Two-hop SSH tunnels with Putty

So this is pretty basic stuff, but I find myself looking up the exact procedure a few times a year because I forget some minor detail somewhere. The basic premise is that I want to connect to a host, but that host can only be connected to by another host. So the whole chain looks like this:


The client can connect to Host 1 as long as he has the private key matching the public key on Host 1 (along with the password for the private key). Host 1 can connect to host 2, again using a key. Host 2 can connect to the local address (Host 2 has a wan and a lan address) of the Target Server with a username and password (a Windows Box in this case). Of course, you can do all this with just password authentication, but I wanted to have the added security of “something I have” (the key) and “something I know” (passwords). The main goal is to allow the Client to connect to the Target Server via RDP (TCP 3389), using SSH tunnels all the way. I will affix Wireshark and tcpdump captures from the different points to show the traffic.

Client to Host 1

First we will establish an SSH Tunnel between Client and Host 1. To do this from our Windows Client machine, we open up putty, and perform the following configurations:

putty1Under “Source port” I added 8080. You can obviously use any convenient port that doesn’t overlap with something that’s listening on your local (the Client machine) machine. Under “Destination”, type in localhost:8080. This is so that the end of the tunnel on Host 1 will be localhost:8080. Save your configuration for easy access later. We will further connect through this to Host 2, and on to the Target Server.

Host 1 to Host 2 and on to Target Server

From the putty connection to Host 1, I can now create a tunnel between Host 1 (port 8080) and Host 2, and make the other end of the tunnel Target Server port 3389 (for RDP). The command used for this is:

ssh -L host2username@host2ip

The man-page for ssh, under -L says:

-L [bind address:]port:host:hostport.

Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the remote machine.

In this case it’s our end of the first tunnel, port 8080 on “localhost” (i.e. Host 1)

Client to Target Server

Now when all is done, we can start a Remote Desktop connection from Client all the way to Target Server. The connection parameters in my example is like so:

rdp1Now you will connect to yourself, port 8080, which is one end of the chain of SSH tunnels. It’ll then proceed to Host 1, port 8080, and from there to Host 2, and on to Target Server, port 3389.

Traffic captures

First we have a Wireshark capture from Client to the tunnel which terminates at Target Server. Of course, Client doesn’t know this, so from it’s point of view, it’s making an ssh connection to Host 1.


All nice and neat and SSH.

Next up, we have the view from Host 1, capturing for traffic coming from Client, and going to Host 2:



Nothing human readable. Arguments for tcpdump were: tcpdump -i eth0 -n -X -vv host ip.address.of.host2

The penultimate capture! Host 2’s prespective:


Internal addresses all the way here, from Host 2’s internal address to Target Server’s internal address

Finally, Wireshark capture from Target Server, traffic is seen as coming from Host 2:


So here we have it. A two-hop SSH tunnel that allows you to use RDP from a client somewhere, to a machine inside a private network that can’t be otherwise reached.

Disclaimer: I’m not responsible for any misconfigurations or anything, really, that causes you to end up on the front page of newspapers everywhere, lose data, face, or other features you hold dear. Also, I recognize there are about a gazillion ways to do this; This one is mine.

P.S. I also know RDP already has a lot of built in security and encryption, but I’m still not comfortable opening up a direct path to my home machine, or any other machine for that matter from all of the interwebs. Also, this was fun to do and a nice thing to learn about.


Airline travel, again

This year I flew to Las Vegas for EMC World 2014. Same as last year. The trip was less gruesome, as we had only one layover in Heathrow, both ways. The trip still takes nearly a day, including time spent waiting at airports, sitting in cabs etc. Not something I’d like to do multiple times a year.

Anyways. Travel. In Finland, things were as “easy” as they have been. No hassles at security. When you leave, you step into this booth (self service), get your picture taken and stored (for..some amount of time?). When you come back, the same process is repeated. I suppose they can track people and say “this person left, and came back”. Plus they have images of the people who are not in the country, and who are in the country. Handy if you need to track someone down.

At London Heathrow, there was a small kind of security screening thing. Get you and your bags scanned, again, and your passport looked at. Nothing too intensive.

The flight to vegas and back was on a British Airways 747-400. Personal entertainment system at each seat. Complementary crappy headphones, but on the other hand, they have used standard 3.5mm stereo plugs, so you can use your own headphones. Which is a nice change from the weird two-pronged airline fuckeries, deployed by most airlines. But, BA has no inflight internet. Blows. 10.5 hours between London and Las Vegas means.. well, being offline these days, even in the air, is a pain. Granted, you can use more gadgets in-flight than you previously could. Most devices can be on even during take off, but for some reason, phones can’t. Even if they are in airplane mode. Airplane mode means: no signals going in or out. Other than EM field generated by the various components of the device itself. But then, why would an e-book reader be any different? It has an airplane mode, and some of them even have 3G functionality, making them essentially big phones. So why can they stay on during the entire flight, including take off and landing? Mysterious.

Security at Las Vegas was about the same as usual. We were the only flight in at that time, so we only waited for about.. 15 minutes going through immigrations. Not a whole lot of questions this time around.

CBP person – “So, why are you here?”

Me: “A conference”

CBP person – “What conference?”

Me: “EMC World, at the Venetian”

CBP person – “Welcome to the United States”

That was about the extent of our conversation. Fastest entry of any of my trips to the States.

What eats me alive is that stupid “Welcome to America!”-video that plays, apparently, at all airfields when you are waiting in line for the Customs and Border Protection.

Leaving Las Vegas, there were people who were put through the Rapiscan thing (nudie-scanner), and some, like me, who were put through a standard metal detector. There was a lady in the line next to me who opted out of the rapiscan, and that wasn’t an issue for the TSA guys. No hassle, as far as I could tell.

