Latest Event Updates

Useful Linux Commands To Benefit All

Posted on

As a true GNU/Linux user I always hear things from other users beside me. Well yes, aside from the usual swearing and cursing the day the mother-board was created. I am talking about other things I hear. For example the following:

  • Repeated key strokes of “UP + ENTER”
  • Moans of "Maximum allowed open files, wtf is that? I’m confused"
  • Subtle murmuring of "Why is this always showing only in IPv6?"

It’s these things that I hear and it’s the part that no one (at least the primates I encounter in the jungle) do not have the intellectual curiosity to research if there is a better way to perform that task. So just to help a little I am going to publish my small list of most useful GNU/Linux commands to help all primates, apes and monkeys alike (I consider my self a gorilla… I have seen some yetis but they seem to know Linux and use weird things like Slackware and DSL)

Find the number of open files for a given process.
ls -al /proc/fd | wc -l

Find the number of open sockets for a given process in-case the above was under the limit.
ls -al /proc/fd | grep socket | wc -l

Increase the limit of number of open files per process, here we use 2048. Damn why would a process open 2048 files at a time? Feels like a leak….
ulimit -n 2048

Amazing magic with the watch command. Monitor a command and set an interval in second. The below command executes ls -l every 1 seconds to monitor any file changes in the directory. (wow my hand doesn’t hurt anymore)
watch -n 1 'ls -l'

View all network connections on IPv6 and IPv4, or just remove -i6 to just see IPv4.
lsof -Pnl +M -i6 -i4

Show all folders in a directory and how much space they take up and display their sizes in bytes and sort by size
du -s * | sort -g

Be a complete jerk and get the CPU usage to 100% at constant rate! ๐Ÿ™‚
ping -l 10000 -s 10 -q -f localhost

Please remember to look at the MAN pages for these commands to further customize them to your needs.

Advertisements

WhatsApp is WhatSucks

Posted on Updated on

One of the most popular cross-platform mobile application used as a replacement for messaging and sharing multimedia is under scrutiny of being insecure. Yes, we are talking about none other than WhatsApp. Now we have seen previous instances of idiocy here but the victims there are mostly financial institutions and their reputation, which not a lot of people really care about.

It has been reported by Sam Granger that WhatsApp on Android uses your phone IMEI to generate its passwords:

md5(strrev(โ€˜your-imei-goes-hereโ€™))

Then a little later it seems WhatsApp did something about it! By reading the comments section of Sam Granger’s blog it seems it no longer works. Yeah… WhatsApp actually did something about it! Great… but hold your excitement it seems that everything is not what it seems.

Recently reported by Ezio Amodio that WhatsApp on iOS is back up to their old password trickery again. This time they are using the iPhone’s MAC address to generate the password like so:

md5(AA:BB:CC:DD:EE:FFAA:BB:CC:DD:EE:FF)

Our dear friends at H-Online have verified the blog post and well just being on H-Online is something important.

So what sucks about WhatsApp ? Their security, your privacy and their embarrassment.

UPDATE
Commenter posted a link to pastebin with the most curious title Reverse Engineering: How WhatsApp (not) Securing Your Data It’s a great read and there are George Carlin references too! Can’t get better than that, cryptography, sarcasm, George Carlin and nifty rev-engineering.

Bypass Qualys and Acunetix Using GWT

Posted on Updated on

We all heard about vulnerability scanners such as Qualys and Acunetix and how they’re at the forefront of security! Right until they hit a website created using the Google Web Toolkit otherwise known as GWT.

Trying to scan a web application created using GWT with Qualys or Acunetix results in utter failure. With all the propaganda being spewed out by those companies on how advanced they are, they cannot even properly scan a GWT web app. It’s not like GWT is something special, it’s just JavaScript, Ajax, HTML5 and CSS all smashed together.

People have even raised the issue that GWT built apps are not supported by Acunetix as is shown in this issue. Poor thing has no replies and is date from last year. Yes, this is how much Acunetix cares.

