I’ve had Ubuntu Dapper (6.06) running on my HP nx6125, and I just updated to the brand new 6.10 version called Edgy Eft. Most things seem to be working just fine, but the monitor never came back to life after suspending the computer. ubuntuforums.org is a good place to start searching when running into bugs like these, and I found someone having similar problems. In the nx6125’s case this seems to be the silver bullet:

Edit /etc/default/acpi-support (sudo gedit /etc/default/acpi-support) and set SAVE_VBE_STATE to false.

I’ll update this post if I find other problems running Edgy. The “noapic” parameter doesn’t seem to be necessary anymore by the way.

As wireless 802.11 networks grow in popularity the number of insecure private and business networks skyrockets. Setting up a small hotspot is usually a matter of plugging in the wireless Access Point (AP) and you’ll have full access. This unfortunately means that everyone else has too, unless you know what you’re doing. As a natural consequence of this, there are a lot of myths out there on how you can keep the Evildoers off your network. Most of them have a base in reality, but if you don’t have all the facts they can give you a false sense of security as they might not be as bulletproof as they seem. Let’s go through some of them Mythbusters style:

Adding a MAC filter will let you decide which computers get to connect

MAC addresses are supposed to be the physical address of your computer’s (or AP’s) network adapters. Letting the AP have a list of physical cards which are allowed to connect seems like a good idea. Unfortunately MAC addresses are a) always transmitted in the open regardless of any encryption, and b) can be overridden in a lot of configurations. In other words, an attacker can listen for what MAC addresses are connected to the network, and then assume one of these identities. It would be best for the attacker to find a MAC which either leaves the network or is generating little traffic, since that computer (or strictly speaking the network adapter) of the “victim” and the attacker will be one and the same as far as the AP is concerned. Traffic bound for one of them will be received by both with ensuing messiness.

Conclusion: Busted! It will keep your random bypasser from connecting to the net, but won’t stop anyone really wanting in.

Setting the AP to not broadcast the SSID will keep people not knowing what it is from connecting

While knowing the Service Set ID is necessary to connect to a wlan, it’s not really a secret. Like the MAC addresses it’s transmitted in the open without any encryption, but unlike the MAC it’s not transmitted with every packet. Instead it’s included in the handshake when someone connects to the network, so you’ll be safe as long as no legal users ever connect to your network. Clever.

Conclusion: Busted! Again, it’ll keep the random jokers away but that’s about it.

WEP encryption is of no use

Cracking a WEP key doesn’t take much time in a network with a lot of traffic, and with packet injection techniques an attacker can even generate the traffic necessary for the cryptanalysis to work without really being part of the network. There are however two upsides to WEP encryption as opposed to the two previous methods. 1) Cracking the WEP key is without a doubt BREAKING into the network in a (il)legal sense, and 2) you won’t be transmitting your emails and surfing habits to anyone that might be passing and not inclined to crack the key.

Conclusion: Busted! It’s useless in the same way that locking your front door is useless if you’ve got windows in your house. Not the perfect analogy since someone bashing in a window can’t remain undetected.

WEP: Breakable but not completely without use


WPA2 is better than WPA

While WPA is an attempt to patch up the gaping security holes in WEP and still run on old hardware, WPA2 is rebuilt from the ground up with heftier encryption and message authentication using the AES algorithm which at the present has no known theoretical weaknesses. Since it had to be designed to run on old hardware WPA’s TKIP encryption and “Michael” authentication algorithms are inherently weaker, but no practical attacks have to my knowledge been suggested.

Conclusion: Confirmed! If your hardware supports WPA2, there are no reasons not to choose it over WPA. However, there’s no need to panic just yet if it doesn’t.

You can’t touch me! I’m using WPA(2)!

While there are no known weaknesses (at least exploitable ones) in the system or encryption primitives, you need to realize that no system is stronger than its secrets. Most home users and small businesses are probably using WPA(2) in Pre Shared Key (PSK) mode, where the security is based on the supplicants knowing a secret key or a passphrase which is manually entered in the AP and the clients. This secret is then used to set up a common encryption key during the handshake between the client and AP. However, this process is part of the standard and well documented, the handshake can be recorded by an attacker using a standard packet sniffer, and the only actual secret is the passphrase. This means that if a handshake is recorded and the passphrase is weak because it’s subject to a dictionary attack, the whole system falls apart. In other words, your super secret WPA2 network with super secret passphrase “Volvo” might very well take less time to crack than your average WEP based wlan.

Conclusion: If you don’t know what you’re doing: Busted!
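The point about the passphrase being the only secret, as an added example that is not part of the original post: in PSK mode the master key is derived from the passphrase and the (publicly broadcast) SSID with PBKDF2, so a passphrase built on a dictionary word gives no real protection. The wordlist, the SSID and the function names are assumptions made for this sketch.

```python
import hashlib
import re

# Constructed sample wordlist (assumption); a real audit would load a large one.
SAMPLE_WORDLIST = {"volvo", "password", "summer", "bergen", "linksys"}


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit pairwise master key used in WPA/WPA2 PSK mode.

    PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    The SSID and the algorithm are public, so the passphrase is the only secret.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 characters long")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32
    )


def audit_passphrase(passphrase: str, wordlist=SAMPLE_WORDLIST) -> list:
    """Return the reasons a proposed passphrase should be rejected.

    'bad-length'      : outside the 8..63 characters a passphrase may have
    'dictionary-word' : a wordlist entry once leading and trailing digits
                        and punctuation are stripped and case is ignored
    """
    findings = []
    if not 8 <= len(passphrase) <= 63:
        findings.append("bad-length")
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", passphrase).lower()
    if core in wordlist:
        findings.append("dictionary-word")
    return findings


if __name__ == "__main__":
    ssid = "homenet"  # constructed SSID
    for candidate in ("Volvo", "Volvo2006", "kX9#vT2qLm84zR!pW7cn"):
        findings = audit_passphrase(candidate)
        print(candidate, "->", findings or "no findings")
        if "bad-length" not in findings:
            # Same inputs always give the same key: nothing else is secret.
            print("  PMK:", wpa_pmk(candidate, ssid).hex())
```

A passphrase that passes this audit is not automatically strong; the check only catches the "dictionary word plus decoration" pattern the post warns about.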

You can’t touch me! I’m using WPA(2) in Enterprise mode with none of that shared key nonsense!

While an attacker might well be powerless today, there’s nothing stopping him from recording all the traffic for future analysis if he’s really determined. If your data is so sensitive that you cannot possibly accept that the data you transfer today might be decrypted 5 years into the future when a new weakness with today’s system is discovered you really shouldn’t be broadcasting it. That’s the key word right there – you are BROADCASTING your secrets in the hope that no one ever will be able to decrypt them. If you think that sounds like a bad idea, I would recommend sticking to the good old cables as of now, or at least use some form of upper level encryption like VPN and pray that that too will stay infallible.

Conclusion: As of right now, it’s Confirmed. If you’re willing to bet your secrets that it will remain confirmed forever and you don’t have any attackers that are very patient, then there’s nothing to worry about in the wlan department.

That’s it for now. While this might lack the explosions, walrus mustaches and the occasional beautiful women of the real Mythbusters, you’ve got to admit that wireless mythbusting is far more fun! For the whole family!

Heaven is a place on Earth

I just got back from four fantastic days freeriding during the Åre Mountain Mayhem festival. The trails were spectacular and varied, ranging from fast berms and jumps through lovely technical singletrack to a few very nice downhill sections. We obviously spent most of our time riding, and since we do roll around in the dirt at times I’m not too inclined to riding with my camera equipment in my backpack. I did however find a few hours to spend behind the camera instead of behind the bars. Click the images for larger versions.

Unknown rider jumping on the “blue” slope Kälkspåret. Fast and popular trail with lots of berms and jumps. I’m personally more at home in more steep and technical sections… Like all the red and black trails. Good God, I want to live there!

Cancan in the slopestyle competition.

Eject, Mailman, eject!

I have no idea what this is called, but it doesn’t look too healthy.

Tabletop.

Nohands backflip. Oh, and I’m clueless when it comes to dirtjumping. Feel free to correct me ;)

We’re already trying to figure out how we can squeeze in another trip to Åre during this semester. How can we possibly stay away?

Åre bike park
Mayhem

I recently bought an affordable HP nx6125 laptop and I’ve spent the last few days trying to get Ubuntu linux 6.06 (dapper) to run acceptably on it. Since it’s taken days it’s safe to say that not everything has gone super smooth, but a lot of the time has gone by trying to figure out just what the problems were in order to fix them. If I had to do it all over again today the whole thing shouldn’t take more than your average installation of Windows. So if you’re trying to get linux to run on your nx6125 I’ve got a few pointers to reduce your workload. I would assume some of them are valid for other laptops with similar specs too.

Gnome - a pleasant place to be

1) Start by updating your BIOS. The downloads can be found here.

2) Download Ubuntu. Even if your nx6125 has a Turion64 CPU, stick with the x86-version, since you’re more likely to find working drivers with the standard version. I would think you’d be hard pressed to find a performance gain with the 64bit version too.

3) Important. If you just boot from the CD the system will run really, really, really slow. On the CD menu press F6 to edit the boot parameters, and add “noapic” (not to be confused with “noacpi”). Without this the installation will take hours. I couldn’t resize the preinstalled Windows partition, which might have worked with this option enabled. Once installed you might have to add this option to the GRUB bootloader too. Run “sudo gedit /boot/grub/menu.lst” and add “noapic” to the end of the line that says “kernel /boot/vmlinuz-(…) quiet splash”.

Update: I’ve updated to Ubuntu 6.10 (Edgy Eft), and the noapic switch doesn’t seem to be needed anymore. If you’re installing Edgy from scratch, you can probably skip this step unless the installation runs really, really slow and the system fan runs wild.

4) Getting the laptop’s internal wlan adapter to work is tricky to say the least. It’s a Broadcom unit called BCM4318. I finally got it working following this thread on the Ubuntu forums, but not on the first go and it’s still not fully stable and only supports 802.11b (11 Mbit). There’s also an approach using ndiswrapper, but I couldn’t get that to work at all. As of right now I’m borrowing an Atheros 5212-based 3Com PCMCIA card. This worked like a charm (almost) right out of the box.

5) This is a bit experimental, but I had some problems with the wlan adapters not waking up or functioning 100% after suspending the PC or putting it into hibernation. These went away after editing /etc/default/acpi-support (sudo gedit /etc/default/acpi-support in a terminal) and setting “ENABLE_LAPTOP_MODE=true” instead of false which is default.

6) The default ATI graphics driver works reasonably well in 2D mode but turn those fancy screen savers off. I have no need of it, but 3D support can be enabled by installing the fglrx drivers for full 3D support even with the tricky integrated Xpress 200M based card the nx6125 is equipped with. The procedure is explained in this post, once again on the Ubuntu forums. You also might want to check out the wiki he’s referring to for a more detailed explanation. But the current fglrx drivers break the sleep, hibernate and suspend modes. I haven’t installed them since these are more important to me than 3D on my laptop.

Update: The fglrx 8.25.18 drivers released 26th of June 2006 support the Xpress 200M chipset. I’ve installed it as described in this post, and it seems to work as advertised. I haven’t had any problems with suspend or hibernate, but I can’t see any difference in 2D performance either. I am however not able to adjust the screen brightness anymore using the laptop’s fn+f9/f10 buttons, and I can’t seem to find any other way of doing it either.

All in all Ubuntu 6.06 works reasonably well on the HP nx6125. It does take some fettling to get it going, but all in all it’s not bad. The Broadcom wlan and the ATI graphics are the only real problems as of now, and hopefully they’ll be fixed one day too. With the 3Com PCMCIA adapter on board I really have no gripes with this setup at all.

SecuROM and Star Force are two of the more popular forms of "copy protection" schemes for computer games. The system is based on making you insert the correct DVD or CD each time you want to launch the game, and SecuROM's or StarForce's task is to make it harder to make a copy or image of the original media which stands up to validation. Fair enough. DVD-ROM is fast becoming a horribly inefficient, expensive and archaic way of content distribution, so I guess a horribly inefficient, expensive (in terms of usability) and archaic way of authentication is just fitting.

However, it stops being fine when my legal games stop working as a result of a broken "copy protection" scheme. The DVD-unit in my PC is a Samsung TS-H552U DVD Burner which is less than a year old. All other DVD-ROMs work just fine, but it runs into a lot of problems just trying to read the "copy protected" DVDs. I've had some problems previously with Splinter Cell 3: Chaos Theory, which uses StarForce v3 (3.4.71.19) according to gamecopyworld. However, the real problems didn't show up until I bought Hitman: Blood Money, which uses SecuROM v7 (v7.00.00.0018). When I insert the DVD, 9 out of 10 times it won't be able to recognize the DVD at all. You can hear it starting to spin the disc slowly, and then resetting the laser position ad infinitum.

zum zum

…zum zum wock-wack……zum zum wock-wack……zum zum wock-wack……zum zuuum wock-wack……zum zum wock-wack……zum zum wock-wack……zum zuum wock-wack….

That won't get on your nerves.

End result: A "copy protected" game where the legal copy is probably harder to use than an illegal one. Nice going, people.

When you do manage to actually play the game, Hitman: Blood Money is pretty amusing in a Léon sort of way. You're obviously a hitman, and after each mission you get a fake newspaper report about the hit with phrases like "It concerns the authorities that all of the victims were brutally executed by shots to the head." According to violent computer game zealot Jack Thompson you have to be a computer gamer or a hitman to shoot people in the face. Well Jack, that might be true. It's not because of the violence in the video games however, but having to wade through the layers of incompetence that is "copy protection" every time you try to start the game would send Mother Teresa over the edge.

…zum zum wock-wack…

nytimes.com recently posted an insightful article about how mp3s as a medium is forming modern music: Tool’s ‘10,000 Days’ Recalls the Good Old Days of CD’s. Tool’s new album is just what it says on the tin – a proper album, in contrast to a lot of the single-serving-idol-stand-alone-hits which are getting pushed onto the consumers (not listeners, consumers) these days. Much like Pink Floyd and the like did in the 70’s and the 80’s, Tool has once again released something that won’t sound very good played on the radio or as a single track. And it’s fantastic! It can’t really be enjoyed in fragments – you need to listen to it in its entirety, and you’ll need to run through it several times before you even can hope to get it. It’s an experience. Try finding one of those on iTunes.

So, you’ve bought a Linksys WRT55AG Wireless A+G router, and now you’ve realized it doesn’t work properly. It drops the wireless connections at random intervals, it suddenly refuses to open new connections to the outside world and it even crashes completely from time to time! The all round fix for these sorts of problems is always “Just update the firmware!”, but without a firmware update in sight you’re kinda stuck. But fear not! Follow these tricks to make this rubbish piece of… kit at least possible to use.

Hey! Stop dropping my wireless connection!

The dropped wireless connections were my first indication that things weren’t all like they should be. They came as a complete surprise too, since the WRT55AG was set up to replace its younger brother, the Linksys WRT54GS, which I had been running for months without a glitch (as soon as the firmware was updated). The 55AG however, would drop the wireless connection up to several times an hour even if the signal quality was excellent. This made it completely useless to do anything but surf the web, as the connection would be down for ~5 seconds while the IP-address was renegotiated through the DHCP-server and all TCP-connections would be broken. Try streaming video, playing games or even staying connected to MSN, IRC or ICQ-servers… Frustrating!

Well, even if this technically doesn’t stop the router from fumbling up the connection to your wireless adapter, it does make the connection drops really hard to spot. What you need to do is set the adapter’s IP, gateway and DNS-addresses manually, instead of relying on the DHCP-negotiation. These addresses are set either in your network adapter’s software or under the properties of your adapter in the Windows Control Panel -> Network connections -> Right click on the wireless adapter -> Properties, select TCP/IP and press the Properties button.

If you’re not sure what these addresses should be you can follow these instructions as long as you’re already connected to the router:

1) Log onto the router. This is done by opening a web browser and typing in the address http://192.168.1.1 if this hasn’t been changed in the router’s configuration. If it has, you can find the router’s address in Windows by pressing Start -> Run -> type cmd and enter -> ipconfig and enter. The “Default gateway” is your router’s address. The default password is “admin” with no username.

2) In the router’s web configuration utility, press Status -> Local Network. You should see something like this:

DHCP Server
DHCP Server: Enabled
Start IP Address: 192.168.1.100
End IP Address: 192.168.1.149

This signifies the lower and upper limits for the IP-addresses the router gives out through DHCP. Choose a random address between 192.168.1.2 and 192.168.1.99 (or *.150 - *.255) as your network adapter's address. Mine's 192.168.1.64, with the subnet mask 255.255.255.0.

3) The "Default Gateway" should be your router's address, probably 192.168.1.1.

4) You can get away with setting the DNS server(s) to your router's address too, but I've seen certain Windows installations acting funny when this is done, refusing to look up several addresses at a time and stuff like that. If you experience such problems set the proper DNS addresses directly. You'll find these in the router configuration by once again pressing the "Status" tab. Under the "Internet connection" tab you'll find something like this:

DNS1: 217.13.7.140
DNS2: 217.13.4.24
DNS3: 217.13.4.24

It's usual to have several DNS-servers. The router supports three, your Windows adapter probably just two. Use two if your ISP supplies them.

There you have it. The router will still technically drop the connection from time to time, but instead of a several seconds long blackout and dropped TCP-connections you'll just experience a short latency burst.

Hello? Hellooo?

So, you just lost the ability to make new connections to the outside world and no web servers are responding? But you can still use your local network and log onto the router via the web interface?

This can be "fixed" by logging onto the router, and selecting Status -> IP Renew under the "Internet connection" header. Or selecting Setup -> Save settings. Other selections probably work too. My guess: some buffer has gone full, and it's flushed when the router reboots. *sigh*

Hello?! Hellooooooooo?!

So, everything just stopped, and you cannot connect to the router. It's crashed. The lights on the router keep blinking merrily like there's nothing wrong, but it's gone. Pull the plug, wait a minute, reinsert. Come to think of it, this is how I fixed my C64 when that crashed. No, wait a minute. That had a proper power switch.

In conclusion, if you're on the lookout for an 802.11a router, get something else. You might also want to check out the User Opinions at CNet's. If you already own one it can be learned to live with. Much like most diseases.

A while back I got called on my cell phone by some rather unpleasant saleswoman who wouldn’t take no for an answer. Luckily, it’s possible to stop this sort of unsolicited advertising in Norway by registering in the Brønnøysund Register Centre’s “Central Marketing Exclusion Register”. However, much to my surprise, the online registration didn’t require more than my Norwegian social security number (ssnr) as an identification. Now, why is this a bad idea? Isn’t your ssnr supposed to be your identification number and a secret? Well, your ssnr is secret, but ssnrs as a whole aren’t. The Norwegian ssnr is 11 digits: the first 6 are the person’s birthday and -year (ddmmyy), the next 3 are basically a counter over the births that specific day (which also acts as a gender flag since women are given even numbers and men odd) and the last two a checksum. In other words, it’s easy to compute random valid Norwegian ssnrs.

I’ve written a small Java ssnr-calculator as a proof of concept. It’ll calculate about 80 valid ssnrs for a given date. The text parsing is a bit basic, so I can only guarantee valid ssnrs for actual dates between 1900 and 1999. Now, before you get any fancy ideas, logging onto the system with someone else’s ssnr might as far as I know be considered a crime since it can be interpreted as identity theft or something else entirely. And even if it isn’t illegal you really shouldn’t. Just don’t.

This means that while it may not be trivial to pin any ssnr to a specific person, it is trivial to find a ssnr belonging to some random Norwegian. Thus, it’s possible for an attacker to generate valid ssnrs and log onto the system as those poor sods and potentially change their status. A determined attacker can undermine the whole system by generating a large number of ssnrs and using a botnet and some patience change a large number of entries. I’m sure the good folks in Brønnøysund have some nifty system logs and intrusion detection systems, but given enough time and bots for the attack the poisoned entries could be made pretty hard to spot.

Now, this isn’t the most critical of systems. To put it into perspective the Norwegian Internet Banks had similar security holes making it possible for an attacker to log onto random accounts a few years back. The system is nevertheless unnecessarily vulnerable, and can be taken down. However, there is an easy fix. As mentioned it’s relatively hard to pin a ssnr to a specific person or the other way around*, so if the registration process asked for your name in addition to your ssnr, the possibility of a large scale attack like this would be thwarted with minimum inconvenience to the normal users. Life can be easy.

The Brønnøysund Register Centre was informed of the weakness a week before this post.

*It’s actually easier than one would think. In 2002, there were 55400 births giving an average of 150 births a day. Thus, if you know the person’s birthday and -year and its sex you’ll end up with about 75 possibilities, and expect to find the correct one in 32.5 attempts on average. Still, way too complex for a large scale attack on a system like this. You can read more about the Norwegian social security numbers at matematikk.org.
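The fix proposed above, as an added example that is not the author's Java program or the register's own code: a registration check that accepts any checksum-valid number next to one that also requires the matching name. The registry contents, names and function names are constructed for illustration, and the mod-11 weights are the published ones for Norwegian identity numbers rather than something stated in the post.

```python
import unicodedata

# Published mod-11 weights; each weighted sum over all 11 digits must be
# divisible by 11 (the first covers check digit 1, the second check digit 2).
K1_WEIGHTS = (3, 7, 6, 1, 8, 9, 4, 5, 2, 1, 0)
K2_WEIGHTS = (5, 4, 3, 2, 7, 6, 5, 4, 3, 2, 1)

# Constructed sample registry (assumption): number -> registered name.
SAMPLE_REGISTRY = {
    "15067060080": "Kari Nordmann",
    "02038551380": "Ola Nordmann",
}


def checksum_ok(ssnr: str) -> bool:
    """True if the string is 11 ASCII digits with two valid check digits."""
    if len(ssnr) != 11 or not (ssnr.isascii() and ssnr.isdigit()):
        return False
    digits = [int(c) for c in ssnr]
    return all(
        sum(w * d for w, d in zip(weights, digits)) % 11 == 0
        for weights in (K1_WEIGHTS, K2_WEIGHTS)
    )


def normalize_name(name: str) -> str:
    """Compare names ignoring case, Unicode form and extra whitespace."""
    return " ".join(unicodedata.normalize("NFKC", name).casefold().split())


def weak_register(ssnr: str, registry=SAMPLE_REGISTRY) -> bool:
    """The design criticised in the post: the number alone is the credential."""
    return checksum_ok(ssnr) and ssnr in registry


def hardened_register(ssnr: str, name: str, registry=SAMPLE_REGISTRY) -> bool:
    """The proposed fix: the number must also match the registered name.

    Every failure returns the same False, so the form does not reveal
    whether a guessed number exists in the registry.
    """
    if not checksum_ok(ssnr):
        return False
    holder = registry.get(ssnr)
    return holder is not None and normalize_name(holder) == normalize_name(name)


if __name__ == "__main__":
    guessed = "02038551380"  # checksum-valid number, holder's name unknown
    print("weak:", weak_register(guessed))
    print("hardened, wrong name:", hardened_register(guessed, "Kari Nordmann"))
    print("hardened, right name:", hardened_register(guessed, "ola  NORDMANN"))
```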

Thank goodness! Finally! Another blog!

Then why should you waste your time reading the ramblings of this madman? Well, I’m currently studying informatics at the University of Bergen, and I’ll be starting on my master thesis within the topic of computer and information security in the autumn of 2006. I’ll try to write the occasional clever little tidbit about security and other things I find interesting. Or amusing. Or annoying. Expect articles about photography, politics (probably contained within the world of copyright laws), music, movies and games and the occasional rant about badly designed user interfaces.