Not once were any of my bags opened, and I wasn’t subject to any intense scruitny or questioning. Then again, why should I? I’ve never been selected for ‘random screening’, where as I have heard that some people are almost always subjected to the completely unbiased non-discriminatory ‘random screening’. I guess I’m just lucky.

Then again, few countries have any issues with Finland or  Finnish people. We’re not a threat to anyone, and we’re not interesting to most people. Most don’t even know where we are. That makes it pretty easy for us to get around the world.

That is, except for airline personel. We actually managed to drink all the gin that was on that plane (though, I do believe first- and business class has their own stash). Note, it’s a British airline, so they are bound to have a metric (or imperial?) fuckton of gin onboard. But when you get a group of Finns, that order not one, or two, but three drinks every time that unlucky flight attendant passes us..

At one point the stewardess that mostly took care of our piece of the plane started to suggest that some in our party maybe order one drink at a time, instead of two or three. And when we were above the continental US, she started pretty much ignoring some people in our group. “Hey xxxxx!” (they started calling her by name), and she’d be all like “Just a moment!”, and then never coming back. I hate traveling with that certain type of Finnish people, who need four galons of beer and booze to survive a flight. Not saying we’re all like that! Just 98% of us…



Credibility… It’s the only currency that means anything on this kind of playing field. Dean’s got the tape, and he’s gonna come out with it. And when he does, I want his credibility. I want people to know he’s lying before they hear what he says.

That’s a quote from the 1998 movie ‘Enemy of the State’, spoken by NSA man ‘Thomas Reynolds’, played by Jon Voight. To miss the parallels between this movie and what is happening to Edward Snowden, Bradley Manning and others, would be foolish! Foolish I say.

Is the general public so blind as to get completely sidetracked from the real issues by the media and the government throwing us crap about how Snowden never graduated from high-school, or how his girlfriend is a pole-dancer? Or how Manning is a homosexual or whatever? What does that have to do with.. well anything? Credibility. If you break the character, anything he or she says will be interpreted in that broken light. Surely anything that stinking homo-sexual says can’t be taken seriously! (/sarcasm, in case it wasn’t clear enough).

On the note of credibility, this week saw former vice president of the United States Dick Cheney call Edward Snowden a ‘traitor’ and possibly a spy for china. That’s rich! Coming from a man who lied to an entire nation about the reasons to go to war in Iraq. How come he has credibility enough to spew crap like that? Well for one, he’s a politician. He’s wealthy. He has a name for himself. Snowden on the other hand is a nobody, and therefore easier to break.

This week we also had the Director of the NSA, General Keith Alexander testifying in front of the House Intelligence Committee (part of the US Congress as I understand). The gist of the thing was denial, of course, but behind it all, I (and others) sense a play on words and semantics. Gen. Alexander is denying that the NSA is actually actively looking at the data. Quote:

“It’s a very deliberate process,” Alexander said. “We don’t get to look at the data. We don’t get to swim through the data.”

This has been repeated multiple times, worded differently.. This doesn’t say the NSA doesn’t collected the data. It says they don’t actively look at the data. They are separating collection from examination. The key issue is that you can’t look at data that you never collected. Once you have that data, it’s easier to go back and say “Ok, let’s see what we have”. This is the same as with many other issues, some of which I have discussed on this blog in the past (such as the Finnish national fingerprint database for passport holders).

Other comments of note are:

“I think what we’re doing to protect American citizens here is the right thing,” he said. “We aren’t trying to hide it. We’re trying to protect America.”

Ding ding ding. Protect America. After that we can just do whatever the hell. And you’re not trying to hide it? That’s probably why the program (and I’m sure) many other such programs are classified, and legal permissions to do this are decided in a secret court. Actually, it’s called the Foreign Intelligence Surveillance Court, which is apparently the place where they rubber stamp approvals for NSA surveilance. Rubber stamping you say? Doesn’t the court actually review the warrants before accepting them? They may. We don’t know. Because it’s like, classified. This list here, by the EPIC (eletronic privacy information center) tells a story. Observe closely the columns “Applications Presented” and “Applications approved”.

Another play on words happens during the hearing when some questions presented to Gen. Alexander, namely “Is the NSA on private companies servers as defined under these two programs?”, “Does the NSA have the ability to listen to Americans phone calls or read their emails under these two programs?”, and “Does the NSA have the ability to flip a switch by some analyst to listen to Americans phone calls or read their emails?”. These questions were asked by the chairman of the Intelligence Committee. The answers to all three questions were “No”. But not just a simple no, the answers were, “The NSA does not have the authority to do so.” The question was whether the NSA has the ability or not. The answer was about the authority to do so. Also note the phrasing of the first question: Is the NSA on company servers? I could think of a number of ways that they could look at the data without being “on their servers”. He’s most certainly being truthful. If that was a real hearing, say in a court of law, there would have been a follow-up question to General Alexander, something like: “Sir, please answer the question as asked?”. The answer to the question of whether the NSA has the ability, is most probably yes. Is this the whole “We are not trying to hide it”-part? The two programs mentioned in the question are ‘215’ and ‘702’, the former being the “Verizon-wiretapping“-thing, and the latter being Prism.

That whole Verizon thing is curious, too. It seems to do exactly the opposite of what Gen. Alexander said. Except there was another play on words. “Can they listen to phone calls” -“No”. Okay, let’s pretend for a moment that’s the case. The Verizon wiretapping was about the meta-data of the phone calls, not the audio of the call itself. I would argue the meta-data can be even more harmful, because it tells you locations of potentially both parties, it tells you information on the handset etc. I would venture that once you know the cell-site your target is in, the discussions could then be captured using any number means (other than wiretapping, which I do not believe for a second they aren’t doing), like your standard parabolic microphone, HUMINT resources, boots on the ground, you know that sort of thing? Like somebody said (it’s too late in the night (2:12) for me to dig up the source for this one, sorry), “In order to find a needle in a haystack, you first need to have a haystack.”

