Rough Book

random musings of just another computer nerd

Category: Nerdy Stuff

Reasoning about Sequential Cyberattacks

My paper Reasoning about Sequential Cyberattacks was accepted for FOSINT-SI 2019. I had the opportunity to present the paper at the conference last month in Vancouver, where I was also awarded “Best Paper”.

You can check out my paper here.

I suffered a lot of heartbreak with this paper; it was either rejected for the most trivial of reasons (one reviewer rejected it because I didn’t cite a particular work) or because it didn’t seem like a good fit for the venue. I’m happy that it finally got accepted, and that it was also found good enough to be awarded “Best Paper”. I must be doing something right in my PhD.

Getting artifactory running on Ubuntu 18.04

I was trying to get the Artifactory OSS 6.3.3 running on Ubuntu 18.04 and ran into issues described in RTFACT-16909. The issue is that there are systemd changes in 18.04 that make the handling of PID files much stricter. When Artifactory starts up as a service, systemd runs /opt/jfrog/artifactory/bin/ as root. But the script then starts up Tomcat as the artifactory user. The PID of the Tomcat process is then written to the PID file in /var/opt/jfrog/run/ When control comes back to systemd, it sees that the PID file is not owned by root and refuses to deal with it. The errors look like this:

Sep 26 19:04:33 ip-172-31-41-254[13784]: Max number of open files: 1024
Sep 26 19:04:33 ip-172-31-41-254[13784]: Using ARTIFACTORY_HOME: /var/opt/jfrog/artifactory
Sep 26 19:04:33 ip-172-31-41-254[13784]: Using ARTIFACTORY_PID: /var/opt/jfrog/run/
Sep 26 19:04:33 ip-172-31-41-254[13784]: Tomcat started.
Sep 26 19:05:02 ip-172-31-41-254 systemd[1]: Started Session 211 of user ubuntu.
Sep 26 19:05:12 ip-172-31-41-254[13784]: Artifactory Tomcat started in normal mode
Sep 26 19:05:12 ip-172-31-41-254 systemd[1]: artifactory.service: New main PID 13844 does not belong to service, and PID file is not owned by root. Refusing.
Sep 26 19:05:12 ip-172-31-41-254 systemd[1]: artifactory.service: New main PID 13844 does not belong to service, and PID file is not owned by root. Refusing.
Sep 26 19:05:12 ip-172-31-41-254 systemd[1]: artifactory.service: Failed with result 'protocol'.
Sep 26 19:05:12 ip-172-31-41-254 systemd[1]: Failed to start Setup Systemd script for Artifactory in Tomcat Servlet Engine.
Sep 26 19:05:17 ip-172-31-41-254 systemd[1]: artifactory.service: Service hold-off time over, scheduling restart.
Sep 26 19:05:17 ip-172-31-41-254 systemd[1]: artifactory.service: Scheduled restart job, restart counter is at 201.
Sep 26 19:05:17 ip-172-31-41-254 systemd[1]: Stopped Setup Systemd script for Artifactory in Tomcat Servlet Engine.
Sep 26 19:05:17 ip-172-31-41-254 systemd[1]: Starting Setup Systemd script for Artifactory in Tomcat Servlet Engine...
Sep 26 19:05:17 ip-172-31-41-254[14254]: found java executable in JAVA_HOME
Sep 26 19:05:17 ip-172-31-41-254[14254]: Artifactory Tomcat already started
Sep 26 19:05:17 ip-172-31-41-254 systemd[1]: artifactory.service: Can't open PID file /var/opt/jfrog/run/ (yet?) after start: No such file or directory
Sep 26 19:05:17 ip-172-31-41-254 systemd[1]: artifactory.service: Failed with result 'protocol'.
Sep 26 19:05:17 ip-172-31-41-254 systemd[1]: Failed to start Setup Systemd script for Artifactory in Tomcat Servlet Engine.
Sep 26 19:05:23 ip-172-31-41-254 systemd[1]: artifactory.service: Service hold-off time over, scheduling restart.
Sep 26 19:05:23 ip-172-31-41-254 systemd[1]: artifactory.service: Scheduled restart job, restart counter is at 202.
Sep 26 19:05:23 ip-172-31-41-254 systemd[1]: Stopped Setup Systemd script for Artifactory in Tomcat Servlet Engine.

To work around this issue, you have to do the following. First, in /lib/systemd/system/artifactory.service add the following lines under the [Service] section:

# change these if your artifactory user or group is different
User=artifactory
Group=artifactory

This will now run as the artifactory user. But the script assumes that it is to be run as root, and so there are some changes you will need to make. First, the script uses ulimit to change the limits on the number of open files. This will fail because the artifactory user will not have permissions to set the hard limit. You can get around that by adding the following to /etc/security/limits.conf:

artifactory soft nofile 32000  # change if your artifactory user is different
artifactory hard nofile 32000  # change if your artifactory user is different

Note: The actual numbers may be different for your system. To find out what they are, manually run start as the artifactory user before you make the above changes. The script should spit out lines similar to the ones above.

Finally, you will need to change some lines in /opt/jfrog/artifactory/bin/ In the snippet below, the commented-out line is the code as it originally appears and the modification is just below that:

#su -s "/bin/sh" ${ARTIFACTORY_USER} -c "${replicatorScript} start"
${replicatorScript} start


#su -s "/bin/sh" ${ARTIFACTORY_USER} -c "${replicatorScript} stop"
${replicatorScript} stop


#su -s "/bin/sh" $ARTIFACTORY_USER -c "export JAVA_HOME='$JAVA_HOME'; $TOMCAT_HOME/bin/"


#su -s "/bin/sh" $ARTIFACTORY_USER -c "export JAVA_HOME='$JAVA_HOME'; $TOMCAT_HOME/bin/"

Note: I also made these exact changes to /opt/jfrog/artifactory/misc/service/artifactory for the sake of consistency, but I have not verified that it is strictly necessary.

We have to make these changes because is being run as the artifactory user now and so there is no need to explicitly run the other scripts as the same user. Once you make these changes, you should be able to start artifactory via systemctl start artifactory.service successfully.
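The failure signature in the journal excerpt above can be checked for mechanically. The following is an added Python example, not code from the original post or from JFrog; the sample lines are constructed, with a placeholder host name and PID-file path, and `diagnose` and `loop_threshold` are names chosen here.

```python
import re
from collections import defaultdict

# Constructed journal lines modelled on the excerpt above; the host name and
# the PID-file path are placeholders, not values from the original system.
SAMPLE_JOURNAL = """\
Sep 26 19:05:12 host1 systemd[1]: artifactory.service: New main PID 13844 does not belong to service, and PID file is not owned by root. Refusing.
Sep 26 19:05:12 host1 systemd[1]: artifactory.service: Failed with result 'protocol'.
Sep 26 19:05:17 host1 systemd[1]: artifactory.service: Scheduled restart job, restart counter is at 201.
Sep 26 19:05:17 host1 systemd[1]: artifactory.service: Can't open PID file /run/example/app.pid (yet?) after start: No such file or directory
Sep 26 19:05:17 host1 systemd[1]: artifactory.service: Failed with result 'protocol'.
Sep 26 19:05:23 host1 systemd[1]: artifactory.service: Scheduled restart job, restart counter is at 202.
Sep 26 19:05:24 host1 systemd[1]: example.service: Scheduled restart job, restart counter is at 1.
"""

UNIT_LINE = re.compile(r"systemd\[1\]: (?P<unit>[\w@.-]+\.service): (?P<msg>.*)$")
REFUSED = re.compile(r"New main PID (\d+) does not belong to service, "
                     r"and PID file is not owned by root\. Refusing\.")
NO_PIDFILE = re.compile(r"Can't open PID file (\S+) \(yet\?\) after start")
RESTART = re.compile(r"restart counter is at (\d+)\.")


def diagnose(journal_text, loop_threshold=5):
    """Summarise PID-file failures per service unit from systemd journal text."""
    stats = defaultdict(lambda: {"refused_pids": set(), "missing_pidfiles": set(),
                                 "protocol_failures": 0, "restart_counter": 0})
    for line in journal_text.splitlines():
        m = UNIT_LINE.search(line)
        if not m:
            continue  # not a systemd message about a service unit
        s, msg = stats[m["unit"]], m["msg"]
        if (hit := REFUSED.search(msg)):
            s["refused_pids"].add(int(hit[1]))
        elif (hit := NO_PIDFILE.search(msg)):
            s["missing_pidfiles"].add(hit[1])
        elif "Failed with result 'protocol'" in msg:
            s["protocol_failures"] += 1
        elif (hit := RESTART.search(msg)):
            s["restart_counter"] = max(s["restart_counter"], int(hit[1]))

    report = {}
    for unit, s in stats.items():
        if s["refused_pids"]:
            verdict = "pidfile-not-owned-by-root"   # the refusal seen in this post
        elif s["missing_pidfiles"]:
            verdict = "pidfile-missing"
        else:
            verdict = "ok"
        # A high restart counter means systemd keeps retrying a start that can
        # never succeed, which is what the counter at 201/202 shows above.
        report[unit] = {**s, "verdict": verdict,
                        "restart_loop": s["restart_counter"] >= loop_threshold}
    return report


if __name__ == "__main__":
    for unit, info in diagnose(SAMPLE_JOURNAL).items():
        print(unit, info["verdict"], "loop" if info["restart_loop"] else "no-loop")
```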

For that pristine machine

I remember when my home directory used to be organized. I knew exactly where my documents were. Which folders had which files. All my Napster MP3s were organized perfectly by artist and album. It was beautiful. I maintained this order assiduously, between multiple installs and machines. But the internet gets faster. And there is ever more data to download. Today I can barely remember where things are. Sure, I remember the general folder. But do I remember exactly where? In which backup is it? From which year? On which server? Is it in the cloud? Or did I copy it to this machine? Maybe it’s on my Windows install? Now they all float about. Digital ghosts. The layers pile up, strata of data; an archaeologist could dig through them and see the progression of my digital life. Digital experiments; code half written and half forgotten lie about.

I need to write a script to organize it all.

Ethical egoism is harmful

**Note**: *This is a rambling argument against ethical egoism; I’m saying that it doesn’t make sense to reject altruism, especially using evolution as an argument, and in fact, evolution can be used to explain how altruism can be evolved. I’m not talking about possible solutions or theories of socio-economic organization. Obviously, philosophy informs those ideologies and the rejection of ethical egoism has implications in that regard. But that’s another topic.*

I can’t believe that ethical egoism is even considered to be a valid moral-framework. It essentially legitimizes being a selfish asshole who has no regard for the feelings of others; a narcissistic psychopath would be the supreme ethical-egoist. This is absolute nonsense. It is argued that altruism doesn’t “make sense” because looking out for another person when it’s not even in your interest doesn’t jibe with “natural selection” (something right libertarians are in _love_ with). That’s still generally true; evolution is ruthless competition — the amoral laws of nature or the “law of the jungle”. But there is also emergent complexity.

When you start dealing with agents that are not just aware of themselves, but also _other_ agents like them, then they must necessarily be aware of the consequences of their actions, on such agents. This was a foregone conclusion, I think, once sexual reproduction evolved. At some point, a creature would evolve that needs to be aware of the opposite sex, and needs to be able to maximize its chances of reproducing with that opposite sex. That requires an internal cognitive framework (or at least embedding so that we don’t have to quibble about sentience) that can represent an “other”. Naturally, this will give rise to cooperation, because even by chance two agents can discover that their chances of success at gathering resources (food; i.e., energy) are maximized if they work together. From here it’s not too difficult to see how packs, herds, and flocks evolved. Once the brain already has a sense of the opposite sex, it’s not hard to extend that to other members — I would argue that that would have necessarily evolved at the same time as awareness of the opposite sex because agents usually have to compete with members of their own sex for access to the opposite. Hence again, even by chance, it is possible for agents to discover that by working collectively, their chances for success are maximized. This is especially observed in pack animals from wolves, and in primates, especially in us.

If early humans only looked out for themselves, we would have gone extinct. This is because by himself or herself, a single human-being is not a formidable predator; we don’t have big, sharp, teeth or claws. We aren’t especially hardy either; we don’t have fur and we are comparatively frail when compared to other predators that occupy the same niche. This is true for many primates as well. But what maximized the chance of not just group, but _individual_ success and survival, is working together _as_ a group. To do that necessarily _requires_ altruism, since the agent _must_ be able to balance individual needs against the overall well-being of the group. For example, when a group is attacked, healthier individuals will protect the injured, old, and young — this puts them at more risk, but they do it regardless because group survival is only guaranteed by the protection of those who cannot protect themselves. With humans this reaches a different stage. No longer guided by blind evolution, our sentience lets us explore the solution space of social-organization even further. Our sense of _self_, our metacognition, lets us _question_ norms and wonder about _other_ social arrangements.

But that one can explore this solution space means that one will encounter both _bad_ and _good_ solutions. Ethical egoism is a bad solution. That it has been conceived of, doesn’t give it any validity. Individuals purely acting in their own self-interest may lead to a functional society, but it is not one that is necessarily equal (it is highly improbable+ that it would be); where the rights of a percentage are not being continually oppressed — disregard of the rights or feelings of others necessarily leads to that. As human beings, our chances of survival are maximized by having concern _about_ our fellow humans. In these times, we’re talking about the survival of human civilization itself.

Ethical egoism as a moral framework should be rejected.

+*I have this intuition about a game-theoretic agent-based framework that could perhaps provide evidence for this. I would need to use an inequality measure of some sort and then run thousands of simulations to get a distribution of values for the coefficient, and the parameters (types of cost-functions, basically) that produce those values. I haven’t fully thought it through because I have other stuff to work on, but it’s an experiment I’d like to try one day.*

Sci-Fi Fever Dreams

Yesterday when I finally fell asleep, I was running a fever of 102.5 (it broke last night and I feel much better today – I think I’m over whatever I got). I then had a dream I was in a TV show – something like Stranger Things. At least that’s how it started out. Something weird was going on at some house where there was a hole to a parallel dimension and a team of investigators had shown up to check it out. I was part of this team. For whatever reason I had a sweet pair of polarized sunglasses with me. Don’t know where I got them from, but they looked really cool and they most definitely didn’t belong in the 80’s. Everyone kept talking about how cool my shades were and I agreed; they were cool.

We were looking at the lawn where there was a burn mark due to the paranormal occurrences at this house, when I noticed that I would see a strange pattern on the lawn only when I wore the shades. No one else could see it. I lent my sunglasses to the other investigators and then they could see the pattern too. When they wondered why, I said “Well, my glasses are from 2016” (as if that would explain everything). They laughed because it was only 1986. I think at that point I realized that I had somehow time-traveled to 1986 and ended up as part of this team. Anyway, I then realized that the pattern I was seeing on the lawn was basically a series of gears; kind of like what you would see in a clock. Furthermore, the gears were moving. That’s when I realized that what I was looking at was time itself! The glasses helped me view the entire dimension of time using this metaphor. But not just view it…

I decided to say “Go back 10 seconds” while wearing the glasses, and I went back 10 seconds in time! So apparently that was how I had arrived in 1986, but I had forgotten that critical piece of information. I don’t recall what else I did with my new-found power but I vaguely remember time-traveling to 1991 and ending up in my old house in Darsait, Muscat as my younger self. So it appeared that the glasses had a sort of Quantum Leap-esque power too. Unfortunately at this point I either woke up or the dream transitioned into something else because I don’t remember what happened next.

My data-recovery story

I was looking through the Wayback Machine at snapshots of my website, when I came across one from 2005. It reminded me of something I had almost forgotten. At some point in 2005, the network card in my FreeBSD server started to die. I got myself a new card and set about replacing the dying one. I can’t recall why anymore, but I guess I had needed to disconnect the hard-drive at some point. I remember that after I plugged it back in and booted up, I was greeted by a screenful of terrifying error-messages. Something horrible had happened to the drive that held my home directory, my website source-code, and my database. I had lost about 6 years’ worth of posts and images on my website. My first instinct was to power down the machine to prevent anything more being written to the drive, which I immediately did. After that I think I tried a bunch of disk-recovery tools to try and recover my data. But this was difficult because the filesystem was UFS. I can’t remember if there were any UFS recovery tools at the time, or if I tried them, but I remember having tried almost everything I could think of.

Out of desperation, I think I finally decided to use dd. I started dumping the data from the drive using the lowest size-setting possible in dd (I want to say it is a byte, but I don’t really remember). I then piped this into a perl script that would examine each byte, looking for magic numbers. The drive had been corrupted so badly that there wasn’t even any trace of a coherent filesystem anymore. I knew that the data I was getting were most-probably fragmented, but I didn’t care at this point. I would guess the file-type by looking for magic numbers, and then I would start dumping that data into a file until I found an ending marker, or if the file-type didn’t have one, until the start of another magic number. I remember having various settings in the script so that I could tune its behavior, especially when dealing with false positives. My priority was to retrieve my pictures, website, programming projects, and database. For my source-code I only had to look for ASCII data. For pictures I looked for file markers for JPG, PNG, and GIFs. The database was difficult though, because I was using MySQL. By sheer chance, I had decided to take a SQL dump of my website’s database the day before for backup purposes (ironically, on the very drive that would die the next day). This was ASCII data, and so it was one of the first things my script found.

I ran this script over a couple of hours I think, and then for most of the next day for good measure. Then I began the tedious process of sifting through these files, weeding out false positives. All said and done, I retrieved a good chunk of my data. I think I got back around 80% of my pictures, and almost all of my code and website source. It was a scary few days, but I’m glad that my desperation drove me to try something like this!
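The carving loop described above (find a magic number, write until the end marker or, for types without one, until the next magic number) as an added Python example. It is not the original Perl script; the signature table, the `min_size`/`max_size` tuning knobs and the sample image are assumptions constructed for illustration.

```python
# (type, header magic, end marker or None)
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    # GIF's trailer is the single byte 0x3B, far too common to search for, so
    # GIF is treated here as a type without a usable end marker.
    ("gif", b"GIF89a", None),
    ("gif", b"GIF87a", None),
]


def next_header(data, start):
    """Offset of the nearest header magic at or after `start`, else len(data)."""
    hits = [data.find(magic, start) for _, magic, _ in SIGNATURES]
    hits = [h for h in hits if h != -1]
    return min(hits) if hits else len(data)


def match_at(data, pos):
    """Signature whose header magic starts exactly at `pos`."""
    for sig in SIGNATURES:
        if data.startswith(sig[1], pos):
            return sig
    raise ValueError("no signature at offset %d" % pos)


def carve(data, min_size=16, max_size=8 * 1024 * 1024):
    """Return [(type, offset, blob, ended_on_marker)] for each candidate file.

    No filesystem metadata is used: a candidate runs from its magic number to
    its end marker, or to the next magic number (or max_size) when the type has
    no end marker or the marker never shows up, i.e. a probable fragment.
    """
    found = []
    pos = next_header(data, 0)
    while pos < len(data):
        name, magic, footer = match_at(data, pos)
        body = pos + len(magic)
        limit = min(next_header(data, body), pos + max_size, len(data))
        end, ended_on_marker = limit, False
        if footer is not None:
            f = data.find(footer, body, limit)
            if f != -1:
                end, ended_on_marker = f + len(footer), True
        if end - pos >= min_size:          # drop tiny hits: likely false positives
            found.append((name, pos, data[pos:end], ended_on_marker))
        pos = next_header(data, end)
    return found


def build_sample():
    """Constructed 'raw disk' bytes: filler with four embedded pseudo-files."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"
    gif = b"GIF89a" + b"G" * 30
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 24 + b"IEND\xaeB`\x82"
    torn = b"\xff\xd8\xff\xe1" + b"T" * 20          # JPEG header, end marker lost
    return b"\x00" * 100 + jpg + b"\x11" * 50 + gif + png + b"\x22" * 10 + torn


if __name__ == "__main__":
    for kind, offset, blob, whole in carve(build_sample()):
        print(f"{kind} at {offset}: {len(blob)} bytes, end marker found: {whole}")
```

Raising `min_size` is the kind of tuning the post mentions for false positives: short hits that merely happen to contain a magic number are discarded before they reach the manual sifting stage.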

Doing front-end development IS such a pain

This is so true that it’s hilarious. And sad. Any time I try to do something a little nontrivial for the front-end, it goes downhill so quickly. It’s like you are at this bizarre Home Depot with a million tools and you aren’t quite sure what they do because most of the instruction manuals are missing pages or are just completely absent. There are very few that are complete.

You went there trying to get some nails and a hammer to hang a picture at home. But the nails only come in a package that includes a lava lamp, a sledgehammer that weighs 50 lbs, and 217 blocks of assorted shapes, sizes, and colors. You get a hammer that seems to be the most popular but then you read a blog post from a carpenter ninja rockstar who has come out with a new hammer-design (and a cool name: “Hamm.ür”) that everyone is raving about and is a huge improvement over the new one and has started a new company that is already building and selling it. Home Depot also just happens to have it. You decide to get the new one; the old one wasn’t that actively supported by the manufacturer anymore anyway. In fact, it was just made by one guy in his garage and no one had seen him in a year and he rarely answered his phone or responded to emails. The new hammer does also come in a package with other stuff but at this point you really just want to hang that picture because that thing has been sitting against the wall for months.

You get home and finally start to hammer in the nail but end up burning your house down because the hammer replaced the lava lamp’s power adapter with a bare copper wire that set your curtains on fire. When you complain that using bare copper is unsafe and that they shouldn’t come with hammers or replace power adapters in a lava lamp that you didn’t even want in the first place, because seriously why the hell does anyone sell lava lamps with nails, you get told “Stfu noob! Copper is like the second-best fucking conductor and it is cheaper than silver and bare copper is so much lighter than a whole stupid adapter; seriously weren’t you just complaining about not wanting extra shit with what you buy?”

Don’t use class literals as type-tokens

Generics were added to the Java language within J2SE 5.0, and there was much rejoicing. It was finally possible to deal with containers in a type-safe manner. Prior to the availability of generics, Java developers had to do things like this:

List people = new ArrayList();
people.add(new Person("Donkey Kong"));
people.add(new Person("Guybrush Threepwood"));

Person pirate = (Person) people.get(1);

This kind of code is very fragile since it is not easy to keep track of what is inside a container. If at runtime, the object you retrieve is not of the type that you’re expecting, you can get a ClassCastException. It is also remarkably easy to pollute a container by shoving objects of different types inside there, which makes it even more difficult to keep track of the types of the objects inside. Workarounds included littering code with instanceof checks, or creating a wrapper class (for example a class called PeopleList that would delegate to an internal List instance) around the container so that you could have control over the types of objects being inserted.

When generics finally arrived, people were ecstatic because now you could do things like this:

List<Person> people = new ArrayList<Person>();
people.add(new Person("Donkey Kong"));
people.add(new Person("Guybrush Threepwood"));

Person pirate = people.get(1); //It just works!

This meant no more ugly workarounds, which means that things are awesome! Right?


Heroku template for Spring 4 app with Oracle Java 8 and Tomcat 7.0.54

I’ve been playing around with Heroku at work for the past week or two. Heroku is pretty awesome if you want to get an app up and running quickly. Heroku does support Java and they have a few Java templates. Their current offering for Java uses Spring 3 and Tomcat 7.0.54 with Java 7. However, the version of Spring is somewhat older and they also use OpenJDK’s Java instead of Oracle’s Java. I wanted to try out Java 8 and also use a newer version of Spring so I upgraded the existing template to support both of those (I used a forked version of a custom buildpack for Java 8). I also had to update Heroku’s Web Runner to use Tomcat 7.0.54 (I have a pull-request waiting but I’m not sure if/when it will get approved so I have an artifact on GitHub that Maven can pull).

You can check out the template here.
