Tuesday, December 6, 2011

Screensavers

I often leave my work computer unattended. I'm a very focused individual, so when I start working on a project that takes me away from my desk, I often forget to log out or lock the computer. Thank goodness for screensavers. I currently have my screensaver set up to lock my display after a brief five minutes in order to deter onlookers and pranking hackers (hello inverted mouse and Spanish menus).

I'm a fairly young navigator in this digital realm, but I'm not too young to remember peering through an ancient portal of cathode ray tubes. Not that long ago our desks were largely occupied by these enormous boxes; on the inside, an electron gun shot particles at the phosphor on the back of the screen, causing tiny points of light to appear. In order to save the phosphor screen from being permanently marked by being shot repetitively at the same point, screensavers were invented to add variety. From the endless (and impossibly designed) brick mazes to the simple bouncing balls (will they ever collide??), screensavers became an outlet for creativity and personalization.

Over fifty years ago, science fiction author Robert Heinlein predicted screensavers (and much more) in his novel Stranger in a Strange Land:

"They went to the living room; Jill sat at his feet and they applied themselves to martinis. Opposite his chair was a stereovision tank disguised as an aquarium; he switched it on, guppies and tetras gave way to the face of the well-known winchell Augustus Greaves."

No aquariums at work for me; I sport a simple "blank" screensaver. What's important to me is the "Lock screen when screensaver is active" option. So when I returned to my desk today after a trip to the land of the Sun (it's actually very dark and windy there, especially now that the land is owned by the Oracle), I was shocked to find my computer unlocked and vulnerable. I quickly sat down, moved my mouse towards the menu bar to check my screensaver settings... and BAM, screen locked. Weird? Then I realized that the screen didn't lock until I had moved my mouse out of my Windows 7 virtual machine into my Linux host. Looking around for a solution, I discovered this.

By default, VMware Workstation prevents the host screensaver from activating when the virtual machine is in full screen mode. This would appear to be all fine and good unless you're like me and full screen doesn't mean using both monitors. I usually work with a Windows 7 VM on the left and my host on the right monitor, so when I leave the mouse over in the VM, my host's screensaver won't activate until I move the mouse out of the VM. This would allow full access to the VM (since I'm relying on the host for the screensaver) and allow any observers to see any notifications or open programs on my host screen. A partial solution would be to add a screensaver to my VM, but this adds more annoyance when I minimize it for any length of time and have to re-authenticate.

To fix my screensaver problem, I added the following lines to my /etc/vmware/config:
mks.fullscreen.allowScreenSaver = "yes"
mks.x.screenSaverTimeout = 290


This enables the host screensaver even when a virtual machine is full screen, and ungrabs the keyboard and mouse focus from the VM after 290 seconds (just 10 seconds under 5 minutes), ensuring that the host screensaver will indeed activate after 5 minutes.
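A small audit script for the two settings above, added here as an example and not part of the original post: it reads the keys from a VMware config file and confirms that the VM releases the mouse and keyboard before the host lock is due, since an ungrab timeout equal to or longer than the host's lock delay would leave the host unlocked again. It assumes the key = "value" layout shown in the post (quotes optional) and takes the host lock delay in seconds.

```shell
#!/bin/sh
# Added example, not part of the original post: audit /etc/vmware/config for
# the two keys discussed above and confirm that the VM releases the mouse and
# keyboard before the host screen lock is due, so a full-screen VM cannot
# hold the host screensaver off. Assumptions: the key = "value" layout shown
# in the post (quotes optional) and the host lock delay given in seconds.

# Print the value of key $2 from config file $1 (last definition wins), with
# surrounding double quotes removed; prints nothing if the key is absent.
vmware_cfg_get() {
    grep "^[[:space:]]*$2[[:space:]]*=" "$1" 2>/dev/null | tail -n 1 |
        sed 's/^[^=]*=[[:space:]]*//; s/^"//; s/"[[:space:]]*$//'
}

# Return 0 only when the host screensaver is allowed while a VM is full
# screen AND the ungrab timeout is shorter than the host lock delay.
check_vmware_lock_cfg() {
    cfg="$1"; host_lock_secs="$2"
    allow=$(vmware_cfg_get "$cfg" mks.fullscreen.allowScreenSaver)
    ungrab=$(vmware_cfg_get "$cfg" mks.x.screenSaverTimeout)
    case "$allow" in
        yes|YES|true|TRUE) ;;
        *) echo "FAIL: host screensaver blocked while a VM is full screen"; return 1 ;;
    esac
    case "$ungrab" in
        ''|*[!0-9]*) echo "FAIL: mks.x.screenSaverTimeout missing or not numeric"; return 1 ;;
    esac
    if [ "$ungrab" -ge "$host_lock_secs" ]; then
        echo "FAIL: VM ungrabs after ${ungrab}s but the host locks after ${host_lock_secs}s"
        return 1
    fi
    echo "OK: VM ungrabs after ${ungrab}s, host locks after ${host_lock_secs}s"
}

# Write the author's two lines to a constructed config file (sample data).
write_sample_config() {
    printf '%s\n' 'mks.fullscreen.allowScreenSaver = "yes"' \
        'mks.x.screenSaverTimeout = 290' > "$1"
}

# Demo against the constructed file with a 5 minute (300 s) host lock.
sample=$(mktemp)
write_sample_config "$sample"
check_vmware_lock_cfg "$sample" 300
rm -f "$sample"
```

Run it against the real file with `check_vmware_lock_cfg /etc/vmware/config 300` (or whatever your screensaver's lock delay is).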

Keep your screens safe fellow navigators!

Friday, November 4, 2011

Goodbye: A Linux Distribution Identity Crisis

When Ubuntu 11.04 was first released, Ubuntu fans around the world were immediately split. Some welcomed Unity with open arms and praised its ingenuity while others screamed "blasphemy!" and threatened to leave for another distribution. I've read so many reviews, comments and rants about Unity that frankly, I grew uninterested. Now that some time has passed and I've actually spent some time at work and at home using Unity, I'm ready to counter-review all of the blogging professionals (celebrate blogging procrastination!).

First, I should say that I'm a newborn baby to the world of Linux. A little over a year ago, I installed Ubuntu 10.04 on my netbook and decided I should learn Linux. It was NOT love at first sight. Gnome 2 felt dated in comparison to my recently upgraded Windows 7 desktop. The command line was completely new to me and I couldn't figure out why anyone would prefer using it. My wireless card didn't work out of the box and I spent hours blindly launching commands I had found on forums (sudo rm -rf /*.. jerks). Two months later, I installed Ubuntu on my desktop. I had fallen in love. Looking back, I don't know how I ever completed tasks without Linux. The Linux way is the only way. And as far as Ubuntu is concerned, it's got an excellent repository thanks to Debian and a huge user support base. Linux is now my safe place - sometimes I launch a shell as root just to feel powerful.

But enough about the past! I could have gotten a lot more hits if I had immediately published this, but let's be honest: there's no way to know if you like interface changes immediately. Sometimes features and changes grow on you, sometimes you grow to hate what you initially loved, and sometimes you start to miss the old ways; geeks are fickle. These days the default Gnome 2 Ubuntu setup looks pretty dated. Windows XP dated (No! Say it isn't so!). Sure, some people like a simple layout without all the bells and whistles, but even I like some extra features and slick GUIs as long as usability isn't lost. Canonical also wants to compete for more desktop users (Linux is still largely viewed as the operating system for web servers).

Enter Unity.


By default, Unity looks pretty slick. The left side application launcher is nice looking and fairly typical of modern day OS X / Windows 7 launchers. The use of vertical space rather than horizontal space is interesting, and the way that applications pile up on the bottom when it starts to fill up is pretty genius.

Out with the old, in with the... left side application launcher?

The quick search feature is similar to OS X's Spotlight or Windows 7's search bar. It's a welcome addition that I wish was just a tad bit faster. I hated the application lens in 11.04, and I hate it just as much in 11.10. Sure, you can use the search feature for optimal application launching, but what if I'm not entirely sure what I'm looking for? Enjoy a large amount of clicking and scrolling - I'm already missing the old style Gnome 2 application menu. Then there's the useless "Most Frequently Used" applications that appear as soon as you click the Super Ubuntu Button.. and guess what? They're all programs that are already on the launcher. So now I have to dive further into these "lenses" to find the applications I want. Needless to say, it's my least favorite part of Unity.

The other big change in Unity is the use of global menus. Similar to OS X's implementation, the menu bar is no longer attached to the application but instead sits on the top panel. Global menus are nice because you can always immediately move your mouse to the top panel to find them, and they save pixel space. Unfortunately, the implementation in Unity defeats the first benefit. Instead of always showing the global menu, Unity developers decided to hide the menu until you hover over it. This causes me to spend more time getting to the menu I want. I'm not sure I follow the logic either: since there's nothing else in the top panel, why not show everything? It already feels like there's an excess of wasted space on that top panel! Also, not all apps use the global menus yet, but I'm sure as developers continue to update their software in the repository this will change. And since I'm a dual monitor junkie, the space the global menu saves is lost by replicating it on both screens.

But what is my biggest woe about Ubuntu's Unity? The fact that I can't control how it looks anymore. Sure, I could uninstall Unity and rebuild the desktop environment, but one of the things I liked about Ubuntu was how it made Linux accessible without taking away the magic of choice. I personally take Unity as a stab at us power users - it's easier to modify the Windows 7 desktop environment! Also, if I'm rebuilding the desktop environment, I might as well create my entire build from scratch (hello Slackware fans!). And while I'm not completely opposed to the idea, I have too many computers to manage and too much actual work to be building all my machines from scratch.

<sigh>

And there's so many other great distributions out there..

...is it time to move past Ubuntu?

Past my first love?

<looks down at my feet, shuffling from side-to-side>

Yeah.

Friday, July 8, 2011

"Socially" overwhelmed and tired of you

I have been busy visiting family and traveling the past two weeks, and consequently been away from my social media life. Since today was the first day I've been home in a while, I decided to take today off from work and school projects and do some catch up with my Internet life. After a while of clearing out my unread messages, Facebook notifications and Twitter mentions, I closed all my tabs (a kind of digital cleansing) and browsed over to Hulu, only to be met by this:


I don't know if it's because I've been away from the Facebook and Twitter racket for a few weeks, but I was instantly annoyed by this pop-up. How much more information about ourselves could we possibly share?

"The web is at a really important turning point right now. Up until recently, the default on the web has been that most things aren't social and most things don’t use your real identity. We’re building toward a web where the default is social."  ~Mark Zuckerberg

Frankly, I'm feeling a little "socially" overwhelmed. Social networking websites for me are a great way to share messages, pictures and other media with my family and friends, but some details need to be kept to yourself. I don't call my mom every day and give her the minute details of my day, so why would I tell all my Facebook friends what shows I'm watching? It seems that social networking sites want you to be your annoying little sister's friend who posts every detail of her exciting life.


Every time I see a +1, a "Connect to Facebook" or a "Sign in with Twitter," the words "content overload" come to mind. Maybe it's that I don't care enough about you! Honestly, I don't care what you watched on Hulu. In fact, I don't care what celebrities you liked or what products you +1'd (not sure of the correct vocabulary for that one). If I did care, I'd probably already know it from my real, in-person social interactions with you. Or maybe if I did value your opinion on a product, I'd shoot you a text asking your opinion. But I don't like the idea of my web experience being bombarded with "2 of your friends liked this article! Check it out!" In fact, what scares me even more is that not only will I be bombarded with social networking everywhere, but that my entire web experience will be decided by... you. I'll be honest: I don't really trust you with my web browsing experience, and my daily "News Feed" of you further justifies these feelings!


In the end, it's not Facebook, Google, Twitter, or any future social media giants that are slowly causing this distaste in my mouth: it's you. Sure, these Internet brand names have caused me some annoyances. The excessive need to change features every two months without fixing features that have been broken for years slightly irks me, and the occasional disregard for security and privacy causes me concern. But I am also under no illusions about social networking sites: I am the product and advertisers are the customer. I understand my role in this environment, and accept a little bit of privacy loss to be able to easily connect with my friends. It's you I don't understand. It's you that makes me shake my fist in the air. Your obsessive need to click "Like" on every page you read. Your constant Gowalla updates on Twitter revealing your every step on earth. The three hours you spent tagging every single picture of me and commenting on each one. It's too much.

In the end, social networking sites have led me to disconnect with people, become a little less social online, and separate myself from a web environment where your footprint is everywhere.

And you are to blame.


For me, the social networking honeymoon is over. We've had our laughs and good times, but now you are starting to nag a little bit too much. Your cute little suggestions are starting to overwhelm my daily commute on the web, and my very Internet presence is being defined by you. Sure, you still "Like" me, but we never talk anymore. I'd love to be social with you, but knowing what you watched on Hulu last night just isn't the relationship I wanted. I'm sorry, but it's over.

Thursday, June 16, 2011

A simple story of how awk, grep & cut saved an evening

The story goes like this: My wife needed to make a 20 minute picture slideshow with some simple effects and titles, all set to music. Since I rarely use any kind of video or picture creating software, I went to the Ubuntu repositories. My first result was a neat little program called Imagination. Plain and simple, Imagination lets you create picture slideshows with a few effects and the ability to add music. I loaded the hundreds of photos she wanted to sort through into the program and set her loose on it.

After coming home from class last night, she mentioned that she couldn't figure out how to edit down a song's playback time in the program, as she wanted to sample a few different songs at different points in the slideshow. I sat down and looked around the GUI to discover that this was a feature lacking in Imagination. Bummer! Good thing she hadn't spent much time adding effects, but she had shortened her list of photos to be used by a couple hundred and was not looking forward to sorting through all of those photos again.

But unnecessary repetitive tasks are illegal in my house, so I broke out the command line fu and took a look at the project file Imagination created. To my delight, I discovered that Imagination uses a very simple text layout throughout its project files:

.....

[slide 1]
filename=/home/user/Desktop/SlideshowPics/DSC00114.JPG
angle=0
duration=1
transition_id=19
speed=4
no_points=0
anim id=0
anim duration=1
text pos=4
placing=0
font=Sans 12
font color=0;0;0;1;

[slide 2]
filename=/home/user/Pictures/2011_Spring/IMG_0504.JPG
angle=0
....


Excellent! All I needed to do was remove all the unneeded data and produce a list of the photos that my wife has finally decided on using. Looking at the biggest folder of pictures that other people had given her for the slideshow, I could see that each photo used a different naming convention, but most of them appeared to be JPG images. To further investigate, I used ls -1 | wc -l to list each file on a new line and then count each line. My result showed that I had 956 files in the SlideshowPics folder. When I used ls -1 | egrep -i '*.jpg' | wc -l to count how many of those files were JPGs, I was happy to see 956 reappear. No need to worry about using diff here!

So now that I know that all of the files in the SlideshowPics folder are JPGs, and all the image files from her camera are JPGs, I can work on this Imagination project text file to retrieve the names of the used photos. First things first: I only want lines with filename= , so I grep for "filename=", which gives a nice list of all the files. Rather than make my wife retrieve all of the files on the list manually all over again to move them into another program (a task that might put the preparation of dinner in danger!), I decided to copy all of the pictures she wants to use for her slideshow into one location on the Desktop, an empty folder called AwesomeSlideShow, where she can easily add them all to whatever program she decides to use. In order to do this, I first need to get rid of the filename= preceding the file location.

When I first started using Linux, I probably would have done this using awk or sed (all the cool kids use 'em!), but thankfully I was quickly introduced to the much simpler cut utility. Using '=' as my delimiter and selecting field 2 (everything to the right of '='), cut -d'=' -f2 happily gives me the long list of file locations without the preceding variable name:

/home/user/Desktop/SlideshowPics/DSC00114.JPG
/home/user/Pictures/2011_Spring/IMG_0504.JPG
/home/user/Pictures/2010_Fall/HouseWTree.jpg
....


Now all that's left is to copy them into one location! To do this, I utilized awk to form my output to be "cp /file/location/of/jpg ~/Desktop/AwesomeSlideShow". In the end, the final command line fu simply came down to the following:

grep filename= img_slideshow | cut -d'=' -f2 | awk '{print "cp \"" $0 "\" ~/Desktop/AwesomeSlideShow"}' > movePics.sh

As you can see above, I redirected the text stream to movePics.sh and ran the file with bash movePics.sh. Bam! Done and done! Five minutes of fu and another hour or two of time is saved, and my wife loves my geeky self just a little more!
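The same job without the generated script, added here as an example rather than the post's own one-liner: the paths are read with read -r and handed straight to cp, so a file name containing a quote or other shell syntax cannot alter the commands that get run, and cut is given -f2- so a path containing '=' is not truncated. It assumes the [slide N] / key=value layout shown above and an existing destination directory; the sample project it builds is constructed data.

```shell
#!/bin/sh
# Added example, not the original post's one-liner: extract the filename=
# paths from an Imagination project file and copy the photos directly,
# rather than generating a cp script. A generated script breaks (or runs
# something else) if a file name holds a quote or other shell syntax;
# reading the paths with read -r and passing them to cp avoids that.
# Assumptions: the [slide N] / key=value layout shown above, and an
# existing destination directory.

# Print one source path per line. '-f2-' keeps everything after the first
# '=', so a path such as /pics/a=b.jpg is not truncated.
imagination_files() {
    grep '^filename=' "$1" | cut -d'=' -f2-
}

# Copy every referenced photo into $2. Prints the number copied; returns
# non-zero if any referenced file was missing. Note that two photos with
# the same base name in different folders would overwrite each other here,
# exactly as with the original cp script.
copy_slideshow_pics() {
    project="$1"; dest="$2"
    list=$(mktemp) || return 1
    imagination_files "$project" > "$list"
    copied=0; missing=0
    while IFS= read -r src; do
        if [ -f "$src" ]; then
            cp -- "$src" "$dest/" && copied=$((copied + 1))
        else
            echo "missing: $src" >&2
            missing=$((missing + 1))
        fi
    done < "$list"
    rm -f "$list"
    echo "$copied"
    [ "$missing" -eq 0 ]
}

# Build a constructed project under $1 (sample data, not a real Imagination
# file): two empty "photos", one with a space and '=' in its name, plus the
# other keys a slide carries so the grep has something to skip.
make_constructed_project() {
    mkdir -p "$1/src" "$1/dest"
    : > "$1/src/DSC00114.JPG"
    : > "$1/src/my photo=2.jpg"
    printf '%s\n' '[slide 1]' "filename=$1/src/DSC00114.JPG" 'angle=0' \
        'duration=1' 'font color=0;0;0;1;' '[slide 2]' \
        "filename=$1/src/my photo=2.jpg" 'angle=0' > "$1/img_slideshow"
}

# Demo run on the constructed data.
work=$(mktemp -d)
make_constructed_project "$work"
copy_slideshow_pics "$work/img_slideshow" "$work/dest"
ls "$work/dest"
rm -rf "$work"
```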

Thursday, June 9, 2011

Amazon Kindle Forensics

As technology becomes more ubiquitous, everyday objects are being replaced by their computer alternatives. The way we relax, interact with media and contact friends has greatly expanded as large desktop computers are quickly being replaced with inexpensive, low power devices that are easily carried in our pockets or placed next to a cup of coffee on the living room table. Even specialized devices such as the Amazon Kindle, designed by Lab126 specifically for reading books, have additional features such as an MP3 player and Internet browsing capability. In the case of a criminal investigation, devices such as these serve as valuable sources of evidence. In this post, we take a detailed look at the hardware and software of a 3rd generation Kindle in order to reveal the wealth of information that even a specialized device could provide in a forensic examination.

The Blood and Guts

As seen above, the Kindle utilizes low energy consumption E Ink Pearl technology, interfaced through an Epson EINK controller (1A), to present users with a crisp, clear screen for long hours of reading. The device is powered by a 3.7V 1750 mAh Lithium Polymer battery (1B) that is controlled by a Freescale MC13892 power management chip (1C) and lasts approximately three weeks to one month (depending on how often you turn pages and have the wireless/3G turned on). As with most mobile and embedded electronics, the Kindle utilizes the ARM-11 architecture through a Freescale i.MX353 532 MHz applications processor (1D), as well as Samsung DRAM (1E). Additionally, the Kindle houses a Wolfson Microelectronics WM8960G stereo codec (1F), 1W speakers (1G) and a headphone driver chip (1H) for audio purposes.

The Kindle 3 allows for Internet connections using the built in Atheros AR6102G wireless card (1I) (which supports 802.11bg and WEP, WPA and WPA2 encryption) and access to AT&T's 3G data network (called Whispernet by Amazon) using an AnyDATA DTP-600W modem (1J). Users browse and interact with web pages using the WebKit-based Internet browser. A seized Kindle should be treated like any other mobile device with networking capabilities: it should be stored in a shielded environment so that it cannot reach any network, since a connection could cause changes such as overwriting metadata or let the owner contact the device and disable it.

Getting into some GBs
The Kindle provides the user the ability to plug the device into a computer via a USB micro-B connector port (1K) to interact with the device. For storage, the Kindle has 4 GB of internal Samsung flash memory (1L) of which approximately 3.05 GB is visible and accessible for user content. The user content portion of the Kindle that automatically mounts as a regular USB storage can be imaged just like any other USB device. For our purposes, a combination of a write-blocker, the USB cable provided with the Kindle and the Linux command line tool dd were used to create a forensic image of the 3.05 GB storage portion of the Kindle.

The results of the dd image show that the drive is formatted as a mkdosfs/FAT32 file system.

Disk /dev/sdd: 3282 MB, 3282272256 bytes
4 heads, 16 sectors/track, 100167 cylinders
Units = cylinders of 64 * 512 = 32768 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

Device Boot Start End Blocks Id System
/dev/sdd1 1 100167 3205336 b W95 FAT32
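Working out where the FAT32 partition starts in the dd image, as an added example that is not part of the original post: fdisk reported in cylinders here, so the Start column alone is not a byte offset, but the partition's end (End cylinder times bytes per cylinder) minus its exact size (Blocks times 1024) is, which lets the image be loop-mounted read-only for examination. It assumes the partition ends on the listed cylinder boundary (true above, since 100167 x 32768 equals the disk size) and that the listing was saved to a text file; the listing the demo writes is a constructed copy of the one above.

```shell
#!/bin/sh
# Added example, not part of the original post: derive the byte offset of the
# FAT32 partition from the fdisk listing above so the dd image can be
# loop-mounted read-only, leaving the original device untouched. fdisk was
# run in cylinder units, so the Start column alone does not give a byte
# offset; the partition's end (End cylinder x bytes per cylinder) minus its
# exact size (Blocks x 1024) does. Assumptions: the partition ends on the
# listed cylinder boundary, which holds above because 100167 x 32768 equals
# the disk size, and the listing has been saved to a text file.

# Print the first partition's byte offset; fail on inconsistent geometry.
fat_part_offset() {
    awk '
        /^Units = /            { unit = $(NF-1) }     # bytes per cylinder
        /^Disk \/dev.* bytes$/ { disk = $(NF-1) }     # whole disk, in bytes
        /^\/dev\/[a-z0-9]+[0-9]+ / {                  # first partition row
            if ($2 == "*") { end = $4; blocks = $5 } else { end = $3; blocks = $4 }
            sub(/\+$/, "", blocks)                    # fdisk marks inexact sizes with +
            endb = end * unit
            start = endb - blocks * 1024
            if (endb > disk || start < 0 || start % 512 != 0) {
                print "inconsistent geometry" > "/dev/stderr"; exit 1
            }
            print start; found = 1; exit 0
        }
        END { if (!found) exit 1 }
    ' "$1"
}

# Print a read-only loop mount command for image $1 using listing $2.
# ro stops writes; noexec, nodev and nosuid keep anything on the image from
# being executed on the examiner's workstation.
kindle_ro_mount_cmd() {
    off=$(fat_part_offset "$2") || return 1
    printf 'mount -t vfat -o ro,loop,offset=%s,noexec,nodev,nosuid %s /mnt/kindle\n' "$off" "$1"
}

# Write the listing from the post to $1 (constructed copy, for the demo).
write_sample_listing() {
    printf '%s\n' \
        'Disk /dev/sdd: 3282 MB, 3282272256 bytes' \
        '4 heads, 16 sectors/track, 100167 cylinders' \
        'Units = cylinders of 64 * 512 = 32768 bytes' \
        'Sector size (logical/physical): 512 bytes / 512 bytes' \
        'I/O size (minimum/optimal): 512 bytes / 512 bytes' \
        'Disk identifier: 0x00000000' \
        '' \
        'Device Boot Start End Blocks Id System' \
        '/dev/sdd1 1 100167 3205336 b W95 FAT32' > "$1"
}

listing=$(mktemp)
write_sample_listing "$listing"
kindle_ro_mount_cmd kindle.dd "$listing"   # prints offset=8192 for the listing above
rm -f "$listing"
```

Running fdisk with -u (sector units) on the image gives the start sector directly and is the quicker way to confirm the figure before mounting.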


The root of this mount point contains the following directories:
/audible - location of audible books
/documents - location of books, reading files, user notes and highlighted areas
/music - location of audio files that can be played using the experimental music player
/system - location for system specific files and user's settings
The Kindle supports the following formats: Kindle (AZW), TXT, PDF, AA, AAX, MP3, unprotected MOBI, PRC, HTML, DOC, DOCX, JPEG, GIF, PNG, BMP and RTF. Additionally, the Kindle can store any data just like a standard USB storage device.

Evidence in the user storage
Further investigation of the system folder reveals numerous files that could provide valuable evidence in a forensic investigation. Within /system, a JavaScript Object Notation file titled "collections.json" is automatically created by the Kindle. This file contains the list of the user's collections (a way of organizing books on the system) and the files each collection holds. The collections are listed with a SHA-1 hash attached to each. Additionally, the system folder contains the "userannotlog" file, which shows the title, position and time stamp information of the last book viewing.

Within the system folder, the "com.amazon.ebook.booklet.reader" folder contains the "reader.pref" file and the "sidecar" folder. The "reader.pref" file contains similar information to the "userannotlog" file: the last date the Kindle was used, dictionary preference and last book read. The "sidecar" folder holds Kindle buddy files: files that store data (often metadata) that is not supported by the source file format. Finally, the "Search Indexes" folder within the system directory contains numerous binary files including the "Index.db" file. The majority of "Index.db" is unreadable, but at the end of the file are the names of files loaded onto the storage area. When a file is loaded onto the Kindle, a log of that file name is appended to "Index.db" and is not removed from the log even when the file is deleted. This means that files that have been deleted or removed from the Kindle still leave evidence on the device. It is unknown how many characters "Index.db" stores before it starts overwriting the earliest entries.

Beyond the user storage area
The rest of the 4 GB flash memory storage contains the Kindle operating system. In order to gain access to this part of the system without removing the flash memory from the board, a program called usbNetwork can be loaded onto the root of the user accessible mount. This program was part of the collection of debugging commands used during product development and was made available in the Kindle's open source code. These commands are activated by turning debugging mode on: going to the home menu on the Kindle, pushing the delete key to open a search bar, typing ";debugOn" and pressing enter. Once activated, a list of commands, none of which are available on most consumer versions, are available to the software debugger. The only command left active on the consumer version of the Kindle 3 is the "~help" command, which shows the following:


Some early versions of the Kindle 3 were left with all the debugging commands still installed, and many users jailbreak their Kindles and use the debugging mode to run other programs. A popular method of jailbreaking a Kindle will leave a folder called "usbnet" in the root directory of the user storage mount.

Once the usbNetwork program is installed on the Kindle, typing the commands ";debugOn" and "~usbNetwork" into the Kindle creates a USB network connection between the Kindle and a workstation running a Linux operating system (specific USB drivers are required on the Windows operating system). Once connected, a telnet link between the workstation and the Kindle can be created:


This allows root access to the Kindle operating system even though the root password is unknown. This method of gaining access to the entire 4 GB of flash memory is not useful for a forensic investigator since installing the program will cause changes to the system. Fortunately, removal of the flash memory is relatively easy to perform and does not cause any damage to the device. Jailbroken and early releases of Kindles with debugging commands still active are even easier to image since commands are able to be sent to the Linux operating system on the Kindle. On these devices, turning debugging mode on and issuing the following command will create a forensic image of the entire Kindle device, including the operating system area:

~exec dd if=/ of=/mnt/us/fsdump.bin bs=1024


The Kindle 3 runs on a lightweight distribution of the Linux kernel entitled "Linux kindle 2.6.26-rt-lab126" that contains limited Linux binaries:


The Kindle uses the Das U-Boot bootloader to bootstrap its operating system into memory. The version of Linux on the Kindle is built on BusyBox v1.7.2, a subset of Linux that combines tiny versions of many common UNIX utilities into a single small executable and is frequently referred to as the "Swiss Army Knife of Embedded Linux." BusyBox builds are found on many small, embedded systems that require size-optimization due to limited resources.

Within the Linux file system, numerous mount points are created:


The /proc/cpuinfo text file states that this version of the Kindle uses the ARMv6l (part of the current ARM11 family) processor with 6TEJ architecture and is built on the Amazon MX35 Luigi Board Revision 35020 (the Kindle 2 was built on the Mario board). Interestingly, after copying the /etc/passwd and /etc/shadow files from the Kindle Linux operating system, merging them with the unshadow tool and brute forcing them with John the Ripper, it was discovered that the password for the "framework" user on the Kindle 3 is "mario."

In addition to this system information, numerous files were found that contained valuable user data not available on the user storage mount. The file /var/local/browser/cookies stores a text log of all the Kindle WebKit browser cookies:


The file /var/log/wpa_supplicant.wlan0.log lists the device's wireless connection history, including SSID names and timestamps. The location /opt/amazon/resolution/ stores the GIF files used for the Kindle screen saver. Finally, the file /opt/amazon/ebook/prefs/search_prefs lists the user's preferred search engines (Google and Wikipedia are the system default).

Just another device to add to the evidence list
Just like any other device, the Kindle is a wealth of forensic information (and a good place to hide evidence). The user storage mount on the Kindle contained valuable time stamps, 3.05 GB of storage area, and a logging file listing all files that had been uploaded to the device. Even more evidence could be collected in the operating system area of the flash storage device where browser cookies, wireless connection history and search engine preferences were found. This investigation showed that even small, specifically designed devices like the Kindle can hold valuable evidence for a forensic investigator. As the amount of these types of devices increases, detailed documentation on each is essential in order to perform timely forensic investigations. So I hope my investigation is valuable to someone out there!

Sunday, April 17, 2011

Dual Screen (TwinView) Gaming in Ubuntu/Linux

I just bought the latest Humble Bundle from Frozenbyte (there's still time for you too!) since I wanted a couple of games to play on my Linux machine. I already own Trine for Windows but at the cool price of $howevergenerousifeel, it saves me from rebooting my machine over to Windows (never a pleasant day). So I downloaded the game, put on my wizard hat and gaming goggles, and fired up the game. By default, I could see that the game was detecting the full resolution of my monitors combined (3840x1200). This should be expected if you're using TwinView to display both monitors. TwinView literally tricks your video card into thinking both monitors are really one giant display, making dual monitors even more awesome and/or difficult depending on your given situation.

In this situation, I only want to have the game be displayed on my left monitor (1920x1200). But when I launch the game at this resolution, it sits the game's display smack in the center of the intersection of the two displays, making me stare straight at the edges of the two monitors. Why? Because my video card thinks I am using one giant monitor and so it sits the game directly in the center according to that resolution. So how do we fix this? Well, one option is to not make the game full screen and just play the game maximized on the screen we want it to display on. But that's hardly a solution. Let's take a look at our X11 config file (/etc/X11/xorg.conf). If you scroll down to section "Screen", you'll see something that looks like the following:


Section "Screen"
Identifier "Screen0"
Device "Device0"
Monitor "Monitor0"
DefaultDepth 24
Option "TwinView" "1"
Option "TwinViewXineramaInfoOrder" "DFP-0"
Option "metamodes" "DFP-0: nvidia-auto-select +0+0,DFP-1: nvidia-auto-select +1920+0"
SubSection "Display"
Depth 24
EndSubSection
EndSection


If it looks a little different, don't worry. These settings are usually automatically created when you use NVIDIA X Server Settings or a similar tool to configure your dual monitors. The setting of interest here is metamodes. The format for this option is: "metamodes" "resolution of left most monitor, resolution of right most monitor". In my automatically created settings, my left most monitor has been titled DFP-0 and given an automatic resolution at location (0,0), and my right most monitor has been given an automatic resolution at location (1920,0). To solve our problem, we add two new "metamodes":

Option "metamodes" "DFP-0: nvidia-auto-select +0+0,DFP-1: nvidia-auto-select +1920+0;1920x1200,NULL;NULL,1920x1080"

Each semicolon separates another "metamode". The "1920x1200,NULL" mode is used when a resolution of 1920x1200 is requested, resulting in only the left most monitor being used. The "NULL,1920x1080" mode is used when a resolution of 1920x1080 is requested, resulting in only the right most monitor being used. In the case where both of your monitors are the same resolution, there would only be reason to create one extra mode instead of two, since only one other type of resolution would ever be requested besides the default.
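A helper that builds the metamodes line described above from two display names and resolutions, added as an example and not part of the original post: it reproduces the author's three-mode line for 1920x1200 / 1920x1080 and, when both displays share a resolution, adds only the left-only mode, as the paragraph above suggests. It assumes the auto-generated layout shown (left display at +0+0, right display offset by the left display's width).

```shell
#!/bin/sh
# Added example, not part of the original post: build the "metamodes" option
# line from two display names and WxH resolutions so it can be pasted into
# the "Screen" section of xorg.conf. Assumptions: the left display sits at
# +0+0 and the right one is offset by the left display's width, as in the
# author's auto-generated config; when both displays share a resolution only
# the left-only mode is added, since a second single-monitor mode would never
# be selected by resolution.

# Usage: twinview_metamodes LEFT_NAME LEFT_WxH RIGHT_NAME RIGHT_WxH
twinview_metamodes() {
    left="$1"; lres="$2"; right="$3"; rres="$4"
    for r in "$lres" "$rres"; do
        case "$r" in
            *[0-9]x[0-9]*) ;;
            *) echo "bad resolution: $r (expected WxH)" >&2; return 1 ;;
        esac
    done
    lwidth=${lres%x*}                       # right display starts after the left one
    modes="$left: nvidia-auto-select +0+0,$right: nvidia-auto-select +${lwidth}+0"
    modes="$modes;$lres,NULL"               # left monitor only
    if [ "$lres" != "$rres" ]; then
        modes="$modes;NULL,$rres"           # right monitor only
    fi
    printf 'Option "metamodes" "%s"\n' "$modes"
}

# Demo with the author's two displays.
twinview_metamodes DFP-0 1920x1200 DFP-1 1920x1080
```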

Now when I launch Trine at 1920x1200, I don't have to stare at the split between my two monitors! Leave a comment if this helps or you have any questions. Happy gaming Linux fans!

Tuesday, March 15, 2011

I survived CCDC.

I had the opportunity to participate in the Mid-Atlantic Collegiate Cyber Defense Competition (CCDC) over the past weekend as the back-up captain and Linux admin for GWU. It was a great learning experience and I'm sad that it's my last year in school and won't be competing next year. You can read more about the competition here, but it's basically a weekend where students (the blue team) are given a network of insecure machines and services that need to be protected and are relentlessly attacked and exploited by a group of professional penetration testers (the red team). CCDC could be more accurately titled "A weekend of crying for security newbs." For those of you that competed on the blue team, you know what it's like to celebrate when more than 50% of your services are running and you still have control (or at least think you do) over the majority of your machines.

This year's GWU team was very new to CCDC. Two of our members had competed before, but the rest had never been part of a hacking competition. On top of that, we had people (including myself) who were very new to security and IT as a whole, plus a couple of freshmen who were new to computer science and the idea of security. Our team worked really hard preparing to secure the services that these operating systems were supporting, and many late nights were spent in the lab writing up guides.

The first day of competing was especially painful. Lots of hours had been put into learning how to secure services, what passwords would be used, and which firewall rules were the best to use. I had written up some great rules for iptables and our firewall guy was feeling good. The second we got on our machines, we felt overwhelmed. Too many processes were running on our machines, we had trouble accessing our Nagios and kiosk boxes, the Windows DNS box was already not resolving requests, and none of the Linux boxes allowed us to scroll upward through our command history, so typing commands was more tedious than expected. At some point, we lost control of our firewall and had to reset it. This really hurt our score right away, as we weren't prepared to reset the machine and didn't know how to find the rules that red team had placed there. By the end of the first day, our team looked pretty discouraged and morale was low.

The second day was much more enjoyable. After a great speech by our team captain, Michelle Monsees, we walked down into the pit with a new attitude: we were going to have fun today regardless of the outcome. And we did! The night before, as we were leaving our network, one of our team members had captured video of red team member Georgia Weidman putting a CD into our machines. We decided to call over "law enforcement" and file a report on the physical break-in. To our delight, an arrest was made (a first in CCDC history) and red team had to sit out for 30 minutes. While our firewall guy removed all the scripts that red team had placed in his start-up config, I got to do what I love: incident response! I found a phone-home script on one of our Windows boxes that was hidden with a Notepad.exe file on the Desktop. I also got Wireshark and nmap running and was able to file a couple of incident response forms as well as better monitor what was happening in our subnet.

My favorite attack by the red team was Georgia's attack on the power. To my knowledge, every team failed to realize that our Ethernet came from a power strip that had an IP address. Georgia was able to log into it with the default password and turn the power on and off at her discretion. This should serve as a reminder to everyone working in security: it's not just desktops and servers that have IP addresses that can be used to attack your network!

Another system our team lost numerous times was our kiosk, which sat outside our network and was more susceptible to physical attacks. Red team installed Deep Freeze on all the blue teams' kiosks, keeping us from making any permanent fixes to them. Here we see Red Team hacker Jesse Varsalone hanging around our kiosk, quickly slipping his USB drive into his hand:



Another interesting activity was the “CEO” interview. Each school had to send their captain into a meeting with the “CEO” of our company with three memos. A lot of teams weren't prepared for this and either sent other members to act as the captain or couldn't take the heat of the angry CEO. Our team did really well at this and had the second-highest score for this event. The “CEO” made an important point at the end of the day, saying “it's the business, stupid,” and that's really what our IT infrastructure is working to support. Our decisions need to be based not on the mission of IT but on the mission of the business.

The final day was long, but much more enjoyable with our new attitude. As the last 5 minutes of the competition were counted down, our team loudly sang the chorus to Chumbawamba's Tubthumping: "I get knocked down, but I get up again..."

Congratulations to the University of Maryland for winning the Mid-Atlantic CCDC! Take down the competition at Nationals!