But according to General Alexander, these programs have prevented “50+” terrorist attacks. Which attacks? Oh well. Attacks. Just general attacks. Around. Two of the planned attacks were mentioned (the plans to attack the New York subway, and the financial district). That leaves “48+” attacks. Where is the transparency? What is the damage in telling the public exactly which terror attacks, by which terrorists, in which countries? What can the terrorists gain by knowing which terroris attacks were prevented by US Surveilance programs? I’m pretty sure it’s not a secret that the US conducts foreign and domestic surveilance. I think there was the comment that “talking about the specifics of the cases would reveal details about the surveilance programs, which would help terrorists circumvent the surveilance”. If I was an American, I would have some questions for my elected officials.

Ok before I’m completely wrapped in tinfoil, let me conclude this post by saying: There’s credibility, and then there is credibility. When you reach a certain position, you can do or say whatever you want.

A slippery slope

I was wathcing the news yesterday, and there was a piece on the government supporting teachers getting the right to go through students bags and such while at school. I think this is a horrible idea. Let me tell you why.

Traditionally, a person and his property are his. You need probable cause to search this person or his or her property. What they are now proposing is that teachers get the privilege to go through their students stuff, in order to..what prevent school shootings? I guess that’s the subtext, since we’ve had a few of those. Now, I don’t have to tell you school massacres are a bad thing; hint: they are. What I’m saying is loss of privacy is even worse. What would the teachers consider harmful? The article, posted on here, mentions harmful items and substances. So drugs and guns? Let me be the first (not) to tell you that this will not solve the problem of school shootings. Why? Because I can come to school in the middle of the day and start shooting, before anyone has had a chance to look at my bag. Should we then install metal detectors at schools, and be all American, and shit? Not a bad idea, but imagine the amount of false positives? Start X-raying the pupils bags? Fine, but imagine that scene from the Matrix. Yeah that one. This isn’t creating security, this is creating insecurity, delays and loss of privacy.

Where we should spend money, in my humble opinion, is mental care, and early detection of mental issues at school. Talking to people works better than patting them down. We all remember that kid from school that nobody talked to, who always sat in the back of the class and didn’t speak to anyone unless spoken to. These are the people (among others), that we should be talking to. Making connections, talking to parents, talking to peers.

There is no amount of physical security that will prevent all shootings. You can say that “Sure, but it’d stop some, so isn’t that worth it?!”, but I don’t think it is. The determined person will always find a way. And what we will have lost in the process is much more valuable.  Because once we start down that road, there’s no stopping. Next we’ll have authorities looking at what books are checked out from the (school) library, what people chose to eat at school or work, and using that to start profiling people, and comparing those profiles to those of ‘threatening individuals’, or anything that’s indicative of risky behavior. We’re gonna start getting the classic “If you’re not a bad person, you shouldn’t have anything to hide”-argument. People are gonna shrug, and go along. And before you know it, we’re in the surveilance society. Finland still has a fighting chance. We don’t have cameras everywhere. It’s a big country with low population density.

We know by example that what the authorities tell us is just their best effort. Start collecting fingerprints for passports? Promise us to just use them for that purpose? Fast forward a few years, and we have police/politicians saying “Okay, now that we have these handy fingerprints of almost every Finn, why not.. use this data? I mean, we already have it!”. The authorities are not robots. They are not immune to personal desires and misbehavior. Look at the amount of police looking, illegally, into the cases of a number of celebrity crimes (Anneli Auer, Mika Myllylä to mention a few; the latter of which had 136 police officers snooping around data that they were not authorized to view). The fact that the data is collected, or the authority given, does not protect us from mis-use. It makes it easier.

We’re now considering installing traffic cameras that would look at not only speeding and running red lights, but see if a car has been inspected (as is mandated by law), if it’s registered, whether people are wearing seatbelts etc. Again we get the “So don’t do anything wrong!”-argument. But this doesn’t change the fact that we are getting authorities with increasing amounts of data on our movements and actions that they have no business knowing. The fact that they will collect the data will lead to them abusing the data. Imagine if that data were to get to the hands of advertisers? Minority Report, anyone?

We saw the S-chain of stores use loyalty card data to send out warnings on a product that contained harmful substances. So you buy a bag of chips, and flash your loyalty card (or bonus card as we call them here) at the checkout, and whammo, the store knows what you bought, when, how you paid, etc. “No no, this is just for statistics and..” ..and when you want to contact people to let them know they bought a potentially dangerous item. And maybe if you want to send targeted advertising to people based on what they bought? Or maybe sell that to third parties who also want to know what you buy and when. Hey, bought adult diapers? Either you’re a pervert or you have a medical condition. Maybe someone would benefit from knowing that information. Would you like that information to be public? Probably not. But then, the store wouldn’t use that data to do anything evil, now would they?

So don’t use loyalty cards. Don’t pay by credit. Don’t drive. Don’t move. Don’t go to school. Don’t get a passport and don’t travel. Don’t..


NYC – A Post-Mortem

A writeup on my trip to New York in July 2012. I’ve separated it into a few topics, so you can read what you want, or all of it if you are bored.

Travel, Security & Airports

Finnair gets a slap

First of all, i’d like to slap Finnair with a huge wet fish. I had some .. curious issues trying to fill in my data for the flight. By data, I mean the supplementary data that is required to travel to the US. I did my ESTA-thing, and was approved for travel. That system, even thought it costs actual big-people money, works fairly well. Finnair on the other hand, which took 742 euros of my money for a roundtrip, did not work too well. I got an e-mail a 2 weeks before my trip telling me that I need to add some information. I was provided with a link to do so. I edit my information and hit save. Nothing happens, though it did submit something. Close the little window, and hit confirm on the main page: “Your reservation number 123456 could not be found”. Yes, literally that message. Tried IE. Tried Chrome. Tried Firefox. Same result.