Qualys has no mention on GWT support, but I can assure all that they do not have any support. Mainly because I developed a large GWT web app and we tried scanning it with Qualys and it fails numerous times. It cannot even get past the log in page. Issues were raised like months ago and it seems they’re struggling.

Why is this bad?

Well according to InfoSecurity Magazine most open-source frameworks have security vulnerabilities. Most get used in mission critical applications and the user or company may not know that vulnerabilities exists nor if new versions were released that fixed those. This being said, according to InfoSecurity Magazine Google Web Toolkit was downloaded 17.7 million times with known vulnerabilities and this was dated in April 2012. So that means GWT version 2.4.0 has the vulnerabilities and maybe people should read the changelog of release candidate 2.5.0.

XOR is NOT Cryptography

Posted on Updated on

During my many years of developing software, working with opensource projects and using GNU/Linux systems you tend to do something odd. Yes, at times you tend to do something that causes your eyes to skim through letters and words dedicated to educating you about a subject. Well I’ll be damned, they call this “reading documentation” ๐Ÿ™‚

So yes, I assume many other developers spend as much time as I do, or anyone else, doing expected things like reading Linux MAN pages, manuals and all sorts of technical docs to gain a better understanding of a topic at hand.

Then what happens, you find the most retarded practice ever being used by some of the largest and most trusted software companies in the world. During my work I have encountered a financial software that was purchased (company names shall not be mentioned) that was written in Java. Being curious about how these things work I browsed the files and found a file named PasswordCryptography.class … Yeah, that’s what I’m talking about. Lets take a look.

So we whip up JAD and decompile that class file. I was expecting to see amazing algorithms being used or maybe some sort of custom crypto methods … you know, things like that. What did I see…

  • AES256 ? …… no
  • Blowfish ? ….. no
  • TripleDES ? ….. no
  • Not even regular DES ?? …. nope

What did I see? I saw XOR OBFUSCATION of passwords using a key that was embedded right into the java class file. At this point I was ready to jump out any window given it was open and large enough.

This is their idea of “cryptography”

for(int i = 0; i < aa.length; i++)
{
    int k = aa[i] ^ key[j];
    int l = (k & 0xf) << 4;
    int i1 = (k & 0xf0) >> 4;
    aa1[i] = l | i1;
    if(j < key.length - 1)
         j++;
    else
         j = 0;
}

WTF? And here’s the part that really kills me. Why call it “PasswordCryptography” ?? I would have been perfectly fine if the file was called “InsecurePasswordXorObfuscation” … ok ok too harsh, how about “PasswordObfuscation” Of course, you know the programmer must have spent a lot of time coding, testing, coding and re-testing this that it was sooooo hard it had to have been cryptography! And thus decides to name the class “PasswordCryptography” and then this somehow passes all engineering stages, peer review, unit tests …etc and ends up being a part of one of the largest financial software solutions in the world and your password is protected by cryptography XOR obfuscation. Anyone after reading Encryption Matters will know how to reverse the obfuscation.

Even when I was a beginner it took no less than 1 hour to google “password encryption” and figure out that I could just download a jar file, import it and make a 1 line function call to encrypt a password using REAL encryption.

Eclipse Tooltip Issue with Ubuntu

Posted on Updated on

First off I want to say that I really hate Ubuntu. You install Eclipse on Ubuntu 12.04 and load it up to do some coding and only to be faced with the most annoying problem: black tooltip background. Sounds stupid? yes, as stupid as the distro is. This is the only distro I encountered that presents this problem with eclipse.

Either way, solving it was not as easy as installing Ubuntu! You have to go to the directory that holds the ubuntu themes, in my case it was “/usr/share/themes/Radiance” and edit the gtk-2.0 and gtk-3.0 css settings files and reset the background color of tooltip to #F5F5B5.

Someone was so nice as to post how to do this here

This got me on my way to putting my eye balls back in the sockets when I debug code. I still feel that Ubuntu, while easy to install is annoying to modify.

……….. Gentoo Rules!