Author Archive for jad

zzzZZZ

Published
by
jad
on August 28, 2008
in OS X
. Comments

This feels over engineered but…

I have always wanted to be able to put my Mac Pro to sleep using the power button on the Dell display I have connected to it. If you put the Mac to sleep and then turn off the display it will wake the mac up again due to the USB disconnect of the USB hub in the display.

I came across sleepwatcher which allows you to do stuff like this

Create a config file containing something like 

timeout=100
idle=if [ `system_profiler SPUSBDataType | grep "Apple Keyboard" > /dev/null; \
    echo $?` -eq 1 ]; then /usr/local/sbin/sleepwatcher -n;fi

(I have my Apple Keyboard connected to the USB hub in the display.) Then edit the sleepwatcher Launch script to use that config file - make the launch command look like this

/usr/local/sbin/sleepwatcher -d -V -s /etc/rc.sleep -w /etc/rc.wakeup -f /config/file

Restart sleepwatcher and press the power button on your display and wait 10 seconds…

Now must just remember that this will occur whenever I disconnect the keyboard.

DNS Spoofing

Published
by
jad
on August 19, 2008
in DNS
. Comment

At IETF 72 in Dublin I gave a demonstration of DNS spoofing based on the attack on DNS described by Dan Kaminsky. I was able to successfully inject a fake DNS record in to the cache of a name server with a fixed port in a few seconds and sometimes in well under a second. 

Bert Hubert published a description of the math behind this attack on namedroppers and I have been playing with the spoofer to see how close I can get the experiment and theory. 

I ran my spoofer on a network consisting of three machines linked by a cheap gigabit switch. The attacker was on a Mac Pro, the target nameserver was on a Mac Book Pro and the authoritative server, that the attacker was pretending to be, was on a old FreeBSD box (100Mb). I used DUMMYNET to simulate a longer link to the authoritative server (delay = 30ms).

I ran the spoofer 1000 times and plotted a histogram of the frequency of success against time.

The pink bar shows the median of all the times recorded. If I recall my A level maths correctly, this should coincide with the 50% chance of success predicted by the math.

The math presented by Bert Hubert considers the expansion of the binomial 

Ps = probability of success on a single attempt

Pf = probability of failure on a single attempt

( Ps + Pf )^n = 1

Expanding this and remembering that the sum of all the terms containing success = (1- the term for always failing) leads to the probability of combined success

Pcs(n) = 1 - (1 - Ps)^(n)

We know that n = T/W so we get 

Pcs(t) = 1 - (1 - Ps)^(t/W)

Bert Hubert tells us that Ps = (D*R*W)/(N*P*I) where

     I: Number distinct IDs available (maximum 65536)

     P: Number of ports used (maximum around 64000 as ports under 1024
     are not always available, but often 1)

     N: Number of authoritative nameservers for a domain (averages
     around 2.5)

     R: Number of packets sent per second by the attacker

     W: Window of opportunity, in seconds.  Bounded by the response
     time of the authoritative servers (often 0.1s)

     D: Average number of identical outstanding queries of a resolver
     (typically 1, see Section 5)

I used the following values
I=65535
R=36000 - From looking at the traffic I was sending
W=0.030 - From the settings I gave DUMMYNET
N=1.0 (I fixed this)
P=1 (I fixed this)
D=1
Plotting this on the same graph as the histogram gives:

The blue circles are the predicted probability of combined success (Their y axis runs from 0 to 1 and is not shown). As you can see the predicted 50% chance (black cross lines) occurs slightly before the median but it is fairly close.

In order to improve things I added an extra term to the equation to account for the time that the window is closed (This is due to the spoofer taking a bit of time to notice that it has been unsuccessful and to try again). So:

n = T/(W+Wc)

Ps = (D*R*W))/(N*P*I)

where Wc is measured to be about 0.003 seconds. The graph now looks like

That seems like good agreement to me. The median in this case is 1386ms.

BTW: The graphs were plotted using R.  This is the code I used

#Plot a histogram of frequency of success against time
mydata <- read.table("/tmp/speed-test-30ms",header=TRUE)
#Plot both on a single graph
h <- hist(mydata$time,breaks=100,plot=FALSE)
plot(h,freq=FALSE, xlim=range(h$mids),ylim=range(h$density),
    sub="Histogram showing time to success of real spoofer (pink line shows median)",
    main="DNS Spoofer Performance",
    ylab="Density", xlab="Time/ms")
abline(v=median(mydata$time),col=70)
#Plot Bert Hubert's math
D=1.0
R=36000.0
W=0.030
Wc=0.003
N=1.0
P=1
I=65535
Ps <- ((D*R*W)/(N*P*I))
Pcs <- function(t){1 - (1 - Ps)**((t/1000)/(W+Wc))}
par(new=TRUE)
nx <- sample(h$mids)
y=Pcs(nx)
#Scale plot to same as histogram
my=max(y)
ny=y*max(h$density)/my
plot(nx,ny, xlim=range(h$mids),ylim=range(h$density),col="blue", ann=FALSE)
#Calculate time for 0.5 chance
time5 = 1000*(W+Wc)*(log10(0.5)/log10(1 - Ps))
abline(v=time5)
abline(h=0.5*max(h$density)/my)

log(0.5) and the OS X calculator

Published
by
jad
on August 13, 2008
in OS X and is it me?
. Comment

The OS X calculator is one of my favorite applications and I use it every day for work (I find  the binary display in the programmer view especially useful). So I was very surprised when I noticed that it was giving me the wrong answer for log(0.5). I was getting log(0.5) = 0.301 when it should be -0.301. Strangely 1-log(0.5) was correctly shown as 1.301. Well today I discovered that this only happens if you enable “Show Separators” in  the View menu.

Does anyone else see this or is it just me?

sshd on OS X

Published
by
jad
on July 22, 2008
in OS X
. Comments

I have been trying to understand how the SSH server settings are controlled on Leopard. To turn sshd on you tick the remote login box on the sharing preference pane. You can then control which users are allowed to log in by selecting them in the “allow access for” section.

But where does it store the settings? Traditionally you would have added a clause like

AllowUsers jad
 to /etc/ssh/sshd_config. However OS X does not do this, instead it adds a file called
/private/var/db/dslocal/nodes/Default/groups/com.apple.access_ssh.plist
containing what appears to be a list of users in the remote  login group. I have no idea what uses this file. Is it a modified  version of sshd or is something cleverer at work?
And, what was wrong with the old way?

MacSpeech Dictate

Published
by
jad
on July 15, 2008
in delicious feed
. Comments

I am dictating this post using MacSpeech Dictate. It is amazing and much better than I expected at understanding what you’re saying. In addition to dictation it also allows you to control your computer, with commands such as “open mail” and “put this computer to sleep”.

When you are controlling your computer you have to be careful to use the correct language and it does take a bit of getting used to but it’s quite easy. There is an on-screen list of commands to refer to and most of them are fairly intuitive.

As far as I can tell MacSpeech Dictate seems  to work in all applications. I have used it this morning in TextMate to write an XML document. Speaking “open angle bracket” is almost as easy as typing angle bracket. And long sections of text are obviously much easier to speak.

MacSpeech Dictate is able to detect commands during spoken text. Adding punctuation is easy, to add a full stop just say “full stop”. Correcting mistakes can be a little painful but can be done. Deleting a single word is done by saying “forget word” and deleting the last chunk of text that you dictated can be done by saying “forget that”.

It is really good in iChat. Being able to speak is exactly what you want when writing a chat message.

However, don’t forget to read what you wrote because it can make mistakes!