So I decide to call Finnair. The phone-call costs 3.15€ per call, plus local per-minute fees. Not exactly cheap, considering that Finnair isn’t usually the cheapest choice in tickets either…

A peppy-sounding woman answers, and I describe the issue to her. She offers to take my information and feed it to the system over the phone. I tell her every single item, and spell any names and such. I didn’t spell New York to her, but more on that later. So i ask her whether the information is on time, and she tells me she doesn’t know, but that she thinks it’s 72 hours prior to travel. This actually applies to the ESTA-form, afaik, and not this supplementary information that the airlines send to the relevant US authorities.

At the end of the call, she tells me to check the website again to see if the information is there and correct.

Rest assured, it was not. Let me itemize some of the things that were either missing or incorrectly typed:

  1. My middle name was missing, even though i gave it
  2. My passport number was missing two characters
  3. My passport expiry date was incorrect (i even got an error saying that my passport is now expired and that i should contact Finnair!!). She typed 2012 when she was supposed to type 2013, making my passport expired
  4. The destination city was typed incorrectly. Now, i may be anal about this, but if you work for an airline, or in the travel industry, even as a temp, you should know how to spell New York.Hell, if you are a human being in the western hemisphere, you should know! But no. She spelled it New Yourk. In my mind, this was the stupidest, though perhaps the smallest, of all the faults she had made.

So after a short moment of perplexion, i redial the Finnair customer support number. I think I got the same Woman, because she neither confirmed or denied when I inquired about whether she was the one I talked to earlier. I tell her the information is incorrect, and start out with the ‘New Yourk’-issue, because that stumped me the most. She started out by telling me: “Oh that’s a small mistake..but I’ll go ahead and correct it anyway”. I then described the other three issues (perhaps not so minor, eh Finnair?) which I asked her to read back to me once she’d typed them in. She then tried to cover her ass by saying “Some of the information we type into our systems don’t show up on the website, so don’t worry”. I could understand if it was my choice of meals on the plane, or what color luggage I was planning on checking in, but what would be the point of having two separate systems that integrate partially? I  mean you could do it that way, but it just sounds weird to me. Then, I’ll disclaim that I’m not a code monkey so i don’t know how they (don’t?) think.

I still didn’t trust her, but decided not to check the information online anyway. I had this theory where, if i open the thing online, it wipes out some of the fields she’s typed in on their end. Sounded plausible at the time..

Now, I am a cautious person by nature. Some might call me neurotic (and be correct in their statement), or even paranoid. But when it comes to dealing with US three-letter-agencies, I tend to want to err on the side of caution. They’ve turned away people at the border for tweeting jokes, so what would happen if my passport number was incorrect? I also bet that Finnair is completely void of any responsibility for any missing or mis-typed information, through some EULA or other agreement I must have mentally signed when I woke up that morning and thought of Finnair. And the amount of .. emotion I would have felt should I have been turned back at the border after paying for everything.. would have been substantial.

I also sent in a complaint to Finnair through their webform (yeah yeah, the irony). I checked the box saying “Yes, I want to be contacted on this issue”. After a while, i got an e-mail saying (or maybe it was on the website after i submitted the form?) that their complaints department is very busy right now, and that someone would get back to me within 28 days. Two weeks after I have returned from my flight. OK, fine, I’ll wait. I’ll also blog about what they say.

The funny did not stop here. A short while later, i get an SMS from Finnair, saying, roughly: “Hello! You’ve recently sent some feedback to us. Would you like to fill in a questionaire on your experience? You could win Finnair Plus gift-cards (or some such trinkets /note) for your troubles!”. Needless to say, I filled in the questionaire, vitriolic content flowing through my literary veins.

I don’t think I’ll win any gift-cards.

Samsonite gets a cookie

I bought my single most expensive piece of luggage before the trip. I was getting tired of lending bags, or using crappy supermarket-quality bags. I bought the second best Samsonite they had on display, at roughly 200€. A black, hard-shell stroller with four wheels. 10 year warranty. Absolutely worth the money. Lightweight, tough, easy to move around. And the obligatory TSA-approved lock, so they can open my bag when they want to!


The plane both ways was a Finnair-owned Airbus A330-300 (tail number OH-LTO i think?). The planes were clean, looked “right-out-of-the-factory” for the most part. Neatest part for a geek? Every seat, even in economy, had their own entertainment system in the seat in front of you. And best of all? It ran linux. I’ll add some pics later, which I was able to snag when the guy in front of me fell asleep on his screen, causing it to reboot. The screens got fairly hot, but all in all they worked flawlessly. The screens were resistive touchscreens, maybe 8 inches in size? Also included was a small wired remote with a small lcd-screen. The flipside of the remote had a qwerty-keyboard. The features that I looked at and tested were, in no particular order:

  • SMS (send/receive)
  • E-mail (send)
  • Movies and other video-type entertainment

SMS and E-mail cost two dollars a pop, which is highway (uh.. mile high?) robbery. It costs a shit and a nickle for them to send it out, seriously. I’m gonna look at the email headers later to see what i can deduce from that, as to the route it took etc. Sending and receiving was fairly straight forward, and it asked you to swipe a major credit-card before you started. This felt a bit odd, but since it confirmed each charge separately, I felt pretty safe using it. There’s something about sending an SMS at 11 km above Greenland that tickles my geek-buds.

Also offered was a phone-call option, (the remote/keyboard would have functioned as phone). Sure, phones have been on planes since.. the 80’s? But anyway, first flight i’ve been on that has these ammenities in economy class.

Linux on a Finnair Airbus A330-300

Movies had a fair selection (maybe 30 movies in different categories), all worked fine. Earbuds were included and waiting on the seat on both flights. Again an improvement from the rip-off 5 or 10 dollar charge for those shitty 2 cent chinese headphones on most flights.

