The Slightly Disgruntled Scientist

...now 7% more viral!


A Hybrid Kali/Debian Wheezy Live Distro

There are two things that I particularly love doing: security auditing, and tinkering with live distributions. It is very intriguing to see exactly how weak or strong your own electronic devices are against various attacks, and sometimes very contrary to expectations.

This is, of course, an extension of my usual love of seeing exactly what new and strange things I can get my old electronic devices to do, which brings us to live distributions. Live distros are simply operating systems designed to work from removable media, usually across multiple, different devices. For example, I once turned an old laptop into an ethernet/wireless bridge for my games console, by creating a live distro that ran off a USB stick. Boot with the USB stick: it’s a bridge! Without the USB: it’s my old laptop again! This gets even better if you’re dealing with embedded systems, systems with no permanent storage, etc.

(Live distros are also a gateway drug to stateless distributions, which are absolutely fascinating for repeatable engineering processes, testing, compliance, etc.)

Kali is Amazing

Given these two interests, it’s amazing that I hadn’t heard about Kali Linux until last week. Kali is a Debian-based OS, primarily designed for live usage, that is all about security testing.

So what?

Anyone who has ever tried security testing from their main OS knows what a pain it can be. Patch these drivers. Downgrade these packages. Install this thing from git. Oh no it sprayed random files all over your meticulously managed distro lol oops sorry not sorry…

But Kali gives you a nice, safe live distro, complete with patched drivers, recent kernels, up-to-date software, etc. Run it, mess around, hack on whatever, check to see if the router you bought from that dodgy shop in Ultimo patched a nasty WPS vulnerability, then reboot back into your normal day-to-day OS.

I felt like a ninja. In a tuxedo. WITH POISON DARTS.

There Was But One Problem…

…and that was, Kali didn’t work too well on my machine. When using the virtual consoles (accessed by ctrl+alt+f1), I would get missed or repeated keystrokes. I couldn’t do serial debugging when running under QEMU. There were extra utilities that I wanted to install, and some cruft that I wanted to remove. Then I discovered that Kali actually provides instructions and repositories for building your own Debian-based live image.

At this point I’m just drunk on sheer technological possibility.

I’ve used live-build a lot before, and it’s a wonderful tool. Its major drawback is that it’s a fast-moving target, and Kali seems to be a little behind. Using the instructions on the website proved problematic with the version of live-build (4 point something) in Debian Wheezy (which is what I use for packaging and certain kinds of tinkering).

When I tried simply using live-build with the Kali repos as the main package source (as per their git repo), the live-config hooks didn’t run, which meant the live user wasn’t set up, the serial console wasn’t available, and so on.

Hybrid Time

I decided to take a different approach: to try building a normal Debian Wheezy live image instead, with the Kali repos included as extra repositories. The Kali updates to specific packages would be installed where they supersede the Wheezy ones (or I could use APT pinning), and I could have fine-grained control over what got installed, or use Kali’s metapackages if I wanted.
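As an added illustration (not from the original post) of what that extra-repository layout looks like in live-build: an archive list plus an APT preferences file under config/archives/, so that Wheezy stays the default and only named packages come from Kali. Without the preferences file both archives sit at priority 500 and the higher version simply wins, which is the "supersede" behaviour described above. The config/archives/NAME.list.chroot and NAME.pref.chroot file names are live-build’s convention; the Kali archive URL, suite name and Origin field (o=Kali) are assumptions to verify with apt-cache policy inside the built chroot, and the archive’s signing key would go in kali.key.chroot alongside.

```text
# config/archives/kali.list.chroot  (added to the chroot's APT sources during the build)
deb http://http.kali.org/kali kali main contrib non-free

# config/archives/kali.pref.chroot  (APT pinning, applied inside the chroot)
# Default: Wheezy wins. Priority 100 stops Kali packages replacing Wheezy ones
# merely because the Kali version number is higher.
Package: *
Pin: release o=Kali
Pin-Priority: 100

# Exceptions: take these from Kali even if Wheezy carries a newer version.
# 990 stays below the 1001 threshold, so APT will never downgrade to satisfy it.
Package: reaver
Pin: release o=Kali
Pin-Priority: 990

Package: aircrack-ng
Pin: release o=Kali
Pin-Priority: 990
```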

I called the result Dart (see my ninja comment above), and it seemed to work… sort of.

It worked in that I got a live image with some of Kali’s tools installed. Unfortunately, some of them didn’t work like they did on Kali’s ISO image.

Reaver Issues

The most reproducible example I could find (of tools not working the same) is Reaver, a tool for checking vulnerability to weaknesses in the Wi-Fi Protected Setup (WPS) feature.

Under Kali’s ISO it associated with the access point just fine and proceeded to crunch through PINs for hours (although I never let it run long enough to see what the result was):

root@kali:~# service network-manager stop
[ ok ] Stopping network connection manager: NetworkManager.
root@kali:~# killall wpa_supplicant
root@kali:~# ifconfig wlan0 down
root@kali:~# airmon-ng start wlan0 ${CHAN}


Found 1 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
-e
PID Name
3692    dhclient


Interface   Chipset     Driver

wlan0       Unknown     rtl8723be - [phy0]
                (monitor mode enabled on mon0)

root@kali:~# iwconfig wlan0 channel ${CHAN}
root@kali:~# iwconfig mon0 channel ${CHAN}
root@kali:~# reaver -i mon0 -e "${ESSID}" -b ${BSSID} -c ${CHAN} -vv -S

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[+] Switching mon0 to channel 6
[+] Waiting for beacon from 64:70:02:A0:D5:17
[+] Associated with 64:70:02:A0:D5:17 (ESSID: Jeff Winger's Wireless Hairdryer)
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 00005678
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 01235678
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK

…etc. But under my live image, it couldn’t complete the WPS transaction and repeatedly lost association:

root@dart:~# service network-manager stop
network-manager: unrecognized service
root@dart:~# killall wpa_supplicant
wpa_supplicant: no process found
root@dart:~# ifconfig wlan0 down
root@dart:~# airmon-ng start wlan0 ${CHAN}

Found 1 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
-e
PID Name
5953    dhclient


Interface   Chipset     Driver

wlan0       Unknown     rtl8723be - [phy0]
                (monitor mode enabled on mon0)

root@dart:~# iwconfig wlan0 channel ${CHAN}
root@dart:~# iwconfig mon0 channel ${CHAN}
root@dart:~# reaver -i mon0 -e "${ESSID}" -b ${BSSID} -c ${CHAN} -vv -S

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[+] Switching mon0 to channel 6
[+] Waiting for beacon from 64:70:02:A0:D5:17
[+] Associated with 64:70:02:A0:D5:17 (ESSID: Jeff Winger's Wireless Hairdryer)
[+] Trying pin 12345670
[!] WARNING: Failed to associate with 64:70:02:A0:D5:17 (ESSID: Jeff Winger's Wireless Hairdryer)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 12345670
[!] WARNING: Failed to associate with 64:70:02:A0:D5:17 (ESSID: Jeff Winger's Wireless Hairdryer)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 12345670
[!] WARNING: Failed to associate with 64:70:02:A0:D5:17 (ESSID: Jeff Winger's Wireless Hairdryer)

This is on the same machine, with the same router (a TP-LINK TD-W8960N with fully updated firmware), sitting right next to the computer (so I know it’s not signal level). The wireless adapter is an RTL8723BE — notorious for working poorly under Linux, but the fact that my first attempt worked suggests that this isn’t the problem.

I had thought that perhaps the router was locking out my second attempt simply due to order, but trying it again a day later I didn’t see anything different. In both cases the wash utility could see that WPS was enabled and not locked (which was consistent with what the router told me).

I am aware that there’s a trick you can do with aireplay-ng -1 ... and reaver ... -A to maintain association, but that doesn’t actually help here. And, more to the point, it wasn’t necessary on Kali, so what’s different?

The version of Reaver is the same (1.4-2kali9), and custom building a package from SVN head doesn’t help either. The kernel is slightly different (3.18.3-1~kali4 on Kali’s ISO, 3.18.6-1~kali1 on my image), but injection still works (according to aireplay-ng).

I don’t know what else might be different. I can’t find any other configuration tweaks or suchlike that might affect this.

Kali Metapackage Problems

Up to this point I’d been carefully selecting individual Kali packages to suit my needs and adding them to config/includes.chroot/package-lists/kali.linux.chroot. I figured I might be able to solve my problems by installing some of Kali’s metapackages, so first I tried:

kali-linux
kali-linux-wireless

Didn’t help. So then I tried going for broke and just adding kali-linux-full. Surprise surprise, that caused exactly the same problem as building an image directly from the Kali repositories! None of the live-config hooks were run, so I couldn’t log in to my live image!

What Next?

So at this point… I’m stumped. I’d like to stay with my Wheezy-based image if possible, but it really looks like there’s an incompatibility between Kali and Wheezy’s live-build tool. But I still find it very strange that reaver (and certain other tools) work on one image but not another, even though the package itself (and, as far as I could tell, most of the dependencies) is the same.

So if anyone has any suggestions on how to debug this further, I would love to hear them!
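One concrete way to narrow down the “what’s different?” question, offered as an added example rather than anything from the original post: capture a package inventory from each image and diff them mechanically, since the two transcripts above already show the hybrid image lacking a network-manager service and a wpa_supplicant process. The two inventories embedded below are constructed sample data with made-up versions; on real images they would come from the dpkg-query command in the comment.

```shell
#!/bin/sh
# Added example (not from the original post): diff the package inventories
# of two live images to find what actually differs between them.
# On each image, capture the inventory with:
#   dpkg-query -W -f='${Package}\t${Version}\n' | sort > IMAGE.pkgs
# and copy both files to one machine. The inventories built below are
# constructed sample data with made-up versions, not real captures.
set -eu
export LC_ALL=C   # comm/join need the same collation the files were sorted in

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed inventory standing in for the Kali ISO (sorted by name).
printf '%s\t%s\n' \
    aircrack-ng 1:1.2-0~rc1-1kali \
    libc6 2.13-38+deb7u6 \
    linux-image-amd64 3.18.3-1~kali4 \
    network-manager 0.9.4.0-10 \
    reaver 1.4-2kali9 \
    wpasupplicant 1.0-3+b2 \
    > "$WORK/kali.pkgs"

# Constructed inventory standing in for the hybrid Wheezy/Kali image.
printf '%s\t%s\n' \
    aircrack-ng 1:1.2-0~rc1-1kali \
    libc6 2.13-38+deb7u8 \
    linux-image-amd64 3.18.6-1~kali1 \
    reaver 1.4-2kali9 \
    > "$WORK/dart.pkgs"

# pkg_diff FIRST SECOND
# Prints one tab-separated line per difference:
#   only-in-first    NAME
#   only-in-second   NAME
#   version-differs  NAME  VERSION_IN_FIRST  VERSION_IN_SECOND
# Both inputs must be sorted by package name, as dpkg-query | sort produces.
pkg_diff() {
    first=$1
    second=$2
    tab=$(printf '\t')
    cut -f1 "$first"  > "$WORK/first.names"
    cut -f1 "$second" > "$WORK/second.names"
    # Set difference in each direction on the package-name column.
    comm -23 "$WORK/first.names" "$WORK/second.names" | awk '{ print "only-in-first\t" $0 }'
    comm -13 "$WORK/first.names" "$WORK/second.names" | awk '{ print "only-in-second\t" $0 }'
    # Packages present in both: join on name and report mismatched versions.
    # Appending "" forces a string comparison so e.g. "3.18" and "3.180" differ.
    join -t "$tab" "$first" "$second" \
        | awk -F'\t' '($2 "") != ($3 "") { print "version-differs\t" $1 "\t" $2 "\t" $3 }'
}

# Number of differences, as a quick "how far apart are these images" figure.
pkg_diff_count() {
    pkg_diff "$1" "$2" | wc -l | tr -d ' '
}

pkg_diff "$WORK/kali.pkgs" "$WORK/dart.pkgs"
```

The same inventory approach works for `lsmod` output and for the contents of /etc/modprobe.d on each image, which is where driver-level differences for an adapter like this one would show up.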

Technical Analogies are Usually Garbage

Analogies are a hugely important part of science communication. When done well, they can catalyse that “light bulb” moment for students. They can be an excellent way to convey the irreducible, interacting factors in a physical system. They can emphasise the primary point of a lesson. Or they can present an old idea in a new way, that might finally help a student to understand some tricky concept.

And then, there are politicians trying to talk about technology.

And politicians really only bother to talk about technology when they are trying to foul it up.

And when politicians are trying to foul up technology to satisfy an agenda, they will not carefully communicate difficult concepts in an accurate and enlightening way.

Politicians, and those who quote them uncritically, don’t talk in analogies to simplify things. They do it to make their awful agendas seem reasonable. They choose analogies by deciding on the outcome they want to sell, and working backwards to find some contrived situation that fits it.

The elephant in the room is, of course, that not everyone actually understands technology. Shouldn’t politicians do their best to communicate these concepts to a lay audience? But… they’re not doing that. They never are. Reject this premise.

I’ll illustrate this with an example: the Internet.

But I Don’t Know what an Internet is!

Say I want to usher in new laws to enforce mandatory metadata retention by telecommunications companies. What this means is: your internet service provider will be required, by law, to record certain parts of your internet data so that government organisations can inspect it at some later date. But which parts of your data actually qualify as “metadata” and will be recorded? Well, that’s a good question.

The big argument against mandatory data retention is that it is mass surveillance, an invasion of literally everyone’s privacy that can be all-too-easily abused. So if I were a politician, and I wanted to defuse this argument, I would try to sell the idea that there are two classes of internet data: the really personal kind that any patriot might want to keep secret, and the impersonal kind that can only betray you if you’re doing something evil or treacherous.

In other words, I would insist that “metadata” is in a fundamentally different class to “data”, and I would choose analogies to suit this distinction.

The Australian Liberal Party, and in particular Tony Abbott, love the analogy of snail mail. There’s a letter: that’s personal. They won’t look at that. Indiscriminate tampering with the post is widely regarded as taboo amongst even the most ardent security-state-loving conservative voters. But then there’s the writing on the outside of the envelope. That’s pretty safe! No one who is, well, doing the right thing would care about that being read! Or recorded by the post office! Or being accessed by hackers used by police!

You’re A Grown Up, Use Grown Up Words

You know what’s a good way to describe the internet? By describing the internet. There’s a protocol called the internet protocol that’s used to direct small amounts of data (packets) from one computer to another. There’s a protocol called the transmission control protocol that’s used to make sure the packets are assembled and given to the correct application at the destination. And then… there’s… more. A lot more. But these two protocols — together referred to as TCP/IP — are, basically, the internet.

Even if you found that confusing, even if you didn’t understand that at all, even if you need an analogy to wrap your head around the concept… well, you’re going to have to learn it some time.

You can explain things without an analogy. You can. People won’t instantly understand it, but they won’t with an analogy either.

There comes a time in every analogy’s life when it’s time to grow up and reveal what the words really mean. That is, when we simplified things to “envelope” and “letter”, we need to still remember which of the real concepts correspond to which parts of the analogy. Brandis explicitly mentioned “web addresses”… So is TCP the letter, and IP the envelope? But that can’t be right at all; the IP packets contain both the address information and the actual data. So is the envelope the TCP part? The government really doesn’t seem to be insisting that telcos keep logs of every single TCP packet exchanged, so… probably not.

This is one problem then. An envelope is a physical object that is pretty much defined by having an inside and an outside. This fundamental distinction is what makes the metaphor so palatable, but it doesn’t even remotely correspond to how the internet actually works. Sure, it has distinctions: there is the internet protocol part of the data, there is the transmission control protocol part of the data, etc. But this has absolutely no correspondence with the “inside/outside” distinction used in the analogy.

Since the government can’t tell us which part of the stream of TCP/IP data is the outside of the envelope and which is the inside, the analogy just doesn’t work. It’s not a way to elucidate technical concepts to an audience without expertise — it’s a way to confuse the audience to push an agenda.

At this point you might accuse me of being disingenuous though.

There are higher-level (i.e. more abstracted) protocols than TCP. For example, when you visit a webpage, you’re using the hypertext transfer protocol (HTTP). Your computer:

  • sends some IP packets to your router (and beyond) that…
  • establish a TCP connection to a server like heeris.id.au, over which…
  • requests like GET /brandis-is-an-idiot are sent, and then…
  • the server sends you the contents of the page you requested.

The politician’s analogy might well work in reference to one of these higher-level protocols then — perhaps HTTP or email? The address used in the TCP layer will be subject to data retention, but not the contents of the HTTP session. So TCP = envelope, HTTP = letter…?

No, that can’t be right: the full URL (uniform resource locator) that you see in the address bar contains both the host (used by TCP/IP) and the resource (used by HTTP):

       the TCP part (ie.
       envelope) contains
       ⬐  this   ⬎
http://heeris.id.au/brandis-is-an-idiot
                    ⬑      this      ⬏
                    is in the HTTP part
                    (ie. the letter)

By their own analogy, they’re going to have to “open” the TCP/IP “envelope” to “read” the HTTP “letter” to extract and retain the full URL. Brandis explicitly mentioned recording web pages in one of his interviews.

The whole metaphor breaks down no matter which protocol you try to apply it to. The email address is just another line in the same stream of data containing the contents. And so on.

Someone’s Going to have to Actually Do It

And here we get to another problem, and the crux of why such an analogy is garbage: they have their analogy, but they didn’t even start from a real concept. They are literally implementing an analogy as policy.

Think about it: at some point, after these laws are passed, someone is going to have to actually sit down and write some code to do this, and nobody knows what they’ll be implementing.

We know they don’t know, because when Brandis or Abbott or anyone advocating for data retention are directly asked about this, they spew utterly incoherent nonsense.

But I Still Don’t Know what an Internet is!

You know what? If you want to advocate for a fundamental change in how a technology functions, if you want to enforce expensive, sweeping, invasive tampering with a major class of infrastructure, FUCKING LEARN HOW IT WORKS.

Here’s another tip: if a politician is speaking to you like you’re a child, maybe don’t take it at face value like a chump. Yes, you. Yes, even if it’s the Prime Minister. Yes, even if it’s Scott Ludlam. Yes, even if you are a child. Especially if you’re a child.

Because if your goal is to stop certain kinds of crime, and you notice that criminals use the internet to communicate, then if you waffle on about envelopes and letters and tubes and traffic and don’t understand what’s involved: you will NEVER, EVER actually achieve your stated goal anyway.

Next time some technologically illiterate mouthpiece tries to argue about “the outside of an envelope,” or somesuch, insist that they talk details. Because there is only one way to become immune to misguided agendas pushed through puerile analogies: it is to simply not need them.

Taxpayers’ Money

The phrase taxpayers’ money is often deployed as the clincher in political discussions where a politician has little other justification for their policies. (So, most discussions.)

We don’t, the MP will say, as they remove their monocle and begin polishing it, want to waste taxpayers’ money.

Some will even go so far as to claim that it is a fundamental right, equal in importance to the right not to starve to death.

I am all in favour of rights, the Prime Minister (Tony Abbott) said. I am also in favour of the rights of taxpayers not to have their money abused.

That’s a right now, huh? We’ll come back to that.

It’s interesting that it’s even referred to as taxpayers’ money, rather than citizens’ money. By definition, once tax is paid, it’s no longer owned by the payer. And when I say by definition, I mean the definition of pay, not of tax. That’s the entire point of paying, really.

And while there isn’t really any fundamental right for taxpayers to avoid having their money abused, there is a widely recognised right that everyone should have representation. And this means that tax revenue is owned by every citizen, to an equal extent — no more by a citizen who pays more tax than one who doesn’t pay any at all.

What this language really means is, we believe that those who pay more tax are entitled to a greater say in public policy, no matter whether it’s sensible or not.

The irony is that invoking taxpayers’ money is pretty much always used to justify irrational use of tax, through policies that are emotionally satisfying to the wealthy but end up costing more and being less effective than alternatives. And nonsensical allocation of public funds clearly is an abuse of taxpayers’ money, so for all the posturing about it, anyone using this phrase doesn’t actually respect such a right after all.

Punching Above Our Weight: Not Actually a Good Thing

There is an oft-repeated phrase you might hear if you hang around disgruntled scientists for long enough, and it’s that “Australian science really punches above its weight.” I certainly heard or read it dozens of times while doing research for science policy, and it was always said in this proud and hopeful tone, like this is a good thing.

I don’t think it is.

Punching above your weight is a colloquialism that refers to boxing. Boxers are typically divided into classes by their weight, and a boxer who punches above their weight is one who is unexpectedly strong compared to others in their weight class. A very similar colloquialism might be “gets more bang for your buck.”

It’s worth noting, then, that Australian scientists tend to use the phrase that evokes the image of an overlooked underdog fighting for recognition, rather than the phrase associated with sleazy sales pitches. It also implies some sort of struggle or competition, as though our scientists are in a violent, high-stakes battle with scientists from other countries. That’s really the opposite of how global science is meant to work.

All it really means though is this: even though we don’t invest much public money in scientific research, we get an unexpectedly high return from it.

So isn’t this a good thing? Why shouldn’t we proudly proclaim this as we dance around the ring?

Ubuntu + Mac: Pure EFI Boot

Don’t need the wordy tutorial? There’s a shorter version.

I recently bought a Mac Mini 6,1 (late 2012 model) to replace the giant tower PC I was using as a household server. Oddly enough for an Apple product, out of all the small-form-factor PCs around with a decent amount of power, it was by far the cheapest.

When I installed Ubuntu Saucy (13.10), I was initially faced with an unbootable system, which I eventually got to work. When Ubuntu Trusty (14.04) came out I was hoping things would go better. Sure enough, there was a +mac variant installer available (buried behind several download pages), but this used legacy BIOS booting. The non-+mac variant simply gave me an unbootable system again.

This wasn’t good enough for me! I used Mike Hommey’s Debian EFI boot instructions, and adapted them for recent Ubuntu systems. The result was a Mac Mini that would boot Ubuntu Trusty in pure EFI mode, with no rEFInd and no OS X, and with an Ubuntu entry in the Mac’s bootloader menu.

Thank you Mike. They were excellent instructions.

Note that I’ve only applied this process to my situation: single-booting Ubuntu Trusty (14.04.1) on a Mac Mini 6,1. If you’re knowledgeable enough, you should be able to use this to dual/multi-boot, or boot other Linux distros, or use other Mac devices. But I haven’t tried any of that myself, so be prepared for some surprises.

Why EFI? Why Not rEFInd?

Because I can. Because of aesthetics. Because I’m an engineer, and if there’s a simpler way to make something work, I’ll try to find it.

If the legacy BIOS boot mode works for you, and you don’t want any fuss, use it! If rEFInd works for you, use it! These instructions are for people who just want to try it out, or perhaps for installer developers who want a starting point for a more general process.

Are there any benefits at all then? Sure:

  • I couldn’t actually figure out how to install rEFInd without keeping OS X installed, which meant giving over about 100GB of my 500GB drive to it. No thanks.
  • The Mac bootloader firmware seems to boot about 30s faster.
  • You have access to various EFI-related utilities.
  • You can make yourself a pretty Ubuntu entry in the bootloader menu!