Categories
Uncategorized

Post archive back

As you may notice, I rolled back to WordPress.  Many of the hardware threads have been posted here, from the forums.  This page focuses on hardware and computing topics from the forums, while FuntimeBliss.com will cover gaming with anything else included.

I will back fill some interesting threads from this year as well, since all the content comes from the forums, then gets posted here on these front pages.

Thanks for visiting!

Categories
Uncategorized

Community resources and projects

I want this to be short, yet more detailed than a tweet or lost in a string of them. I have to say there is an issue with contributing to a public project, that is when you are eternally expected to maintain said thing. Especially with no compensation or expectation of support timeline. I know that can sound rude, but the context I am especially honing in on, is stuff like game mods or application support by a person or community, that the OEM / vendor ignored.

There comes a point when if you want to improve something or add features to it, you need to roll up your sleeves and figure it out yourself, instead of ranting on reddit for someone who did a kind deed of the original contribution, to somehow become the permanent dev to your whim. This applies to games as well, because it seems like smaller developers get bombarded with this syndrome, while a major game studio just gets a shrug and ‘oh that’s the best we will get from them’ replies from the same people making outlandish demands from the smaller developers and studios.

Sharing another story, I know a person who wrote a Gamefaqs guide and still had people emailing for intricate details about a thing, 9 years later. I’m sorry (but not really sorry), people probably moved onto other projects, especially in that span of time. It seems like if you give a huge effort, you are presumed to own it forever. Don’t get me wrong, kind people do pick up the torch on projects and move forward, but the issue of insane expectations is a real thing.

If you can ask the question and understand the basic of how something works, if you apply some effort into research and working out the problem, you can likely contribute, if not completely solve the issue itself. I feel many people get burnt out trying to contribute to communities for reasons like this. Throwing in a video game trope; when I played Final Fantasy XI heavily, many of the newer members always showed up for the leet boss fights, but were never to be seen or magically went afk, when the core team was farming triggers (items required to actually fight the leet bosses), because the trigger part takes time and does not directly lead to an immediate reward.

That ends my rant. Please be courteous of people who produce content and products to help others. Donate them some loot for good work, if you want to help debugging and giving feature requests, do not write snarky comments about how dumb they are for omitting your favorite feature. Especially because it may already be there, you just didn’t see it or it has another name for that flag option.
I don’t know about you, but working a day job, upkeeping around the home, finding time to spend with friends and family, getting some recreational and sleep, can be a struggle. Especially when day job requires after-hours maintenance. Please be cool to others. If someone is releasing a tool or something cool, remember they are people too, or at least some sort of advanced AI that probably has some feeling registers too.

Let’s try to avoid pushing people to burn out faster. It’s hard enough to avoid without the crowd heckling that can be this social media age. Thanks for reading and visiting :)

Categories
Uncategorized

Occasional drafts

No not the military type, but the writing ones. I occasionally write things to paper or digital document before sharing them, but here on the forums, is more a less free-form. I do jump back and edit with note if something changed heavily from original post.

Congratulations on another Friday. The more recent hubbub about security and computers was the shadowbrokers follow-up leak about some windows exploits, especially the smb file sharing ones. If anything is referenced and more commonly learned from this, I hope that ‘when only some people have access to exploits, they will also be used by others’. Even before these leaks dropped, I fathom other persons than the NSA had access to these exploits. Please keep that in mind when there is an attempt to engineer a backdoor into a protocol. By doing such a thing, it would still be an exploit. Remember that people using this stuff in the wild, don’t tend to share that information freely. That would cut into their market share and prevent them from making lots of money, doing seemingly unknown methods to reach a goal.

Relaxing a little bit, if you enjoy playing Castlevania-type games, I would suggest trying Hollow Knight. It’s a platformer with hand-drawn art and an atmospheric, creepy and interesting world to explore. Between power ups and world exploration, you should have a good time. Especially since some zones are worth re-visiting as you gain new abilities. My friend suggested this one and I am pretty impressed with it. I’m about 4 zones in so far and am around of 11 hours of play.

Jumping back to security stuff… if you don’t have an active patch policy, enforce one asap instead of waiting for approval. I’ve been there and seen the political attempts to defer updates (especially for OS’) but seriously just ask for forgiveness if there is an issue, because you cannot really justify the negligence of letting it slide anymore. Particularly for anything you have with open-facing internet ports and accepted routes in your firewall.

