A helper note for family and friends about your connectivity to the Internet from July 9 2012


This is a note targeted at family and friends who might find that they are not able to connect to the Internet from July 9, 2012 onwards.

This only affects those whose machines are running Windows or Mac OSX and have a piece of software called DNSChanger installed. DNSChanger modifies a key part of the way a computer discovers other machines on the Internet (the Domain Name System, or DNS).

Quick introduction to DNS:

For example, you want to visit the website http://www.cnn.com. You type this in your browser and magically, the CNN website appears in a few seconds. The way your browser figured out how to reach the www.cnn.com server was to do the following:

a) The browser took the www.cnn.com domain name and did what is called a DNS lookup.

b) What it received from the DNS lookup is a mapping of www.cnn.com to a bunch of numbers. In this case, it would have received something like:

www.cnn.com.        60    IN    A    157.166.255.18
www.cnn.com.        60    IN    A    157.166.255.19
www.cnn.com.        60    IN    A    157.166.226.25
www.cnn.com.        60    IN    A    157.166.226.26

c) The numbers you see in the lines above (157.166.255.18 for example) are the Internet Protocol (IP) numbers of the servers on which www.cnn.com resides. You notice that there is more than one IP number. That is for managing requests from millions of systems without having to depend on only one machine to reply. This is good network architecture. For fun, let’s look at www.google.com:

www.google.com.      59    IN    CNAME    www.l.google.com.
www.l.google.com.    59    IN    A    173.194.38.147
www.l.google.com.    59    IN    A    173.194.38.148
www.l.google.com.    59    IN    A    173.194.38.144
www.l.google.com.    59    IN    A    173.194.38.145
www.l.google.com.    59    IN    A    173.194.38.146

www.google.com has 5 IP #s associated with it, but you notice that the first line says CNAME (which stands for Canonical Name). What that means is that www.google.com is an alias for www.l.google.com, which in turn has 5 IP #s associated with it.

d) The beauty of this is that in a few seconds, you got to the website that you wanted without having to remember the IP # that is needed.

Why is this important? If you have a cell phone, how do you dial the numbers of your family and friends? Do you remember their respective phone numbers by heart? Not really, or at least not anymore. You probably know your own number and those of a small close group (your home, your work, your children, spouse, siblings). Even then, their names are in your contact book, and when you want to call (or text) them, you just punch in their names and your phone looks up the number and dials it.

The difference between your cell phone directory and the DNS is that you control what is in your phone directory. So, a name like “Wife” in your phone could point to a phone number that is very different from a similar name in your friend’s phone directory. That is all well and good.

But on the global Internet, we cannot have name clashes, and that is why domain names are such hot items; people snapped up a very large chunk of names during the dot-com rush in the late 1990s.

Now on to the issue at hand

So, what’s that got to do with this alarmist issue of connecting to the Internet from July 9, 2012?

Well, it has to do with the fact that there was a piece of software – malware in this case – that got installed on machines running Windows and Mac OSX. In all computers, the magic to do the DNS lookup is maintained by a file which contains information about which Domain Name Server to query when presented with a domain name like www.cnn.com.

For example, on my laptop (which runs Fedora), the file that directs DNS lookups is called /etc/resolv.conf. This is the same on Mac OSX, and I think there is something similar in the Windows world as well. Fedora and Mac OSX share a common Unix heritage and so many files are in common.

The contents of my /etc/resolv.conf file are:

# Generated by NetworkManager
domain temasek.net
search temasek.net lan
nameserver 192.168.10.1

The file is automatically generated when I connect to the network, and the crucial line is the one that reads “nameserver”. In this case, it points to 192.168.10.1, which happens to be my FonSpot wireless access point. But what is interesting is that my FonSpot access point is not a DNS server per se. In the setup of the FonSpot, I’ve got it to forward domain name lookups to Google’s public DNS servers, whose IP #s are 8.8.8.8 and 8.8.4.4.

Huh? What does this mean? Simply put, when I type http://www.cnn.com into my browser, that name’s IP # is looked up by my browser first asking the nameserver 192.168.10.1, which is the FonSpot; the FonSpot in turn goes and asks 8.8.8.8 for an answer. If 8.8.8.8 does not know, hopefully it will point to another IP # to ask next. Eventually, when an IP # is found, my browser uses that IP # to send a connection request to that site. All of this happens in milliseconds, and when it all works, it looks like magic.

What if you don’t get to the site? What if the entry in the /etc/resolv.conf file pointed to some IP # belonging to a malicious entity that wanted to “hijack” your web surfing? There is also a legitimate use for this kind of redirection. For example, when you connect to a public wifi access point (like Wireless@SG), you will initially get a DNS nameserver entry that belongs to the wifi access provider. Once you have successfully logged into that access point, your DNS lookups will be properly directed. This technique is called a “captive portal”. My FonSpot is a captive portal, by the way.

The issue here is that machines that have the DNSChanger malware have their DNS lookups hijacked and directed elsewhere. See this note by the US Federal Bureau of Investigation about it.

It appears that the DNSChanger malware had set up a bunch of IP #s to maliciously redirect all access to the Internet. If your /etc/resolv.conf file has nameserver entries that fall within any of the following ranges:

85.255.112.0 to 85.255.127.255
67.210.0.0 to 67.210.15.255
93.188.160.0 to 93.188.167.255
77.67.83.0 to 77.67.83.255
213.109.64.0 to 213.109.79.255
67.28.176.0 to 67.28.191.255

you are vulnerable.
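As an added example (not from the original post), here is a small Python check that parses a resolv.conf-style file and reports whether any nameserver falls inside the ranges listed above. The two sample files are constructed: one is the author’s file shown below, the other a hypothetical infected one using the first address of the first listed range.

```python
import ipaddress

# Address ranges listed in the post for the DNSChanger nameservers (first, last), as given there.
DNSCHANGER_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("67.28.176.0", "67.28.191.255"),
]

def ranges_to_networks(ranges):
    """Turn (first, last) address pairs into the minimal list of CIDR networks."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    return nets

ROGUE_NETWORKS = ranges_to_networks(DNSCHANGER_RANGES)

def parse_nameservers(resolv_conf_text):
    """Return the addresses on 'nameserver' lines, ignoring '#' and ';' comments."""
    servers = []
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def in_rogue_range(address):
    """True when an IPv4 address falls inside one of the listed ranges."""
    try:
        ip = ipaddress.IPv4Address(address)
    except ipaddress.AddressValueError:
        return False        # IPv6 or garbage: not covered by this IPv4 list
    return any(ip in net for net in ROGUE_NETWORKS)

def check_resolv_conf(resolv_conf_text):
    """Map each configured nameserver to whether it sits in a DNSChanger range."""
    return {ns: in_rogue_range(ns) for ns in parse_nameservers(resolv_conf_text)}

# Constructed samples: the author's file from the post, and a hypothetical infected one.
CLEAN_CONF = """\
# Generated by NetworkManager
domain temasek.net
search temasek.net lan
nameserver 192.168.10.1
"""
INFECTED_CONF = """\
# hypothetical: first entry is the first address of the first listed range
nameserver 85.255.112.0
nameserver 8.8.8.8
"""

if __name__ == "__main__":
    for label, text in (("clean", CLEAN_CONF), ("infected", INFECTED_CONF)):
        print(label, check_resolv_conf(text))
```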

Here’s a test I did with the first of those IP #s on my Fedora machine:

[harish@vostro ~]$ dig @85.255.112.0 www.google.com

; <<>> DiG 9.9.1-P1-RedHat-9.9.1-2.P1.fc17 <<>> @85.255.112.0 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34883
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.com.            IN    A

;; ANSWER SECTION:
www.google.com.        464951    IN    CNAME    www.l.google.com.
www.l.google.com.    241    IN    CNAME    www-infected.l.google.com.
www-infected.l.google.com. 252    IN    A    216.239.32.6

;; AUTHORITY SECTION:
google.com.        32951    IN    NS    ns2.google.com.
google.com.        32951    IN    NS    ns4.google.com.
google.com.        32951    IN    NS    ns3.google.com.
google.com.        32951    IN    NS    ns1.google.com.

;; ADDITIONAL SECTION:
ns1.google.com.        33061    IN    A    216.239.32.10
ns2.google.com.        33061    IN    A    216.239.34.10
ns3.google.com.        317943    IN    A    216.239.36.10
ns4.google.com.        33297    IN    A    216.239.38.10

;; Query time: 305 msec
;; SERVER: 85.255.112.0#53(85.255.112.0)
;; WHEN: Sun Jul  8 21:40:07 2012
;; MSG SIZE  rcvd: 242

Some explanation of what is shown above. “dig” (domain information groper) is a command that allows me, from the command line, to see what a domain’s IP address is. With the extra “@85.255.112.0”, I am telling the dig command to use 85.255.112.0 as my domain name server and get the IP for the domain www.google.com. Currently 85.255.112.0 is being run as a “clean” DNS server by those whom the FBI has asked to do so.

Hence, what will happen on July 9th 2012 is that the FBI’s arrangement for a reply to be given when 85.255.112.0 is used will expire. Therefore the command I executed above on July 8th 2012 will not return a valid IP number from July 9th 2012. While the Internet will keep working, people whose systems have been compromised to point to the bad-but-made-to-work-OK DNS servers will find that they can’t seem to get to any site by using domain names. If they instead used IP #s, they could get to the site with no issue.

A quick way to check if your system needs fixing is to go to http://www.dns-ok.us/ NOW. If it reports OK, your system’s /etc/resolv.conf (or the equivalent for those still running Windows) is not affected.

See the announcement from Singapore’s CERT on this issue.

Exposing localhost via a tunnel


I came across this tool, localtunnel, that offers a way to expose a localhost-based webserver (for example) to the Internet. It is a reverse proxy that reaches your machine behind a firewall by bouncing off an externally reachable host running localtunnel.

I tested it out on my Fedora 16 laptop (all I had to do was to run “gem install localtunnel” as I had ruby already installed).

I like the idea, but am not entirely convinced about the security exposure.

Public consultation on proposed Data Protection


I am really glad to see the call for public consultation on the proposed Data Protection act in Singapore. The closing date for submissions is 5pm October 25th, to the Ministry of Information, Communications and the Arts.

I do not yet have a position per se and do welcome comments on this blog. I will be happy to submit a consolidated feedback.

Next thing I want to see happen is a Freedom of Information Act being enacted. I am sure when parliament sits later this month, the Workers’ Party will bring that up since it was one of their key points in their election manifesto.


Is Vietnam blocking Facebook?


I am sitting at a lounge in Ho Chi Minh City’s international airport and connected to the wifi. Interestingly, I cannot reach facebook.com.  Here’s the dig and traceroute info:

$ dig www.facebook.com

; <<>> DiG 9.7.3-RedHat-9.7.3-1.fc14 <<>> www.facebook.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15351
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.facebook.com.		IN	A

;; AUTHORITY SECTION:
www.facebook.com.	86400	IN	SOA	vdc-hn01.vnn.vn. postmaster.vnn.vn. 2005010501 10800 3600 604800 86400

;; Query time: 17 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Thu May 12 19:11:39 2011
;; MSG SIZE  rcvd: 96

$ dig facebook.com

; <<>> DiG 9.7.3-RedHat-9.7.3-1.fc14 <<>> facebook.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22473
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;facebook.com.			IN	A

;; AUTHORITY SECTION:
facebook.com.		86400	IN	SOA	vdc-hn01.vnn.vn. postmaster.vnn.vn. 2005010501 10800 3600 604800 86400

;; Query time: 15 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Thu May 12 19:12:16 2011
;; MSG SIZE  rcvd: 92
# traceroute facebook.com
facebook.com: No address associated with hostname
Cannot handle "host" cmdline arg `facebook.com' on position 1 (argc 1)

# traceroute www.facebook.com
www.facebook.com: No address associated with hostname
Cannot handle "host" cmdline arg `www.facebook.com' on position 1 (argc 1)
# dig @8.8.4.4 www.facebook.com

; <<>> DiG 9.7.3-RedHat-9.7.3-1.fc14 <<>> @8.8.4.4 www.facebook.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22333
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.facebook.com.		IN	A

;; ANSWER SECTION:
www.facebook.com.	1	IN	A	69.63.189.26

;; Query time: 128 msec
;; SERVER: 8.8.4.4#53(8.8.4.4)
;; WHEN: Thu May 12 19:18:37 2011
;; MSG SIZE  rcvd: 50

Once I turned on my SSH tunnel, I could get to Facebook, but not otherwise. Interesting.
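The reasoning behind the two dig runs above can be made mechanical. As an added example (not part of the original post), the Python below parses constructed excerpts shaped like those two outputs and flags the two tell-tale signs: an authoritative empty answer whose SOA comes from an unrelated zone (vnn.vn for a facebook.com query), and a public resolver that does return addresses for the same name. The two-label zone comparison in base_domain is a simplifying assumption.

```python
import re

# Constructed excerpts shaped like the two dig runs in the post: the lounge
# resolver at 192.168.1.1 versus Google's public resolver at 8.8.4.4.
LOCAL_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15351
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;www.facebook.com.\t\tIN\tA
;; AUTHORITY SECTION:
www.facebook.com.\t86400\tIN\tSOA\tvdc-hn01.vnn.vn. postmaster.vnn.vn. 2005010501 10800 3600 604800 86400
"""
PUBLIC_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22333
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.facebook.com.\t\tIN\tA
;; ANSWER SECTION:
www.facebook.com.\t1\tIN\tA\t69.63.189.26
"""

def parse_dig(output):
    """Pull status, flags, answer count, query name, A records and SOA MNAME out of dig text."""
    info = {"status": None, "flags": set(), "answers": 0, "qname": None,
            "addresses": [], "soa_mname": None}
    section = None
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(";; ->>HEADER<<-"):
            info["status"] = re.search(r"status: (\w+)", line).group(1)
        elif line.startswith(";; flags:"):
            flags, _, counts = line[9:].partition(";")
            info["flags"] = set(flags.split())
            info["answers"] = int(re.search(r"ANSWER: (\d+)", counts).group(1))
        elif line.endswith("SECTION:"):
            section = line.split()[1]          # QUESTION, ANSWER, AUTHORITY, ...
        elif section == "QUESTION" and line.startswith(";"):
            info["qname"] = line[1:].split()[0].rstrip(".")
        elif line and not line.startswith(";"):
            f = line.split()                    # owner ttl class type rdata...
            if section == "ANSWER" and len(f) > 4 and f[3] == "A":
                info["addresses"].append(f[4])
            elif section == "AUTHORITY" and len(f) > 4 and f[3] == "SOA":
                info["soa_mname"] = f[4].rstrip(".")
    return info

def base_domain(name):  # crude: last two labels (assumption, no public-suffix list)
    return ".".join(name.lower().split(".")[-2:])

def compare_resolvers(local, public):
    """List signs that the local resolver is overriding a name the public one resolves."""
    findings = []
    if (local["status"] == "NOERROR" and local["answers"] == 0 and "aa" in local["flags"]
            and local["soa_mname"] and base_domain(local["soa_mname"]) != base_domain(local["qname"])):
        findings.append("authoritative empty answer for %s, SOA from %s" % (local["qname"], local["soa_mname"]))
    if not local["addresses"] and public["addresses"]:
        findings.append("no A records locally; public resolver gives %s" % ", ".join(public["addresses"]))
    return findings
```

Running compare_resolvers(parse_dig(LOCAL_DIG), parse_dig(PUBLIC_DIG)) yields both findings; the same check on two consistent answers yields none.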

Managing open source skepticism


I had an opportunity to speak to a few people from a government tender drafting committee on Wednesday.  They are looking at solutions that will be essentially a cloud for a large number of users and have spoken to many vendors.

I was given an opportunity to pitch the use of open source technologies to build their cloud and I think I gave it my best shot. I had to use many keywords – automatic technology transfer (you have the source code), helps to maintain national sovereignty, learning to engage the right way with the FOSS community, enabling the next generation of innovators and entrepreneurs and preventing vendor lock-in.

By and large, I think the audience agreed, except for one person who said “yeah, now it is open source, but it will become proprietary like the others”. Obviously this person has been fed FUD from the usual suspects, and I had to take extra pains to explain that everything that we, Red Hat, ship is either under the GNU General Public License or the GNU Lesser/Library General Public License. The GPL means no one can ever close up the code for whatever reason. I am not entirely sure I managed to convince that member of the audience. In a lot of ways, this is the burden we carry as Red Hatters in explaining our business model and how we engage with the FOSS community, etc.

Glad to have participated in the Cloud Workshop in Penang


I am pleased to have spent two days at the National Cloud Computing Workshop 2011 held in Penang, Malaysia, April 11-12 2011. Targeted at the Malaysian academic community, it offered some insights into the initiatives that the various universities in Malaysia are undertaking in rolling out an academic cloud, set up with a fully accountable Malaysian identity and access framework. I think this bodes well for their plans to push for a Malaysian Research Network (MyREN) Cloud, which it is hoped will be a way to encourage collaboration between faculty and students in sharing knowledge and learning. I was particularly pleased to have been invited to speak about cloud technologies from a Red Hat perspective, as well as to introduce the audience to the various open source collaboration and empowerment work Red Hat is doing from the Community Architecture team. When I mentioned POSSE and Red Hat Academy during my talk, as well as “The Open Source Way” and “Teaching Open Source”, I could sense a level of interest from the audience in wanting to know more. And true enough, the post-talk Q&A focused a lot on “how can we take part in POSSE”. Looks like there are going to be a few POSSEs in Malaysia this year! Let the POSSE bidding process begin!

On day two, I was invited to take part as a panelist with some of the other speakers to discuss the future of cloud in Malaysia and to throw up suggestions and ideas about what they could be targeting. One of my two suggestions was to first create a “researchpedia.my” as a definitive wiki-based resource that brings together the various research activities in Malaysia in the private and public universities as well as public-funded research institutions. The key is a site that is wiki-based, so that there are no unneeded bottlenecks in updates and the information is kept current. The second suggestion to the audience was to consider the various Grand Challenges and see if any of them would be interesting to pick up. What is needed is to aim really high, so that at least you will land on the moon if you miss. Aiming only to land on the moon may result in you landing in the ocean!

Overall, I think the organization was good. I am looking forward to the presentation materials of the speakers to be made online and to the next event!

Cloud for Academics


I am pleased to have an opportunity to speak from both a Red Hat and an open source perspective about cloud technologies to the academic community in Malaysia.

Clearly there is a lot to convey, and I am hopeful that they have an appreciation that they can and are welcome to participate in cloud-related projects. I hope that they’ve understood that there are projects such as Delta Cloud and related projects to which they could direct their students (undergrad or grad) to participate.
For the benefit of all, here are some links that would be good to explore:
I was also asked about what Red Hat does for academics, and it was a perfect shoo-in to introduce both POSSE and Red Hat Academy. Hopefully I will run a POSSE in Malaysia really soon.

SMS spam


Am always tickled to receive spam via SMS.  The first one this year came on January 8th and reads as:

+353866030616: Nokia celebrated 40yrs. Your Mobile Number has won 600,000 pounds in Nokia Awards. claimcode: EMAJN.To claim your prize send email to nokia_40years@live.com

And a second one today, March 10:

+447031835929: You have been awarded 500,000 British Pounds in the 2011 Shell Intl Mobile Draw. To receive your prize, contact Dr Williams via email:shellwin11@live.com
I pity the cell phone owner who is racking up an SMS bill because the phone got compromised. I wonder if it is a w7 phone?


Unfiltered feed from Al Jazeera


If you are running Fedora or Red Hat Enterprise Linux, you can watch the raw feed from Al Jazeera using this script:

======>8=====cut here=============
#!/bin/sh
# Pull the Al Jazeera English live RTMP stream with rtmpdump and pipe it straight into mplayer.
rtmpdump -v -r rtmp://livestfslivefs.fplive.net/livestfslive-live/ -y "aljazeera_en_veryhigh" -a "aljazeeraflashlive-live" -o - | mplayer -
======>8=====cut here=============
Save the preceding into a file called, for example, aljazeera.sh, make it executable (chmod +x aljazeera.sh) and then run it as ./aljazeera.sh
Enjoy.

Security breach of addons.mozilla.org


Thanks to Mozilla for this pro-active reporting of the security breach.  If any of you reading this blog have an account on addons.mozilla.org and have not received this note, please take action.


Mozilla Add-ons
 
date Tue, Dec 28, 2010 at 8:34 AM
subject Important notice about your addons.mozilla.org account

Dear addons.mozilla.org user,

The purpose of this email is to notify you about a possible disclosure
of your information which occurred on December 17th. On this date, we
were informed by a 3rd party who discovered a file with individual user
records on a public portion of one of our servers. We immediately took
the file off the server and investigated all downloads. We have
identified all the downloads and with the exception of the 3rd party,
who reported this issue, the file has been downloaded by only Mozilla
staff.  This file was placed on this server by mistake and was a partial
representation of the users database from addons.mozilla.org. The file
included email addresses, first and last names, and an md5 hash
representation of your password. The reason we are disclosing this event
is because we have removed your existing password from the addons site
and are asking you to reset it by going back to the addons site and
clicking forgot password. We are also asking you to change your password
on other sites in which you use the same password. Since we have
effectively erased your password, you don’t need to do anything if you
do not want to use your account.  It is disabled until you perform the
password recovery.

We have identified the process which allowed this file to be posted
publicly and have taken steps to prevent this in the future. We are also
evaluating other processes to ensure your information is safe and secure.

Should you have any questions, please feel free to contact the
infrastructure security team directly at infrasec@mozilla.com. If you
are having issues resetting your account, please contact
amo-admins@mozilla.org.

We apologize for any inconvenience this has caused.

Chris Lyon
Director of Infrastructure Security