Archive for the ‘how to’ Category

Mac OSX — the most insecure OS around

Friday, August 7th, 2009

A year ago, I gave up on Windows. I was tired of the nervous eggshell feeling with anti-virus software, security patches, and a machine that would mysteriously be slower and slower no matter what I did.

Because of MacOSX's Unix roots, I made the switch to MacOSX confident that my personal computer would be safe.

This faith has been severely shaken. I now regard MacOSX as one of the most INSECURE operating systems.

MacOSX has a dangerous default DNS/DHCP configuration. Even worse, this dangerous configuration cannot be fixed from the UI. Even the command line fix is difficult. And worst of all, Apple is aware of this and does nothing.

There are 5 bits of background you should know:

  1. DNS is a fundamental part of the internet. DNS is the ‘name resolution’ service that converts ‘mail.google.com’ into the ipaddress ‘74.125.19.19’, which is what your computer really uses to contact GMail servers so you can read your email. This conversion from the human readable ‘mail.google.com’ to ‘74.125.19.19’ is analogous to the post office converting the postal address on your snail mail envelope to a Zip+4 encoding that is printed at the bottom of the envelope. This encoding is what is actually read by the postal service mail sorting machines to determine where your snail mail goes. Now imagine that the postal service’s encoding machine was compromised. This compromised postal encoding machine was changed so that no matter what the Zip+4 code was supposed to be, the machine always encoded the location of Dick Cheney’s house. As a result, all your mail that was processed by that compromised postal service would go first to Dick Cheney. Dick Cheney would get a chance to open all your snail mail, read it, copy it, etc. He could then reseal the original envelope, reencode the envelope with the correct barcode and put the envelope back in the postal service system to be delivered to the correct address. All this would happen without you being aware of the problem or able to stop it from happening.

    Everything internet related depends on correct translation of ‘apple.com’ or ‘bankofamerica.com’ to the correct IP address, not some third party server. How does your machine know that it is communicating with apple.com and not some evil server? Your computer relies on the DNS lookup being correct. If the DNS lookup is compromised, then when your software update runs to check for the latest security patches it is really installing a virus from evilserver.com, not apple.com.

    There has been recent concern about DNS spoofing. ( links ). Being the cautious person that I am, I decided to explicitly list opendns.org’s DNS servers (208.67.222.222 and 208.67.220.220) as the DNS Servers to trust in my Network configuration. I felt pretty cocky and safe.

  2. The second bit of the puzzle is DHCP. In order to talk to the world, computers need to have their own personal unique ipaddress (its very own ZIP+4 code). Every time you go into an internet cafe and pop open your laptop, your laptop uses the DHCP service to figure out what unique ipaddress (192.168.1.101) it should use while you are in that cafe. DHCP is nice because otherwise you would have to manually figure out and set an ipaddress for your computer that is different than everyone else’s laptop. And if someone else picks the same address as you did, all of a sudden your internet connection starts behaving oddly. In addition to supplying an ipaddress, the DHCP server also supplies a DNS server that should be used. This is useful when you have your laptop at work and you need to go to an internal website such as http://go/wave. Notice there is no ‘.org’ or ‘.com’ after ‘http://go/’; this means that ‘go’ is only visible when you are at work and can access the internal DNS server using the information that the corporate DHCP server supplied to your laptop.

    So to summarize, DHCP supplies your laptop with the information needed for the world to talk to your laptop (by assigning an ipaddress to your computer), and helps you find out about the world (by telling your computer about the corporate DNS server). DNS servers enable your laptop to talk to the world by giving your laptop a ‘go-to-machine’ for all its addressing questions.

  3. Third, DNS servers are usually big expensive computers secured by “smart people”. However, the DHCP server is really just a bit of software running on a Linksys router at your internet cafe. Your internet cafe’s Linksys router probably has the default password and no one ever checks on it. There are millions of these routers, with minimal security, no one checking on them, and your laptop is trusting these unsecured routers with the keys to your kingdom. Your laptop is asking this router — “tell me which DNS server to trust?”
  4. Fourth, let’s say that you are paranoid enough to say “ohh this is bad. I am not going to trust such a router in a greasy, dark corner with telling my precious laptop which DNS server to trust.” So if you are like me, you configure your laptop with an explicit list of DNS servers, thinking that your laptop, especially your oh-so-secure Mac, would never disobey you about something so critical as DNS.
  5. Fifth, you would be wrong. The insecure MacOSX does disobey and it does trust that greasy spoon router over you. MacOsX doesn’t let the user (YOU!) say that only certain machines are allowed to be your laptop’s DNS servers! Furthermore even if you have supplied your own custom DNS servers that you trust, the insecure MacOSX trusts the greasy spoon DHCP server’s DNS servers over your trusted DNS servers. And there is NO way to convince MacOSX otherwise.

This means that if the DHCP server at your internet cafe has been compromised, you are as well.

How I found out

So here I am feeling all cocky and safe. I type in my company’s web address, ‘amplafi.net’ and amplafi.net resolved to 113.29.236.168 which offered that the website was for sale!… I freaked out!

I discovered my MacOSX laptop was insisting on trusting these EVIL DNS servers 206.13.28.12 206.13.31.12 . Was the 10.5.8 OSX patch that was installed 6 hours ago really what it seemed? Who knows? When I installed updates to Firefox plugins was I really installing the correct versions or a compromised version that would report back to some site in Russia all my bank account information? I have no way of knowing.

This is the really scary part about everything. John Simpson reports:

Under 10.4 and earlier, when I specified a custom nameserver, the system would use only the nameserver(s) I specified. However, under 10.5 Apple has apparently changed that behavior, and uses my specified nameservers in addition to the DNS servers specified by the DHCP server. It shows the DHCP-provided server IP on the list, greyed out, so you can’t delete it.

For a while, I adopted a “grin and bear it” attitude — after all, the DHCP server at home is handing out the IP of my internal Linux server (also running djbdns) as the DNS server, so I was only unsafe when I used the laptop outside the house. However, with the recently announced vulnerability in the DNS protocol, the massive world-wide patch effort by major DNS vendors, and the fact that many networks haven’t applied the patches yet, I don’t really feel safe relying on anybody else’s nameservers.

I tried calling Apple about this, but it turns out that my AppleCare contract doesn’t cover technical support such as this.

My next approach was to just brute-force search the system for anything relating to DHCP. It took a while, but I was able to find the file which needed to be changed, and figure out the necessary changes. Basically, I found a file which controls which options are used by the DHCP client when handling a response from a DHCP server. I removed the DNS-related options from this list, and after rebooting the system, the laptop now ignores the DNS server options being sent by the DHCP server.

The file I found is named IPConfiguration.xml, and it’s buried in this folder: /System/Library/SystemConfiguration/IPConfiguration.bundle/Contents/Resources. You need to create a copy of that file, edit the copy, and remove a few entries in the DHCPRequestedParameterList key. (The entries to remove are those for 6, 15, and 119.) I have added full details on this process to my djbdns setup page, in the section titled Disabling DNS servers from DHCP.

Thankfully I found this web page from 2008(!) that showed how to fix this problem (thanks John M. Simpson):

It is possible to make the DHCP client ignore the “DNS server” options in the DHCP response. It’s not for the faint of heart, but if you’ve been able to handle the rest of the instructions on this page, you can handle this bit as well.

I have done this on my own laptop (a MacBook Pro) and it does work.

Be aware that this is a GLOBAL change. If you do this, your machine will not use the DNS servers specified by any DHCP server. This may affect your machine’s ability to easily work with corporate networks (especially those using Windows Active Directory) or other networks which use private DNS namespaces.

$ sudo -s
Password: You will not see your password as you enter it.
# cd /System/Library/SystemConfiguration/IPConfiguration.bundle/Contents/Resources
# vi IPConfiguration.xml

Find this block...

        <key>DHCPRequestedParameterList</key>
        <array>
                <integer>1</integer>
                <integer>3</integer>
                <integer>6</integer>
                <integer>15</integer>
                <integer>119</integer>
                <integer>95</integer>
                <integer>252</integer>
                <integer>44</integer>
                <integer>46</integer>
                <integer>47</integer>
        </array>

Comment out the 6, 15, and 119 entries. The result should look like this:

        <key>DHCPRequestedParameterList</key>
        <array>
                <integer>1</integer>
                <integer>3</integer>
                <!-- commented out so that Bad DNS servers coming from DHCP servers
                are not used.
                <integer>6</integer>
                <integer>15</integer>
                <integer>119</integer>
                -->
                <integer>95</integer>
                <integer>252</integer>
                <integer>44</integer>
                <integer>46</integer>
                <integer>47</integer>
        </array>

Save your changes.

Be sure to flush the DNS cache.

On MacOsX:

dscacheutil -flushcache
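
A check that the edit took effect, added here as an example (it is not part of the original post or of John Simpson's page): it parses the plist to report any DNS-related DHCP options still requested, and scans `scutil --dns` style output for resolvers outside the trusted OpenDNS pair. The plist wrapper, the `scutil --dns` sample and all function names are constructed for illustration.

```python
import plistlib
import re

# DHCP option codes the post removes from DHCPRequestedParameterList.
DNS_OPTIONS = {6: "domain name servers", 15: "domain name", 119: "domain search"}
# Resolvers the post's author chose to trust (OpenDNS).
TRUSTED = {"208.67.222.222", "208.67.220.220"}

# Constructed sample: the post's array inside a minimal plist wrapper (assumed).
PLIST_TEMPLATE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>DHCPRequestedParameterList</key>
  <array>
    <integer>1</integer>
    <integer>3</integer>
    %s
    <integer>95</integer>
    <integer>252</integer>
    <integer>44</integer>
    <integer>46</integer>
    <integer>47</integer>
  </array>
</dict>
</plist>
"""
DNS_ENTRIES = b"<integer>6</integer><integer>15</integer><integer>119</integer>"
BEFORE = PLIST_TEMPLATE % DNS_ENTRIES                       # stock file
AFTER = PLIST_TEMPLATE % (b"<!-- " + DNS_ENTRIES + b" -->")  # edited file

# Constructed sample in the layout `scutil --dns` prints.
SCUTIL_SAMPLE = """\
DNS configuration

resolver #1
  nameserver[0] : 208.67.222.222
  nameserver[1] : 208.67.220.220
  nameserver[2] : 206.13.28.12
  nameserver[3] : 206.13.31.12
"""


def find_key(node, key):
    """Depth-first search for `key` in nested plist dicts and arrays."""
    if isinstance(node, dict):
        if key in node:
            return node[key]
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            found = find_key(child, key)
            if found is not None:
                return found
    return None


def dns_options_requested(plist_bytes):
    """Return the DNS-related option codes the DHCP client still requests."""
    requested = find_key(plistlib.loads(plist_bytes), "DHCPRequestedParameterList")
    return sorted(code for code in (requested or []) if code in DNS_OPTIONS)


def untrusted_resolvers(scutil_text, trusted=TRUSTED):
    """Return nameservers in use that are not on the trusted list, in order."""
    found = re.findall(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)", scutil_text, re.M)
    return [ip for ip in dict.fromkeys(found) if ip not in trusted]


if __name__ == "__main__":
    for label, doc in (("before edit", BEFORE), ("after edit", AFTER)):
        still = dns_options_requested(doc)
        print(label, [(code, DNS_OPTIONS[code]) for code in still])
    print("untrusted resolvers:", untrusted_resolvers(SCUTIL_SAMPLE))
```

On a real machine, feed the first function the bytes of the edited IPConfiguration.xml and the second the captured output of `scutil --dns`; an empty list from both means no DHCP-supplied resolver is in play.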

I have tried John’s suggestion and those scary DNS servers are no longer present. But has my machine been compromised already? I will be visiting the apple store in a few hours asking for answers.

The story continues. I was sitting next to a customer. On her Windows box she was picking up the same bad DNS servers. It wasn’t until later when I got home that I discovered all this information. I suspect (but am not completely certain) that Windows will not override an explicitly specified DNS server.

Update: So after talking with some people, it’s pretty clear that MacOsX shares this issue with Windows XP because offering out internal DNS servers is part of what DHCP does. However with Windows XP, it is easy to explicitly lock down the DNS servers.

How to lock down a Windows XP box with safe DNS servers:

On Windows:

[Screenshots: step 1, Network Connections; step 2, before changing DNS; step 3, use the OpenDNS DNS servers]

To clear Windows DNS cache:

ipconfig /flushdns

Third person in the room

Saturday, March 14th, 2009

Passion is a wonderful thing.

When someone is “wrong” about a subject that you care passionately about, it is natural to argue with them and try to “prove” to them that they are wrong.

Don’t.

Mentally step back. Look around. There is always a third person in the room. Even if that third person doesn’t look like they are paying attention; they are.

Are you at a party arguing in a corner? The tone of your voices will reach others. The facial expressions will reach others. What are you saying to those other people?

If this is a subject that you really do care passionately about, and the second person also cares passionately, diametrically opposite to you, neither one is likely to convince the other to change their mind.

The person’s mind you can change is that third person. The person who is casually observing. The person on the fence who hasn’t yet made up their mind.

Take the time to use and channel your passion to reach that third person to your side. That is the person you need to persuade.

Focus on being pleasant and reasonable sounding. Not argumentative. Don’t be dismissive of the person you are directly disagreeing with.

Use curiosity to counter their points. “I am curious why you feel this way, when …” (h/t to Genie Z. Laborde, Ph.D. )

Your curiosity conveys open-mindedness to that third person. Your curiosity will persuade that third person.

How to drive a manual transmission

Sunday, April 6th, 2008

From Shannon:

hmm well the number of people I know who keep replacing clutches & transmissions much higher than the issues I’ve had w/autos

If you already know how to drive, learning to drive a manual transmission takes 45 minutes. A manual transmission gives you these benefits:

  • Lower brake wear-and-tear
  • Higher gas mileage
  • Cheaper maintenance – manual transmissions have fewer parts than an automatic.
  • Cheaper to purchase – cheaper to make + fewer people want a manual so they are lower in price on the used car market.
  • Can rent/use cars in other parts of the world which may have only manual transmission cars
  • Impress your friends with tricks like driving without the gas pedal

How to get the benefits:

  • Instead of having your foot on the gas until the moment you slam on the brakes, try this: Take your foot off the gas a long way away from that red light or stop sign. Push in the clutch and let the car coast. It will slow down naturally. When you finally do brake, the car will be a lot slower and the brakes will not do as much work. This will dramatically increase the brake life and save gas and bucks (or euros).
  • When driving in stop-and-go traffic, ease off the clutch just enough to get the car rolling. Push the clutch back in and let the car coast toward the cars in front of you. (brakes and gas again)
  • Ease in and out of gear. Don’t leap from the clutch to the gas pedal. This ain’t the Daytona 500. Take your time and don’t let the transmission get constantly hammered by suddenly being engaged. Learn to avoid stalls by learning how to drive a manual correctly. (saves maintenance)
  • Once the gear change has been completed – get your foot off the clutch. If you leave your foot on the clutch even a “little bit”, chances are that the clutch will be slightly engaging – wearing it out faster.

Driving on hills:

It’s actually pretty easy.

  1. When stopping give yourself extra room to the car in front of you. They might roll backward or you might need the room for what happens next.
  2. If you are the first car, stop with your front tires over the lip of the hill.
  3. When going up a hill rather than braking at the top, try to put the clutch in so the car coasts to the stop. Not always possible – but a goal. This will leave you in the happy situation of your foot being on the clutch and the gas.
  4. Use the combination of the clutch and gas pedal to deliver enough engine power to the tires so that you don’t roll. Going forward will be a piece of cake – just add more gas and ease off the clutch
  5. If you find yourself with your foot on the brake and the clutch, then you will need to get from the brake to the gas.
  6. Don’t panic.
  7. Ease off the clutch until you start feeling the engine engaging.
  8. Then quickly transition from the brake to the gas pedal
  9. Press down on the gas only enough to get you going slightly forward – you might go forward more than you intended (that’s why you gave yourself the room to the next car – right?)
  10. If you stall, don’t freak and don’t let the guy with the horn bother you. Brake. Clutch. Key to restart and try again.
  11. If the guy behind you is really on your tail, then let his front bumper touch your rear bumper. His car will stop yours from rolling backward while you do the brake-to-gas transition :-) Be sure to thank him properly!

How to learn to drive a manual transmission in 45 minutes

Sunday, April 6th, 2008

The Pat Moore, patent-pending, I-will-sue-your-ass-if-you-use-it, guaranteed-not-to-fail-or-your-money-back!

If you follow these steps you will learn how to drive a stick shift in about 45 minutes. Driving a stick shift will let you:

  1. get more mpg (manuals have higher EPA ratings than automatics)
  2. reduce your car repair expenses. (Automatic transmissions have more moving parts and are more complex.)
  3. reduce your car maintenance expenses. (You can coast up to stoplights rather than having your foot on the accelerator until the moment you are slamming on the brake.)

I learned to drive in Michigan and went to college in a town that had snow, ice, more snow, more ice and hills that in some cases were as bad as San Francisco’s (only with ice).

I have taught a bunch of people (~8) how to drive a stick shift this way and have had 0 failures and every one of them could drive a stick after 45 minutes (assuming you already know how to drive).

So here is how to do it:
Get a manual transmission car to a parking lot. This parking lot will have 4 features:

  1. empty
  2. speed bumps
  3. fairly long straight section
  4. flat

Generally an office building’s parking lot on weekends works best. Not-so-good: a mall’s parking lot during Christmas.

Lesson #1:

  1. Get the car so that you have the maximum empty straightaway ahead of you.
  2. Do NOT touch the gas.
  3. Press in clutch (and keep it in)
  4. Put car in first gear.
  5. Turn on car
  6. Do NOT touch the gas pedal (at all)
  7. Slowly ease the clutch out (very slowly)
  8. At some point you will feel the clutch start to engage and the car will start to inch forward.
  9. Do NOT touch the gas pedal (at all)
  10. Continue to slowly ease the clutch pedal out.
  11. LISTEN to the car engine. Watch the tachometer if the car has one.
  12. Don’t freak if the car stalls. Just remember what the tachometer reading was when it stalled and restart it.
  13. If the car starts to stall, push the clutch in – do NOT touch the gas
  14. Continue to slowly ease the gas pedal out letting the car pick up speed.
  15. At some point, hopefully before you run out of parking lot, the clutch will be completely out and the car will be doing about ~7 mph.
  16. Without stopping, press in clutch (and keep it in)
  17. Put car in second gear.
  18. Do NOT touch the gas pedal (at all)
  19. Slowly ease the clutch out (very slowly) until once again you are not pressing in the clutch at all.
  20. Pay attention to the sound of the car engine and the tachometer reading. Try to get as close to the stall point without stalling
  21. Repeat for 3rd, 4th gears (if possible before crashing into bushes)
  22. Do NOT touch the gas pedal (at all)
  23. Turn car around.

Lesson #2:

  1. Repeat Lesson #1 – each time trying to ease the clutch out faster and faster
  2. Do NOT touch the gas pedal (at all)
  3. Pay attention to the sound of the car engine and the tachometer reading. Try to get as close to the stall point without stalling

Lesson #3: Hills

  1. Drive car to first speed bump.
  2. Press in clutch (and keep it in)
  3. Put car in first gear.
  4. Do NOT touch the gas pedal (at all)
  5. Slowly ease the clutch out (very slowly) until the car begins to creep over the speed bump.
  6. Stop releasing clutch. Let the car’s engine be engaged just enough so that you don’t roll backward but not enough to actually go forward.
  7. Play with clutch to rock back and forth with the front tires slowly climbing/descending the speed bump.
  8. Repeat until you don’t roll off the speed bump either direction.

This is how you handle hills on a stick shift. Only with a real hill you will need to use a little bit of the gas pedal as well. But you will not use the brake. (For the most part).

Lesson #4: Jump Starting and confidence building

  1. Repeat Lesson #1 – quickly getting the car going.
  2. Press in clutch (and keep it in)
  3. Put car in first gear.
  4. Turn off car (while it is rolling about ~17 mph)
  5. Press in clutch (and keep it in)
  6. Put car in first gear.
  7. Turn car to on position (but not to start the car)
  8. Release the clutch as fast as you can by letting your foot slide off the pedal. (“popping the clutch”)
  9. The car will jerk around and if you are going fast enough it will start up on its own….. and the car will be just fine.

Lesson #5: Go practice on the streets.

In summary:

  1. Don’t press the gas pedal. People who don’t know how to drive stick shifts leap on the gas pedal like it is the last raft off the Titanic.
  2. If the car is going to stall, press the clutch not the gas pedal. Pressing the gas pedal could send you leaping into traffic. Pressing the clutch is much safer.
  3. Don’t freak if you stall – it ain’t a big deal. And flip off the asshole behind you with the horn.
  4. Really feel your car and its stall point.
  5. Relax.

That’s it .. and be sure to send your check. o.k.?

How to buy a car.

Sunday, April 6th, 2008

My response to Shannon’s thinking about buying a car:

Congratulations saving so much money by avoiding car ownership for so long.

Here is my feedback:

  • Forget the concept of a car retaining its “value”. A car is a liability not an asset. If a car runs and operates it has value. The only time the car’s “value” will matter is if it gets totaled in an accident.
  • Don’t bother buying a new car. It’s a stupid waste of money. Let the other poor sucker buy the shiny new object. Unless you are trying to impress some bimbo girlfriend, forget it.
  • Forget the used car guides, they talk about general trends – not your specific car.
  • Figure out how much money you want to flush down the car toilet. Double that number (maintenance, license, etc.) While you are figuring out what you want to buy set that money aside to make sure you can really do without it (the money that is).
  • How many times can you rent a car with the above cash? Do you still need that car?

Now that you have decided that you really must discard your cash this way. Buy your car this way:

  • Find out what your minimum monthly payment would be buying a car from a dealership. (Let’s say $400/month)
  • Decide what your hassle tolerance is. Your hassle tolerance is how long in months the car must run with only oil changes or other routine maintenance before you get pissed off with it. Note this is a minimum – not an as-long-as-possible value. Let’s say 10 months – so if after 10 months you woke up and discovered that the car had been crushed by a semi, you wouldn’t care.
  • Hassle-tolerance * monthly payment = maximum to spend. Yes – maximum. In our example, that is 10*$400 = $4000. If you don’t mind buying a new-to-you car every 10 months, then if the car lasts 20 months – the last 10 months were ‘free’
  • Look on craigslist. Buy the third car that passes a basic driving test and an inspection by a trusted mechanic (or at least a mechanic that you can beat the shit out of if he screws up). Why the third car? Because you should give yourself the opportunity to get a good deal but you should not agonize and dither yourself into indecision. If you can’t decide by the third car then you don’t really need a car – it’s not urgent. Update: Note that I am not saying the third car period – but rather the third car in decent shape where “decent shape” = able to run at highway speeds and your mechanic doesn’t ask if he can share in the life insurance payout. The car is decent if it is ugly or has cigarette burns in the seats.
  • Buy a car that you would never want to bother getting comprehensive insurance on. If you don’t care if the car is destroyed in a collision, stolen, explodes, etc. — then you will not care if it is a ‘lemon’. Even a lemon will likely last ~10 months.

As a result, you will buy a car that:

  • you will not have an emotional attachment to — save emotional attachments for people not things.
  • you will be indifferent to. You will not wash the car (saving money, time and clean water).
  • you will not waste time cleaning the car.
  • will not be hard to ditch when confronted with a huge repair bill.
  • you will be able to sell for about what you paid for it – even if it doesn’t run at all you will be able to convert it to a tax deduction.
  • drive it into the ground.

As background, my wife and I between the 2 of us have owned 5 cars: 1 new, 4 used. We never paid more than $4000 for a used car (or van). The car that has lasted the longest is a 1991 Ford Festiva – which gets over 30mpg. We paid $1500 for that car. The other vehicle we own is a 1994 Dodge Caravan – $4000. We have never ended up with a lemon. The total we have spent on vehicle purchases during our entire combined life span of >80 man-years is about ~$35,000. (I think that might be too high actually).

Update (9/7/2008):
Apparently I am not the only one to see things this way. Cars: The real reason you are broke.