Hopefully you had a happy 4/20 yesterday. Or as I recently learned, Lima bean respect day.

Categories
Uncategorized

Reads and Vault 7

Jolly Friday! Weather has been weird with jumps from 70 F yesterday, down to the 30s and steady but rapidly melting snow today. I recently finished reading The Art of Invisibility (amazon link) by Kevin Mitnick. I found it to be an enjoyable read, with most content being fairly well known, yet the wider applied context was helpful. Most of all, it read like a good story, instead of a technical manual. Even if you aren’t into tech heavily, I think you would find this to be a worthwhile read. The book does a good job of applying security into a rational context, without sounding all ‘tin foil hat conspiracy’.

Also buzzing around the security sphere is the Vault 7 leaks – Part 01. This archive jumps into some CIA bug exploits and attach methods they have been using. Be wary of coverage sources, namely the Wikileaks twitter account and most every mainstream news outlet. They are jumping into some unqualified headlines. Personally I think rushing to cover the story with inaccurate information, goes to muddy the actual content. I still think this The Register article best covers the leaked content. Going with a TL;DR here, SmartTV microphones can be owned, but this looks to be a local attack to implement. Crypto applications can be circumvented, if you phone itself gets compromised… not the application itself. There has been plenty of back and forth between the security community and mainstream news over that detail between entire phone access and the subsequent access to apps that grants. The potential to control automobiles is a concern that brings up more desire to probe the death of Michael Hastings.
I have some of the Vault 7 files to rifle through myself, as 8000+ files is quite the cache. Some applications such as Notepad++ have already patched against the disclosed vulnerabilities and other companies are scrambling to do the same. Wikileaks appears to be relaying the exploit code to vendors, as they seem to have redacted almost all of the files from release into the wild.

Outside of the computer and security sphere, I picked up the new Zelda: Breath of the Wild game and have played that a little bit. I also continue to draft up some projects I’ve been working on, but mentioning them before being live, is kind of useless :)

I also learned that interacting with political twitter is the worst, because people will keep @you about something someone else said, all in effort to get their snarky rebuttals in. I know it is difficult to have a dialog in 140 characters, but if your only response is “You’re wrong and I don’t like your opinion”, your shit is weak and you lack any contribution to the dialog. Complaining without any effort at a workable solution, just helps you reinforce your current stance. Try challenging your opinions against others and see if they stick. It’s a 2-way street, but if you are busy throwing labels @ people, I can assure you, you are accomplishing nothing except the old hug box / circle jerk of hive-minded opinions.

Categories
Uncategorized

Computer news recap

So everyone has been foaming at the mouth about the Dyn DNS attack / mirai botnet theory on how some large sites had been down over last Friday (10/21/2016) into the weekend for some folks. There were heat maps of areas in the USA hit, and laughably common, Russia was the 1st to blame. That of course turned into more competent speculation that the attack came from a botnet of devices, such as cameras and other Internet of Things (trash) with default passwords, or worse yet hard-coded passwords.

Pardon the cynicism, but I am waiting for this coffee to cool down and it’s the morning. I would also make a list of major websites that had their user databases taken, but that would be a huge and no where near complete list. When that happens, the obfuscated passwords are run against some cracking methods to get the raw ASCII value.  Hashcat is something I do not yet have experience with, but would like to setup a test windows domain to reverse the AD password obfuscation, for sake of seeing it run and deliver personally.  I enjoy projects.

Notable sites where the user data got popped are (with some speculation on my part, perhaps):

  • Yahoo
  • Hotmail
  • LinkedIn
  • AshleyMadison
  • MySpace
  • Twitter (~2014)
  • Facebook (~2013)

 

Please note that Twitter and Facebook are speculation on my part and that is why I put the projected date next to it.  At this point honestly, I give consideration that every site has potentially been popped for their user databases.  Salting and Hashing your user passwords will get you so far, but like encryption, if you leave the keys with the protected data… you are not really gaining any benefit because you gave away the key to the puzzle.  We can call this security nihilism, but seriously this is worth restating.  Do not store private keys with your data, if you salt and hash method are in that production database, you are going to have a bad time.

