
Monday, December 28, 2009

How to save/restore iptables rules on Ubuntu?


This might be an obvious thing to old Linux-heads out there, but it sure caught me off-guard, so there might be some use in spelling it out:

iptables-save and iptables-restore do not, by themselves, save or load the rules to or from a file: iptables-save writes the current ruleset to standard output and iptables-restore reads one from standard input. You are responsible for redirecting the output of iptables-save to a file and for modifying the interface-up scripts so that the file is loaded before the given interface comes up.

The Ubuntu documentation tells you how (although it was also the source of my confusion). The following commands should be executed as root, so don't forget to sudo su first:

  1. Save your rules in a file: iptables-save >/etc/iptables.rules
  2. Edit your interfaces file (substitute your own favorite editor here): nano /etc/network/interfaces
  3. Add a pre-up command to restore the saved rules. The fully configured file should look similar to this (the pre-up line is the one added):
    auto eth0
    iface eth0 inet dhcp
      pre-up iptables-restore < /etc/iptables.rules
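Step 1 redirects iptables-save into a file and step 3 trusts that file at every boot, so it is worth making sure the dump is complete before ifupdown depends on it. The following is an added example, not code from the original post or from Ubuntu: a shell check that every *table block in an iptables-save dump is closed by a COMMIT line, plus a save wrapper that only replaces /etc/iptables.rules when the dump passes the check. The file path is the one from the post; the sample dumps in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check an iptables-save dump
# before wiring it into a pre-up hook. Assumes the layout from the post
# (/etc/iptables.rules) and standard iptables-save output, in which every table
# starts with a "*name" line and ends with a "COMMIT" line.

# check_rules_file FILE
# Returns 0 when FILE is non-empty and every "*table" block is closed by a
# COMMIT line; returns 1 otherwise. A truncated dump (a full disk during the
# redirect, an editing slip) makes iptables-restore fail, and because ifupdown
# aborts an interface whose pre-up command fails, that can leave the box without
# networking on the next boot.
check_rules_file() {
    file="$1"
    [ -s "$file" ] || return 1
    LC_ALL=C awk '
        /^\*/      { open++; tables++ }
        /^COMMIT$/ { if (open == 0) bad = 1; else open-- }
        END        { if (bad || open != 0 || tables == 0) exit 1; exit 0 }
    ' "$file"
}

# save_rules FILE
# The post's step 1 with the check added: dump the live ruleset to a temporary
# file and only move it over FILE when the dump is well-formed. Must run as
# root, like iptables-save itself.
save_rules() {
    file="$1"
    tmp="$(mktemp "${file}.XXXXXX")" || return 1
    if iptables-save > "$tmp" && check_rules_file "$tmp"; then
        mv "$tmp" "$file"
    else
        rm -f "$tmp"
        echo "iptables-save produced an unusable dump; $file left untouched" >&2
        return 1
    fi
}

# Offline demonstration on constructed dumps (no root and no iptables needed).
demo() {
    t="$(mktemp)"
    printf '*filter\n:INPUT DROP [0:0]\n-A INPUT -i lo -j ACCEPT\nCOMMIT\n' > "$t"
    check_rules_file "$t" && echo "complete dump: OK"
    printf '*filter\n:INPUT DROP [0:0]\n-A INPUT -i lo -j ACCEPT\n' > "$t"
    check_rules_file "$t" || echo "truncated dump (no COMMIT): rejected"
    rm -f "$t"
}
demo
```

Because ifup refuses to bring up an interface whose pre-up command fails, a broken rules file costs you the network, not just the firewall, which is why the wrapper never overwrites a known-good file with a bad dump. Current iptables releases also provide iptables-restore --test, which parses a dump without committing it; the awk check above is only a lightweight structural check that works without iptables installed.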

HTH. And remember - security is a process / mindset, not a state. Always test the configuration changes you've made; don't just assume that everything went OK because you didn't see any error messages.

Saturday, December 26, 2009

How eco-friendly is a BMW?


The short answer is: I don't know :-)

While I was watching National Geographic, I caught a glimpse of the BMW "Efficient Dynamic" advertisement campaign. The claims made by this campaign were quite extraordinary and - being the cynic that I am - I thought: hang on, this sounds too good to be true. The claims as I recall were:

  • BMW reduced fuel consumption by 16%
  • This reduction is more than twice the reduction achieved by the next premium segment competitor
  • This reduction is more than twice the average reduction obtained by the industry

Being an aspiring skeptic I decided to look into these claims, but being the lazy ass that I am, I quickly gave up after making a mental list of what would be involved (finding out what they mean by "premium segment" and who their competitors were, finding a reliable source of data, etc.). So instead I turned to math to see if all these claims can be true at once. In math-talk we have the following data:

  • BMW = 16
  • Let's suppose that we have three competitors A, B and C, with A being the closest to BMW
  • A, B and C are in the interval [0, 100]
  • BMW >= 2*A
  • BMW >= 2 * AVG(BMW, A, B, C)

Then I turned to the OpenOffice Solver which promptly came up with an answer: A=8, B=0, C=0. Starting from this I came up with a more plausible-looking solution: A=7, B=5, C=5.

What does this mean? That - mathematically speaking - the claims made might be true. As always - trust, but verify. These simple mathematical tools are available to everyone and can be used to unmask the more extreme false claims (of course, just because a claim is mathematically possible, it doesn't make it necessarily true). Go search for information. You should find it - since it wants to be free!

Picture taken from maazbot's photostream with permission.

Recouping your data from a hung program


Scenario: you are typing away in your blog editor on Ubuntu doing a (somewhat) Flash-heavy post. You make the mistake of hitting "Preview" and the blogging software hangs. How can you get your post out?

  1. Find the PID of your blogging software
  2. Coredump it (gcore [PID] - this will create a file called core.[PID] in the current directory) - sidenote: interestingly, coredumping doesn't actually kill the application - this makes me wonder about thread safety... What guarantees does gcore make about the consistency of the dumped state? Probably none... This isn't important in this case, since the program is hung for good.
  3. Use a hex editor (GHex for example) and search for a part of the blogpost. You will probably find it multiple times, but you can easily identify one occurrence which has a complete copy.
  4. Copy the blogpost from the hexeditor
  5. Profit!

Hope this saves somebody from retyping their text!

PS. This can be applied to other programs too where the storage format is "human readable" (like text editors - as opposed to spreadsheet editors). Another trick you might try is to search for the string as Unicode (since more international-aware programs might store it as that). While GHex doesn't support this directly, you can manually insert the 00 bytes between the Latin characters. Another option would be to run strings on the coredump file with different --encoding options.
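A scripted version of steps 3 and 4 together with the Unicode trick from the PS, added here as an example (it is not code from the original post): instead of inserting 00 bytes by hand in GHex, the function below searches the dump for a phrase once as-is and once with every NUL byte deleted, which collapses UTF-16LE Latin text into plain ASCII so the same search finds it. It needs only grep, tr and sort, so it does not depend on binutils' strings being installed; the sample "core" the demo builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: pull a lost text fragment out of
# a core dump (or any binary file) by searching for a known phrase both as
# plain ASCII/UTF-8 and as UTF-16LE, the "00 bytes between the Latin
# characters" form described in the PS.

# carve_text FILE PHRASE
# Prints every printable run (up to 200 bytes either side) containing PHRASE,
# de-duplicated. PHRASE is used as an extended regex, so escape metacharacters.
carve_text() {
    file="$1"
    pat="[[:print:]]{0,200}$2[[:print:]]{0,200}"
    {
        # Pass 1: the dump as-is. -a forces text mode on binary input, -o
        # prints only the matched run; the C locale keeps [[:print:]] byte-wise.
        LC_ALL=C grep -a -o -E "$pat" "$file" || true
        # Pass 2: UTF-16LE. Deleting every NUL turns "d\0r\0a\0f\0t\0" into
        # "draft", so the same search works. Non-Latin characters are mangled,
        # which is acceptable when hunting for a mostly-ASCII blog post.
        LC_ALL=C tr -d '\000' < "$file" | LC_ALL=C grep -a -o -E "$pat" || true
    } | sort -u
}

# Offline demonstration on a constructed "core" holding both encodings.
demo() {
    core="$(mktemp)"
    printf '\001\002junk\000\000Hello blog post draft\000\377\376' > "$core"
    printf 'U\000n\000i\000c\000o\000d\000e\000 \000d\000r\000a\000f\000t\000' >> "$core"
    carve_text "$core" draft
    rm -f "$core"
}
demo
```

On a real core.[PID] the first pass does what the GHex search does, and the second pass is the cheap substitute for strings --encoding=l (16-bit little-endian); expect several hits, as the post says, and pick the longest run.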

Friday, December 25, 2009

Congratulations to AV-Comparatives!


AV-Comparatives is an independent, well-known and well respected testing organization in the AV/Anti-Malware field. They recently published two reports and one meta-report:

Go read them if you have questions like "which product is the best for me?". Thank you Andreas for providing a great and impartial service.

PS. One surprising thing for me was the high detection rates in the dynamic test - upward of 90%. This indicates that either I'm too much of a cynic or that their crawler system still has room to improve - I would expect AV products to be around 60-70% effective against new threats.

Don't listen alone!


Do you like Linux? Do you listen to podcasts? If you've answered yes to both of those questions, you should know what LUG Radio is (if not, do a quick check - I promise you that it will be worth it!).

The bad news? They stopped it in 2008. The good news? A documentary titled "Don't listen alone!" - a great title if I may say so - about it just came out! So watch it below (sorry for splitting it up into 10 minute segments, but YouTube limits you to this):

Or go over to Jono's site and watch it from (my problem with is that their delivery method seems to be much less bandwidth friendly - I've got constant "buffering" even on connections where YouTube HQ clips play fine) or download it from You can also read up on how the documentary was created (on Linux!) here.

Finally, if you still miss their voices (as I do), head over to ShotOfJaq or to FLOSS weekly and you will be pleasantly surprised!

PS. Offtopic rant: I'm all for open formats and such, but when - after days of searching! - I can't find a tool which supports the OGV container (or the Theora codec for that matter) properly, I'm tempted to give up on them! On the AVI/XVID/h264 side there is Avidemux for example... Finally I had to re-encode the whole video into AVI/XVID just to be able to chop it into 10 minute segments.



A long overdue "linky" post:

Internet Guide |

Posted: 22 Oct 2009 04:55 AM PDT

Dyn (of DynDNS) is also getting in the internet content filtering business.

About the Fitbit

Posted: 23 Oct 2009 11:10 AM PDT

BorderWare ReputationAuthority

Posted: 23 Oct 2009 12:09 AM PDT

Petabytes on a budget: How to build cheap cloud storage | Backblaze Blog

Posted: 22 Oct 2009 11:25 PM PDT

Sucuri information security (BETA)

Posted: 22 Oct 2009 11:16 PM PDT

Wall Street (1987)

Posted: 22 Oct 2009 11:04 PM PDT

TeamViewer - Free Remote Access and Remote Desktop Sharing over the ...

Posted: 24 Oct 2009 02:21 AM PDT

On the Effectiveness of Aluminium Foil Helmets: An Empirical Study

Posted: 26 Oct 2009 11:05 PM PDT

BrightCloud - OEM Hosted Security Services

Posted: 26 Oct 2009 08:47 AM PDT

Bill & Ted's Excellent Adventure (1989)

Posted: 26 Oct 2009 08:07 AM PDT

Masterminds of Programming: Conversations with the Creators of Major Programming Languages (Theory in Practice (O'Reilly)) (9780596515171): Federico Biancuzzi, Shane Warden: Books

Posted: 30 Oct 2009 08:20 AM PDT

Programmers at Work: Interviews With 19 Programmers Who Shaped the Computer Industry (Tempus) (9781556152115): Susan Lammers: Books

Posted: 30 Oct 2009 08:20 AM PDT

Coders at Work (9781430219484): Peter Seibel: Books

Posted: 30 Oct 2009 08:19 AM PDT

Mobile Malware Attacks and Defense (9781597492980): Ken Dunham: Books

Posted: 30 Oct 2009 08:19 AM PDT

Crimeware: Understanding New Attacks and Defenses (9780321501950): Markus Jakobsson, Zulfikar Ramzan: Books

Posted: 30 Oct 2009 08:19 AM PDT

ldd arbitrary code execution - good coders code, great reuse

Posted: 30 Oct 2009 08:19 AM PDT

HACKING EXPOSED MALWARE AND ROOTKITS (9780071591188): Michael Davis, Sean Bodmer, Aaron LeMasters: Books

Posted: 30 Oct 2009 08:19 AM PDT

Malware Forensics: Investigating and Analyzing Malicious Code (9781597492683): Cameron H. Malin, Eoghan Casey, James M. Aquilina: Books

Posted: 30 Oct 2009 08:18 AM PDT

The Old New Thing : What this batch file needs is more escape characters

Posted: 30 Oct 2009 01:55 AM PDT

Much like the universe, if anyone ever does fully come to understand Batch then the language will instantly be replaced by an infinitely weirder and more complex version of itself. This has obviously happened at least once before ;)

Eric Filiol - Analyzing Word and Excel Encryption [PDF] : ReverseEngineering

Posted: 02 Nov 2009 01:40 AM PST

This is very cool! It demonstrates how security is based on some basic assumptions (ie. consecutive versions overwrite each-other) and when those assumptions are broken (you can recover multiple versions), the security itself is compromised. Ergo, you must make as few assumptions as possible and check them as thoroughly as possible. Paranoia helps!

Zoomorama - Tech Crunch Web Trends

Posted: 02 Nov 2009 01:20 AM PST

97 Things Every Software Architect Should Know (9780596522698): Richard Monson-Haefel: Books

Posted: 08 Nov 2009 10:00 PM PST

C++ horrorshow - Educated Guesswork

Posted: 08 Nov 2009 10:21 AM PST

This is why I do Java and not C++ - because I'm not smart enough to comprehend such stuff.

Welcome to the BeaEngine Sweet Home - x86 x86-64 disassembler library - (IA-32 & Intel64)

Posted: 08 Nov 2009 10:01 AM PST

The Periodic Table of Bloggers - Slope Of Hope with Tim Knight

Posted: 12 Nov 2009 03:56 AM PST

Create your own Wallpaper - X3 Studios

Posted: 12 Nov 2009 03:15 AM PST

Achmad Z's Archives: Simple report on this month's Google Pagerank update

Posted: 12 Nov 2009 03:10 AM PST

Yet another Google PR widget. Nice one, since it only includes a link.

The Old New Thing : Little-known command line utility: clip

Posted: 12 Nov 2009 11:45 PM PST

It's official! Perl rocks if even Raymond Chen uses it :-)

DealExtreme: $12.99 Bluetooth 2.0 A2DP AVRCP Stereo Music Receiver and Handsfree (Black)

Posted: 14 Nov 2009 10:56 PM PST

Recommended by George Ou

winexe homepage

Posted: 13 Nov 2009 11:48 PM PST

PSExec for Linux - no Samba needed either!

TrojanHorse.jpg (JPEG Image, 700x558 pixels)

Posted: 17 Nov 2009 02:57 AM PST

Via Schneier:


F-Secure Browsing Protection Portal

Posted: 19 Nov 2009 10:08 PM PST

Oh, the irony - Andrew's PostgreSQL blog

Posted: 20 Nov 2009 03:40 AM PST

YouTube - Umbrella Timpuri Noi

Posted: 08 Dec 2009 10:32 PM PST

YouTube - Timpuri noi - Emigrant USA[1992]

Posted: 08 Dec 2009 10:31 PM PST

YouTube - Timpuri Noi Victoria with Lyrics

Posted: 08 Dec 2009 10:31 PM PST

Timpuri Noi - Tata - Trilulilu Video Muzica

Posted: 08 Dec 2009 10:29 PM PST

Video: Douglas Crockford — The State and Future of JavaScript (YUI Theater)

Posted: 08 Dec 2009 10:29 PM PST

The Customer Is Not Always Right: Hilarious and Horrific Tales of Customers Gone Wrong (9780740785788): A.J. Adams: Books

Posted: 10 Dec 2009 10:28 AM PST

Why We Suck: A Feel Good Guide to Staying Fat, Loud, Lazy and Stupid (9780452295643): Dr. Denis Leary: Books

Posted: 10 Dec 2009 10:07 AM PST

Everybody is Stupid Except for Me (9781606991589): Peter Bagge: Books

Posted: 10 Dec 2009 10:06 AM PST

-- Home

Posted: 10 Dec 2009 09:38 AM PST

Software White-Listing Request

Posted: 10 Dec 2009 09:35 AM PST

Prezi - The zooming presentation editor

Posted: 10 Dec 2009 04:38 AM PST

Maker SHED from MAKE Magazine,, and Maker Faire

Posted: 13 Dec 2009 11:25 AM PST

Free DNS service - Easy, web-based domain manager -

Posted: 13 Dec 2009 02:07 AM PST

PHP Advent 2009 / JSON Gotchas

Posted: 15 Dec 2009 02:03 AM PST

Loved the pun: "eval has the same metaphone key as evil"

DNS History

Posted: 18 Dec 2009 05:54 AM PST

If broken it is, fix it you should : High CPU in .NET app using a static Generic.Dictionary

Posted: 21 Dec 2009 07:56 AM PST

.NET version of ConcurrentModificationException: consuming 100% CPU :-)


Posted: 21 Dec 2009 02:04 AM PST

Learning Advanced JavaScript

Posted: 21 Dec 2009 01:58 AM PST

Hivelogic - Top 10 Programming Fonts

Posted: 21 Dec 2009 01:44 AM PST

Mish's Global Economic Trend Analysis: Oh, CRE: Holiday parody of the song O Christmas Tree

Posted: 21 Dec 2009 01:42 AM PST

Monday, December 21, 2009

Schneier videos


Bruce Schneier is always fun, and together with Marcus Ranum he is extra fun (sidenote: although it is titled "face-off", they agree more than they disagree):

And here are some Schneier only videos (the first video has some audio problems in the first 3 minutes, but it gets better afterwards):

Open Rights Group: Bruce Schneier Security Talk from Open Rights Group on Vimeo.

Open Rights Group: Bruce Schneier Security Talk (Q&A) from Open Rights Group on Vimeo.

Friday, December 18, 2009

New challenges


After missing the announcement for the second part of the Network Forensics Puzzle (yes, I’m subscribed to the feed now!) I would like to regain your trust by bringing two other contests to your attention:

Bonus content:

Have fun!

Picture taken from ChrisDag's photostream with permission.

A game of Chinese whispers


Yet another example of real-life Chinese whispers in security journalism:

A Hungarian online news site published an article titled “Hackers tried to steal user data from Amazon” (here is a somewhat usable automatic translation for the non-Hungarian speakers). I assume that the information went like this:

What happened –> What the security company has written up about it –> What the “journalist” understood –> What s/he actually wrote.

What actually happened is that an Amazon EC2 instance rented by a third party was being used as a C&C server for a botnet. No Amazon user data was compromised here, move along (also, this isn’t a new phenomenon at all).

To top it off, the article talks about the security issues involved in cloud computing. Surely they are paid by buzzwords / paragraph :-p.

As if you needed further proof that a large percentage of the news out there is false, even when there is no intent to “spin” it. Never attribute to malice what can be explained by stupidity, I suppose...

Picture taken from bignoseduglyguy's photostream with permission.

Twitter hacked


It had to happen, didn’t it? I fired up Pidgin with the microblog-purple plugin, only to get an “invalid certificate” error for Twitter. I quickly became nervous, since some quick digging indicated that I was getting the wrong IP address for the domain.

My first thought was: “I’ve been compromised”. After quickly verifying my hosts file and my DNS entry, all seemed fine on the surface. My second thought was: “my DNS server was compromised”, so I did the same lookup using OpenDNS and the new Google DNS, both coming up with different (but wrong) answers. Finally I checked a couple of other HTTPS sites and they seemed fine. So I took a deep breath and (putting my faith in NoScript and RequestPolicy) visited the site to find the following page:


Quick analysis:

  • This seems to be a “good old” defacement
  • A very likely scenario is that they somehow compromised the DNS registrar account (phishing, dumb password reset, etc.) and changed it to point to another IP.
  • Currently I’m seeing a couple of different IPs out there for the domain:
  • The correct address seems to be, so if you put the following line in your hosts file, things should start working again (you might need to do an ipconfig /flushdns if you're on Windows):
  • The above is a hackish solution, and I would recommend using it only in life-and-death situations :-p. It is best to let Twitter handle the incident and make sure that everything is cleaned up.
  • It is unclear when exactly the defacement happened, but it must have been in the last 10 hours or so. It might have been specifically targeted so that it is late in the day in the USA so that the reaction is delayed.
  • According to Google Translate (Babelfish doesn’t know Arabic unfortunately) the text below the picture says:

    Ok, so I'm a big ignorant idiot. The official language of Iran is Persian (also known as Farsi or Parsi), not Arabic. Thank you to Anonymous for pointing it out. According to this article the text in the picture says:

    This site has been hacked by the Iranian Cyber Army (on the flag)
    The USA thinks they control and manage internet access, but they don't. We control and manage the internet with our power, so do not try to incite the Iranian people (under the picture)
    Some people also seem to have screenshots with English texts on them.
  • The rogue server doesn’t seem to respond to any Twitter API requests, so it doesn’t seem that they were going after usernames and passwords (which they very well might have done, considering the number of users who click through SSL certificate warnings), but just to be on the safe side, change your password and don’t use the same password on all the sites!

Update: As of now all seems to be back to normal and all the DNS servers return the correct IP address. I’m waiting for an explanation from Twitter (mostly because I’m interested in how it happened :-)).

Update: Twitter acknowledges the hack on their blog and says that they will provide more information as it becomes available (however they erroneously affirm that the APIs were working correctly – they weren’t, since they used the same DNS record to contact Twitter – in fact this is how I became aware of the hack).

Bonus: what sources can you use to investigate such incidents?

  • First of all, be suspicious of SSL certificate errors! I know that they (sadly) are quite common these days, but be vigilant!
  • Check that the problem is not at your end. Check that you have the correct DNS server (there are a couple of malware families out there which set a custom DNS server for the machine to control the users browsing destinations). Check that the given hostname is not present in your hosts file (again, there are a couple of malware families using this method to misdirect users)
  • Check what the IP address should be, by using domaintools for example (and looking at the server stats page)
  • Try looking up the DNS name using several DNS servers (this might not work if your network filters DNS queries):
    # nslookup
    > set type=ANY
    > server
    > server
  • Another option is to use the vURL service to fetch the suspicious webpage from different locations and compare the results with what you are seeing.

Using these methods you can quickly ascertain with pretty good accuracy where the fault lies and take appropriate action. Have a safe holiday everybody!
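The "is the fault at my end, at my resolver, or in the zone itself?" checks from the list above, scripted as an added example (not code from the original post): a hosts-file check, a lookup against several resolvers, and a comparison of their answers. The hosts-file and comparison parts run offline on constructed data; lookup_all needs network access and dig (from the dnsutils / bind-utils package), which is used here in place of the post's interactive nslookup session. The resolver names and addresses in the demo are constructed; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.

```shell
#!/bin/sh
# Added example, not from the original post: script the three "where is the
# fault?" checks: hosts-file override, several resolvers, agreement between them.

# hosts_override HOSTS_FILE NAME
# Prints the address(es) HOSTS_FILE pins NAME to and returns 0; returns 1 when
# NAME is not in the file. Comments are stripped; names compare case-insensitively.
hosts_override() {
    LC_ALL=C awk -v name="$2" '
        { sub(/#.*/, "") }
        NF >= 2 {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(name)) { print $1; found = 1 }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# lookup_all NAME RESOLVER...
# Emits one "resolver answer" line per record each resolver returns. dig +short
# prints only the answer section (CNAME targets included, which is fine since
# we only compare resolvers with each other); a resolver that times out simply
# contributes no lines, which answers_agree then reports as disagreement.
lookup_all() {
    name="$1"; shift
    for r in "$@"; do
        dig +short +time=3 +tries=1 @"$r" "$name" A | while read -r ip; do
            printf '%s %s\n' "$r" "$ip"
        done
    done
}

# answers_agree   (reads "resolver answer" lines on stdin)
# Prints the answer set each resolver returned and exits 0 only when every
# resolver returned the same set. Your resolver disagreeing with independent
# ones points at your machine or your resolver; unanimous wrong answers point
# at the zone or the registrar account, as in the Twitter incident.
answers_agree() {
    sort | LC_ALL=C awk '
        { key[$1] = ($1 in key) ? key[$1] "," $2 : $2 }
        END {
            for (r in key) { print r ": " key[r]; sets[key[r]] = 1; n++ }
            c = 0; for (s in sets) c++
            if (n > 0 && c == 1) exit 0
            exit 1
        }'
}

# Offline demonstration on constructed data (no network needed).
demo() {
    hosts="$(mktemp)"
    printf '127.0.0.1 localhost\n192.0.2.10 twitter.example.test # pinned\n' > "$hosts"
    echo "hosts file pins twitter.example.test to: $(hosts_override "$hosts" twitter.example.test)"
    rm -f "$hosts"
    # The local resolver disagrees with two independent ones.
    printf 'local 192.0.2.10\nopendns 198.51.100.7\ngoogle 198.51.100.7\n' | answers_agree \
        || echo "resolvers disagree: suspect the local resolver or hosts file"
}
demo
```

Live use is lookup_all NAME RESOLVER... piped into answers_agree, with your own resolver listed alongside a couple of public ones; always include the hosts_override check first, because a hosts-file entry silently overrides whatever the resolvers say.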


  • Read about the subject on the TrendMicro Countermeasures Blog.
  • Some more links to information and the source of the defaced webpage at Hacker News.
  • SANS posted about the issue in the diary.
  • I've updated the translations, thanks to Anonymous.
  • Twitter posted an update about the issue. It doesn't give many more details, but it does give a timeframe for the problem: between 21:46 and 23:00 PST. There are some rumors out there that somehow (phishing?) the correct password to the DNS management interface was obtained and it was used to modify the records. Twitter still has the original blogpost up saying that APIs were not affected, but this is not true! If you've used a third party Twitter client and you've clicked through the certificate warning (or maybe it doesn't use TLS at all), your password might have been compromised. Currently there is no evidence that the rogue server was logging passwords, but until some forensics is done on it, there is no sure way to tell if this was the case (since it is trivial to configure a webserver such that it responds with a 404 error while still logging the details of the request).
  • Arbor Networks posted a related article.
  • Sucuri has also posted about the issue. They have a nice little network monitoring / alerting system. You can also use them as a third-party information source.
  • ISS X-Force (part of IBM) also has a nice writeup about the incident.
  • Brian Krebs has an informative writeup on the SecurityFix blog about the issue which quotes Dyn's (the host for the Twitter DNS) CTO as saying: "Someone logged in who purported to be a legitimate user of their [DNS] platform account and started making changes", further strengthening the probability that a Twitter employee's email account was broken into via some mechanism.
  • There is also a lot of confusion out there, as it always is the case with (security) news. I've heard someone saying that "why did the DNS host allow the redirection of Twitter to a host in Iran?" - just to clarify: even though the hack was claimed by the "Iranian Cyber Army" (which might not mean anything! it could be your nerdy neighbor), the server it was redirected to was in the US.


Picture taken from pugetsoundphotowalks' photostream with permission.

Thursday, December 17, 2009

Discount Codes UK review


These days most online shops offer the ability to use discount codes at checkout and get a price reduction anywhere from 5% to 50%. These codes are announced in various media (like podcast or blogs), but even if you don’t follow the particular program, it is rather easy to find them with a search engine.

Given these premises, sites like Discount Codes UK are welcome. I didn’t use their services personally, but it is well organized, with direct links from the discount code to the store where you can use it, and it has a good reputation on sites which track such things (MyWOT, Norton SafeWeb and SiteAdvisor). For added safety I would recommend entering the addresses of the shops manually, rather than using the provided links. So there you have it: discount codes at your fingertips with the possibility of getting a couple of percent off. And even if some don’t work, you have nothing to lose by trying them. Again a word of caution, especially around holiday shopping: be cautious and either use big-brand shops (like Amazon) or thoroughly check out the given shop (using a search engine and searching for phrases like “[shopname] complaints”, “[shopname] problems”, “[shopname] fraud”, etc.). Better safe than sorry!

Full disclosure: this is a paid review from ReviewMe. Under the terms of the understanding I was not obligated to skew my viewpoint in any way (ie. only post positive facts).