Taxis in Zürich
November 14th, 2006
Today I had to stay late at work. To get home, I phoned for a taxi and, when I told the driver my home address, he had no idea where the street was. It got to the point where I had to tell him how to get to my home from work.
The funny thing is that I have been in Zürich for barely a week and I already feel capable of giving a local taxi driver directions from work to my home. Isn't that surprising, to say the least?
In spite of everything, the taxi driver spoke English and was quite friendly and understanding so, in the end, I got home without any problems.
Anti-virus
November 13th, 2006
Recently, I read a nice post (Spanish only) published by Sergio Hernando on anti-virus software. After reading it, I decided to go on and write my own personal opinions on security and anti-virus software. In this particular case, although unusual, I disagree — most of the time, I can’t agree more with Sergio — with some of the points he made in this post.
The last time I used anti-virus software was more than ten years ago, and the last virus that infected one of my computers was called Omicron. In fact, my computer got infected due to an MS-DOS floppy that somebody copied for me that was already infected. In those days, it was pretty common to exchange floppy disks between friends.
I don’t like anti-virus software, at least in its current form, and I think I’m not the only one ([1] and [2]). I think I don’t need one anymore — and so does Jim Allchin ([4]).
Personally, I find anti-virus software to be:
Inefficient
Most of the anti-virus products I have ever used try to attach to the operating system itself — either the kernel, file system driver, disk driver, etc. — which makes the system slower, or crash-prone and unstable, or all at the same time. They are pretty much reactive beings.
I think reactiveness in isolation does not lead to a secure system. In real life, I tend to have a healthy diet, do some exercise, get enough sleep, etc., so that I can avoid becoming ill or sick. That is, I’m being proactive: instead of waiting to become ill or sick, then going to the doctor, I do take actions, actions aimed at keeping me on the safe side.
Ineffective
There is a small joke that I think reflects the problems I see with anti-virus software:
- I think I’m ill, Doctor
- You suffer from Smith Syndrome
- What’s that?
- We don’t know yet, Mr. Smith
Most anti-virus products are reactive. Most of them include really good and ingenious engines that are able to even debug suspicious code in order to guess whether it is good or bad to run it. The problem is, however, that the user has little or no way to influence that decision — and it would probably be a bad idea to do so, since there are a lot of people out there who aren’t trained enough to decide by themselves.
Right now, anti-virus software is totally useless against new forms of malware, like Blue Pill ([3]). To me, the resources (time and money) of running an anti-virus can be wisely used to do other things, which I find far from perfect but more effective.
Misleading
Some people I know think that having anti-virus software is all they need to keep their computers safe and clean from malware. They think that, as long as they have anti-virus software installed churning all of their available CPU cycles, it is safe to browse malicious sites, click on any banner, download dubious software, or open an e-mail message even when the sender is totally unknown or the subject is written in a language they don’t understand.
Whoever thinks this way is quite frankly wrong. And what’s worse, I don’t like the fact that anti-virus manufacturers (yes, I think they manufacture software, instead of handcrafting or designing it) don’t try to stop this insane advertising. I don’t take a flu shot and expect to be healthy forever. Things don’t work this way: medicines aren’t perfect and doctors, from time to time, make mistakes. You need to be wiser, smarter. You need to be proactive.
Anti-virus software is like a vaccine: it can’t only fight, and eventually defeat, known threats. It tries to defeat unknown threats by using heuristics and even AI, but it is far from perfect and sometimes can’t detect or defeat new kinds of malware that haven’t been properly analyzed. In fact, there are new breeds of malware that can’t be detected, even less be defeated, by current anti-virus products [3]. It is the same way in real life: does H5N1 sound familiar?
These are the pieces of advice, rules, mantras and habits that have helped me stay secure for a very long time:
Use a (more) secure platform.
I personally like to use little-used, little-known, secure, well-designed platforms. That leaves me with GNU/Linux, FreeBSD, OpenBSD, NetBSD, Solaris and, to some extent, Mac OS X. They are far from perfect — there is no completely software at all, by the way — but they do a really decent job.
I consider the rest of them to be either insecure (i.e., Windows) or so unknown and/or obscure to me that I don’t feel confident enough to install, configure or run them in a secure and safe way (i.e., BeOS, QNX, etc.).
Use a safe(r) browser.
Or the safest browser that you can find. I mean, stay away from Internet Explorer. It is insecure, doesn’t comply with standards and it is proprietary, closed-source software — it’s difficult to audit software whose source code is closed away from you.
Be proactive, not only reactive.
Keep yourself up-to-date, well-informed by subscribing to security mailing lists, like SANS, CERT, vendor-driven mailing lists, Kriptópolis, una-al-día, etc., so that you stay aware of new exploits and vulnerabilities, their consequences and how to fix or overcome them if possible.
Talk to other people, to colleagues, to friends and share experiences and knowledge (right now, sharing knowledge is not yet illegal), read books and learn from your own experience and from others’ experience.
Also, be prudent and use your common sense (it comes by default in you, so it is free).
Keep your system up-to-date.
Updating production systems, particularly if you run a lot of them or they run critical software, is not an easy task. From time to time, security updates break things, change functionality or create problems. They aren’t supposed to behave this way, but software is not perfect. You should know
That’s when auto-updating software comes to the rescue, doesn’t it?
That doesn’t mean you should run stupid, automated auto-updating software, like Windows Update. For me, letting any sort of automated, clueless system, other than me, decide what to update and when to do it is, at least, crazy. Current auto-updating software doesn’t have a sense of risk since it doesn’t fully understand the system it’s running on. The risk of rendering your daughter’s game-playing PC useless is completely different — and probably lower — than the risk of rendering your working/corporate PC useless because of a broken security patch. However, auto-updating software will probably make sense for a game-playing PC or a PC used for sporadically surfing the Web. Knowing if auto-updating software makes sense or not is tricky business. What is worse: having an un-patched system running several Trojan horses at the same time, or a patched, but broken system?
So my personal advice is: before applying a fix, make a backup of the system and, if you can, deploy the fix on a canary or test system before you do that on production or critical (like your laptop with invoices and your whole digital life) systems.
Use a real firewall.
But please, really use a real firewall. One that is powerful enough to filter both incoming and outgoing traffic, like IPTables (GNU/Linux) or PF (FreeBSD and OpenBSD).
For example, I can’t think of any machine of mine sending traffic to any of the following ports: SMTP, NetBIOS, CIFS, BGP, etc. I know that it is easy to defeat that kind of blocking by using HTTP tunneling, but that’s another story.
Ask yourself the following questions three times in a row before installing software.
Can I do fine without this software? Was I thinking of installing this software because it is super-cool?
If my answer to any of these questions is yes, then I don’t install that particular piece of software, or do it on a test machine (like a virtual machine). This is my first level of filtering.
Do I know who wrote the software? Do I know where the software came from? Do I know why the author wrote the software? Is anybody else using that software? Do I have the right to access, read and modify the source code of the program?
This is my second level of filtering. I don’t like running closed-source software for a couple of reasons: I can’t debug it easily in case it doesn’t work as expected, which is a hassle to me and, second, if it is insecure or has a defect, I can’t fix it or, more commonly, find someone else to fix it for me.
If I ever need to install suspicious or untrusted software, I usually start up a virtual machine and install the software on it just for testing. In fact, I very rarely do run Windows but if I ever have to do it, I always use a virtual machine. Once I end my session, I undo all the changes (unless I can’t afford to do it by risking losing data or configuration changes).
Capture network traffic from time to time.
This allows me to check my expectations. I know my computers should never ever send NetBIOS or SMTP traffic. If they ever do, I know something is wrong. Maybe some component is misconfigured, or maybe something else has been installed that is triggering this behavior.
Knowing how your systems should behave and how they behave is really helpful. Not only for security, but for reliable systems. Also, I’m not the only one doing it ([2]).
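The expectation check described here, using the outbound protocols named in the firewall section, as an added example that is not part of the original post: it reads text lines in the format printed by `tcpdump -nn` and reports packets sent by a local address to ports the machine should never talk to. The port numbers, the local address and the sample capture lines are assumptions made for the example.

```python
import re
from collections import Counter

# Destination ports for the protocols the post says its machines never use.
# The port numbers are the standard assignments, added for this example.
FORBIDDEN_DST_PORTS = {
    25: "SMTP",
    137: "NetBIOS name service",
    138: "NetBIOS datagram",
    139: "NetBIOS session",
    179: "BGP",
    445: "CIFS",
}

# Address part of an IPv4 line as printed by `tcpdump -nn`, e.g.
#   12:00:02.2 IP 192.168.1.10.40022 > 203.0.113.25.25: Flags [S], ...
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

# Constructed capture lines (documentation address ranges), not real traffic.
SAMPLE_CAPTURE = [
    "12:00:01.100000 IP 192.168.1.10.51234 > 198.51.100.7.443: Flags [S], seq 1, length 0",
    "12:00:02.200000 IP 192.168.1.10.40022 > 203.0.113.25.25: Flags [S], seq 1, length 0",
    "12:00:03.300000 IP 192.168.1.10.137 > 192.168.1.255.137: UDP, length 50",
    "12:00:04.400000 IP 203.0.113.9.51000 > 192.168.1.10.25: Flags [S], seq 1, length 0",
    "12:00:05.500000 IP 192.168.1.10 > 198.51.100.7: ICMP echo request, id 1, seq 1, length 64",
    "12:00:06.600000 IP 192.168.1.10.40023 > 203.0.113.25.25: Flags [S], seq 2, length 0",
]


def unexpected_egress(lines, local_addrs):
    """Return (src, dst, dport, service) for every packet a local address
    sent to a forbidden destination port. Lines that do not parse are skipped."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ARP, IPv6, ICMP or a truncated line
        if m["src"] not in local_addrs:
            continue  # inbound traffic is the firewall's job, not this check's
        dport = int(m["dport"])
        if dport in FORBIDDEN_DST_PORTS:
            hits.append((m["src"], m["dst"], dport, FORBIDDEN_DST_PORTS[dport]))
    return hits


def summarize(hits):
    """Count offending packets per (destination, port, service)."""
    return Counter((dst, dport, service) for _, dst, dport, service in hits)


if __name__ == "__main__":
    found = unexpected_egress(SAMPLE_CAPTURE, {"192.168.1.10"})
    for (dst, dport, service), count in summarize(found).items():
        print(f"{count} packet(s) to {dst}:{dport} ({service})")
```

An empty result only says that nothing left on those ports during the capture window; as the firewall section notes, tunnelled traffic would not show up this way.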
Disable JavaScript.
I do so for every Web site and only enable JavaScript for sites that require it, like Google Maps or Google Mail. If you use Internet Explorer, I recommend you do the same for ActiveX.
Disable Java.
Although Java is not insecure by itself, I usually find it pretty annoying. I usually enable it specifically for some Web sites that require it or lose functionality I like or depend on.
Sorry, Sun. No pun intended.
Don’t ever open e-mails from a sender you don’t know about.
My father told me this when I was a child:
Don’t talk to strangers!
My mother told me this when I was a child:
Never open the door if you don’t recognize the guy on the other side.
My mom’s advice was extremely restrictive. Should I have followed it, I think I would have never allowed the gas or cable technician to get into my house in order to check or fix broken things. So, I would rephrase that to:
Never let anyone in your house unless you invited or expected him.
I apply this mantra in real life as well as to my e-mail messages: “I never ever open an e-mail message from someone I don’t expect to talk to me”. Of course I can be deceived by some viruses which cloak themselves or pretend to be a friend of mine — typically those that send themselves to recipients of someone else’s address book.
Additionally, e-mail based Spam and viruses are usually one-shot only: if I ever discard a mail message, either on purpose or by accident, which is important, from someone that I don’t know about, he or she will probably try to get in contact with me again by either resending the message or by finding a different communication channel.
These are, of course, my personal opinions. They might or might not make sense or apply to you.
References:
[1] Why the Top-Selling Antivirus Programs Aren’t the Best
Zürich
November 9th, 2006
Here I am, in Zürich: one of the most important business cities in Switzerland, and perhaps in Europe. With close to a million inhabitants, with a place like Paradeplatz (with one of the highest prices per square meter in Europe and perhaps in the whole world), Zürich is a different kind of city, green, somewhere between medieval and urban, with low houses and a Nordic look, a beautiful lake, with its boats rocking on the water, and a view of the Alps that can be glimpsed on the distant horizon like giants of rock and snow.
Public transport is excellent, and it offers people a range that goes from the typical rubber-tyred buses, through electric buses and a curious tramway network called Tram, to an extensive railway network.
Although the winter weather is somewhat inhospitable, my first impression is that Swiss cordiality is not as cold as it might appear. While it is true that the official language of the canton of Zürich is Swiss German, I am discovering day by day that there is a significant group of people who speak English quite naturally, and who even show off an excellent accent (much better than mine), which keeps me in constant amazement, because in my particular case I can barely speak a language and a half: a Spanish typical of Madrid, and an English that hovers around a medium/low level, especially in conversation. I have a poor ear, a very poor one. So much so that I confuse the sound of a “ü” with the sound of an “i”.
I landed in this one-of-a-kind country on a Monday, crossing the skies aboard an MD-87 of the airline Swiss, leaving T1 at Madrid Barajas with the usual delay due to standard reasons (weather, air traffic control, etc.). However, touching down was no simple task. There was a dense fog covering much of the city of Zürich, like a blanket of candy floss, between grey and white, that only let you see the trees and the hillsides, like a veil hiding an enchanted mirror behind it. The trip had been very calm, with a smooth ride and no turbulence during the almost two hours of flight. The landing, however, proved to be a different kettle of fish. Almost at the very moment of touching the runway, the pilot had to correct at the last instant, put the engines at full power and climb again, making my stomach churn like a cat being put into a bathtub full of water. I had only seen such manoeuvres in films and never thought that in real life a landing could be aborted at such short notice, so unexpectedly and abruptly. So, after the failed attempt at a moon landing (for the surface of Zürich looked like the moon, so white and bright and almost inaccessible), we spent a little over ten minutes circling the airport, I suppose waiting for the mist to continue on its way to somewhere less inconvenient. But it did not. So the pilot was forced to attempt a new landing, this time successful, through a thick layer of condensed water that barely let you see anything. Only when we could hear the thump of the wheels against the tarmac, and feel the plane shake, did I notice that the fog allowed a glimpse of the surroundings, such as some of the vehicles busying themselves like mad, with a life of their own, in their routine tasks, as if they were worker ants.
After a few moments, the plane stopped, the illuminated signs went off and people began to move nervously and quickly, eager to grab their hand luggage and coats, and to switch on their mobile phones. As I left the plane for the jet bridge that connected to the terminal, I could feel the sharp slap of the cold, damp air on my face. Outside, the temperature was about two degrees Celsius, on a somewhat grey day, typical of a winter in the Alps. I headed without delay to the conveyor belt, following the yellow signs that, fortunately in English, showed the way to the baggage claim belts. There, after a few brief moments, my bags appeared, safe and sound, as usual; I am beginning to think I am too lucky, since my suitcases have never been lost. Some day I will have to taste the bitter flavour of defeat in that respect and queue in front of a counter, where a sour airline employee will listen to my pleas without saying a word, nodding, apologising.
I headed for the airport exit, after going through the relevant passport control, where a blonde woman, dressed as a police officer, greeted me in Spanish after checking my nationality. Outside, on the street, I found a line of taxis that were already taking in various passengers. In imperfect German, I asked the driver of what was going to be my taxi whether he spoke English. Without apparent surprise, and with a curious accent, the man answered with a “Yes, I do”, which sounded like music to my ears. He turned out to be a pleasant guy, clean-shaven and Central European in appearance, from the former Yugoslavia, who spoke with a curious accent. He took me to what was going to be my apartment, located in a residential area near the edge of Zone 10 of Zürich, almost at the city limits. After looking for the keys in the house's mailbox, and finding with a fright that they were not where they should be, the Holy Spirit enlightened my being and providence made me look at the labels on the mailboxes, seeing that my apartment was not the one stated in the welcome letter, but a different one. I rushed up to the flat, dropped my suitcases and went back to the taxi, heading for the office.
I arrived at the office around ten in the morning, very sleepy and with accumulated tiredness (I could only sleep three hours). I took my seat, settled in and, although I am still working on it, I am beginning to get an idea of where I am, what I have to do and who is with me. One of my colleagues, Gary, has turned out to be extremely cordial, informative and very helpful with things like showing me how to get to my flat by public transport, finding supermarkets in the area, ordering dinner, applying for the annual public transport pass, etc. He has even offered to come with me to Ikea in case I have to buy bulky items, such as an ironing board. I am tremendously grateful to him for it, and I wish someone had done the same for me when I arrived in California, three months ago.
Although my contract prevents me from talking about my work, I can only say that there are frankly brilliant people at the company. Tremendously brilliant. Some have people skills. Others, not so much. In general, I feel insignificant, lost on many occasions, but with so much talent around me it is easy to feel tremendously happy or enormously frustrated. All at once, like a sweet bitterness, or a hilarious sadness. Otherwise, I have not had much time to do anything outside of work. After work, some occasional shopping, and then home, to eat the dinner ordered over the Internet (I miss real food, the kind that is prepared in person and served piping hot, almost steaming), to read and to sleep. It takes me a little over half an hour to get home and, since I have to take two trams and a bus, that half hour can easily turn into forty-five minutes, not because public transport is slow, but because making so many connections wastes a lot of time.
Otherwise, I will soon start taking German lessons, maybe English, and driving lessons too. And if I have time left, perhaps I can join a gym and, who knows, maybe even meet a girl. For now, I have already met one at work. Her English is almost as bad as mine, so interpersonal communication is going to be arduous, to say the least.
Welcome to my new life. Wish me luck. Aufwiedersehen!
Ideas
November 8th, 2006
“If nature has made any one thing less susceptible than all others of exclusive property, it is the action of the thinking power called an idea, which an individual may exclusively possess as long as he keeps it to himself; but the moment it is divulged, it forces itself into the possession of every one, and the receiver cannot dispossess himself of it. Its peculiar character, too, is that no one possesses the less, because every other possesses the whole of it. He who receives an idea from me, receives instruction himself without lessening mine; as he who lights his taper at mine, receives light without darkening me.”
- Thomas Jefferson
Problems with custom OpenWRT images
November 3rd, 2006
During this week, I have been playing extensively with the OpenWRT whiterussian Linux distribution for embedded devices, like the Linksys WRT54G wireless routers.
My initial plan was to build a custom firmware for the Linksys WRT54G wireless router in order to enable some functionality that is disabled by default — like busybox su applet or shadow passwords — and disable some other features that come enabled by default — like USB or PCMCIA.
I followed the instructions outlined in OpenWrt Buildroot, but had only partial success.
First, I downloaded whiterussian build sources from SVN:
$ svn co https://svn.openwrt.org/openwrt/branches/whiterussian/
$ cd whiterussian/openwrt
$ make menuconfig
$ make
Next, I uploaded the resulting bin/openwrt-wrt54g-squashfs.bin image to the Linksys router:
$ scp bin/openwrt-wrt54g-squashfs.bin root@linksys:/tmp
Then flashed the new image:
$ ssh root@linksys
# cd /tmp
# dd if=openwrt-wrt54g-squashfs.bin of=flash.trx bs=32 skip=1
# mtd -r write flash.trx linux
mtd flashed the new image and rebooted the router — as instructed per the -r command-line flag. I could telnet into the Linksys box, but something strange was going on: instead of seeing a bunch of symbolic links under /etc/init.d pointing to /rom/etc/init.d, I only found plain text, executable script files.
While looking around, I could see the JFFS2 partition was mounted under /jffs. I ran firstboot by hand and that seemed to create the JFFS2 filesystem layout, which mostly consists of symbolic links to files in the SquashFS volume (mounted under /rom). Rebooting the Linksys router left an apparently useable system that mostly looked like the normal OpenWRT whiterussian images I can download from http://downloads.openwrt.org/whiterussian/rc5/, but still not identical.
Why does doing a custom build of OpenWRT produce a flash image that is different from the ones available for download from the official site, and one that fails to run firstboot on the first run after reflashing the router’s memory?
Has anyone dealt with building custom OpenWRT images before? And what’s more, has anyone had full success in flashing and using them?
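A sanity check for the file produced by the dd step in this post, to run before handing it to mtd, as an added example that is not part of the original post or of OpenWrt: it applies the same 32-byte skip and verifies the magic, length field and checksum of what remains. It assumes the stripped file uses the TRX layout (an `HDR0` magic, a little-endian total length, and a CRC-32 over everything from byte 12 onward stored without the final inversion), which the post itself does not describe; the sample image is constructed.

```python
import struct
import zlib

VENDOR_HEADER_LEN = 32   # bytes removed by `dd bs=32 skip=1` in the post
TRX_MAGIC = b"HDR0"      # assumption: TRX magic, not stated in the post
# magic, total length, crc32, flags, version, three partition offsets
TRX_HEADER = struct.Struct("<4sIIHH3I")
CRC_START = 12           # the CRC covers everything after the crc32 field


def trx_crc(data):
    # TRX keeps the raw CRC-32 register; zlib applies a final inversion, so undo it.
    return (zlib.crc32(data) ^ 0xFFFFFFFF) & 0xFFFFFFFF


def check_stripped_image(bin_bytes):
    """Apply the same 32-byte skip as the dd step and return a list of
    problems with the resulting TRX data; an empty list means it looks sane."""
    trx = bin_bytes[VENDOR_HEADER_LEN:]
    if len(trx) < TRX_HEADER.size:
        return ["image shorter than a TRX header"]
    magic, length, crc = TRX_HEADER.unpack_from(trx)[:3]
    if magic != TRX_MAGIC:
        return [f"bad magic {magic!r}: wrong file or wrong skip size"]
    if not TRX_HEADER.size <= length <= len(trx):
        return [f"length field {length} does not fit the {len(trx)}-byte file"]
    if trx_crc(trx[CRC_START:length]) != crc:
        return ["CRC mismatch: image corrupted or truncated in transfer"]
    return []


def build_sample_bin(payload=b"constructed kernel and rootfs bytes"):
    """Build a constructed .bin: placeholder vendor header plus a valid TRX."""
    tail = struct.pack("<HH3I", 0, 1, TRX_HEADER.size, 0, 0) + payload
    head = struct.pack("<4sII", TRX_MAGIC, CRC_START + len(tail), trx_crc(tail))
    return b"\x00" * VENDOR_HEADER_LEN + head + tail


if __name__ == "__main__":
    image = build_sample_bin()
    print(check_stripped_image(image) or "TRX magic, length and CRC look sane")
```

On a build host, pass the bytes of bin/openwrt-wrt54g-squashfs.bin to `check_stripped_image` before copying the file to the router.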