*Sips Coffee* There is no such thing as perfection, so do not worry about chasing that dragon.  The moral of the story above however, is to not re-use passwords.  Do you have the same password for your email, bank, work, and social network sites? Please don’t do that.  It makes being a victim way easier, especially after a data breach / password dump from a major site.  Let me assure you I’m not spouting this out from my ivory tower, because I had some shared passwords between services too.  Fortunately I seem to have changed those before the accounts could get popped.

Granted, depending on how bad a network gets run, authentication could be irrelevant because an attacker had full access to the site by side-stepping authentication completely.  Another one of those theories, but yeah you have to do what you can.  I spend a formidable amount of time reading about security news and researching myself.  A few years ago I dorked around pretty heavy on facebook, laughed at the perceived privacy controls, and got put in ‘Facebook Jail’ a few times for abusing features.  That taught me the humor of what privacy means, to a site that really wants to sell me t-shirts and crawl the search history on my mobile phone to schlep advertisements, if I use their mobile application.

Wrapping this up with some dystopian nightmare, I see more and more corporations are merging on up into massive conglomerates.  It feels like only yesterday Time Warner and Comcast merged, yet AT&T is preparing to buy Time Warner.  By Time Warner I mean more than just the cable services as well.  So much for reasonable internet prices.  I mean it’s pretty clear that balanced media reporting is a relic of the past, short of some slivers of the internet and print sources.  Complaining about the media, I reference the fault that comes from major networks only reporting from one perspective, so conservative hones in on their pitch, while moderate or whatever you call Fox and not CNN, also ignored highly relevant details, so they can pitch their sponsors agenda.  Worst of all, leading people to argue about disinformation they get from controlled outlets, instead of combining multiple resources and trying to come to their own conclusion.

For what it is worth, hopefully instead of trying to support broken infrastructures, global society rolls up it’s sleeves and looks to put in new solutions, instead of band-aids for flawed infrastructure.  In this case I mean things like replacing DNS and core network topology with a new back end, at least designed with some concepts of preventing major issues from being so detrimental.  Granted, Global Society applying similar methods to non-technical processes would be great too.  I hope you enjoyed the rant :bunny:

Categories
Uncategorized

Logo clean

Pardon the prior header image. I had it up from prior years. I like to think I have normalized some progress and a smidge of coherence, at times.
Explore every day for those of us who are no longer with us. Respect and salute to them. That is my opinion on resolve.

Attached Thumbnails

  • JoeDirtSnowden.jpg

Categories
Uncategorized

Flashback topic

Thanks again to everyone who came out to the Open House @ Philly Secure Shell.  I handed out some stickers with the BlissPC.com address, so I wanted to share a 2014 thread about Bitcoin Miner Malware.  A random note, is to use google and type ‘bitcoin miner site:funtimebliss.com’.  You will get the 1st result, but it looks like there is some redirection poisoning going on there.  It bounces to a URL4SHORT_info page.  I have to explore that some more.

 

A friendly reminder that I do not do the advertisers thing on the site, as I believe in sharing information and not exposing people to advertiser traffic and potential infection by way of poorly moderated advertising networks.  I have had the forums up for about 13 years now and plan to keep doing so.  When I jump into hardware or software reviews, I do so of my own opinion and observations.  No one has, nor ever will send me a free product to view, without that being clearly defined as the scenario.  Even if that were to occur, I would also remain to be critical.

Pardon the blurb, but I really felt this needed to be a front-page post and known reminder.  I have purchased products and services before with known issues, that were never shared at launch, due to review deals and all sorts of other anti-consumer deals.  There is no support for that here, nor will there ever be.  I’m into this for sharing information and learning more from people I chat with and meet.  Now that I shared some of my ethos, allow me to drop a link for our Hackerspace in South Philadelphia, PA.
http://www.secshell.com/

I speak as me, a real person who is occasionally (to often) grumpy.  I do try to be nice though :bunny:

 

Categories
Uncategorized

Cisco Noob Guide

Especially on old-school devices, you might find no one logged  any of the network topology and config details.  If you are lucky (depends on your outlook) there is no password for the console connection.  To connect over console, you will need an ethernet cable that plugs into a serial port on your config machine.  If you do have a password on console port, hopefully it’s something from your list of other device passwords.  Probably a Level-15 account.

We will be in the CLI, so all those nice GUI configs you are used to with newer devices, are not at your disposal.  So we have this guide for logging in, going into enable mode, then showing certain configurations.  This can help you map a network out, especially if you inherited it and want to document and know how it really functions.

