you should absolutely not use UUID mounting.
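The conversion described above (comment out the “/dev/…” entry, add a “UUID=…” line with the rest of the fields intact) and the duplicate-UUID caveat from the update can both be scripted. The following is an added example, not code from the original post: the fstab text and the device-to-UUID map are constructed sample data, and the lookup_uuid function stands in for a real call to vol_id or blkid. Entries it cannot resolve (here the /dev/md0 RAID device, as the post notes) are left untouched, and find_duplicate_uuids flags the case where two volumes share one UUID, which is exactly when UUID mounting must not be used.

```shell
#!/bin/sh
# Added example (not the post's own code): rewrite /dev/... fstab entries as UUID= entries.

# Constructed sample fstab, modelled on the post's layout (not the author's real file).
SAMPLE_FSTAB='proc            /proc            proc     defaults            0       0
/dev/sdc1       /                reiserfs notail,user_xattr   0       1
/dev/sdc5       /home            reiserfs defaults,user_xattr 0       2
/dev/md0        /srv             ext3     defaults            0       2'

# Constructed device -> UUID map. On a real system this function would run
# `/lib/udev/vol_id -u "$1"` (as in the post) or `blkid -s UUID -o value "$1"`.
lookup_uuid() {
    case "$1" in
        /dev/sdc1) echo 716cf691-dabd-4894-8e46-bc02b4c092b4 ;;
        /dev/sdc5) echo 9587a32e-ebb2-45ab-9e68-7a66cf43d6b4 ;;
        *) return 1 ;;   # unknown device (e.g. software RAID member): no UUID
    esac
}

# uuidize_fstab: read fstab text on stdin, write the converted text on stdout.
# Lines starting with /dev/ whose UUID is known become two lines:
#   #/dev/old-name
#   UUID=<uuid> <rest of the original fields, whitespace preserved>
# Everything else (comments, proc, unresolvable devices) is passed through unchanged.
uuidize_fstab() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            /dev/*)
                set -- $line                  # word-split on whitespace: $1 is the device
                dev=$1
                rest=${line#"$dev"}           # keep the original separators and fields
                if uuid=$(lookup_uuid "$dev"); then
                    printf '#%s\n' "$dev"
                    printf 'UUID=%s%s\n' "$uuid" "$rest"
                else
                    printf '%s\n' "$line"
                fi
                ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}

# Constructed "device uuid" listing, the shape you would get from blkid.
# The snapshot volume shares its origin's UUID, as the post's update warns.
SAMPLE_BLKID='/dev/sdc1 716cf691-dabd-4894-8e46-bc02b4c092b4
/dev/mapper/vg0-root 0c1d2e3f-aaaa-bbbb-cccc-000000000001
/dev/mapper/vg0-root_snap 0c1d2e3f-aaaa-bbbb-cccc-000000000001'

# find_duplicate_uuids: read "device uuid" lines on stdin, print each UUID that
# appears more than once. Any UUID printed here is unsafe to put in fstab.
find_duplicate_uuids() {
    awk '{ count[$2]++ } END { for (u in count) if (count[u] > 1) print u }'
}

# Stand-alone run: show the converted fstab and any ambiguous UUIDs.
printf '%s\n' "$SAMPLE_FSTAB" | uuidize_fstab
printf '%s\n' "$SAMPLE_BLKID" | find_duplicate_uuids
```

To use it for real, replace lookup_uuid with a call to vol_id or blkid, feed it your backed-up /etc/fstab, and write the output to a new file that you compare against the original before installing it; a duplicate reported by find_duplicate_uuids means that entry should stay on its LVM device name.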

Four Still lifes

A couple of years ago, when I had just purchased my Nikon D50, I snapped off a number of “still life” like pictures. These are the sometimes unusual things you just happen to have lying around in an otherwise rather uninteresting apartment.

Still life 1: Pile of laundry

This is obviously one of the first things I snapped a picture of. After looking at the picture closer I realized it was a rather nice picture, selection of subject excluded. Anyway, as far as I’ve been able to determine there’s no underwear on the picture, and no insanely dusty socks, so I hope it’s at least PG-13 😀

The thing I like about this picture is that the object in the center, the pile of clothes, actually adds a kind of calm against the rather detailed background. It feels kind of backwards, and perhaps it is.

Still life 2: Knick-knacks

This is a bunch of knick-knacks lying around on my desk. Among other things you might notice a burnable CD box, a can of 5-56 universal oil and an ear cleaner rubber thingy. I’m especially proud of the bizarre factor that one adds. To my defense I might add that I used it to dust off my computer… you squeeze it and it blows air…

The ear thing sits atop an ancient letter scale, a bit crooked from being in my possession. I inherited it from grandpa who got it sometime in the fifties…

Still life 3: Bookshelf

This is one of my favorite pictures. A classic book picture, true but still… it has a kind of uneven, haphazardly-piled impression to it that I really like.

What you probably don’t know is that this is my unread-books “pile” or part of it anyway. The thing you can’t see on this picture is that all the books are quite dusty…

Too much work makes Hoakzie a dull boy!

Still life 4: Fruits

Okay, I confess: I’m a sucker for the classics. The only extenuating circumstance would be that there’s no banana or pineapple in there. And that the “cloth” in the “basket” is in fact a dish towel mom gave me when I moved away from home…

Electronic Arts’ Spore sued because of its DRM

Electronic Arts’ game Spore was on September 22nd hit by a class action lawsuit because of its DRM (Digital Restrictions/Rights Management). Or actually because the DRM was secretly installed and could not be uninstalled.

However, I am fairly certain the lawsuit won’t fly. EA told those buyers there was DRM involved, and they have since then provided an uninstaller for the DRM.

I think we, consumers, should stop buying games with DRM, and instead protest against the use of DRM. If we don’t we’ll end up in a world where all the software we run is for hire and nothing, not even the contents of our own hard drives, is our property. That would be a bit like hosting a virus or a parasite… unwanted, unpleasant and uncalled for.

Here’s some other reports:

http://hothardware.com/News/Spores-DRM–ClassAction-Lawsuit-for-EA/

http://www.techradar.com/news/gaming/ea-faces-class-action-lawsuit-over-spore-drm-470850

http://www.1up.com/do/newsStory?cId=3170131

http://www.crunchgear.com/2008/09/25/ea-facing-class-action-lawsuit-over-spore-drm/

Earth Overshoot Day

Oops! We used up the last resources of our planet yesterday… Should I be worried since it was my birthday? :O (Or perhaps I have completely other reasons for concern?)

http://www.ameinfo.com/169573.html

http://www.worldchanging.com/archives/008701.html

The concept was apparently invented by Global Footprint Network. Here’s a link to their overshoot page: http://www.footprintnetwork.org/gfn_sub.php?content=overshoot

Balking Talkwards

I woke up this morning after having gotten about 5 hours of sleep, however, I’ve snoozed wildly for about two hours so I was in fact in real trouble. Crawling to the edge of the bed and forcing my legs over the side I happened to look at the clock which simply confirmed my creeping suspicions: I was late beyond repair and then some.

I fell back on the bed on my back moaning. Just as I realized I was on my back, and with no snoozed clock at that the thought popped up in my head: “This will bad endly…” (No that’s not a translation or anything, I’ve been known to have my mind invaded by English from time to time.)

Which brings me to the topic of this post: Talking backwards, or as the proper phrase would be, Balking Tackwards (in forgiving circumstances it can be paraphrased to: Balking Talkwards… if that is indeed the purpose of the backtalking…)

Basically what you do is swap consonants, nouns, vowels or even whole words. If there’s only one of them, just switch its place. Don’t let things like word limits stop you; you can take a word like unseemly and turn it into suneemly as easily… Here are a few examples, I am sure you can come up with tons more!

Phrase                | Meaning                   | Variants
----------------------|---------------------------|------------------------
Bad endly             | End badly                 | Bend Adly
Stackbabbing hassole  | Backstabbing asshole      | Ass-stabbing Backhole 😀
Earl Startly          | Start early               | Tart Searly
Heal a voter icicle   | Steal a motor vehicle     |

(no this isn’t really talking backwards… or is it? And I can’t see it entering gangsta rap any time soon either :o)

Even though the baby-talk factor is pretty high, the purpose, if an exercise like this one needs a purpose, is to have fun until something like balking talkwards, or badding endly comes up.

One warning, however. Don’t do this if you are over 65. They might come and take you to the doctor and/or a home if you talk like this… (I’m looking forward to it myself…)

Disassociating .EXE-files

Windows doesn’t work as it used to after I associated the .exe extension to putty.exe…

I am clumsy. I can only confess. But I still think what I did should not be possible to do. I mean, it’s not like having a foundation is optional when building a house… why should running exe-files as executables be an option?

Okay, this is what I did: I have an exe file (putty.exe) sitting on my Windows start menu (oh, did I forget to mention this was a problem in Windows? Sorry…). However, I happened to move the folder where this file was located. Not so good perhaps, because now, of course, the link to putty fails.

So, I right clicked it and selected Properties, trying to figure out if there was a way to redirect the link. There was… kind of… there was the “Open With” button. I thought, hey, that could be it, let’s try it and see what happens. So I clicked it, opened it and selected putty.exe. It didn’t work.

Or, well. Windows did what it thought I wanted it to do. The dialog I’d quickly scanned before selecting a file was the dialog for reassociating the .exe extension… with putty.exe. This, however, was not to Windows’ liking, so now whenever I click an exe I get the dialog shown here to the left.

It would have been really bad if I hadn’t done one good thing that day. I installed cygwin… and weehoo… windows programs can be started from cygwin. Phew! I can tell IT-support the problem is solved… almost!

At least one good thing: the problem is rather easily solved. Let’s see if I can remember the steps the rather stressed-out support technician went through. Open “My Computer”, select “View” in the menu and go to associations in the dialog. What we want to do is restore the “Application” association. (There are a number of other “Application” associations but we never touched them… and if they haven’t been changed, don’t touch them, and if they have, I’ve no clue what extension they should have, so… don’t touch them…)

Since this is a “built-in” association it won’t be in the list of associations; we have to create it again (?!). Click “New” and in the new dialog enter “EXE” as the extension and from the drop-down select “Application”. Don’t push any buttons! Without having to push any buttons, but with the kind mercy of the Gods of Windows, a message that the “EXE association has been changed” will appear along with a button to reset it to the default settings. Push the “reset” button.

And this, good folks, is how my problem was solved. I came across a few “regedit hacks” but I wouldn’t recommend them unless this solution doesn’t work. Also, make sure to reboot after you’ve reset the association, because for me assorted things like remote desktop links and such started to get broken after a while. (Don’t ask. I have no clue why!)

Good luck and don’t experiment with your computer, naughty! You can break something for real…

Has the Large Hadron Collider destroyed the world yet?

You may have heard of the Large Hadron Collider or perhaps concerns about its safety, and if not you may still have come across this funny web page to test if it has destroyed the world yet.

Check the source for the last one as well, there are a few laughs. Their test to see if the world has ended is:

if (!(typeof worldHasEnded == "undefined")) {
    document.write("YUP.");
} else {
    document.write("NOPE.");
}

If the undefined variable worldHasEnded is not “undefined” then there’s some really spooky stuff going on… like the end of the world… otherwise we’re all safe and sound. In the same spirit I’m offering a test for world destruction for Java (and possibly C++ and other object oriented languages as well):

System.out.print("Has the Large Hadron Collider destroyed the world yet? ");
if (this == null) {
    System.out.println("Yes!");
}
else {
    System.out.println("Nope");
}

If the object running this test no longer exists, chances are that neither does the rest of the world…

Of course, we’ll have to wait until sometime in the end of October or beginning of November before they actually start colliding protons… and then perhaps the world will end…

Review: Children of Glory (4/5)

Children of Glory (2006) (IMDB, Amazon), or Szabadság, szerelem, as the original is named, is about Karcsi Szabó (Iván Fenyö), a member of the Hungarian Olympic water polo team. How he meets Viki Falk (Kata Dobó), falls in love with her, gets involved in the 1956 Hungarian revolution against the Soviet Union and finally goes to the Olympics to play the Soviet Union water polo team in what will become known as one of the bloodiest matches in the history of water polo.

You can read the whole review by clicking the below link, but there may be spoilers in that text…

Continue reading Review: Children of Glory (4/5)

Naivized by Linux

I’m all for Linux. Really. I love it, even though it’s from time to time a hate-love. However, I just realized one thing Linux has done to me that isn’t so good when you are forced to work and live in Windowsland.

I’ve become totally naive when it comes to certain aspects of the Windows world.

A couple of weeks ago I was looking for a program to help me keep my local hard drive synchronized (or in fact, backed up) to the network drive. A few factors have made this an issue for me, bad network performance but also the ability to just pick up your laptop and not worry about network connection to mention a few.

Anyway, I browsed around, moderately annoyed, trying to avoid all the $oftware in favor of something simple that could do the job but wouldn’t cost money… just like home in Linuxland, right?

So I came across one really promising piece of software (no need to mention which, since they’re not lone sinners :o), downloaded it, tried it out and thought… hey, this works! It had good integration with the desktop, a clean and simple UI, and simple yet powerful features.

Great. Then today I spoke with a colleague who had been on the same mission and told him this was good software. He was rather surprised, since he had long ago figured out the software was not at all free (even though it’s listed as free software in several places, and they say it is free). The surprise comes after 30 days, when the software stops working for all intents and purposes unless you pay them money.

There’s nothing bad about companies asking for money. After all, I ask for money for working for a company, so the company should ask for money for selling my work, right? However, the serious problem is the lying part of the deal, where software companies say they are delivering free software when in fact they aren’t. In my case it ended up wasting several hours setting up the sync for real, and would have wasted even more time had I been caught unaware when the 30-day trial was up. This lying seems, to me, to be a direct symptom of the software development model used…

There’s no such thing as a free lunch, not even in the Linux world, but there you pay with time, and your apps aren’t programmed to stop working after 30 days. They might stop, because you’ve downloaded beta software, but that’s because someone did not program something, or did not program it right, not because someone did so deliberately.

Anyway, I was baffled, totally unprepared and realized Linux naivized me! Wooh!
