Category Archives: Tech

The geek is strong is this one

DNS-based mitigation for Samsung SwiftKey keyboard vulnerability

I was just listening to the discussion of the Samsung SwiftKey keyboard vulnerability from Security Now! episode 513, and I came up with a simple DNS-based mitigation that a user could implement to protect themselves.

The Vulnerability

Without any user interaction, the user’s phone makes a plaintext http GET request to a SwiftKey update server, and this request can be hijacked and malicious code injected into the phone by any man-in-the-middle bad actor. According to NowSecure, the discoverer of the vulnerability, the request looks like this:

GET http://skslm.swiftkey.net/samsung/downloads/v1.3-USA/az_AZ.zip

DNS-based Mitigation

With a rooted Android phone, a user could edit their /etc/hosts file to redirect the hostname of the update server (skslm.swiftkey.net) to localhost, preventing the http GET request from ever leaving the phone. In other words, the user is hijacking the request to the update server before a bad guy gets the opportunity to do the same.

With a non-rooted phone, there are DNS Resolver apps that can be installed that do the same kind of redirection to localhost.

Will this kind of mitigation work? Since I don’t have an Android phone to test against, this is just a thought experiment for myself.

Backup Your Dropbox Files with rdiff-backup

The Problem

Teresa and I use a single Dropbox account to share files between our computers. I also use the same account to store (and sync) plain-text notes on my iPad and iPhone (I use the apps PlainText and iA Writer). In case things go wrong with these apps, the syncing, or with Dropbox itself, I want to backup my Dropbox files and keep past snapshots of the backups so I can go back in time.

The Solution

rdiff-backup can do this. It is a command-line tool written in Python that:

…backs up one directory to another, possibly over a network. The target directory ends up a copy of the source directory, but extra reverse diffs are stored in a special subdirectory of that target directory, so you can still recover files lost some time ago. The idea is to combine the best features of a mirror and an incremental backup.

To make this all happen, I have Dropbox installed, signed-in, and running on my Linux desktop/server, which runs Ubuntu 11.04 Natty with Gnome 2.

Install rdiff-backup thusly:

    # aptitude install rdiff-backup

I use the directory /backup/ to hold all my backup targets, so I can run rdiff-backup like this:

    $ rdiff-backup  \
        --exclude $HOME/Dropbox/.dropbox \
        --exclude $HOME/Dropbox/.dropbox.cache \
        $HOME/Dropbox /backup/Dropbox

Every time I run rdiff-backup like this, it creates a new snapshot of my Dropbox files. Old snapshots are kept until I decide to purge them (if at all). To purge any snapshots older than two months, for example, I run this command:

    $ rdiff-backup --force --remove-older-than 2M /backup/Dropbox

I run the above two commands in an @hourly crontab script to keep this all happening automatically.

Browsing Past Snapshots

rdiff-backup has its own commands for digging into the files stored in the past snapshots, but it requires exactly knowing the filenames and backup times. Another tool, rdiff-backup-fs solves this problem by mounting the rdiff-backup backup directory as a FUSE filesystem, allowing me to grep and find my way through a directory tree of all snapshots.

After installing FUSE and rdiff-backup-fs, I mount my Dropbox snapshot tree with this command:

    $ rdiff-backup-fs ~/mnt /backup/Dropbox

Note that the order of the arguments for mounting source and target are backwards compared to the canonical mount command.

A long listing of my 10-oldest snapshots looks like this:

    $ ls -lF ~/mnt/ | head -10
    total 0
    dr-xr-xr-x 1 root root 4096 2013-03-10 13:52 2013-01-06T05:00:01/
    dr-xr-xr-x 1 root root 4096 2013-03-10 13:52 2013-01-06T06:00:01/
    dr-xr-xr-x 1 root root 4096 2013-03-10 13:52 2013-01-06T07:00:01/
    dr-xr-xr-x 1 root root 4096 2013-03-10 13:52 2013-01-06T08:00:01/
    dr-xr-xr-x 1 root root 4096 2013-03-10 13:52 2013-01-06T09:00:01/
    dr-xr-xr-x 1 root root 4096 2013-03-10 13:52 2013-01-06T10:00:01/
    dr-xr-xr-x 1 root root 4096 2013-03-10 13:52 2013-01-06T11:00:01/
    dr-xr-xr-x 1 root root 4096 2013-03-10 13:52 2013-01-06T12:00:01/
    dr-xr-xr-x 1 root root 4096 2013-03-10 13:52 2013-01-06T13:00:01/

I can then explore all my snapshots at once with any tools wish.