So all in all,  Finnair gets points for the flight.


The airport at Helsinki-Vantaa here in Finland is pretty much the same. They’ve added a new security measure, which involves scanning your passport, then walking into a small booth (not a scanner as far as I know), and then facing a camera which takes your picture. It automatically adjusted for height, and when the picture was taken, it opened the other side so you could pass.

JFK was about the same too, though the TSA has changed some of their uh.. policies. I was at Terminal 8, which is the Finnair terminal, both ways. No nudie-scanners that I could see, so I didn’t need to decline any such invasive radiation based scanning of my body. Too bad, I wanted to see how that worked out, declining that is. I mean, a trans-altantic flight gives you enough of a dose as it is. I see no reason why anyone would like to get irradiated a second time at the airport with technology that is possibly unsafe (or at least not extensively tested), and not even effective.

The TSA signs were pretty funny, stuff like: “Good news! If you’re under 12 years old, tighten your shoelaces! You won’t have to take off your shoes at the security checkpoint!” and “If you are born on or before this date  in the year 1937, you will not have to take off your jacket and shoes”. I for one am thrilled. In only fourty some odd years, i’ll be able to travel without taking off my shoes!

Customs and Border Protection (CBP) was pretty much the same, though I was processed by a rather humorless TSA “officer” (why do these guys and gals still have badges? I’m pretty sure they are not all law enforcement trained). He took my passport, scanned it, and asked some questions. I’m not sure he looked at me in the eyes once. Would that be a sign of weakness? Was he just not interested? What was the score here. I don’t know, but it felt rather strange. And for some reason, he stamped the “Welcome to the USA” stamp in the middle of two pages. Was he looking away when he did the stamping? Perhaps.

On the way back we experienced a heavy thunderstorm which hit JFK head-on. Eventually, a blue light started flashing outside, and they announced that the airport was now closed. All eight terminals of JFK. In the end our plane was like two hours late.

During the wait, we were sitting in the Mastercard lounge, which didn’t have wifi. That was the first thing they announced when we got to the lounge. Most people turned around after hearing this, but we just came for the comfortable leather seats. The wifi would have been pretty great though, but it appears nobody had internet at the airport, not wirelessly at least.

Back at Helsinki-Vantaa, we went through the same “airlock” with the self-adjusting camera. Fast and easy, though I fail to see how this increases security.

Hackers on planet Earth 9

So 13-15th of July was Hope #9. The theme was surveilance. Oh boy, where to start?

So the layout was the same as most years, with a few minor changes. There were three main tracks, and a fourth un-scheduled track. The tracks ran on the 18th floor of the Hotel Pennsylvania in New York. We also had the Penn Pavilion for us, which consisted of a ground floor, and a mezzanine level. The ground floor had signin and security, as well as the music area, and the mezzanine had vendors, hackerspace area, chillout area, art installations and a bunch of other stuff.

I volunteered again, as I did during the Next Hope (the last hope, in 2010.. yeah, the names are confusing :), though this years experience was, I’m afraid, a bit less exciting. Maybe I’ve changed, or maybe it was really different? I helped out during loadin on thursday, and then did some shifts helping out the AV crew during friday-sunday. This year though, the organizers were either too distracted or there were “too many” volunteers. Work was harder to come by than in 2010, and it was hard to find the people who actually knew what they were doing, and what needed to be done. Also, there was a certain.. clique this year. People who had banded together and gotten special vests (STAFF!), special “all areas access”-cards and such paraphenelia that they paid for themselves. That’s okay, I’m all for that, but it kind of serves as a separator between the have’s and have-not’s. And yeah, I’m probably being too serious, as people always keep telling me, but some of the guys there were clearly above the rest. Man, some of the volunteers were hard to even talk to or get eye-contact, because they were so into their role. Think earbuds and CB-radio. Think walking around like you own the place.

And by no means does this apply to all of the volunteers. Just a select few. Anyway, I felt a little out of my league, and out of place. I didn’t do nearly as much work as last time around. Didn’t really feel like it either.

Okay, but enough whining. On to the talks. There were so many talks that i attended, that it is hard to pick out the best ones. I really liked the Prometheus Radio Project talk, the William Binney keynote (ex NSA dude), and Space Rogue’s Media Hype talk (Great hacks that never happened). There were other great ones as well, but there’s some of them. There were over 100 talks, of which you could see roughly.. a fourth maybe? Unless you were Schrödinger’s Cat or something. The talks were all filmed and recorded, and you can buy them from the 2600 store. Some of the speakers have released their slides, look on twitter for instance. Check the #hope9 tag for some of them.

The tickets this year were not electronic. Instead, we got a purple “Passport”. Inside you could affix stickers, or get stamps from different groups or people. My definite favorite was the one I got from Space Rogue; the L0pht Heavy Industries-stamp. Here are some pics of the passport and stuff:

Hope 9 Passport and plain-jane Volunteer card
First and second page of the passport
Some of the stickers and stamps, including the coveted l0pht stamp
Stamp from a weird “russian” 🙂

In the vendor-area there were some new faces. Hackers for Charity (the Johnny Long-project if i’m not mistaken?), the EFF, the FSF and others were present.

I got a bunch of schwag from the conference, mainly stickers and shirts that i bought or received through donations to the non-profits. I was sad that I couldn’t get some of the EFF shirts without becoming a member. That’d be kind of pointless (and not even possible?), since  I’m already a member of EFFI here in Finland. But we need cooler shirts here too damn it! The “I Fight For The User” shirt was especially nice.

Stickers from Hope 9

New York in general

On the last full day, we went to see the World Trade Center site. The new building, One World Trade Center, was looking mighty fine. It’s now the tallest building in New York, and it’s not even finished yet. Awesome building!

