I had a strange problem lately with weak Debian openssl keys. When I upgraded openssh-server host keys regerated, but since they are depended on host data, generated key is always the same and ssh server blacklists them making host unreachable via ssh.

If you get output similar to this, you are in trouble:

root@black:~# dpkg-reconfigure openssh-server
Creating SSH2 RSA key; this may take some time ...
Creating SSH2 DSA key; this may take some time ...
Host key 9d:83:3a:62:25:0d:c4:e9:81:b0:5a:de:47:3e:b0:e7 blacklisted (see ssh-vulnkey(1))
Host key 27:cc:9a:f2:e3:be:0d:44:94:fa:86:60:36:dc:04:2e blacklisted (see ssh-vulnkey(1))
Restarting OpenBSD Secure Shell server: sshdHost key 9d:83:3a:62:25:0d:c4:e9:81:b0:5a:de:47:3e:b0:e7 blacklisted (see ssh-vulnkey(1))
Host key 27:cc:9a:f2:e3:be:0d:44:94:fa:86:60:36:dc:04:2e blacklisted (see ssh-vulnkey(1))

First step was to install dropbear (which comes in dropbear Debian package) and change port in /etc/default/dropbear to something other than 22:

# change to NO_START=0 to enable Dropbear
NO_START=0

# the TCP port that Dropbear listens on
DROPBEAR_PORT=1022

This will allow us to connect using ssh -p 1022 black if something goes wrong (and from my expirience it will).

Then, generate rsa and dsa keys on some other host using:

dpavlin@tab:/tmp/black$ ssh-keygen -t rsa -f ssh_host_rsa_key -C black
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in ssh_host_rsa_key.
Your public key has been saved in ssh_host_rsa_key.pub.
...
dpavlin@tab:/tmp/black$ ssh-keygen -t dsa -f ssh_host_dsa_key -C black
Generating public/private dsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in ssh_host_dsa_key.
Your public key has been saved in ssh_host_dsa_key.pub.

and copy them over using dropbear which still works:

dpavlin@tab:/tmp/black$ scp -P 1022 ssh_host_* root@black:/etc/ssh/

now restart openssh-server with

root@black:~# /etc/init.d/ssh restart
Restarting OpenBSD Secure Shell server: sshd.

and you can test your normal ssh connection to port 22 and remove dropbear server.

I have written about data migration from disk to disk before, but moving data off the laptop is really painful (at least for me). This time, I didn't have enough time to move files with filesystem copy since it was painfully slow and transferred only 20Gb from 80Gb of data in two hours. I seen 3M/s transfers because of seeking in filesystem, so something had to be done!

So, let's move filesystem images. Limiting factor should be speed of disk read. Have in mind that 100Mb/s full-duplex network (over direct cable) will bring you just 12Mb/s which is much less than normal laptop 5400 rpm disk can deliver (around 30Mb/s of sequential read -- you can check that with hdparm -t).

Since I'm coping data to RAID5 array, I can assume that any operation on images will be much quicker than seek times on 5400 rps disk which is in laptop.
Let's see which partition we have on laptop:

llin:~# mount -t ext3,reiserfs
/dev/mapper/vg-root on / type ext3 (rw,noatime,errors=remount-ro)
/dev/sda1 on /boot type ext3 (rw)
/dev/mapper/vg-rest on /rest type reiserfs (rw,noatime,user_xattr)

First start netcat (on machine with RAID array) which will receive image. I'm using dd_rescue to display useful info while transfering data... If you don't have it, just remove it from pipe.