When done, I unmount the rdiff-backup-fs filesystem with:

    $ /bin/fusermount -u ~/mnt

Dell laptop BIOS update using FreeDOS and ISO Master

I recently needed to update the BIOS on a Dell Inspiron 630m laptop. The file, available from Dell support, is a DOS executable named MX51_A04.EXE.

I had two problems with this file: (1) Windows would not boot, so I couldn’t run the file using Windows. (2) The laptop had no floppy drive, so I couldn’t easily boot into DOS.

Now, one can solve this problem by booting from a FreeDOS LiveCD to run the file. But then you have to figure out how to get and run the MX51_A04.EXE file from within the FreeDOS environment. Various websites suggested methods using USB flash drives, but I couldn’t get this to work.

Instead, I was able to add the file to the LiveCD ISO image before I burnt the CD. Here’s how it worked:

  1. Download the FreeDOS LiveCD called fdfullcd.iso (153MB).
  2. Under Linux or Windows, install and run ISO Master.
  3. Load the fdfullcd.iso in ISO Master and then add the MX51_A04.EXE file to it.
  4. Save the modified ISO under a new name.
  5. Burn the modified ISO to a CD and boot from that.
  6. When you boot the laptop using this modified FreeDOS LiveCD, be sure to choose the LiveCD mode and not the install option.
  7. Once you have a DOS prompt, the command X: will switch you to the X: drive, where you’ll find the contents of the CD and the BIOS update file.
  8. Run it, cross your fingers, and reboot.

A Better Online Dictionary

[die.net]

I like using the online dictionary at die.net because it’s fast and clean.

It’s easy to query, also. Just append your word to the end of the URL. For example:

It describes itself as offering “free cross-referenced definitions, spelling correction, and word searches from WordNet, Webster’s, FOLDOC, and a variety of specialized sources.”

In the “spam” entry above, some of the sources include the Free On-Line Dictionary of Computing, the Virtual Entity of Relevant Acronyms, and the Jargon File.

Which editor should I learn?

On serverfault.com, Rory McCann asked, “What’s the best terminal editor to suggest to a Unix newbie? i.e. not vi or Emacs.”

This answer, which purposefully ignores the original poster’s restriction, says it best:

My take is still Emacs or vi. Even for a beginner.

Why?

Because time invested in learning an editor is productive only as long as you keep using that editor. All those less expressive options are poor choices for the long run, and will be abandoned eventually. At which point the time spent learning them is wasted, and the user still has to learn Emacs or vi.

In other words, the best (most expressive) tool for the job is one of Emacs or vi, and so you’ll eventually switch to one of them. It ultimately doesn’t matter which one you choose, but you would be smart to invest yourself into learning one of them.

For the record, I’m a vim user, and I love using it.

How to Disable Autosave in WordPress

The autosave feature in recent versions of WordPress (versions 2.5–2.7) is actually a misfeature:

… A misfeature is not a bug. Nor is it a simple unforeseen side effect; the term implies that the feature in question was carefully planned, but its long-term consequences were not accurately or adequately predicted (which is quite different from not having thought ahead at all).

The improper functioning of the WordPress autosave has bitten me several times. It’s supposed to prevent you from losing work by periodically saving your blog edits in the background, when in fact it has caused me to lose work by its very operation.

