Category Archives: Technical

ASB Bank and TOR

Sometime in early December I thought I’d have a play with TOR.  I ran it up on micro and played with it for a few days.  I thought I’d “help the TOR world” by running an exit node, seeing as we have more bandwidth allocated to us than we use.

After a few days though I figured hell, I probably wasn’t doing much to help, so I turned it off and forgot about it.

Fast forward to a few weeks later:  Suddenly my wife can’t get to a website she needs to access.  Do some digging, turns out that it works from other IPs, just not our home IP.  Our home IP is static, so I can’t just reboot and get a new one.  I email the people running the website and to my surprise, they’re very helpful.  They investigate and tell me that due to my IP having been a TOR node, it’s been blacklisted.  Their network gear auto-updates a blacklist every few weeks, so if we’re no longer a TOR node we should be removed.

No worries, I put a bypass in place in our home router, using OpenVPN.  Annoying, but it works.  A couple of weeks later they email me to tell me that it’s all sorted now. I remove the bypass and their site still works. Thanks!

Then ASB FastNet stops working. Both the website and their Mobile App (which accesses MobileAPI.asbbank.co.nz, a different IP than the Browser site.)  Argh!

I can’t get a single communication out of them as to why it doesn’t work, but trying to connect to FastNet classic gives me:

    micro:~> curl -vv -I https://fnc.asbbank.co.nz
    * About to connect() to fnc.asbbank.co.nz port 443 (#0)
    * Trying 210.55.180.58...
    * Connection refused
    * couldn't connect to host
    * Closing connection #0
    curl: (7) couldn't connect to host

Which is quite annoying.  So I have an OpenVPN bypass in place for it as well.  The problem is my OpenVPN bypass is quite flaky, mostly due to the way I’ve set up OpenVPN.  It doesn’t reconnect properly when the tunnel drops, which it does every now and then on the end of a consumer grade Internet Service.

Can I get hold of anyone at ASB to help me?  Tell me why the IP’s blacklisted?  Nope.  I’ve emailed, prodded.  Very frustrating.  Please, someone at ASB in the Network Team get in contact.  Tell me what I can do to get removed/get this fixed.

Thanks,

Tim

Update: ASB use BrightCloud’s IP Reputation service.  Once I filed a request with BrightCloud and they verified we weren’t a TOR exit node anymore, they updated the status of our IP address and we can once again access ASB directly.  Thanks ASB for getting back to me after I made a lot of noise…

Moved to WordPress

I moved my blog from BlogFile to WordPress.  I couldn’t do everything I wanted in BlogFile, neat as it is.  So WordPress it is…  Drupal would have been overkill.  WordPress probably is.

If you got here from a “blog.php” link well, all the old content is here, but you might have to search for it sorry!

All the content is crap anyway…

grsecurity RBAC system

A few notes I wrote down about enabling the (very intense) grsecurity RBAC system on micro.

  1. If you have role_allow_ip defined and you try and “do something” from an IP not in that allowed list – you’ll end up in the default role.  That can be hard to figure out at first, you know you have a role setup for the user, but you’re not ending up in it.  That’s why.
  2. A subject in a less specific policy with an “i” will override a more specific subject, i.e. this “/” subject:

    subject / o {
        /bin        rxi
    }

    will win over this:

    subject /bin/bash o {
    }

    /bin/bash will use the policies from the first subject, not the second.
  3. To be able to unlink (delete!) a file, you need both d and the w subject flags.  d alone isn’t enough.
  4. Be VERY careful with the C subject flag.  It will kill everything with the same IP address, silently.  Your MySQL server might be dead and you won’t know it.
  5. Shared Libraries (.so) need the rx flag, x alone isn’t enough.
    subject /bin/bash {
        /
        /lib            rx
    }
  6. The -V flag to gradm -E will give some useful information!
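The pitfalls in notes 2 to 5 can be caught mechanically before a policy is loaded. The following is an added example, not part of the original notes or of gradm: a small awk-based lint that assumes the policy uses the `subject path [flags] { ... }` layout shown above and covers a single role. The function names, finding labels and sample policy are constructed for illustration.

```shell
#!/bin/sh
# lint_grsec_policy: policy text on stdin, one finding per line on stdout.
lint_grsec_policy() {
    awk '
    $1 == "subject" {
        subj = $2; subjects[++ns] = subj
        if ($3 != "{" && index($3, "C"))            # note 4
            print "c-kill " subj ": kills everything with the same IP address"
        next
    }
    $1 == "}" { subj = ""; next }
    subj != "" && $1 ~ /^\// {                      # object line: path [modes]
        if (index($2, "d") && !index($2, "w"))      # note 3
            print "no-unlink " subj " " $1 ": d without w"
        if (index($2, "x") && !index($2, "r") && ($1 ~ /\/lib/ || $1 ~ /\.so/))
            print "lib-no-read " subj " " $1 ": x without r"   # note 5
        if (index($2, "i")) { ++ni; isubj[ni] = subj; ipath[ni] = $1 }
    }
    END {                                           # note 2
        for (n = 1; n <= ni; n++) for (s = 1; s <= ns; s++) {
            pre = (ipath[n] == "/") ? "/" : ipath[n] "/"
            if (subjects[s] != isubj[n] &&
                (subjects[s] == ipath[n] || index(subjects[s], pre) == 1))
                print "shadowed " subjects[s] ": runs under subject " isubj[n] " (i on " ipath[n] ")"
        }
    }'
}

# Constructed policy, based on the two subjects from note 2.
sample_policy() {
    cat <<'EOF'
subject / o {
    /bin        rxi
    /tmp        rd
}
subject /bin/bash o {
    /
    /lib        x
}
subject /usr/sbin/apache2 C {
    /var/www    r
}
EOF
}

sample_policy | lint_grsec_policy
```

On the sample it reports four findings: the `/tmp` entry that cannot unlink, the `/lib` entry missing `r`, the `C` subject, and `/bin/bash` being shadowed by the inherit on `/bin`.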

Building MPD

micro:~/mpd-0.18.7> make distclean ; ./configure --disable-dependency-tracking --enable-libmpdclient --enable-alsa --enable-bzip2 --enable-curl --enable-ao --enable-ffmpeg --enable-flac --enable-httpd-output --enable-id3 --disable-ipv6 --enable-lame-encoder --enable-lsr --enable-mad --enable-mikmod --enable-mms --enable-modplug --enable-mpg123 --enable-pipe-output --enable-recorder-output --enable-shout --enable-vorbis --enable-vorbis-encoder --enable-zzip --prefix=/usr/local/mpd ; make

Dell XPS m1330 with Windows 8.1 – DPC Latency Issues

Finally upgraded my ageing XPS m1330 from Windows XP (32 Bit), which of course worked perfectly, to Windows 8.1 (64 Bit), which of course initially didn’t.

The major problem that I encountered was major latency when playing audio. The DPC latency would cause the music to stutter and jerk and basically be unlistenable. A major pain in the arse for someone who likes to listen to streaming audio while they work.

After doing a bit of reading and research, I thought it was the NVIDIA driver that was causing the problem, PowerMizer was flagged as being the culprit. But adding the “correct” flags to the registry didn’t fix the problem, music was still impossible to listen to and the DPC Latency tool showed me major spikes.

Some more testing and research led me to find the Intel Wifi card I have, an Intel PRO Wireless 3945ABG as the cause of the problems. The issue was there is no later driver for it, indeed Intel haven’t officially released any driver for it, but Windows 8.1 seems to have a driver built in.

The fix was to download the Windows Vista x64 driver from http://ftp.dell.com/FOLDER95945M/2/Intel_multi-device_A06_R171132.exe and to force Windows 8.1 to install it as the driver. Which takes a few options because it’s an older version of the driver than the one Windows 8.1 comes with.

But once the “new” old driver was installed, all DPC latency issues disappeared. Music can be listened to without stuttering and jerking.

I’ve still got three items in Device Manager under “Other devices” all called “Data Interface” that don’t have a driver, but I expect that’s something to do with the 3G Modem this laptop has installed (the official Dell one)

Tim

modsecurity

I re-enabled modsecurity, this time with the PCRE JIT.

To do this I had to do the following:

Build the latest version of pcre.
Install it in /usr/local/pcre

Modify the apache startup to use LD_PRELOAD to load the new libpcre.so instead of the standard system one.
I could have overwritten this using ld.so.preload but that’s a system-wide change and I don’t know what else I might break, seeing as most other things will be compiled against the old version.

Finally I had to modify the apache2 binary so that it’s allowed to create code at runtime (we are doing JIT here, after all)

paxctl -cm /usr/lib/apache2/mpm-prefork/apache2

Now it seems to be working fine.

PCRE was compiled like so:

./configure --prefix=/usr/local/pcre --enable-jit --enable-pcre16 --enable-pcre32 --enable-utf --enable-unicode-properties --disable-static
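To confirm that the LD_PRELOAD step took effect, the memory map of the running apache2 process shows which libpcre was actually mapped. This is an added example, not from the original post: the function name is hypothetical, the maps excerpts are constructed, and the default prefix is the /usr/local/pcre install location given above.

```shell
#!/bin/sh
# pcre_preload_state [PREFIX]: reads /proc/<pid>/maps text on stdin and reports
# which libpcre the process mapped. PREFIX defaults to the page's /usr/local/pcre.
pcre_preload_state() {
    awk -v want="${1:-/usr/local/pcre}" '
    $6 ~ /\/libpcre\.so/ && !seen[$6]++ {
        if (index($6, want "/") == 1) mine++; else other++
    }
    END {
        if (mine && other) print "both"       # two copies mapped, symbol order decides
        else if (mine)     print "preloaded"  # only the private JIT build is mapped
        else if (other)    print "system"     # LD_PRELOAD did not take effect
        else               print "none"       # this process maps no libpcre
    }'
}

# Constructed maps excerpts (addresses, inodes and library versions are made up).
MAPS_OK='7f3a1c000000-7f3a1c070000 r-xp 00000000 08:01 131 /usr/local/pcre/lib/libpcre.so.1.2.3
7f3a1c270000-7f3a1c271000 rw-p 00070000 08:01 131 /usr/local/pcre/lib/libpcre.so.1.2.3
7f3a1d000000-7f3a1d1b0000 r-xp 00000000 08:01 977 /lib/x86_64-linux-gnu/libc-2.19.so'
MAPS_BAD='7f3a1c000000-7f3a1c070000 r-xp 00000000 08:01 412 /lib/x86_64-linux-gnu/libpcre.so.3.13.1
7f3a1d000000-7f3a1d1b0000 r-xp 00000000 08:01 977 /lib/x86_64-linux-gnu/libc-2.19.so'

printf '%s\n' "$MAPS_OK"  | pcre_preload_state   # preloaded
printf '%s\n' "$MAPS_BAD" | pcre_preload_state   # system
# Live check (PID is a placeholder): pcre_preload_state < /proc/PID/maps
```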

You Get What You Pay For

Bought a cheap arse memory stick for micro. 128GB for $40. Does it work? Hell yes it works. Formatted as FAT32. Format the fucker as EXT4 and you think it works? Hell no. Can’t find superblock. Can’t find this, can’t find that. Error error dead dead fuck you error.

I’m sending it back. I didn’t really expect it’d work, but I kinda hoped that maybe it would you know?

Idiot.

Full RELRO for Bitlbee

Took me ages of fucking around to get bitlbee to compile with full RELRO.

In the end I had to hack the makefile.
At line 182 (the line where it gets linked) I had to add the following flags, -march=native -O2 -fstack-protector-all -fpic -pipe -Wl,-z,relro,-z,now:

    180 $(OUTFILE): $(objects) $(subdirs)
    181 @echo '*' Linking $(OUTFILE)
    182 @$(CC) $(objects) $(subdirobjs) -march=native -O2 -fstack-protector-all -fpic -pipe -Wl,-z,relro,-z,now -o $(OUTFILE) $(LDFLAGS_BITLBEE) $(LFLAGS) $(EFLAGS)
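A check that the link step actually produced full RELRO, as an added example (not from the original post or the BitlBee project): full RELRO means a GNU_RELRO segment plus immediate binding, which readelf reports as BIND_NOW or as NOW in FLAGS_1. The function names and the sample readelf lines are constructed for illustration.

```shell
#!/bin/sh
# relro_level PHDRS DYN -> prints "full", "partial" or "none".
#   PHDRS = text of `readelf -lW binary`, DYN = text of `readelf -dW binary`
relro_level() {
    if ! printf '%s\n' "$1" | grep -q 'GNU_RELRO'; then
        echo none                       # no read-only relocation segment at all
    elif printf '%s\n' "$2" |
         grep -Eq '\(BIND_NOW\)|\(FLAGS\).*BIND_NOW|\(FLAGS_1\).*NOW'; then
        echo full                       # -z relro and -z now: GOT is read-only
    else
        echo partial                    # -z relro only: .got.plt stays writable
    fi
}

# Convenience wrapper for a real file (needs readelf from binutils).
check_binary() {
    relro_level "$(readelf -lW "$1")" "$(readelf -dW "$1")"
}

# Constructed samples, trimmed to the lines that matter.
PHDRS_RELRO='  LOAD           0x000000 0x00000000 0x00000000 0x9f000 0x9f000 R E 0x1000
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x10
  GNU_RELRO      0x09fd00 0x000a0d00 0x000a0d00 0x00300 0x00300 R   0x1'
PHDRS_PLAIN='  LOAD           0x000000 0x00000000 0x00000000 0x9f000 0x9f000 R E 0x1000'
DYN_NOW=' 0x0000001e (FLAGS)              BIND_NOW
 0x6ffffffb (FLAGS_1)            Flags: NOW'
DYN_LAZY=' 0x00000001 (NEEDED)             Shared library: [libc.so.6]'

if [ $# -gt 0 ]; then
    check_binary "$1"
else
    relro_level "$PHDRS_RELRO" "$DYN_NOW"     # full
    relro_level "$PHDRS_RELRO" "$DYN_LAZY"    # partial
    relro_level "$PHDRS_PLAIN" "$DYN_LAZY"    # none
fi
```

Run with the path of the built binary as its only argument to check a real file; with no argument it classifies the constructed samples.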