Thursday, August 18, 2011

"Lo mashalon ko jala dala kisi ne" - Prasoon Joshi

Below is Prasoon Joshi's beautiful poem "Lo mashalon ko jala dala kisi ne" on the current rise of the country against corruption. I heard it on TimesNow during Arnab's newshour on Aug 18th. As an aside, if anybody is interested, I used the Hindi-language ITRANS input method on my Ubuntu 10.10 for keying in the poem. It works like a charm.

Look, someone has woken the torches;
we were naive, now someone has made us a spear.

This is a city of coals,
but never forget this:
red embers too have lived in this settlement for ages.
There is dust on the roads,
there is mud too, but remember:
this ground has kept being washed
by tears of resolve.
Someone has washed my courtyard clean.

Look, someone has woken the torches;
we were naive, now someone has made us a spear.

Fire never leaves the house without a reason;
a cry does not march out in bands and columns for nothing.
Today let even the night see the splendour of the sun;
only when the brick burns hot will the soles come to their senses.
Someone has broken the lock of silence.
Look, someone has woken the torches;
we were naive, now someone has made us a spear.

The poem is also available at A video is available at

Wednesday, February 16, 2011

Ghostnet, Stuxnet, What next ??

I recently attended the 18th NDSS conference in San Diego from Feb 6-9, 2011, which was keynoted by Liam O'Murchu, a Stuxnet expert from Symantec. Though the technical details about Stuxnet have been available for a long time, I found the talk exciting for the larger lessons that were shared from the whole episode. Below is a mix of notes from the talk and my ramblings. Warning: experts on this topic may find it boring!

By Symantec's own admission, Stuxnet is probably the most complex targeted threat seen to date. It contains seven methods to propagate:

  1. Using USB drives, which contained a rootkit exploiting a vulnerability in Windows Explorer's handling of .LNK files.
  2. By exploiting a print spooler vulnerability.
  3. By exploiting MS08-067, which allowed remote code execution on a vulnerable MS Windows 2000, XP or 2003 server by sending a specially crafted RPC request.
  4. Spreading via network shares.
  5. Using P2P sharing for updating itself and for communication between different infected machines on a network.
  6. By exploiting hard-coded passwords in WinCC (a Siemens software for SCADA process visualization).
  7. Spreading via Step 7 projects (Step 7 being the IDE used for programming PLCs).

In essence, Stuxnet used 4 zero-day exploits, 1 known exploit, 3 rootkits, and 2 compromised certificates (from JMicron and Realtek semiconductors) to sign the rootkits. 

Stuxnet is not a 'yet-another-worm' that randomly goes about accumulating vulnerable machines for spam/DDoS gains or brownie points for its perpetrators. Its highly targeted nature - targeting specific uranium enrichment facilities in Iran - suggests a focused military-style operation involving (a) extensive and careful intelligence gathering and planning, (b) a structured software design and development cycle and (c) an extensive test cycle involving various hardware and software. In addition, Stuxnet's highly configurable architecture (~430 different settings) gives its controllers incredible control and precision over its lethality and spread. Apart from its technical sophistication, Stuxnet convincingly demonstrates the oft-quoted "threat from targeted attacks" and acts as the quintessential bellwether of times ahead. While its predecessors, like the Chinese cyber-espionage network Ghostnet, brought to light the new face of remote-controlled espionage in the 21st century, Stuxnet ups the ante many notches by demonstrating the lethal potential of targeted cyber-power.

Stuxnet is the first known malware to target control systems hardware (PLCs). PLCs (Programmable Logic Controllers) are critical elements in industrial automation and are traditionally programmed from a Windows control PC which is air-gapped (disconnected from any network) for security. In my opinion, Stuxnet's big achievement was in bridging the air-gap.

Key to Stuxnet's success lay in the detailed understanding of its target gathered during the intelligence gathering phase. Stuxnet had a clear understanding of (a) the PLCs being used (Siemens S7-300, S7-400), (b) the detailed configuration within the PLCs controlling the uranium enrichment, and (c) the software development environment (Step 7 from Siemens) and the methodology used for developing and deploying code.

It is believed that Stuxnet was delivered initially via USB to a small number of industrial process control companies connected to the uranium enrichment plant. Contractors from such companies write the actual PLC programs (as Step 7 projects) on workstations connected to the corporate LAN. Stuxnet thus spread using zero-day network exploits to as many LAN workstations as possible. Workstations containing Step 7 were then infected by hiding a DLL (containing the PLC rootkit) in a Step 7 project such that the DLL got loaded as soon as the project was opened. Stuxnet then relied on the Step 7 project zip file being transferred across the air-gap to a Windows control PC via removable media like USB. Once on the control PC, Stuxnet modified the PLC as necessary, making sure to hide its modifications.
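As an added example (not code from this post or from Symantec), here is a defender-side check in Python for an archive that is about to cross an air gap on removable media, as the Step 7 project zip did: it reports zip members that are Windows PE images by content rather than by file name, so a DLL renamed to look like project data is still caught. The archive layout, member names and the minimal PE-shaped blob are constructed for the example and are not Step 7's real format.

```python
"""Flag Windows executables hidden inside a project archive, by content not by name."""
import io
import struct
import zipfile

PE_MAX_HEADER_READ = 64 * 1024  # bytes of each member to inspect for the PE header


def is_pe_image(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify_executables(archive_bytes: bytes) -> dict[str, str]:
    """Map each PE member of a zip to 'declared' (.dll/.exe/.sys name) or
    'disguised' (PE content behind any other extension)."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(PE_MAX_HEADER_READ)
            if not is_pe_image(head):
                continue
            declared = info.filename.lower().endswith((".dll", ".exe", ".sys"))
            report[info.filename] = "declared" if declared else "disguised"
    return report


def make_fake_pe() -> bytes:
    """Constructed minimal PE-shaped blob: DOS header with e_lfanew=0x80, then 'PE\\0\\0'."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    return bytes(dos) + b"PE\0\0" + b"\0" * 64


def build_sample_archive() -> bytes:
    """Constructed sample archive: two text members, one obvious DLL, one renamed DLL."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("project/config.txt", "PLC=S7-300\n")
        zf.writestr("project/notes.txt", "MZ " + "x" * 100)  # starts with MZ, not a PE
        zf.writestr("project/helper.dll", make_fake_pe())
        zf.writestr("project/blocks.dat", make_fake_pe())  # DLL hidden behind a data name
    return buf.getvalue()


if __name__ == "__main__":
    for name, kind in classify_executables(build_sample_archive()).items():
        print(f"{kind:9s} {name}")
```

On real input, run it against the archive before it is copied to the removable medium, and treat any 'disguised' entry as a stop signal rather than a curiosity.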

There were 100k infections reported worldwide, with more than 60% coming from Iran. It is believed that infections outside Iran were not intentional and probably spread due to infected Step 7 projects shared between contractors in various countries. Additionally, the zero-day .LNK vulnerability proved widely successful. It is believed that Stuxnet managed to finally infect the Natanz and Bushehr plants in Iran, and there was a reported shutdown of Natanz. An IAEA report states that 1000 centrifuges in Natanz were offline in Nov 2009, which is close to the type of PLC configuration that Stuxnet was targeting.

Stuxnet raises the bar for security professionals and system architects by derailing the commonly held belief that air-gapping critical systems provides extraordinary security. My personal opinion is that Stuxnet, in some way, only reinforces what Albert Einstein famously quipped, "Every day, man is making bigger and better fool-proof things, and every day, nature is making bigger and better fools. So far, I think nature is winning". The lesson for security professionals is thus simple: air-gaps don't exist! There will be a human (read: fool) bridging the gap.

With the world racing towards making things 'smart', from smart washing-machines to smart power grids, one really wonders whether all this 'smartness' will end up making us look dumber than ever. The landscape seems to be shifting faster than we can grasp it.

The last decade has already witnessed the rise of politically motivated cyber attacks like Titan Rain (2003-2005), the DDoS attacks on Estonia (May 2007), the DDoS attacks on Georgia (August 2008), the Chinese cyber-espionage network Ghostnet (May 2009), Operation Aurora (Dec 2009-Jan 2010), Stuxnet (July 2010) and Operation Payback (Dec 2010). The question is: what next?

Tuesday, December 1, 2009

Observations and Suggestions using Chromium OS - Part 1

I synced my old repository and updated it to the Developer build (Mon Nov 30 4:35:10 UTC 2009). The build was successful. I copied the image to a USB and booted my Acer Aspire from USB.

  1. Boot time was about 12 seconds from USB. But still great!
  2. My network did not connect at boot time, so I had to log in using the local username and password. This happened every time I booted. Maybe the network settings will get saved once I boot from a local hard disk.
  3. Once logged in I had to manually select my network and then log in to gmail etc. etc. using my Google credentials.
  4. I then connected my Acer to a 19'' widescreen with 1440x900 resolution. Had to use xrandr to get the screen resolution right, but it was no fuss. Used the following command:

    $ xrandr --output VGA1 --mode 1440x900 --rate 60.1

  5. Tested using youtube, google docs, google reader, picasaweb, a couple of flash-heavy sites, google chat, google books, google wave. Everything seemed 'much much' faster than the same accesses via firefox.
  6. Clicking on PDFs opens them up in google docs. But trying to download did NOT seem to work.
  7. For adjusting sound, I had to use alsamixer from the command line to get the sound volume up. I wish there was a sound button in the GUI itself for the same.
  8. Could not figure out how to set up my network printer to print my google docs.
  9. While playing a youtube video it felt as if the browser crashed and then recovered itself. I cannot describe what exactly happened unless I debug this further.
  10. Could not play any silverlight videos. I guess the plugin will come someday.

I have started seriously using this as my preferred OS for my netbook even though I am running it off a USB. It actually doesn't feel any different at all. It is a fresh new experience and that's what makes it exciting, I guess.

  • It strikes me now, after using Chromium OS, that we were actually having redundant software for most needs all the while. If the browser is capable of showing photos, opening PDFs, editing documents, playing music, videos and games, then why the heck have any other software? What is missing, if you are a programmer, is a platform for developing and testing software in the popular languages. But maybe even that can be incorporated into the browser easily. For example, a tab of the browser could open up as a text editor and perhaps google could host a variety of popular compiler and library stacks to compile, link and run code (think LAMP stacks, but for developing code). A user then just submits his code and gets his output. Of course, such a system would require careful thought and design as there are many, many issues to be tackled. But just a thought.
  On a side note, I remember that I read somewhere a couple of years ago that Blake Ross (the firefox guy) was working on an operating system called Parakey which was pretty similar in spirit to Chromium OS. Don't know what happened to that. Anybody?

  • Have a sound button in the GUI for adjusting volume.
  • Have a key accelerator (like Ctrl+/? from google reader) to display Keyboard shortcuts.

Friday, November 20, 2009

My notes, screenshots and first impressions on Google Chromium OS on VMware!

I was eagerly awaiting the release of Google's ChromeOS (Chromium OS). Google opened up the source at about 10:30AM today and I have it compiled on my Ubuntu 9.04 and working on my VMware Workstation. Phew! The following are my notes, screenshots and first impressions of the whole experience.

Update: A few corrections based on comments by Ethan.
Update: I have uploaded my VMware disk (.vmdk) here. It's about 350MB tar gzipped. The MD5 checksum is 8b158acfff42572dce632fdcb0707009. To use this vmdk one needs to first create a virtual machine and give the path to this vmdk file as the logical disk. Note that this is NOT a .vmx but a .vmdk. Thus you cannot open this file in VMware directly. You will need to create a virtual machine.

ChromeOS Getting Started Documentation 
The documentation is pretty neat and things worked out-of-the-box for me. I did not have to hack even a line of script. Started by watching the videos and reading the documentation here.

My compile environment was an Ubuntu 9.04 Acer Aspire netbook. I actually wanted to get ChromeOS running on the same netbook, but the documentation suggested that the Chrome install process will nuke the entire hard drive and so I opted for creating the VMware disk image instead.

Building the Image
The whole process, right from reading the initial documentation to getting up the VMWare took me about 5 hours and most of it was spent creating the chroot environment, compiling the packages and the kernel. After that, the image building and the creation of the VMWare Disk was pretty quick.

Running ChromeOS on VMware

1. Bootup Time
Of course, running it on VMware meant that I could not test its claimed bootup speed! But the bootup definitely 'felt' faster relative to my other OS bootups on VMware. ChromeOS creates a file called /home/chronos/chrome_startup.log which showed the bootup time as 47 seconds. I believe that is good on VMware.

2. Login Prompt

The login prompt is plain and simple blue with two boxes for username and password. I noticed two things here:
  1. The username/password could be your gmail credentials. That means that your Google account could act as a profile store. Does this mean someone can use a ChromeOS device only when online? Or only when having a Google account? I am not sure as of now.
  2. It also accepts the username/password that I created while I was building the code. I think this option would be disabled for regular users.

3. Login Using Google Credentials

To begin with, I logged in with my Google credentials and was presented the following error page saying that the security certificate for was revoked. My login had succeeded.

This seems like a bug to me, but I will have to do some more trials before concluding that this is a real bug.

4. Login Using regular credentials
I tried logging in with the testuser account that I had created earlier. That seemed to work fine and I finally got presented with a functioning chrome browser.

I could log in to,, etc. with my regular gmail credentials and could operate my account as usual. No problems. Things even seemed a tad faster in my slow VMware.

5. Some UI features

From the above screenshot, it's clear that all the user sees when he logs in is the chrome browser interface. There is no desktop and no icons. The only icons that I could spot are 4 on the top right: time, an inactive icon, networks and a drop-down menu. A single chrome icon exists at the top left. Clicking on it takes you to Google Shortlinks, which I believe is Google's replacement for desktop icons, with links to Google products. Smell a monopoly in the making?
Update: Ethan points out that it will be far from a monopoly because whatever is web-based would be supported. I agree, but I would like to wait and watch and would be happy to be wrong.

6. Task Manager and Resource Stats

Clicking on the top gives an option to open the Task Manager, which looks as below. This is pretty much the standard task manager except that we see a lot fewer tasks in it. Also, it hints at the multiprocess nature of the Chrome browser.

Clicking on Stats for Nerds shows an additional memory usage view. This is equivalent to typing about:memory in the browser tab. I don't understand everything in the stats yet but will dig in later. For example, I don't understand what Proportional Memory is.

A minor point: the note in the above figure states that other browsers like IE and Firefox will also be shown here if they are running. This could be due to the fact that the Chrome browser code-base used is the one used for Chrome on desktops. Or maybe they really intend to do that in the future?

I couldn't navigate any further and could not find additional shortcuts or additional interesting options and settings. Will need to dig more in the documentation to see if there are more interesting peeks here and there.

7. Browsing of files

The file browser is contained in the Chrome browser itself. Typing file:/// in the address bar shows the root file system as seen when browsing a remote directory. Not the best way to navigate a local file system, I guess.

8. Shell and command line tools

To get to the command line, one has to press Ctrl+Alt+T. Frankly, I could not figure out how to navigate back to the GUI or to other open command lines, and I had to keep doing Ctrl+Ds on the command line to get back to the GUI.
Update: Ethan points out that typing exit takes us back to the GUI. It is essentially the shortcut Ctrl+D.

The most irritating aspect to me was that standard utilities like ifconfig, route etc. were missing.
Update: I missed this completely. You can access all of these commands by using sudo, as Ethan pointed out correctly. Thanks for the correction.

I could use vi, python and the standard shell builtin commands as far as I tried. Also, I found apt-get and dpkg installed, but it would not let me install any packages using apt-get (the locks were read-only). I am not sure if this is intentional or a bug.

That's all I could get my hands on for today, but this is the beginning and the exploration will continue. I will be digging into the documentation and source code and keep reporting nuggets of information as and when I discover them for myself.

ChromeOS is exciting and will get even more exciting in the coming months and years. I remember my Professor telling us in class that systems should be like 'Toasters', i.e. it must not be required to read a manual to operate them. ChromeOS is definitely a step in that direction. Also, the lean philosophy adopted by ChromeOS should reduce the burden on end users as far as managing and securing systems is concerned. Of course, there will be newer challenges, but at least ChromeOS reduces the surface area of problems.

I think Google needs to watch out and not make ChromeOS a Google-centric product. That may not be well received by consumers already struggling to break free of existing monopolies.

Monday, November 16, 2009

What can we learn from Craigslist?

Ref: Why Craigslist is such a mess?

There is lots to ponder, learn and unlearn from Craigslist in this new information age. The following are a few simple lessons that I extracted from the following quotes in the above referenced article on Craigslist. The article is a great read.

Lesson 1: We may not have a single definition for doing good business, but we can all agree on the fact that businesses exist to serve the public.

But seen from another angle, craigslist is one of the strangest monopolies in history, where customers are locked in by fees set at zero and where the ambiance of neglect is not a way to extract more profit but the expression of a worldview.

Lesson 2: David(s) have, are and will always trump Goliath(s) in every age.

It is difficult to overstate the scale of this accomplishment. Craigslist gets more traffic than either eBay or Amazon.com. eBay has more than 16,000 employees. Amazon has more than 20,000. Craigslist has 30.

Lesson 3: People work the best when they are allowed to work.

The long-running tech-industry war between engineers and marketers has been ended at craigslist by the simple expedient of having no marketers. Only programmers, customer service reps, and accounting staff work at craigslist. There is no business development, no human resources, no sales. As a result, there are no meetings. The staff communicates by email and IM. This is a nice environment for employees of a certain temperament. "Not that we're a Shangri-La or anything," Buckmaster says, "but no technical people have ever left the company of their own accord."

Lesson 4: If there are sufficient economic incentives, things will get done. Doesn't matter what side of the fence you are on.

Captchas—distorted words that can be interpreted by humans more easily than by machines—tamed spam on craigslist for a while. Then it came back full force, not because the spammers had solved the difficult problem in artificial intelligence but because they had hacked an easier problem in global economics.

Lesson 5: Simplicity and usability go hand in hand. K.I.S.S. always works.

Without a computer science research department to work on evil-fighting algorithms, or a call center to take complaints, Buckmaster has settled on a different approach, one that involves haiku. The little poems he has written appear on the screen at times when users might expect a helpful message from the staff. They function as a gnomic clue that what you are seeing is intentional, while discouraging further conversation or inquiry. Attempt to post a message that is similar to one you've already entered, and this may appear:
a wafer thin mint
that's been sent before it seems
one is enough, thanks

The slight delays in cognitive processing that these haiku cause are valuable. They open a space for reflection, during which you can rethink your need for service.