Found out how I got hacked originally

I run a tool on my server which creates charts based on basic server vitals, like free disk space and CPU load averages.

It’s called cacti, and it’s great.

Except, apparently this security hole allowed the hacker who originally broke into my server to get in. He was able to execute arbitrary commands via the good old URL string hack. (He did the same thing as is described in there: wget’ed his own script which added a new user for himself and added him to sudoers, and then connected via ssh).

In my latest upgrades, I saw that this cacti bug’s been fixed.

Scary stuff. Computer security, these days. How does a php script have code which can run an arbitrary command? My Java Servlets never have a way to run command line apps by way of specific arguments in the URL string. Sigh. In *nix we may have [basically] all-or-nothing security (that is, if you discount ACL support)–but knowing this, please prefer “nothing” to “all”, for crying out loud!

False alarm

I thought my server was hacked this weekend, but I think in reality someone on Peer1’s network took my IP address by accident, caused an IP conflict, and because I detected ssh running on a non-standard port, I assumed I had been rooted. In fact, when I returned to my machine today, I found no such rooting, and chkrootkit reported nothing. What really freaked me out was that I found vsftpd running on port 21, but wouldn’t accept any of my usernames/passwords, so I really assumed I had been rooted. But here I am, and nothing has been changed.

Whew, I guess?

Talk on Outsourcing

I recently gave a talk on outsourcing for Computer Advocacy @ NYU, entitled:

“Offshore Outsourcing: Roots in Corporate Power.”

It was meant to be an introduction to the subject, to precede the film screening we had of Greg Spotts’ “American Jobs.” I’ve posted the talk’s slides to my web server in SXI (27K) and PDF (212K) formats.

In the talk, I tried to show how outsourcing can be seen as stemming from the gradual ascendancy of corporate power in the world, beginning with the first laws enabling corporate personhood to today, when corporations pit governments against one another for who can provide the least humane economic regulatory system (which are then spun as “pro-business”–think, for example, of China’s inexistent environmental legislation, and how many high-pollution businesses have moved their shops there).

When corporations first gained rights as legal persons, they began to win cases in which they secured their right not to be regulated, and then began to win ideologues with a vision of the corporation which freely moves around the world, hiring all the labor it can find. Key to this vision, however, is that governments are helpless and defenseless–that they should not have the power to regulate corporations, since any such regulation creates an unfair situation in the global neoliberal “free market.” I try to make it clear that the end goal of this experiment is a global corporate state, in which labor laws and life/work balance simply don’t exist, as we all strive to be “more competitive” for corporations whose urge to lower cost will never disappear.

p.s. check out the book mentioned in my talk, Gangs of America by Ted Nace.

Got bored with Descartes and Spinoza, wrote a patch to powernowd

While I was studying, I noticed that I wasn’t exactly happy with the cooling/cpu frequency scaling on my laptop. I use a nice program called powernowd which scales my CPU speed up and down depending on various factors related to system load. But I didn’t like how my setup was kind of “all or nothing.” When I am plugged into AC, I switch to “performance” mode which just runs me at 100% CPU frequency all the time (making my laptop hot, my fan noisy, but my machine fast), whereas when I’m unplugged I switch to “userspace” mode, which lets powernowd kick in, and he jumps about from 400MHz to the full 1.6GHz based on load, keeping the machine cool but also making it feel a bit sluggish since if I’m overloading my CPU at 400MHz it’s already “too late” to pump it up, it will have already felt slow for at least an instant.

So I have this conflict: hot and responsive, or cool and sluggish. I thought, well, I must be able to come to a compromise.

I decided to take a look at powernowd’s code, and it turns out it’s written quite straightforwardly. Within 30 minutes of tinkering, I had a patch that did what I wanted. With another 30 minutes, I polished it and made it quite committable.

Basically, I added a new mode called “COOLING” to powernowd, which runs your CPU a few notches below your full frequency (which I call your “cool_spot”), based on the following approach:

  • if you have two frequencies available, you normally run with the lowest.
  • if you have three frequencies available, you normally run with the second from highest.
  • if you have four frequencies available, you normally run with the third from highest.
  • if you have five or more frequencies available, you normally run with the fourth from highest.
  • if your load goes above your specified trigger (“highwater” in the code), you jump to highest frequency. When it lowers (“lowwater”), you go down to your cool_spot, but not below it.

On my machine, I have 5 frequencies (1.6GHz, 1.5GHz, 1.4GHz, 1.2GHz, and 400MHz), and so I normally am running at 1.2GHz. This new COOLING mode runs while I’m plugged in, and keeps my machine nice and cool but still lets it immediately respond when I want to do something, like a workspace switch.
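The cool_spot rule and the highwater/lowwater behaviour described above, written out in C as an added example; this is not the patch itself or powernowd's own code. The function names, the 80/20 thresholds, the sample loads and the immediate drop to the cool spot are assumptions.

```c
#include <stdio.h>

/* Frequency table from the post, in kHz, sorted highest first (index 0 = fastest). */
static const int FREQS_KHZ[] = { 1600000, 1500000, 1400000, 1200000, 400000 };
#define NFREQS ((int)(sizeof FREQS_KHZ / sizeof FREQS_KHZ[0]))

/* Index of the "cool_spot" for a table of nfreqs entries, per the list above. */
static int cool_spot_index(int nfreqs)
{
    if (nfreqs <= 1) return 0;   /* assumption: one frequency is its own cool spot */
    if (nfreqs == 2) return 1;   /* lowest */
    if (nfreqs == 3) return 1;   /* second from highest */
    if (nfreqs == 4) return 2;   /* third from highest */
    return 3;                    /* five or more: fourth from highest */
}

/* One polling step: load is CPU usage in percent; returns the new table index.
 * Assumption: dropping below lowwater goes straight to the cool spot. */
static int cooling_step(int cur, int cool, int load, int highwater, int lowwater)
{
    if (load > highwater) return 0;      /* busy: jump to the highest frequency */
    if (load < lowwater)  return cool;   /* idle: settle at the cool spot */
    return cur > cool ? cool : cur;      /* in between: hold, never below the cool spot */
}

int main(void)
{
    /* Constructed load samples and thresholds, for illustration only. */
    const int loads[] = { 5, 10, 95, 60, 40, 15, 8 };
    const int highwater = 80, lowwater = 20;
    int cool = cool_spot_index(NFREQS);
    int cur = cool;

    for (int i = 0; i < (int)(sizeof loads / sizeof loads[0]); i++) {
        cur = cooling_step(cur, cool, loads[i], highwater, lowwater);
        printf("load %3d%% -> %d kHz\n", loads[i], FREQS_KHZ[cur]);
    }
    return 0;
}
```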

I then hacked the init.d script to have a BATTERY and AC mode, and switch between AGGRESSIVE and COOLING modes accordingly. Now, when I’m unplugged, I get the best battery life and pretty good performance, and when I’m plugged in I get a cool notebook with good performance.

I’ll probably post the patch after my midterms…

Development under Windows: why so painful?

It’s really weird. Lately, I’ve been doing so much development in a *nix environment, that doing the development in Windows is really painful for me. I don’t have any of my good old UNIX tools, I don’t have hotkey-optimized user interfaces, I don’t have speed and control. But more than anything else, I don’t feel like I know what’s going on under the hood.

Today, to take a break from reading Philosophy, I decided to work a bit on this little Java Servlet project I’ve been hacking on. (Will be “released” later.) At some point this past summer, I decided to remove Linux from my main desktop machine and just consolidate all my Linux data onto one machine–this made my life easier so I didn’t have three total (one Windows, two Linuxes) places where my shit could be. But the sacrifice is that my laptop screen is small, so sometimes I want to develop with a big screen and thus want to use my desktop.

Web development, especially, makes sense for me under Windows, since I’m comfortable with the major graphic and web design tools (Photoshop, Dreamweaver, Illustrator) and don’t think the Linux “equivalents” (GIMP, Bluefish, Inkscape) are good enough.

But I decided–may as well have the code open on Windows too, since it’s not C hacking I’m doing, but Java. So I installed Eclipse, and the J2EE, and got cracking.

But under Windows, there are all sorts of gotchas. When my UNIX tool craving gets really bad, I need to drop into cygwin, which isn’t so bad. But without good workspace switching (I have VirtuaWin, but it kinda sucks), and without a customizable window manager, I am really much slower. But here’s the other weird thing I ran into. After a while of coding, I realized that Eclipse wasn’t reading my JavaDoc information for the JDK (no cool descriptions in my autocomplete tooltips). So I go snooping around the preferences file and can’t find anything, I enable a billion options but no luck. But then, eventually, I realize that it’s very possible Eclipse is using a different JDK. In fact, I look in the dialog, and Eclipse is using some J2SE environment that some other application installed, not the J2EE I installed right before Eclipse. And that J2SE is missing the Java API source code and JavaDoc comments.

The reason this seemed so non-obvious to me is because I’m not used to systems which are completely fucking disorganized. Say what you will about Linux not being user friendly, but, by God, you won’t find it likely to find two different JDKs installed on my machine, and even if you do, only one will be getting used (thanks to Debian’s “alternatives” system). Every application on Windows statically compiles, includes its own libraries, and spews its shit all over the file system and registry. No database tracks it, so your system is a fucking nightmare.

I couldn’t even do a reasonable search to find the JDK I needed, either. It turns out it was in C:\Program Files\Sun\j2sdk1.4_02, which may not sound so bad, but considering on Linux I just think, “Where are libraries stored? /usr/lib” and then in there I think, “What is what I’m looking for called? j2sdk” I quickly find any Java environments in /usr/lib/j2sdk1.x-sun.

On my Linux system, which has not that much installed, I just ran a du -hs /usr/lib/ and got 1.7GB. That means on my relatively lightly-loaded Linux system, 1.7GB of raw 0s and 1s are sitting there waiting to be used as SHARED libraries. Meanwhile, on Windows, there could be any amount of duplication of the equivalent libraries, floating around in various Program Files directories.

I can’t believe there are actually some Linux critics that believe we should be going in this direction, eliminating things like emerge, apt, and rpm and instead just have statically-compiled binaries that come with their own binary libraries and have users duplicating this stuff across their system. Not only is it insane from the point of view of giving control to the user, but it’s also just plain wasteful.

One of my Pet Peeves, as expressed by WWW creator, Sir Tim Berners-Lee

“Anyone who slaps a ‘this page is best viewed with Browser X’ label on a Web page appears to be yearning for the bad old days, before the Web, when you had very little chance of reading a document written on another computer, another word processor, or another network.” — in Technology Review, July 1996

Politics in early hours

I just had a long political discussion with Josh who was visiting New York for the weekend. It went on until just 20 minutes ago, till 5 am. Wow.

I guess the discourse is still alive. Somewhere.

Meanwhile, when I got home I couldn’t help eyeing websites like DemocracyInAction and GetActive, and thinking, that’s where I want to work.

We’ll see. To sleep, for now.

Windows Installer is Evil

I think the most evil thing about modern desktop computers is drive letters. Why didn’t Microsoft rid itself of this horrible concept earlier?

I’m working at a client’s house, trying to upgrade laptops from Windows 2000 to Windows XP. So, the last time I was here, I allocated 10GB of space at the front of the drive for the new system drive for XP. Now when I use the Windows installer to format it as NTFS, it marks it as “F:” Partition3. Which means, when I install XP, the system drive will be F:, and then when I eventually rid myself of the existing two drives, the system will break (probably with the infamous INACCESSIBLE_BOOT_DEVICE stop error).

So, the trick I’m going to use to get around this is prior to installing Windows, I’ll boot off a boot CD, hide both existing NTFS partitions, reboot, install Windows on the now-drive-C:, and then unhide those partitions later so that they show up as D: and E: (I hope).

Argh. The least the installer could have done is allowed me to hide the drives from within here. It takes for-ever to load up the Windows installer again.