root@brr:/backup/llin-2008-01-12# nc -l -p 8888 | dd_rescue - - -y 0 > boot.img

Then start transfer on laptop:

llin:~# nc 192.168.2.20 8888 < /dev/sda1

Repeat that for all filesystems like this:

root@brr:/backup/llin-2008-01-12# nc -l -p 8888 | dd_rescue - - -y 0 > root.img
llin:~# nc -w 1 192.168.2.20 8888 < /dev/vg/root

root@brr:/backup/llin-2008-01-12# nc -l -p 8888 | dd_rescue - - -y 0 > rest.img

llin:~# nc -w 1 192.168.2.20 8888 < /dev/vg/rest

While you are waiting for copy to finish, you can use dstat, atop, vmstat or any similar command to monitor progress, but I came with this snippet:

root@brr:~# watch "df | egrep ' (/backup|/mnt/llin)' ; echo ; ls -al /backup/llin*/*.img"

which produce something like this:

Every 2.0s: df | egrep ' (/backup|/mnt/llin)' ; echo ; ls -al /bac...  Mon Jan 12 23:30:21 2009

                     125825276 112508688  13316588  90% /backup

                      82569904  22477768  60092136  28% /mnt/llin

                      25803068  24800808    740116  98% /mnt/llin.img/root

-rw-r--r-- 1 root root 45843283968 2009-01-12 23:30 /backup/llin-2008-01-12/rest.img

-rw-r--r-- 1 root root 26843545600 2009-01-12 23:07 /backup/llin-2008-01-12/root.img

I decided to rsync files, since I already had 20Gb of them in file system. First you have to recover journal (since we where coping live devices, journal isn't finished and loopback device won't allow us to mount filesystem):

root@brr:/backup# e2fsck llin-2008-01-12/root.img 
e2fsck 1.41.3 (12-Oct-2008)
llin-2008-01-12/root.img: recovering journal
llin-2008-01-12/root.img: clean, 689967/3276800 files, 6303035/6553600 blocks (check in 4 mounts)

root@brr:~# e2fsck /backup/llin-2008-01-12/rest.img 

root@brr:~# reiserfsck /backup/llin-2008-01-12/rest.img

If you don't want to wait for reiserfs to finish check, you can abort it when it starts checking of filesystem because we only care about first step which will recover journal.
Next, we will mount images (read-only) using loopback:

root@brr:~# mkdir /mnt/llin.img
root@brr:~# mount /backup/llin-2008-01-12/root.img /mnt/llin.img/ -o ro,loop
root@brr:~# mount /backup/llin-2008-01-12/boot.img /mnt/llin.img/boot/ -o ro,loop
root@brr:~# mount /backup/llin-2008-01-12/rest.img /mnt/llin.img/rest/ -o ro,loop

And finally rsync rest of changes to directory

root@brr:~# rsync -ravHS /mnt/llin.img/ /mnt/llin

After that, I used files to start OpenVZ virtual machine which will replace my laptop for some time (if you know good second-hand laptop for sale, drop me an e-mail).

   25C3: Nothing to hide
   25th Chaos Communication Congress
   December 27th to 30th, 2008
   bcc Berliner Congress Center, Berlin, Germany

This year, I was for third time at Berlin for Chaos Communication Congress and concluded that predictions for 2009 and beyond shouldn't be based on magic ball - you can just extrapolate from things that was presented at 25C3. So, I borrowed William Gibson's quote for title of this post.

Digital hacking

PowerLineCommunications (PLC, or ethernet-over-powerlines) is really coming. There are devices available in MediaMart and/or Saturn, and IEEE is in process of standardization. Face it: we are moving towards world in which we will have just one cable between device and wall for both power and ethernet (up to 200Mb/s).
FAIFA: A first open source PLC tool is good introduction to field and example of tool to see parts of network.

Chip Reverse Engineering is easier than ever. If you are designing hardware system and depend on security through obscurity (hope that nobody will be able to read your chip design) this is just no longer truth. We know that from last year's 25C3 Mifare presentation, but this year we saw that it's getting so easy that you really have to have enough silicon to provide real security.
Watch Chip Reverse Engineering for overview of tools which we have available today.

RF fingerprinting enables us to detect hardware differences between devices which is result of small imperfections in manufacturing which enables us to identify devices from same manufacturing run.
Watch RF fingerprinting of RFID to find out how that works for 802.11 devices and RFID passports.