[WordPress Logo Inverted]

Basically, the most recent edits made to a blog entry often get dropped when you go to “Preview” or “Publish” the entry. In other words, during either of these two operations, it reverts you to what it had autosaved in the past and the new edits are lost. The frustrating thing is that most users would expect the “Preview” operation if not the “Publish” operation to properly save what’s in the edit box. So often, you might end up publishing an incomplete or incorrect version of your blog entry without even knowing it.

This is madness. Let’s stop it.

Find the following four files in the wp-admin/ directory of your WordPress installation:

  1. page-new.php
  2. page.php
  3. post-new.php
  4. post.php

and comment out the following line:

wp_enqueue_script('autosave')

by changing it to:

//wp_enqueue_script('autosave')

This will disable the autosave feature in the WordPress user interface.

A secondary part of the solution, too, is to always hit “Save Draft” before hitting “Preview”. I’m not sure if this is strictly necessary, but now I’m paranoid.

Thanks to Allen Day and William Lone for showing me how to do this.

Jason’s Alternator Story

My friend Jason Rule was in Edmonton for the Father’s Day weekend and had a funny trip back from Edmonton to Calgary. In his own words, here is what happened.

[Alternator photo by goodharbor. Used with permission.]

While driving in Edmonton, I noticed at one point my alternator light go on… It just happened for a second and I did not really think anything of it. Later as I was leaving the city, the light was about 50% on, so basically it’s putting out some power—the exact amount the car needs. By the Edmonton International Airport, the light was on and I was running on battery power (the battery power was making the spark for the engine).

I went into conservation mode and turned off all electrical systems but the radio.

Around Red Deer, the engine started skipping a beat and the radio died. There was not enough power to spark the plugs… I pulled over (leaving the engine running) and quickly wired up my second battery to the engine by the wires I had pre-installed years before. The car’s back to life!!! I turn off the radio and keep driving.

It starts raining… I try using the windshield wipers, but there is so little power, they take about 10 seconds to cycle. So, with no fan (defog) and no wipers… I continue.

I need to stop in Didsbury where Brooke’s dad lives. I needed to pick something up and get as much power as possible. About 10 km from Didsbury, the dash fails, no speedo, nothing… About 3 km from Didsbury, the car is skipping again. I am approaching a stop sign and go to apply the brake. The power going to the brake lights makes the engine quit. As I was still travelling fast, I pop the clutch and get the engine running again. I then stop the car with engine breaking and the ebrake. I just get to the house and park in front of her dad’s truck.

Without explaining what I was doing, I start his truck and start transferring as much power as possible via booster cables into the car battery. I also start charging the second battery via a charger…. How long to wait… it’s 8 p.m. and the sun is going down. By 9:45 p.m., it will be dark and I will need headlights and I will be screwed… But, I need as much power as possible.

I pull out almost all of the circuit breakers from the fuse box. At 8:15 p.m., I start driving, extra battery not connected, car battery driving the engine. There are no electrical systems at all…

I make it to just north of Airdrie. Engine, with no warning, fails… Poor steering and brakes (that was a surprise). I pull over and remove the primary battery and install the secondary battery. I tried to start the engine, but there is not enough power to turn the starter…. I get out of the car, push it backwards, down the little hill I was on… Pop the clutch and the engine is running… I’m off.

I make it to Deerfoot and McKnight. Engine again quits… I pull over and call Brooke. The Deerfoot Trail is nuts as cars are going by at nuts speeds. She comes quickly and now it’s about 9:30 p.m. I pull the extra battery from her truck and throw it into the car. The car starts and we start driving—Brooke following me and being my lights.

About five blocks from home, car again fails… We load the gear into the truck and leave the car there for the night… We come back the next morning with a charged battery and drive home.

Two points to this story:

  1. All that crap I carry in my car sometimes comes in very handy.
  2. MacGyver himself would have been proud!

— Jason

My First Bug Report

I recently submitted my first bug report to the Debian Project, regarding mod_dav and apache2. It was accepted by the maintainers of the relevant packages, and they’re taking the necessary steps to fix it.

So I’m proud of my little contribution. 🙂 Yay for me! Yay for Debian!