We also visited the Museum of Natural History in the uh.. upper west side of town (i think that’s what it’s called), which was well worth the 19 dollar entry fee. So many exhibits and things to look at you would have needed hours to go through it all.

Wireless was still a pain to find. The hotel apparently had some kind of deal, which was 10 dollars a day. I wish I had seen that when i checked in. Oh well. I resorted mostly to the classic “attwlan” or whatever the Starbucks one is called, and other such places (Burger King was pretty good with Wifi too). Intertubes were slow, and laggy. I don’t have roaming data in my contract, because it’s usually prohibitively expensive. Not that we should complain. The Americans are getting ass-raped by their carriers. They pay some insane sums to get small scraps of data. Sure, they have uh.. “4G”, (not really), but who cares if you have a 1G cap? Even residential DSL connections are capped, which is something I will not stand for, even if I don’t download a lot of stuff…

I set one goal for the trip: Try as many fast-food places as possible. I tried: Wendy’s, Burger King, McDonald’s, KFC, Pizza Hut, Taco Bell and Five Guys burgers and fries. Out of those, Five Guys had perhaps the best burgers, while Taco Bell had the most bang for the buck (cheap as hell, and rather filling). Burger King had good fries at times, and KFC had tasty little Chicken Bits. Pizza Hut had just released the garlic bread pizza, which we of course had to try. It was pretty good too.

TV over there is still insane. Like five or six commercial breaks per  hour of programming. And the ads are so fucking inane. Two seconds of content and the rest is warnings and advisories. Why, I had no idea that Cialis doesn’t prevent me from getting HIV!

All in all we walked a lot, and saw the city. I plotted some of the walks we did, and ended up at nearly 40 kilometers of walking, just inside one city and about four days. Great trip, but I don’t know when I’ll be back. It’s pretty darn expensive to go there, and Hope is now kind of.. I don’t know, been-there-done-that? A 3000 euro trip for the two of us is not something you can just go out and do. It takes saving and planning.

I think I’m going to look at the European conferences next. CCC or some of those events? At least the flights are cheaper.

Ok, this is one monster of apost, best to end it here.

Pseudo-Review of “Zero Day” by Mark Russinovich and other stuff

I’m currently reading “Zero Day” by Mark Russinovich, and to sum things up: for the first time in a very very long time i’m actually considering abandoning the book before reaching the end. I’ll try to explain here what i mean by this. Even though i have not reached the end, i can safely say that i can’t recommend this book to anyone interested in a *solid* techno-thriller. But anyway, spoilers ahead.

I bought the book based on..what? Maybe a tweet? Maybe it was Amazon who recommended it to me or something. I’m not entirely sure. But i had just finished Bret Easton Ellis’ latest book “Imperial Bedrooms” which was.. well rather bland as well, and i was looking for a good read.

Zero Day starts out fast, exciting, like a real techno-thriller. But very soon, the reader will become aware that the book is written with a very very specific audience in mind: A person who is male, young and unaware of the ways of “hackers” and computer crime. Reading this book i feel almost insulted at times. I could for instance not recommend this to anyone who is easily offended by the objectification (is that even a word?) of women. The book reads like something written by and/or for horny teenage boys. Almost every (it may even be every) female character in the book is portrayed in a flirtatious manner. Like all women are raucious perverts, just looking to be fucked. Almost every “scene” describing a female character, no matter how minor, includes descriptions of things like men oogling the woman’s ass, breasts, how she looks, or she may talk in a flirtatious manner, proposing sex or just generally acting like sluts.

I thought it’d apply to just one or two characters, but this has to be a god damn joke, because i have never seen such horniness in any description of the IT industry. Where are all these big-breasted, ample-assed always-horny IT-expert women? I need to know, now.


Another annoying thing, that drives me mad, is the chapters where the protagonists are discussing on instant messenger, irc or whatever. The language is silly, and made up and not how people talk, anywhere! Christ! Do you have to put up a big sign saying “this is how hackers talk!!” by making the characters talk like fucking language-impared imbecilles? Sure, sometimes people talk in leet-speek, but this has become kind of an in-joke at this point. I’ve seen 14 year-olds express themselves quite clearly, and i find it very difficult to believe that 30-something IT-industry experts would sit in a chatroom writing sentences that lack most vowels or are otherwise compressed to the point of utter annoyance. It would actually take a concentrated effort to write like the characters in this book.

I have about 70 pages to go, and i’m so tired of these repeating themes. Oh and one can’t forget the continuous references to 9/11 (that’s September the 11th for people who write dates in a way that makes sense). I get that it’s a central plot point, and Al Qaeda is the pseudo-boogey-man, and how arabs are evil and the towers fell and the planes hit and oh the humanity. I don’t think it’s a very effective plot point at this point anymore, but then again, i’m not a US citizen. I don’t have the lifelong emotional scars.

This just.. doesn’t work for me. I might recommend this to someone who is entirely outside this industry, this scene  if you may. But under no circumstances would i recommend this to anyone who has spent more time in front of a computer, or who would like to read something about like cool cyber hackers (the word cyber also appears on nearly every page, which means, if you’re playing the Pauldotcom drinking game, you’d be dead by page 100), about criminals and terrorists and Osama Dead Laden, and how horny the girls are in the IT industry (not). But if you for some reason wish to read about this stuff, by all means, pick it up. A casual reader looking for a sure-flowing thriller might enjoy this book. I’m not sure i can finish it, because i find it so insulting to my intellect. And i write this without even a hint of arrogance, trust me.

The other stuff

Another chapter of miscellania. Most of the stuff is now in boxes or bags. Keys will be picked up on Friday. We’re on the waiting list to buy Assembly 2011 tickets  (me and H, P, M and O, at least). The other people, well.. they don’t seem too interested, as nobody has contacted anyone about tickets. But i guess that’s for the better.

