Hacking for Beer - BruCON 12 days left for early bird tickets

BruCON is an annual two-day conference by and for the security and hacker community. The conference offers lectures and workshops on a multitude of topics like computer security, privacy, information technology and its implications on society. It takes place at the Surfhouse in Brussels, Belgium on September 18 and 19.

Tickets should be purchased as soon as possible: from the 1st of July the price rises from €180 to €250. The staff didn't forget students: their price is €50 until the 1st of July.

Besides presentations on IPv6 security, MPLS hacking, cyberwarfare, social engineering techniques, cloud computing security, open source information gathering, the dangers of social networks and much more, there will be interesting workshops and other events.

Unfortunately I won't be able to go as I'll be in Canada because of a wedding. But count me in for the second edition!

Solar-powered statistics

A friend just blogged about his successful attempt to reverse engineer his solar-cell inverter to grab statistics out of it. He says:

The inverter (the device that converts DC into AC) is a SolarMax C-series. It has a 2-line LCD display that gives out some basic information: current, voltage, power; produced energy today, this month, this year, … This is very useful information, but is a bit hard to access. The instruction manual reveals that there is a computer interface available to read out its data. Naturally, I wanted to explore this!

The interface is physically an 8P8C (usually called RJ45). Electrically it’s a serial interface. The manual isn’t exactly clear whether it’s an RS-232 or an RS-485 interface. After some mailing and calling, the people at Sputnik Engineering just mailed us the pinout diagram and document (both in German); it appeared to be RS-232. Their website even has a free utility called MaxTalk to read out the data!

Read the full post here. If you'd like to see the scripts that generate graphs of the electricity production, ask for them in his comments.

Sharing your internet connection safely with dd-wrt and multiple SSIDs

For some time I've been a serious promoter of free internet everywhere. Nobody can deny how practical it is to take your laptop or phone and be able to browse the web without an extra UMTS/3G connection.

Following the principle that you can't get what you don't give, I have been sharing my internet connection for a few years. For simplicity and out of laziness I did it the dirty way: two wireless SSIDs, one WPA2 and one unencrypted, connected to the same LAN. My own traffic was fully encrypted from the laptop to the AP, but anonymous people had full access to my network. It was not something I really liked.

As I just moved in and have a brand new internet connection, it was time to configure this correctly.
The plan is the following:

  • Create two networks: one private, one public
  • The networks should not be able to communicate
  • Don't buy extra hardware (aka use only my Linksys)
Note: ignore what you see about vlan2. That's because I connected the public network to a physical port of my router for testing purposes.

Change firmware to DD-WRT

I did this a long time ago, but if you haven't done it yet, check out the official DD-WRT website for the firmware and manuals.

The two SSIDs

In the Wireless > Basic Settings page click on Add in the Virtual Interfaces section. Your newly created interface will have the name wl0.1. The primary wireless is still called wl0.

Wireless virtual interfaces

Don't forget to configure encryption on your primary wireless in the Wireless > Wireless Security page.

Wireless security

Splitting the private and public network

On the Setup > Networking page create a bridge called br2 and enter the IP address of the router in that network (this should be a different subnet than your private network). Apply Settings.

Network Bridge

In the Assign to Bridge section of the same page click on Add and choose br2 then wl0.1. Apply Settings.

Network Bridge interface assignment

Activating a DHCP server on the public network

At the bottom of the Wireless > Basic Settings page you can add another DHCP server. Make sure it's connected to the br2 interface.

DHCP server

Firewall changes

We need to add a few rules to our firewall to allow and block traffic.
To make sure this is executed at boot, I added the following rules in Administration > Commands of the web interface.

# Flush the existing rules of the three chains before adding ours.
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
# Public network (br2, 192.168.107.0/24) may only be forwarded to the WAN
# interface (ppp0 on my PPPoE setup; use your own WAN interface name if it
# differs). Anything else coming in on br2, including traffic towards br0 or
# packets with a spoofed source address, falls through to the DROP policy.
iptables -I FORWARD -i br2 -o ppp0 -s 192.168.107.0/24 -j ACCEPT
# The private network (br0) may be forwarded anywhere.
iptables -I FORWARD -i br0 -j ACCEPT
# The router itself only serves DHCP and DNS (UDP only) to the public network.
iptables -I INPUT -i br2 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
iptables -I INPUT -i br2 -p udp --dport 53 -j ACCEPT
# The private network may reach every service on the router.
iptables -I INPUT -i br0 -j ACCEPT
# The router may initiate connections itself.
iptables -I OUTPUT -j ACCEPT
# Replies belonging to accepted connections are allowed in every chain.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Everything not explicitly accepted above is dropped.
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP

Now it is time to test everything. Connect to your private network and browse the web. Then join the free-internet SSID and try the same. Also try connecting to a host in your private network; this shouldn't work.
It's not a bad idea to reboot your router once more, just to be certain everything is set correctly for the day you have a power outage.

Consequences

There are a few consequences to opening your internet connection to outsiders. Here's an incomplete list:

  • Limited download volume: a visitor can download a ton of traffic on your account. Make sure you don't have too low a limit. I've never had issues with this.
  • Limited speed: someone else can slow down your internet connection. I've never had issues with this. You could solve this with the QoS features of DD-WRT.
  • Illegal behaviour: people could use your connection for illegal activities.

To protect myself against the illegal activities I plan to set up a portal page using the NoCatSplash feature of DD-WRT. I also plan to log every MAC address that connects to my wireless, together with the timestamp.
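As an added example of that MAC logging (not code from the original post), here is a small Python script that reads the lease file of dnsmasq, the DHCP server DD-WRT uses, and appends every lease on the public network to a log file with a timestamp. It assumes the lease file is at /tmp/dnsmasq.leases and the log under /jffs (both paths are assumptions, as is the 192.168.107.0/24 public network from the firewall rules above); run it from cron on the router if a Python interpreter is installed, or on a host that fetches the lease file.

```python
import time

# dnsmasq (DD-WRT's default DHCP server) lease line, one per client; the file
# is assumed to live at /tmp/dnsmasq.leases:
#   <expiry epoch> <mac> <ip> <hostname> <client-id>
# Constructed sample: one public client, one private client, one corrupt line.
SAMPLE_LEASES = """1700003600 AA:BB:CC:DD:EE:01 192.168.107.50 phone 01:aa:bb:cc:dd:ee:01
1700003600 aa:bb:cc:dd:ee:02 192.168.1.20 laptop *
1700007200 aa:bb:cc:dd:ee:03 192.168.107.51 * *
this line is corrupt
"""
PUBLIC_PREFIX = "192.168.107."  # the br2 network from the firewall rules (assumed)

def parse_leases(text):
    """Return (expiry, mac, ip, hostname) for every well-formed lease line."""
    leases = []
    for fields in (line.split() for line in text.splitlines()):
        if len(fields) < 4 or not fields[0].isdigit():
            continue  # skip blank or corrupt lines instead of crashing
        leases.append((int(fields[0]), fields[1].lower(), fields[2], fields[3]))
    return leases

def new_public_clients(leases, seen, now=None):
    """Log lines for public-network leases whose (mac, expiry) is not in `seen`.
    `seen` is updated in place, so a renewed lease is logged again, a repeat is not."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(time.time() if now is None else now))
    records = []
    for expiry, mac, ip, host in leases:
        if not ip.startswith(PUBLIC_PREFIX) or (mac, expiry) in seen:
            continue  # private-network clients and already logged leases
        seen.add((mac, expiry))
        records.append("%s %s %s %s expires=%d" % (stamp, mac, ip, host, expiry))
    return records

def run(lease_path="/tmp/dnsmasq.leases", log_path="/jffs/public-clients.log"):
    """Append new records to the log; run it from cron every few minutes."""
    seen = set()
    try:
        with open(log_path) as log:  # rebuild `seen` from earlier log lines
            for parts in (line.split() for line in log):
                if len(parts) == 5 and parts[4].startswith("expires="):
                    seen.add((parts[1], int(parts[4][8:])))
    except FileNotFoundError:
        pass  # first run: nothing logged yet
    with open(lease_path) as f:
        records = new_public_clients(parse_leases(f.read()), seen)
    with open(log_path, "a") as log:
        log.writelines(r + "\n" for r in records)
    return len(records)
```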

Installing BackTrack 4 beta on a USB disk

You might have noticed that BackTrack 4 Beta has been out for a few days. Since it brings some interesting new features I planned to upgrade/reinstall my BT3 USB disk to the latest edition.

For Linux users there is a quick install guide that lists the commands needed to set up the system.
Having only a Windows system lying around at that precise moment, I had to follow another procedure. The easiest way is the following:

  1. First format your partition as FAT32. Windows refuses to format partitions bigger than 30GB as FAT32 (to push users towards NTFS). It's only a GUI limitation, so you can still use the CLI: format d: /fs:fat32.
  2. Now download Unetbootin. It's a kind of assistant that installs ISOs to your USB disk. (Thanks for the tip, Security4all)
  3. In Unetbootin choose Disk image and specify the path to the BT4b ISO file.
  4. For the Type I had to choose manual, as Unetbootin didn't detect my disk as a USB disk.
  5. Just press the OK button and wait.

I noticed there was no bootloader installed on the USB disk, so I had to do this manually. It's fairly simple:
browse to the disk on your computer and execute the d:\boot\bootinst.bat script. The script will try to autodetect the drive letter and will ask for confirmation. Double-check it and confirm.

Now boot your system from the USB disk and here it is: BackTrack 4 beta.

Performance tuning an SQL query

In the last few weeks we had serious performance issues on a server we're renting with a few friends. That server happens to be running mechelenblogt.be, a website that keeps growing both in number of visitors and in codebase/features (it runs Drupal).

Originally the server wasn't scaled for such load (Intel(R) Celeron(R) CPU 2.66GHz, 512MB RAM) and we thought the performance issues were caused by the many images and extra visitors. Fortunately Floris found out that the cause was a not-so-performant SQL query.
(Yes, I know, we could have seen it by looking at the MySQL slow query log, but you usually only think about that when it's too late.)

The bad query was:

SELECT SQL_NO_CACHE drupal_comments.comment, drupal_comments.cid as cid, 
       drupal_node.title, drupal_node.nid, drupal_comments.uid, 
       drupal_users.name as name_known, drupal_comments.name as name_anonymous 
  FROM drupal_comments 
 INNER JOIN drupal_node ON drupal_comments.nid = drupal_node.nid  
 INNER JOIN drupal_users ON drupal_comments.uid = drupal_users.uid 
 WHERE drupal_node.comment > 0 
   AND drupal_node.status = 1 
 ORDER BY drupal_comments.timestamp DESC
 LIMIT 0 , 6;
Showing rows 0 - 5 (6 total, Query took 1.9932 sec)

You can see the query took almost 2 full seconds, which is totally unacceptable.
When analysing the query there is only one thing that can be the cause of the slowdown: the ORDER BY drupal_comments.timestamp DESC. Executing the query without the ORDER BY confirmed it: Query took 0.0011 sec.

If you want to test the performance of a query you need to use SQL_NO_CACHE. The query cache will then not be used and you can trust the timings MySQL gives you. If you don't disable the cache, the second time you run the query you'll have a blazing fast result.

OK, how can we improve this? Functionally I want to get the last rows from the drupal_comments table joined to a few other things. Internally MySQL seems to treat tables as a kind of map with no specific order, so there is no query that says 'SELECT * FROM table TAIL 6'.
The drupal_comments table has a field called cid, so why not play around with that?

First try: ORDER BY cid instead of the timestamp. Unfortunately this doesn't change a lot. Still 1.5 to 2.0 sec.

Second try: the ugly WHERE drupal_comments.cid > ((SELECT MAX(cid) FROM drupal_comments) - 6). This subquery gets the highest cid number and subtracts 6 from it, giving me the last 6 comments.

SELECT SQL_NO_CACHE drupal_comments.comment, drupal_comments.cid as cid, 
       drupal_node.title, drupal_node.nid, drupal_comments.uid, 
       drupal_users.name as name_known, drupal_comments.name as name_anonymous 
  FROM drupal_comments 
 INNER JOIN drupal_node ON drupal_comments.nid = drupal_node.nid  
 INNER JOIN drupal_users ON drupal_comments.uid = drupal_users.uid 
 WHERE drupal_node.comment > 0 
   AND drupal_node.status = 1 
   AND drupal_comments.cid > ( ( SELECT MAX( cid ) FROM drupal_comments ) - 7 )
 ORDER BY drupal_comments.timestamp DESC
Showing rows 0 - 5 (6 total, Query took 0.0019 sec)

Woohoo, this seems to work!
This query has a few drawbacks and bugs. One I can immediately think of is missing comments when one has been deleted. To work around this problem you could fetch more rows with the cid condition and LIMIT the number of results. Here's a new query:

SELECT SQL_NO_CACHE drupal_comments.comment, drupal_comments.cid as cid, 
       drupal_node.title, drupal_node.nid, drupal_comments.uid, 
       drupal_users.name as name_known, drupal_comments.name as name_anonymous 
  FROM drupal_comments 
 INNER JOIN drupal_node ON drupal_comments.nid = drupal_node.nid  
 INNER JOIN drupal_users ON drupal_comments.uid = drupal_users.uid 
 WHERE drupal_node.comment > 0 
   AND drupal_node.status = 1 
   AND drupal_comments.cid > ( ( SELECT MAX( cid ) FROM drupal_comments ) - 12 )
 ORDER BY drupal_comments.timestamp DESC
 LIMIT 0 , 6;
Showing rows 0 - 5 (6 total, Query took 0.0017 sec)

As you can see the query is still blazing fast and one possible bug has been eliminated. I still wonder if there is a better way to get those last rows... Does anyone have a better idea?
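As an added illustration (not from the original post), the following Python script rebuilds the problem in an in-memory SQLite database with a constructed copy of the three tables: it shows the cid window of the second try losing a row once a comment in that window has been deleted, the widened window with LIMIT returning all six, and that an index on drupal_comments.timestamp lets the ORDER BY be served from the index instead of a sort (SQLite's "TEMP B-TREE" is the counterpart of MySQL's filesort, which is what the original ORDER BY pays for). SQLite is used here only because it runs anywhere; the same index is the usual MySQL answer to the question above.

```python
import sqlite3

# Constructed copy of the three tables, with only the columns the query uses.
SCHEMA = """
CREATE TABLE drupal_users(uid INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE drupal_node(nid INTEGER PRIMARY KEY, title TEXT, comment INTEGER, status INTEGER);
CREATE TABLE drupal_comments(cid INTEGER PRIMARY KEY, nid INTEGER, uid INTEGER,
                             name TEXT, comment TEXT, timestamp INTEGER);
"""
# Same shape as the post's query; `extra` takes the optional cid condition.
QUERY = """SELECT c.cid FROM drupal_comments c
 INNER JOIN drupal_node n ON c.nid = n.nid
 INNER JOIN drupal_users u ON c.uid = u.uid
 WHERE n.comment > 0 AND n.status = 1 {extra}
 ORDER BY c.timestamp DESC LIMIT 6"""
NAIVE_CID = "AND c.cid > ((SELECT MAX(cid) FROM drupal_comments) - 6)"
WIDE_CID = "AND c.cid > ((SELECT MAX(cid) FROM drupal_comments) - 12)"

def build_db(deleted_cid=10, n_comments=12):
    """In-memory database with constructed rows; one comment has been deleted."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO drupal_users VALUES (1, 'someone')")
    db.execute("INSERT INTO drupal_node VALUES (1, 'a node', 2, 1)")
    for cid in range(1, n_comments + 1):
        if cid == deleted_cid:
            continue  # the deleted comment leaves a hole in the cid sequence
        db.execute("INSERT INTO drupal_comments VALUES (?, 1, 1, NULL, ?, ?)",
                   (cid, "comment %d" % cid, 1000 + cid))
    return db

def last_comments(db, extra=""):
    """cids the query returns, newest first."""
    return [row[0] for row in db.execute(QUERY.format(extra=extra))]

def sorts_with_temp_btree(db, extra=""):
    """True when no index serves the ORDER BY and SQLite sorts (like a MySQL filesort)."""
    plan = db.execute("EXPLAIN QUERY PLAN " + QUERY.format(extra=extra))
    return any("TEMP B-TREE" in row[-1] for row in plan)

def add_timestamp_index(db):
    db.execute("CREATE INDEX comments_timestamp ON drupal_comments(timestamp)")

if __name__ == "__main__":
    db = build_db()
    print("naive cid window:", last_comments(db, NAIVE_CID))  # one row short
    print("widened + LIMIT :", last_comments(db, WIDE_CID))
    print("temp sort before index:", sorts_with_temp_btree(db))
    add_timestamp_index(db)
    print("temp sort after index :", sorts_with_temp_btree(db))
```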

BruCON call for papers

Are you also one of those complaining about having to go abroad for a decent security conference?

Stop worrying, BruCON is finally here. It's the first Belgian security conference, taking place on the 18th and 19th of September.

Security researchers: Check out the Call for Papers:
Visitors: Keep the date free in your agenda and subscribe to the blog and RSS feed.

FOSDEM Speaker interviews

Did you notice speakers get interviewed before FOSDEM?
Check out these interviews:

More will probably come later...