Starting out: (Run a cable from the console port on said switch, to your machine Serial port.)

  • Use PUTTY or a similar application to connect to COM1
  • Press Enter 2x.  You should then see Console of some sort
  • Login when prompted for a password (or if none)
  • type ‘en‘ without the quotes.  This will take you to config / enable mode.
  • show ? will give you a list of available commands.
  • Start with show version to get an idea what platform and version of iOS (or PiX) you are dealing with.
  • show running-config will show you the currently running device configuration.  Feel free to archive this into a flat file for reference later.
  • show vlan is huge if you need to know the VLANs defined on the network.
    Note: Your core switch will have them defined, then other devices can reference those VLANs and route accordingly.  IF you do not have a VLAN defined somewhere, it will be useless to use as a target.

 
 

That’s my primer on dorking your way though some older cisco devices.  Granted these methods will work or be very similar in current, CLI based cisco sessions.  Happy explorations.

Categories
Uncategorized

VMWare ESXi on Gaming PC

Good morning.  I took on an attempt to install ESXi 6.0 onto a hard drive in my gaming PC.  I ran into a few modifications I needed to make, but luckily nothing too intense.

Starting out, I will rattle off my relevant PC specifications:

  • Intel i5-4690k @ 3.5 GHz
  • Asus Maximus Hero VII BIOS (3103)
  • 32 GB Corsair Vengeance DDR3 1600
  • 500 GB SATA WD Hard Drive (Non-SSD)

 
OK, so we’ll get started with an EXSi Install CD.  Upon boot up, I did not see any drives I could install to.  At first I thought I had to mark the drive active, since I did a 3-pass wipe of it prior, but that was not the case.  Turns out I had to jump into my BIOS and set my Drive Mode to RAID, instead of SATA that I had it set at.
There is no need to build a RAID array (and in my case, I’m using the Intel Z97 chipset that is the onboard SATA controller on my motherboard).  I am running a test build, otherwise a redundant RAID set should be a priority.

Once the RAID mode is set for your SATA Mode Selection (Under: AdvancedPCH Storage Configuration in my BIOS), you should now see a drive you can install ESXi to.  Also in your BIOS, if you have not already turned on Intel VT-x virtualization support, enable that as well.

Now that we have an install going, set your root password and when the install finishes, reboot.  On my 1st boot up without a network cable plugged in, I got the following message as it stuck in the boot process:
 

dvfilter-generic-fastpath: loaded successfully

 
I started to research this and was going to splunk the log files, but I rebooted and it loaded successfully.  As I have experience with supporting and deploying fresh Xen Server installs, this Hypervisor looks nearly identical in ESXi.

Once it boots up, connect to the IP Address by web browser to install the client tools, if you have not done so already.  The tools are sadly, confined to working best in a windows environment for your client software, but there is a web interface as well.  I am currently putting a Kali Linux install on via the Web Interface for EXSi, from my Mac.

That concludes my start to hypervisor online install of EXSi.  My gaming computer picked up another skill as a virtualization server.  I also have a Core 2 Duo refurb I will try the same for, but since that one is an OEM HP Machine, the BIOS features for Hyper-V and RAID support may be absent.

Categories
Uncategorized

South Philly Hackerspace

Since I have been fairly light on the forums, I wanted to make a thread about our new Philly Secure Shell hackerspace.  I have been helping setup the location, while Leo has been doing all the coordination, paperwork and intricate work.

We are in the Bok building so you can also checkout Hive 76 (different space – same building), a hardware hackerspace in the building that has been around for some time now.  As for Secure Shell, we just got into the building this month and had a local CTF trial this weekend.

 

https://twitter.com/SecShellPhilly <-+ Twitter page for our group.  We have been around for just over a year now and made the jump to getting a space as well.  Feel free to come check us out, we have a meetup page too for month meets and events as they pop up.

http://www.meetup.com/Philly-Shell-info-sec-meetup/ <-+  MeetUp page.

Personally, I’m into hardware, data recovery and log crawling with SQL database log data archiving & trending.  I’m a fan of chatting and sharing ideas, so this space will be an excellent venue for that.  Shameless plug for 2600 First Fridays as well.  I tend to make most all of the local meetups @ 30th Street Station by the Taco Bell near Bridgewater’s bar.  It’s a really fun time to get out IRL and chat IT or just crack some jokes.  Highly advised, especially if you thought about it but never got around to it yet.