This will probably be my last year. It’s a fitting end too. It’s the 20th aniversary Assembly, and i’ll get to show H what the fuzz is about. I also realize i’ve said this for the past three years. But you can’t trust me!

We’re rewatching Twin Peaks, and we just saw the episode with David Duchovny as Dennis, sorry, Denise. A brilliant episode, and a brilliant portrayal by Duchovny, keeping in mind that this was before The X-files started. Wonderful.

With B, we’ve discussed multi-dimensional objects, probabilities of intersection in finite and infinite spaces. Standard stuff.

Also wrapping up Mad Men Season 3, which is a great series to watch. Looking forward to the 4th season on DVD, whenever i can get that for a reasonable price. Also, Flash Forward, though i have only seen the first half of the series. The box is a bit pricey in Finland at the moment, so maybe i’ll wait to get it. I’m not sure they showed the entire thing on TV, and considering the fact that i don’t watch TV anymore  (haven’t watched more than an hour a week for the past two years), it’s unlikely i’ll see the remaining episodes there.

A distinct disinterest

What is it with the state of security that i’m seeing around me?

People are using weak passwords, or the same password for everything, and not only that. The people who are supposed to be responsible for security do not discourage or prohibit the use of such passwords. Hell, weak passwords are sometimes even encouraged. “Pick something that you’ll remember for sure, as long as it has at least one capital letter”. Then we end up with passwords like “Dog1234” and then when the obligatory tri-monthly change comes a-knocking, we get “Cat1234”, because of poor user education and poor (or non-existant) complexity rules.

If we have something like full-disk encryption, chances are it’s synchronized with windows, using a single sign-on. Or then it’s a PIN code or something that’s way too easy to guess or deduce.

Security is just simply abhorent everywhere i look. And i’m not sure how to start changing it. Other people are making the policies, i can only offer suggestions, and complement users on good choices (and i’ve seen some of those too!). I’m more for positive feedback, but sometimes i just want to scream. It’s like nobody cares that a fucking VPN password only has single factor authentication, and the password is like December2009.

“But it has numbers and a capital letter in it!”

Inadvertent leakage of data


Most people are either not aware, or blissfully ignorant that the data they carry, be it analog or digital, is significant or important to anyone in sense. If it’s not a contract, or other clearly classified document or file, people just don’t care. But for a social engineer, this speck of data could be all he needs to penetrate your corporate structure and network.

Data overload

How many gigabytes do you have on you right now? Well, i can list the following:

  • 30GB iPod Video
  • Laptop with a 40GB disk
  • 8 GB memory stick
  • 8 GB microSD card in my phone
  • Caselogic full of CD’s and DVD’s, plus a 250 GB mobile hard drive

That’s what i have on my person right now. Now, it should be noted, that the actual amount of data on these media is only a fraction of that, but as an example.

How about analog stuff? Most of us carry business-cards in their wallet (along with other cards, receipts, etc.). Some oldschool yahoos still have a bunch of papers in folders, binders and other assorted archiving methods, that they lug around town every day.

If you look at what you have, you could very quickly conclude that there isn’t anything crucial that you have on you. No contracts, no lists of people’s salaries or who’s getting fired next. No passwords on small post-it notes (and some of you do that too…). So what could be compromised if you lost one of these items, huh? Not a lot? Think again.

One man’s garbage is another man’s…

…fucking treasure-trove. What could an adept social engineer do with a business-card? Well, he could assume your personality for purposes of calling someone, or even staging a meeting. The information contained on a simple business card, is usually: name, title, address, telephone numbers(s), e-mail address. Let’s go through these and make up plausible scenarios for their usage.

If you’re just out trolling for a random target, a business card with these data could be all you need. Based on this, you can do additional network searches, and find out more about you, the company or what you do. Maybe you have a blog, or maybe your calendar is openly viewable on Google Calendar. You’re most certainly on facebook, and since you have a business card, you probably have an extensive “net-history” to begin with. All this is fuel for the flame of a social engineer. Using this data, they can get to friends, family, co-workers, ex-partners with a grudge, old school-buddies or teachers, etc.  All ways of getting to the good stuff, of whatever data it is that the social engineer is looking for.

A telephone number will give you a lot of things. First, in certain cases, it can be used to deduce your mobile carrier. And through that, find out who your company deals with for telecommunications perhaps. Using that data, an attacker could assume your personality even better, because he knows something detailed about you. A good speaker could call up a secretary and with the proper words, get what they want, just because they know a little bit of “insider information”. A landline number (for those of us who still use those things), could give you an extension number, or a system of extension numbers. That way, you could exploit the company switchboard, operator or even voicemail. It’s unbelieavable, but in some cases, you can get to someone’s internal voicemail just by knowing their extension, name, and the “internal” phone number to call. Some systems are open to the outside world, because people may need to get to their voicemail from their hotel, mobile phone, home, etc.

The e-mail address will give you the method of naming. Is it, or something else. This again is information you can exploit, while calling someone within the company, or perhaps the service desk, pretending to be a lost user without a password.

Realizing value

This is the core problem. People don’t view these things as risks. And neither do heads of corporations, or in the worst case, the security department (if you have one). How many buildings you work in actually have a method of making sure nobody unauthorized gets in to the office? How is physical security in general? How easy is tailgating?

I’ll give you a hypothetical example. A door has a codepad, which requires a magnetic keyfob, and a four digit pin-code to get in. Now, even without these, getting in is childsplay. Just tailgate. At any one time, betwen two and five people walk in with the same opening. There’s no reception desk at this door, but there is a camera. How often have you been confronted by someone asking you to show their ID? Not a single time. Most people don’t even carry their ID’s anywhere visible (which is a good thing on it’s own). Get to the elevator. Someone else uses their keyfob to activate the keypad. They hit their floornumber, and you hit your number right after, and you won’t need your own swipe to get to the floor you want. Get in to the actual offices without a key, again, tailgating. Pretend you’re from another office or something, based on the information you have gotten from a business card you found, or the company website. In most cases, you won’t be challenged. In most cases, people will open the door for you, and get you coffee if you’re nice and personable.