While we are on security topics, it seems that php is getting taint support if only for security analysys. Vulnerability discovery in encrypted closed source PHP applications provides fascinating step-by-step introduction into php reverse engineering from php opcodes back to source code. I can't wait for release of tools mentioned in talk!

Hacking telecommunications

Although I'm not really interested in hacking of iPhone (because I don't believe in closed devices) it was interesting that only single weak link in security (even before boot loader) can bring whole system down.
Hacking the iPhone explains how they did it, and interesting part is that they have some knowledge of broadband part (needed to implement sim unlock) which might be also useful for other devices.

Anatomy of smartphone hardware is great introduction into smart phone class devices.

Harald Welte who did this lecture and who we know from iptables, Openmoko and Sputnik is now moving to Running his own GSM network by attaching Siemens BS-11 microBTS (base transciver station, that park on telco poole) to Linux using A-bis telco protocol.
Running your own GSM network and presentation files are essential material to understand why it's bad idea to forget that device needs to (cryptographically secure) verify is it connecting to right network. If you put all your intelligence and trust in network itself, you will get 3000+ pages of documentation but not security.

DECT network and phones are designed after GSM, and they can check for validity of network. Unfortunately, with cheap 23 EUR card, you can be your own base station and ask phone to ignore encryption if you want to. This involved reverse engineering chip's encryption (I told you it's easy tease days) and writing linux driver for PCMCIA card, Hardware part of lecture is in german, but slides are in english, and even without that part it's really interesting.

Advanced memory forensics: The Cold Boot Attacks provided overview of technique and special attention to crypto keys recovery from partially decayed memory. video

Console Hacking 2008: Wii Fail once more reinforced my feeling that you can't really design completely secure system. video
On the other hand, I really liked idea that Play Station 3 is only console which hasn't been hacked just because it can run Linux natively. As we all know from MD5 considered harmful today where researchers created MD5 collision for CA which got enough mention already.

coreboot: Beyond The Final Frontier is nice introduction to free bios replacement which includes utility to flash bios on most motherboards under linux called Flashrom which I must give a try. video

Scalable Swarm Robotics sometimes it really important to make real robots to test in real world. video

State of the world

One of benefits of CCC is that you can also hear a lot of topics unrelated to digital hacking.

Climate Change - State of the Science which provides great overview and points to possible solutions giving us at least some hope.
I bet you didn't know that half of people in Berlin doesn't own car...
Since there isn't official recording of lecture, I'm providing mirror of Climate Change - State of the Science stream dump for future reference.

Flying for free introduced me to wonderful world of gliders which reminded me a lot to boat sailing but in 3D.
Mirror of stream dump from Flying for free will introduce you to bits of magic that birds knew all along...

Not Soy Fast: Genetically Modified, Resource Greedy, and coming to a Supermarket Near You explains a lot about soy that we or our animals eat. video

Life is a Holodeck! is one of rear lectures that I would really like to see myself because streams of holograms can't bring you real 3D feeling...
Although presenter HoloClaus is somewhat stiff at beginning it is nice overview of technologies used and current state of art which involves computer rendering of 3D objects in full color with resolution of 500 lines per millimeter. Of course, you can also make holograms from real objects if you want to have 2 tons heavy stand for it, special laboratory and SOP which includes:

• put object on 2T stand
• go to coffee for 20 minutes so it can sattle
• press button to take H1 hologram

Work which involves coffee as part of it can't be that bad :-) video.

Back to somewhat computer related topic, All your base(s) are belong to us provided me with update on current state of the art in DNA sequencers. video

Wikileaks is archival side for whistleblowers. video

See you at CCC next year?

All in all it was well spend time (and much more interesting that OSCON 2008, at least for me. Conference was very crowded, and I ended up listening to all lectures over stream and/or recording. However, being in Berlin is unique experience, but it doesn't make sense for less than 10 days, so I won't make this mistake again (hopefully) :-)