There have been cases where a hacker, impersonating a service representative, or helpdesk person, has actually carried out hardware from the front-door, and even had help with doors.

One of the greatest fallacies of all time is that “people won’t go through all that trouble to do that!”. You’d be amazed at what people are willing to do.

Treat every bit of data you carry on yourself as important. If you don’t, eventually someone smart enough is going to come along and exploit that. For fun, profit or something inbetween. Maybe just because he can.

And this is not even to mention what should be plainly obvious: Losing any bit of digital data might be really really bad. A hard disk might contain not only your files, but log-files that contain ip-adresses or in the worst case, passwords to internal or external systems.  The next time you lose something, take it seriously. The next time someone asks you for something, be curious as to the reason of his inquiry. We already stream out copious amounts of data that used to be personal, using social networks such as Facebook, Friendster, Twitter, etc. Don’t make it too easy for the badguys, huh?

The politics of DDOS-attacks

Twitter has today been the target of a rather crippling DDOS, which has left the site down for several hours, according to Pingdom and Netcraft.

I haven’t seen any word as to the attacker, and that got me to wonder:

Is there politics involved in DDOSes? Twitter knows exactly who’s been hitting their sites, they see the source ip:s. Sure, they might’ve gone through a bunch of zombies here and there, or a botnet or something, but i’m pretty sure they have an idea of what is going on. Can they tell us who it was?

Let’s play with the idea that it was Iran, even governmental forces in Iran who wanted to show Twitter who is the king of the hill? Twitter was and has been instrumental in the dissemination of information from the botched elections in Iran not long ago. Twitter has been blocked in Iran by the government, but there are also other groups working to provide twitter to Iranians, through proxies and anonymizers. I’m not gonna get in to this issue now; the blocking of people from sites so they can’t talk freely, that’s an issue for a different post.

Instead i’m wondering whether Twitter can actually disclose the attackers, should they  know them? Or does foreign policy or something else dictate how it’s done? I mean, twitter delayed their service break at the request of the government, so that reporting from Iran could keep on going.

Who knows, but i’d be willing to bet at least someone is thinking about this issue. Can you publicly blame someone, if you are absolutely sure it was them? Or does it fall under the umbrella of politics?

Medeco – Hiding the truth since 1968

Ok, let’s get the facts straight here. Medeco, a “high-security” lock manufacturer founded in 1968 tries to hide the fact that their “high-security” locks are not foolproof. Wikipedia has a page on Medeco, and when someone tries to add a section on the weaknesses found in their “high-security” locks, it gets removed. Also it appears the history page is wiped clean, as well as the discussion, since i can’t find any of the edits (makes it harder to restore!), or any whine or gripe on the subject. There was one comment, but my feeling is that there have been much more.

Medeco locks are used in various high-security places, such as government organisations etc. The only problem is, the locks have a weakness which makes them not at all secure, since the security can be bypassed without breaking anything.

The method is known as bumping, and was invented sometime in the 1970’s in Denmark. When you bump a lock, you use a specially crafted key that is inserted in to the lock, then “bumped” inwards, causing the driver pins to jump up past the shear-line, so you can turn the cylinder freely. The lock is not harmed, nor will any discernible marks be left on the lock.

Most (but probably not all) Medeco locks are susceptible to this technique, and are therefore, not high-security locks, and i recommend nobody do any business with them, until they correct and/or admit that they’ve been hiding the truth. I know it’s hard guys… you’ve got a product that you know is flawed, and you’ve sold millions of them to like.. the government, and you don’t want to get reamed. I get that. I don’t enjoy getting reamed. But you gotta fess up when we are talking about a product that is supposed to provide security. People stake life and limb on these things.

If you want a lock that is bump-proof, and also, comes from my country of Finland, get an Abloy Disc Tumbler lock, which are very common here. They are not bumpable, and take a considerable amount of time and expertise to pick, requiring special tools and skill. Unlike medeco locks which take a filed piece of metal, and in some cases a screwdriver. Whoo!

Some sources here:
Wiki – Disc Tumbler Locks
Wiki – Lock Bumping
Wiki – Medeco

Medeco Bumping at Defcon In this link, an 11 year old bumps a Medeco M3 High-security lock. On this page from 2006, they say their locks are virtually bump-proof. Virtually.

Hell, they even host courses on what lock bumping and the risk it presents..

A word on legality: The posession of lockpicks or other tools that can be used to gain unlawful access, with criminal intent, to the property owned by someone other than you is a crime punishable by a fine in Finland.

I am not a lawyer, so don’t listen to me, but that would mean that you could have these tools for your personal practice. Lockpicking is a hobby in many countries (haven’t heard much of it in Finland), and why couldn’t it be? Picking a lock could be a useful skill in an emergency, when someone is locked inside a dangerous area, or if you are there yourself. Or just as a general hobby. I mean shooting can also be a hobby…

Here is the law:

28 luku, 12 a § (24.5.2002/400)
Murtovälineen hallussapito
Joka ilman hyväksyttävää syytä pitää hallussaan sellaista avainta toisen lukkoon taikka tiirikkaa tai muuta välinettä, jota voidaan perustellusti epäillä pääasiassa käytettävän tunkeutumiseen toisen hallinnassa olevaan suljettuun tilaan rikoksen tekemistä varten, on tuomittava murtovälineen hallussapidosta sakkoon.

This means, if you for instance, carry some tools that can be used to pick locks, in a public area, without a reasonable reason, you can be fined. This means, if you are not coming or going to a lock-picking event/hobby club etc.

A good site on this whole hobby, is can be found here, at the “Haittalevy” blog.