Core i7-7700k build

Welcome to another PC Build thread.  I have been on an i7-7700k desktop for a week and some change.  In the last few builds I seem to be on a 2 to 3 year rotation, largely because I know people who could use computers and my custom builds would smoke a retail setup while also having good cooling layouts.  That's a fancy way of saying the equipment should run for a long time.

Current edition kit is:

  • Processor / CPU:
    Intel i7-7700k
  • Motherboard:
    Asus Hero IX Z270
  • Memory:
    32 GB Corsair DDR4 3000 MHz LED RAM
  • Storage:
    Samsung 860 Pro M.2 NVMe SSD (primary OS)
  • Power Supply:
    Corsair 850w PSU
  • Cooler:
    Corsair H115i CPU Cooler
  • Case:
    Corsair Obsidian 750D Airflow
  • Video Card / GPU:
    Asus Strix 980 GTX (Gen 1 – Non Ti)

I kept the storage, graphics card and power supply from the previous build.  I have so far put together some benchmarks from Final Fantasy XIV tools and 3D Mark products, and ran some GTA V and Watch Dogs 2 for comparison.
The short hand is that each of the FFXIV benchmarks gave a score about 1000 points higher.  Effects like elemental magic casts and screens with many extra objects on screen ran much smoother.  Checking benchmark details such as 3D Mark, the i7 does vastly better handling PhysX performance-heavy content.  Keep in mind I am running the same video card as I did in the prior i5-4690k build.

For grins I also re-installed Bioshock Infinite and ran the Benchmark.exe in the install folder.  Considering I recently switched to a 144 Hz display, I could see the benchmark running that steadily.  Looking back, I think I played the game on a 560 GTX and recall some performance drops in some areas.  Worth saying that was also likely when I was on an i5-2500k setup.

3DMark Shootout:  Please bear in mind most of the i5-4690k benchmarks were run on Windows 8.1.  I believe that is some of where you see the higher FPS numbers from the i5 versus the i7 benchmarks.

Fire Strike (standard) compare [image: FS_RegCompare.png]

Fire Strike Extreme compare [image: FS_ExtremeCompare.png]

Sky Diver compare [image: SkyDiver_Compare.png]

API Overhead compare [image: APIOverhead_Compare.png]

Time Spy compare [image: TimeSpy_Compare.png]

Cloud Gate compare [image: CloudGate_Compare.png]

Fire Strike 3-way compare including i5-2500k and a 570 GTX [image: 570to980Iteration_fsCompare.png]

Recapping this data, we see the PhysX scores are significantly higher, while base FPS are similar or a little slower than on the i5-4690k.  Please keep in mind the only benchmark in this set run on Windows 10 with the i5-4690k was Time Spy, as it requires DirectX 12 / Windows 10.  I added the compare links that also confirm this information and so you can add any benchmarks you may have run for comparison.

The last image and benchmark includes my i5-2500k build with a 570 GTX in it.  I wanted to add that for more of a scaling-over-time and performance-gain metric.  In short, if you are asking whether an i7 smooths up actual gameplay, I would say yes.  Watch Dogs 2 is a recent title I saw people mentioning benefits from extra threads and a higher CPU clock.  I can confirm that to be the case, as grass and tree-heavy shadow environments are much smoother than they were on my i5-4690k.  Similar gains can be seen in Final Fantasy XIV, particularly as the Stormblood expansion pushed some higher-usage textures and shading features to the game.

This rig is doing me well, but I did have some issues running the RAM @ 3000MHz.  I had a few application crash issues and some reboot problems as well.  After seeing a few of those I fired up Memtest and let that run for 5 to 10 hours.  Typically around the 5th hour, I started getting some errors when running the memory at the overclocked speed.  Turns out I’m not the only person with issues running the RAM @ 3000MHz on an Asus motherboard.  Stock is 2133MHz, and that passed Memtest with flying colors and also does not have the reboot issue.

Just a heads up if you are doing a build: you might see some issues if you hoped to set your XMP profile and have it just run.  Increasing the voltage to the RAM made no long-term stability improvement either.  I am running 32 GB (2x 16 GB) CMU32GX4M2C3000C15 Vengeance LED RAM for point of reference.  I was happy to see Memtest passed at stock timings, so I didn’t have to RMA them.  From the product page, the timings that should work are:

Quote

Tested Latency: 15-17-17-35
Voltage: 1.35V
Set RAM to Auto
Voltage: Auto

As I mentioned, simply using the XMP settings for 3000MHz will likely jam up your memory and system stability.  Normally I would have let an exhaustive Memtest run earlier, but you can get busy, and I ended up building 3 machines that week.  Granted, my prior build was mostly a move to another case and burn-in testing.  Speaking of MemTest, I enjoy this version of MemTest.

Occasional drafts

No, not the military type, but the writing ones. I occasionally write things to paper or a digital document before sharing them, but here on the forums it is more or less free-form. I do jump back and edit with a note if something changed heavily from the original post.

Congratulations on another Friday. The more recent hubbub about security and computers was the Shadow Brokers follow-up leak about some Windows exploits, especially the SMB file sharing ones. If anything is referenced and more commonly learned from this, I hope it is that ‘when only some people have access to exploits, they will also be used by others’. Even before these leaks dropped, I fathom persons other than the NSA had access to these exploits. Please keep that in mind when there is an attempt to engineer a backdoor into a protocol; by doing such a thing, it would still be an exploit. Remember that people using this stuff in the wild don’t tend to share that information freely. That would cut into their market share and prevent them from making lots of money using seemingly unknown methods to reach a goal.

Relaxing a little bit, if you enjoy playing Castlevania-type games, I would suggest trying Hollow Knight. It’s a platformer with hand-drawn art and an atmospheric, creepy and interesting world to explore. Between power ups and world exploration, you should have a good time. Especially since some zones are worth re-visiting as you gain new abilities. My friend suggested this one and I am pretty impressed with it. I’m about 4 zones in so far and around 11 hours of play.

Jumping back to security stuff… if you don’t have an active patch policy, enforce one asap instead of waiting for approval. I’ve been there and seen the political attempts to defer updates (especially for OSes), but seriously, just ask for forgiveness if there is an issue, because you cannot really justify the negligence of letting it slide anymore. Particularly for anything you have with open-facing internet ports and accepted routes in your firewall.

Hopefully you had a happy 4/20 yesterday. Or as I recently learned, Lima bean respect day.

Reads and Vault 7

Jolly Friday! Weather has been weird with jumps from 70 F yesterday, down to the 30s and steady but rapidly melting snow today. I recently finished reading The Art of Invisibility (amazon link) by Kevin Mitnick. I found it to be an enjoyable read, with most content being fairly well known, yet the wider applied context was helpful. Most of all, it read like a good story, instead of a technical manual. Even if you aren’t into tech heavily, I think you would find this to be a worthwhile read. The book does a good job of applying security into a rational context, without sounding all ‘tin foil hat conspiracy’.

Also buzzing around the security sphere is the Vault 7 leaks – Part 01. This archive jumps into some CIA bug exploits and attack methods they have been using. Be wary of coverage sources, namely the Wikileaks twitter account and most every mainstream news outlet. They are jumping into some unqualified headlines. Personally I think rushing to cover the story with inaccurate information goes to muddy the actual content. I still think this The Register article best covers the leaked content. Going with a TL;DR here, SmartTV microphones can be owned, but this looks to be a local attack to implement. Crypto applications can be circumvented if your phone itself gets compromised… not the application itself. There has been plenty of back and forth between the security community and mainstream news over that detail between entire phone access and the subsequent access to apps that grants. The potential to control automobiles is a concern that brings up more desire to probe the death of Michael Hastings.
I have some of the Vault 7 files to rifle through myself, as 8000+ files is quite the cache. Some applications such as Notepad++ have already patched against the disclosed vulnerabilities and other companies are scrambling to do the same. Wikileaks appears to be relaying the exploit code to vendors, as they seem to have redacted almost all of the files from release into the wild.

Outside of the computer and security sphere, I picked up the new Zelda: Breath of the Wild game and have played that a little bit. I also continue to draft up some projects I’ve been working on, but mentioning them before being live, is kind of useless :)

I also learned that interacting with political twitter is the worst, because people will keep @you about something someone else said, all in effort to get their snarky rebuttals in. I know it is difficult to have a dialog in 140 characters, but if your only response is “You’re wrong and I don’t like your opinion”, your shit is weak and you lack any contribution to the dialog. Complaining without any effort at a workable solution, just helps you reinforce your current stance. Try challenging your opinions against others and see if they stick. It’s a 2-way street, but if you are busy throwing labels @ people, I can assure you, you are accomplishing nothing except the old hug box / circle jerk of hive-minded opinions.

Steelseries Sensei Wireless mouse

Welcome to another hardware thread. This installment is about the Sensei Wireless mouse from Steelseries. I have been using a Diablo 3 mouse modeled from the Sensei wired mouse for a few years now. Considering I have also used Razer mice before, but did not like how heavy or high they seemed to arch, I went with the Sensei Wireless for my laptop.

You can use this mouse wired as well, but a thing to keep in mind is that you need to have the charging base plugged in, because that is the wireless receiver for the mouse. There is no direct bluetooth or other connection methods, short of using the charging base for wireless, or directly plugging the charge cable into the mouse for wired mode. So if you are traveling you need to bring the base and cable, or run the mouse wired.

Besides that nuance, this mouse performs awesome. I primarily use it in wireless mode while playing Final Fantasy XIV or doing general UX stuff. Clicks are smooth and the cursor is responsive. DPI goes crazy-high, but for my uses @ 1080p, I tend to run it around 5000 DPI or so. Charge life says about 20 hours, but I tend to base it when not in use. I have yet to have the mouse die on me in respect to battery life. I did have one night where it would not reconnect, but I think I had the base too close to the mouse.

In respect to usage, I use it on my desk with a mousepad, or on the bed with a pad as well. Even on the cushion it works well. As I mentioned the weight, it comes in at 115 g (0.253 lbs). Compared to many mice and reviews, this is a sweet spot, so as not to feel heavy or a burden to move around over time. I considered the newer Steelseries mice but the little LCD and significantly heavier weight were a turn-off. The charging base is probably around 2 lbs, so if you are traveling often, you might want to just use it wired instead of schlepping the charging base around too.

Lights. You can change the LED colors of the charging base, mouse logo and scroll wheel. Similar to the Diablo 3 / Sensei model mice, you have side-buttons you can program to custom keys. My favorite button is the DPI switch button under the scroll wheel. I tend to keep it in high mode, but being able to change back to 1800 or so DPI is a nice bind to have on the fly.

I really enjoy this mouse and started out with my most relevant complaint, the charging base. If there was a little usb dongle for wifi use like a logitech device, that’d be nice for travel. Other than that, well worth the $100 price I got it for on their website.

I considered a Razer mouse to go with the laptop, but I had the MMO mouse before and found it heavy and the side button bar kind of clunky. I have had the Diablo 3 Steelseries mouse since Diablo 3 released and have put many clicks into it. It continues to work to this day on my desktop. That’s the main reason I went with this wireless sensei. It takes a beating and keeps on rolling, while also feeling smooth and durable.

Razer Blade 1060 GTX (late 2016)

Howdy and thanks for reading this thread about a Razer Blade (late 2016) with a Nvidia 1060 GTX video card. I have been playing with this over the weekend, as I did research and found this to be the best bet for what I was looking for, both by performance and laptop size. I went with the 512 GB FHD model.

Starting off, Yes you can install Linux on here and it will run pretty well, granted I spent most of the weekend in Windows, running benchmarks and checking out multimedia and games. I got Ubuntu 16.04.1 on a 40 GB partition that I carved out of the 512 GB SSD M.2 Drive. To do that, I loaded up a Live USB of Ubuntu, ran gparted on the Windows partition and had it cut 40 GB into a new partition. Installed Ubuntu onto that. Best part being, GRUB and the Windows boot loader can co-exist. You may want to jump in the bios and change your default boot device, once the install is finished.

Temperature wise the GPU was hitting 179 F. While not great for temps in a desktop, this is passable for me as the games continued to run smoothly. You will absolutely hear the fans increase in noise and speed when playing any intensive games. That being said, I do feel the laptop is basically silent when not in a game.

I mentioned getting the FHD (1080p) model display over the QHD+ one. FHD is a matte finish, the brightness is higher than the QHD, and honestly the 1060 GTX will not be able to run max settings smoothly on newer games like Watch Dogs 2, or even to an extent GTA V, unless you scale down some of the advanced video fluff. Point being there, QHD resolution is going to be really daunting on the video card. I also feel 1080p on this 14″ LCD is hard to read sitting back on the couch, especially without my glasses on. So you would be even more crunched @ 3200 x 1800 (QHD+). QHD comes with a glass cover instead of a matte finish and also is + $300 to the purchase price. So I got to avoid my reflection and light bouncing, while also saving some loot.

Performance:

  • Fire Strike (3D Mark) scores over 9000. 9264 actually. You can check the details from the run on the Futuremark site.
  • Final Fantasy XIV: I can play this @ 1080p with maximum settings with a smooth 60 FPS. You will want to use the system and character config options to scale up the UX, as I did playing from the couch.
  • Doom 2016: 1080p with maximum settings is smooth and looks great.
  • GTA V: Ultra settings will get you some dips into the 40 FPS range. Tweaking some of the more expensive graphic options, will get you to or close to, a smooth 60 FPS.
  • Watch Dogs 2: My configuration from the desktop with a 980 GTX, got me into the 30 FPS range. I heard some forum chatter about this game and 1000 series cards having extra performance hits. I was able to change some of the detail settings back to High, and I got closer to 60 FPS. Even on my desktop though, driving will get you some dips into 50 and some 40 FPS ranges.

Summing this up, the 1060 GTX in this laptop is certainly slower than the 980 GTX in my desktop. While the laptop card has 6 GB of VRAM, the processing power of the 980 GTX and its 4 GB VRAM is superior. Saying that, I’m comparing a video card integrated into a 14″ laptop weighing less than 5 lbs, to a full sized desktop GPU. Performance was relatively close. I will throw some benchmarks of the laptop versus my desktop below.

Benchmark wise, you can peep the Fire Strike comparison between my desktop 980 GTX system and the Razer Blade 1060. Saving you a click, the 1060 GTX scores @ 9264 while the 980 GTX scores @ 10921.

I will add some more benchmark scores in the next post. I have to be in front of the machine to check the log results.
I think it’s pretty apparent that I am happy with this purchase and the performance of this laptop. Let me confirm that I am happy with this purchase and love this device. It looks like a black Macbook that happens to run Windows and Linux, while also having some quality, fast components in it. That being said, I got mine for just under $2000 (USD).

I did start by looking at laptops in a local Microsoft store to see what price, performance and form factor options were on the market. I used to travel for work and had a quite nice Sony Vaio laptop. This is the 1st high-performance laptop I ever bought with my own funds. Looking at the other models in-store, they either had weak video cards, or were of the Asus tier laptops, that honestly looked really crappy with all the big plastic cases and odd curvature. I didn’t want a laptop that looked like a malformed lego and weighed 10 lbs. I would say Razer is owning that market segment, for anyone wanting a fast, light weight and smooth looking laptop.

Continuing my research, I took to Razer support forums, reddit and some review sites. Review sites are good for some insight but can gloss over some big issues, especially if they are getting a review model instead of a consumer production model. I started with deciding between a QHD or a FHD display. That actually led me to read some folks who had an older model QHD+ but decided to go with FHD, both for fewer pixels on a 14″ LCD and the increased visibility from a matte finish.
The wireless card that comes in the laptop is a Killer Wireless-AC 1535 card that some reddit users noted, kind of sucks. I did run the Killer wifi briefly, but since I have a wired cable by the couch, I used a Plugable USB-C / Thunderbolt LAN NIC dongle. Using the Killer in FFXIV, I was getting some in-game lag. Also doing some ping tests on local devices, I saw quite a few 50 ms+ replies. Switching out the Killer for the Intel reduced the amount of high ping replies. YMMV, but for $25 and the use of a T5 screwbit, it’s a fairly simple replacement. As the linked reddit page notes, I also went with that Intel 8260 wifi card.

Speaking of the wired connection, it’s super fast. I was steadily Steam downloading and network transferring, and the laptop didn’t slow up at all. My internet connection was being worked, but the internal network and this wired adapter kept up without fault.

The Chroma keyboard is quite nice. Quality typing experience and the lighting effects are really enjoyable. I use the starlight pattern most of the time, unless I’m playing an MMO in the dark. Dark playing with a fixed color is really nice. If you press the ‘Function’ key, your F1 to F12 will be the only lit keys, to use the multimedia functions. However the icons for the brightness, track skip, volume, etc. will not light up. Because of the smallness of those indicators and the main letters, I figure the light bleed would be too intense. Speaking of intense, if you pick a white-based color, you might see some blur reading the keys at night in a dark room, because they are so bright. Disclaimer / reminder that I wear glasses. Still a factor with my glasses on. In the Razer application you can juggle your lighting options for the keyboard, pick a color or pattern, and adjust the brightness of the keyboard illumination. Have fun messing with the ripple effects and other keyboard light presets.

Oh yeah. You will have 3x USB 3 standard ports, 1x USB-c connection, and 1x HDMI connection on the laptop. In addition you have the power brick connector on your left and the kensington mount on the right side. In respect to battery life, I haven’t done any benchmarks yet. If you are playing games, I would just keep it plugged into the wall, as that is exactly what I was doing. By the way, here is the laptop product page. I will get some game benchmarks and comparisons later in this thread.

Benchmark of the battery gave me about 2 hours before I was on the hunt for a charger. If you happen to travel to co-locations and work on a server rack, you may want to get a PDU to 3 pin adapter so you can charge up on extended sessions. Here is a usage breakdown of battery life.

9:25 – Laptop boot. Chilling Idle
9:34 – 97 % battery. 100% brightness.
9:38 – Chrome – emergencyfm music streaming started.
9:40 – 93 %
9:53 – 87 %
10:08 – 79 %
10:13 – 76 %
10:16 – Nmap installer. 74 %
10:19 – Scan Local Lan 73 %
10:20 – Completed sn scan. 72 % Lan
10:22 – Starting intense scan. 71 %
10:37 – Scan active. 62 %
11:05 – Scan nearly finished. 46 %
11:19 – 37 %
(Went to remote site)
Ran web browser to configure devices. Battery below 20 % in about 20 more minutes. Condensing that list of times, I was in the critical low battery around 2.5 hours.

Let me step back here, I forgot to detail machine specs.

  • CPU: Intel Core i7-6700HQ (Skylake)
  • 512 GB M.2 SSD. Samsung PM951 model MZVLV512CJH.
  • 1080p LCD @ 60 Hz
  • 16 GB DDR4 RAM
  • Nvidia 1060 GTX (6 GB VRAM) on driver 376.33
  • Wireless Killer AC is what it shipped with. I replaced this with an Intel 8260 Dual-Band Wireless card.
  • Ports: 1x USB-c, 1x HDMI, 3x USB 3, 1x Headphone / Mic input combo jack, Power charger input, Kensington security lock mount

Cooling is controlled by 2 fans on the bottom of the unit. They are your air inlets, as the exhaust is behind the top of the keyboard. Under the display you will see some vent holes with a grill on them. It’s in the join between the bottom of the laptop and the display. You may also see dust collect on the bottom of the monitor, as I did cleaning up the apartment and playing FFXIV. If you want to clean the fans and open up the bottom of the laptop, you will need a T5 screwdriver to remove the 8 or so screws. The bottom plate removes similarly to a Dell laptop (or most kinds, to be honest).

The Heavensward Final Fantasy XIV Benchmark on Maximum settings in DirectX 11 at 1080p comes in at over 10334 with an Extremely High rating. The game plays crystal smooth @ 60 FPS in actual server gameplay, questing and dungeons. Run the benchmark a 2nd time to be sure, as I had some other stuff open and it gave me a score in the 8900 threshold. Also of note, alt-tabbing to check a web browser does not cause any significant performance drops.

Glitch warning. If you hook up to an external display, you may see slower gaming performance, as it seems to try and use the Intel HD 530 GPU on the processor. I saw this testing the HDMI port, running the FFXIV Benchmark and seeing my normal score of 10516 drop to 8900. I rebooted and got back into the 10000 score threshold. I can confirm this by running a benchmark with an external display hooked up and getting a lower score, then unhooking the HDMI cable (without a reboot) and re-running the benchmark to get a score in the 10000+ range.
Be warned that I had to switch to GPU-Z for thermal monitoring, as HWMonitor started showing only the Intel 530 once I hooked up an external display. This resolved itself and HWMonitor is showing both cards, with thermals for the Nvidia 1060.

In respect to fan noise at idle, I can hear them if I’m in a silent room. Confirmed that this morning before I left. However it’s pretty rare I’m in a quiet room, and even so I didn’t find the noise to be bothersome. Keep in mind I’ve spent some time in server closets and have a desktop server at home in my bedroom. YMMV. I know people call this laptop a Mac Killer, but people have also had complaints about noise from the fans at low load.

In respect to keyboard usage and interaction, this laptop works great. 1080p desktop resolution allows me to control consoles clearly, and the keyboard feels nice and responsive. While the touchpad does work, I prefer to use a trackball or mouse instead of hovering a hand over the touchpad. I cannot think of an instance where my hands accidentally moved the mouse cursor when typing, so that is a large benefit for me, as I have this issue fairly often on most other laptops.

Temperature wise rundowns over load are as follows:
CPU: Max 89 C / 192 F – Idle 45 C / 111 F with a low of 37 C / 98 F
GPU: Max 82 C / 179 F – Idle 46 C / 114 F with a low of 42 C / 107 F
SSD: Max 58 C / 136 F – Idle 38 C / 100 F with a low of 35 C / 95 F

Additional benchmarks continue in the linked thread here.

KB3201860 Adobe Flash?

So I did not install Adobe Flash, it is not in my add remove programs, nor is it any active plugin for my installed web browsers.

On this machine, I have Windows 8.1, the Flash options in control panel, but no Add/Remove for flash. I was legit baffled seeing this update pop up, as I didn’t install the software, because I feel it is more harm than good, as a security exploit vector.

KB3201860 details @ Microsoft. I am still digging around but I am really concerned how something I didn’t install is on here. I guess it will be an interesting weekend, finding this and gutting it out of this system. I also see no Adobe windows services installed.

I have heard and seen Google Chrome has its own version of Flash. But it adds extra concern if it’s escaping the Chrome ‘sandbox’, because if you can make a call to it, it can be exploited. IMO and all of that.

Oh wow, the plot thickens. Thanks to adobe’s link, it is rolled in with Windows 8.
Checking with this Installed Flash web tool, Chrome of course has Flash, as it’s baked into Chrome. My installed Mozilla based browsers fail the test (yay). IE 11 on Windows 8.1 also has its baked-in Flash. It looks like that is what this update is for. Now of course comes the quest to eviscerate it from being able to execute or be invoked.

… So then I checked again and saw Shockwave Flash Object in Internet Explorer Add-ons and was able to disable the plugin, then the ‘Is this installed’ check failed.

Computer news recap

So everyone has been foaming at the mouth about the Dyn DNS attack / mirai botnet theory on how some large sites had been down over last Friday (10/21/2016) into the weekend for some folks. There were heat maps of areas in the USA hit, and laughably common, Russia was the 1st to blame. That of course turned into more competent speculation that the attack came from a botnet of devices, such as cameras and other Internet of Things (trash) with default passwords, or worse yet hard-coded passwords.

Pardon the cynicism, but I am waiting for this coffee to cool down and it’s the morning. I would also make a list of major websites that had their user databases taken, but that would be a huge and nowhere near complete list. When that happens, the obfuscated passwords are run against some cracking methods to get the raw ASCII value.  Hashcat is something I do not yet have experience with, but I would like to set up a test Windows domain to reverse the AD password obfuscation, for the sake of seeing it run and deliver personally.  I enjoy projects.

Notable sites where the user data got popped are (with some speculation on my part, perhaps):

  • Yahoo
  • Hotmail
  • LinkedIn
  • AshleyMadison
  • MySpace
  • Twitter (~2014)
  • Facebook (~2013)


Please note that Twitter and Facebook are speculation on my part and that is why I put the projected date next to them.  At this point honestly, I give consideration that every site has potentially been popped for their user databases.  Salting and hashing your user passwords will get you so far, but like encryption, if you leave the keys with the protected data… you are not really gaining any benefit because you gave away the key to the puzzle.  We can call this security nihilism, but seriously this is worth restating.  Do not store private keys with your data; if your salt and hash method are in that production database, you are going to have a bad time.

*Sips Coffee* There is no such thing as perfection, so do not worry about chasing that dragon.  The moral of the story above however, is to not re-use passwords.  Do you have the same password for your email, bank, work, and social network sites? Please don’t do that.  It makes being a victim way easier, especially after a data breach / password dump from a major site.  Let me assure you I’m not spouting this out from my ivory tower, because I had some shared passwords between services too.  Fortunately I seem to have changed those before the accounts could get popped.

Granted, depending on how bad a network gets run, authentication could be irrelevant because an attacker had full access to the site by side-stepping authentication completely.  Another one of those theories, but yeah you have to do what you can.  I spend a formidable amount of time reading about security news and researching myself.  A few years ago I dorked around pretty heavy on facebook, laughed at the perceived privacy controls, and got put in ‘Facebook Jail’ a few times for abusing features.  That taught me the humor of what privacy means, to a site that really wants to sell me t-shirts and crawl the search history on my mobile phone to schlep advertisements, if I use their mobile application.

Wrapping this up with some dystopian nightmare, I see more and more corporations are merging on up into massive conglomerates.  It feels like only yesterday Time Warner and Comcast merged, yet AT&T is preparing to buy Time Warner.  By Time Warner I mean more than just the cable services as well.  So much for reasonable internet prices.  I mean it’s pretty clear that balanced media reporting is a relic of the past, short of some slivers of the internet and print sources.  Complaining about the media, I reference the fault that comes from major networks only reporting from one perspective, so the conservative side hones in on their pitch, while moderate or whatever you call Fox and not CNN also ignores highly relevant details, so they can pitch their sponsors’ agenda.  Worst of all, leading people to argue about disinformation they get from controlled outlets, instead of combining multiple resources and trying to come to their own conclusion.

For what it is worth, hopefully instead of trying to support broken infrastructures, global society rolls up its sleeves and looks to put in new solutions, instead of band-aids for flawed infrastructure.  In this case I mean things like replacing DNS and core network topology with a new back end, at least designed with some concepts of preventing major issues from being so detrimental.  Granted, global society applying similar methods to non-technical processes would be great too.  I hope you enjoyed the rant :bunny:

Firewall Log Fun

This thread is ongoing, but let me start with the results I have from a year’s worth of dropped firewall connections.

  • January 2016: 228376
  • February 2016: 253698
  • March 2016: 244374
  • April 2016: 494842
  • May 2016: 611021
  • June 2016: 259013
  • July 2016: 529243
  • August 2016: 406937
  • September: 2096766
  • October: 264421

Let’s jump back a minute. I am importing firewall logs for dropped connections into a MS SQL Database. September as you can see is a fun month with 2,096,766 records.
Since my firewall is a Zyxel device, I gave a look at the .csv delimited log output. Easily enough you can use a Data Import Wizard to spin the logs into some tables. Rough table to log structure is as such:

CREATE TABLE [zy_2016-09] (
  time VARCHAR(50) NULL,
  source VARCHAR(50) NULL,
  destination VARCHAR(50) NULL,
  priority VARCHAR(50) NULL,
  category VARCHAR(50) NULL,
  note VARCHAR(50) NULL,
  sour_interface VARCHAR(50) NULL,
  dest_interface VARCHAR(50) NULL,
  protocol VARCHAR(50) NULL,
  message VARCHAR(250) NULL,
  col00 VARCHAR(250) NULL
);

I am having fun crawling some output. Typically it’s some sort of fancy OpSec to not say your type of network gear, but this is meant to be informative and hopefully helpful.
So let’s crawl some queries and output in the next post.

I am in the middle of crunching data at the moment. Since we have some records, I am starting with the gigantic table for obvious trends in the dropped connections.

I didn’t have good criteria yet, so I went with ordering the output by Source, in Descending order. Giving the old scroll observation, I saw quite a few connections on port :7759.

Quote

2016-09-19 16:21:36 99.98.xx.xx:7759 xxx.xxx.xxx.xxx:7759 notice firewall ACCESS BLOCK wan1 udp Match default rule DROP

I figured I'll filter the IP result for the moment, with the xxx.xxx address being my web IP at the time. Yay, it was dropped. So that's a nice log to see.

Jumping back, I started with normal phishing ports but they were not yet as interesting as the following query.

SELECT * FROM [dbo].[zy2016-09]
WHERE [source] like '%:7759'
ORDER BY [source] desc

975340 rows returned, out of 2096766 rows. That was a big old flag for just looking into the 99.xx range by an output sort.

I'm going back to reviewing results and trending them. I did skip some details for procuring the logs from your device, setting the firewall up to log to a USB device, and so on. Manually reviewing logs sucks, and being able to do queries with COUNT(*) for totals is nice to know what you might be dealing with. Always remember the internet is being port scanned, so logging some of it hitting you lets you see the weather online.

Jolly Weekend on the upcoming Halloween season. :yar:
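Added example, not code from the thread: the same "how much of this is one port" check done in Python instead of an ordered scroll through SSMS. It parses a Zyxel-style export (header row with the trailing space on each name, the '====' separator row, then one row per drop), splits the ip:port values the way the LIKE '%:7759' query assumes, and counts per port in one pass. The seven log lines are constructed for the example; addresses and ports are made up.

```python
import csv
from collections import Counter

# Constructed sample of a Zyxel log export in the CSV layout the thread shows:
# a header row (each name carries a trailing space), a separator row of '='
# characters, then one row per dropped connection. All addresses and ports
# are made up for the example.
SAMPLE_LOG = """\
Time ,Source ,Destination ,Priority ,Category ,Note ,Source Interface ,Destination Interface ,Protocol ,Message
================================================================================
2016-09-19 16:21:36,99.98.0.10:7759,203.0.113.5:7759,notice,firewall,ACCESS BLOCK,wan1,,udp,Match default rule DROP
2016-09-19 16:21:37,99.98.0.11:7759,203.0.113.5:7759,notice,firewall,ACCESS BLOCK,wan1,,udp,Match default rule DROP
2016-09-19 16:21:40,99.98.0.12:7759,203.0.113.5:7759,notice,firewall,ACCESS BLOCK,wan1,,udp,Match default rule DROP
2016-09-19 16:22:01,198.51.100.7:54321,203.0.113.5:23,notice,firewall,ACCESS BLOCK,wan1,,tcp,Match default rule DROP
2016-09-19 16:22:05,198.51.100.7:54322,203.0.113.5:445,notice,firewall,ACCESS BLOCK,wan1,,tcp,Match default rule DROP
2016-09-19 16:22:09,192.0.2.44:7759,203.0.113.5:7759,notice,firewall,ACCESS BLOCK,wan1,,udp,Match default rule DROP
2016-09-19 16:23:15,192.0.2.99:40000,203.0.113.5:3389,notice,firewall,ACCESS BLOCK,wan1,,tcp,Match default rule DROP
"""


def load_zyxel_log(text):
    """Parse the export into dicts keyed by the stripped column names,
    skipping the '====' separator row under the header."""
    lines = [ln for ln in text.splitlines() if ln and not ln.startswith("=")]
    rows = csv.reader(lines)
    header = [name.strip() for name in next(rows)]
    return [dict(zip(header, row)) for row in rows]


def split_endpoint(endpoint):
    """'99.98.0.10:7759' -> ('99.98.0.10', 7759); port is -1 when missing."""
    host, sep, port = endpoint.rpartition(":")
    return (host, int(port)) if sep else (endpoint, -1)


def count_by_port(records, column="Source"):
    """One-pass count per port: the GROUP BY that 100 separate COUNT(*) queries approximate."""
    return Counter(split_endpoint(r[column])[1] for r in records)


def share_of_port(records, port, column="Source"):
    """(hits, total, fraction) for one port, the shape of the 975340-of-2096766 observation."""
    hits = count_by_port(records, column)[port]
    return hits, len(records), hits / len(records)


def top_source_hosts(records, n=3):
    """Most frequent source hosts regardless of port (who is scanning you)."""
    return Counter(split_endpoint(r["Source"])[0] for r in records).most_common(n)


if __name__ == "__main__":
    records = load_zyxel_log(SAMPLE_LOG)
    hits, total, frac = share_of_port(records, 7759)
    print(f"source port 7759: {hits} of {total} drops ({frac:.0%})")
    for port, n in count_by_port(records, "Destination").most_common():
        print(f"dst port {port:>5}: {n}")
    print("top sources:", top_source_hosts(records))
```

The same one-pass aggregate is a single T-SQL query once the table exists, assuming the Source column holds IPv4 ip:port strings as in the log line above: SELECT SUBSTRING([Source], CHARINDEX(':', [Source]) + 1, 10) AS port, COUNT(*) AS hits FROM [dbo].[zy2016-09] GROUP BY SUBSTRING([Source], CHARINDEX(':', [Source]) + 1, 10) ORDER BY hits DESC. Counting destination ports the same way tells you what the scanners were looking for, which is usually more useful than the source port.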

Let’s get some Python involved. Manually writing queries is going to be a pain and take a ton of time.

# Dump queries with start-to-end port range

import sys

pstartNum = int(input("Source Port number start: "))
q1 = "SELECT COUNT(*) AS Port_"
q2 = "FROM [dbo].[zy2016-09]"
qWat = "WHERE [Column 1] like '%:"
qClose = "'"
for x in range(100):
    sys.stdout.write("%s%s %s \n" % (q1, pstartNum, q2))
    sys.stdout.write("%s%s%s \n" % (qWat, pstartNum, qClose))
    print("GO")
    print()
    pstartNum = pstartNum - 1
sys.exit(0)

While I’m not a python wizard, this code works. What it does is start from a user-inputted port number and runs a loop 100 times, subtracting 1 for each iteration.

As for why I am using sys.stdout.write: it is to control the spacing of the string output, so I get functional SQL queries. print() puts a space between comma-separated arguments by default, so print(q1, pstartNum, q2) would give you "Port_ 8888" and a broken alias; writing one pre-formatted string avoids that.

I was trying to find a way to handle this in print, but I was fighting against how string interpolation and output control in Python works. Ending this part with what a pair from the 100 loop looks like

Output:

SELECT COUNT(*) AS Port_8888 FROM [dbo].[zy2016-09] 
WHERE [Column 1] like '%:8888' 
GO

SELECT COUNT(*) AS Port_8887 FROM [dbo].[zy2016-09] 
WHERE [Column 1] like '%:8887' 
GO

I defined the q variables as parts of the SQL query, instead of kludging together a nasty looking sys.stdout.write line, while keeping it more easy to edit and maintain.

By adding 'GO' as the 3rd line, I can have each query run in turn instead of not getting results until all 100 queries complete. For some samples of SQL code, check out this MS SQL usage thread I have up here.

Debugging the SQL, here is the breakdown of the output above.

Quote

SELECT COUNT(*) AS Port_8887 FROM [dbo].[zy2016-09]

WHERE [Column 1] like '%:8887'

GO

SELECT COUNT(*) AS Port_8887

This does a count for the matched records and displays it to your results. If you want to see the record results, replace COUNT(*) with *

FROM [dbo].[zy2016-09]

Here is the name of the table you imported from your firewall log. In my case, it’s the name I gave to the exported firewall logs.

WHERE [Column 1] like '%:8887'

This is the search criteria applied to the entire table. The pattern '%:8887' matches any value in [Column 1] that ends with a colon followed by 8887, i.e. the port number; [Column 1] is the column that holds the source IP address and port, as defined in the 1st post.

GO

GO is not a T-SQL statement; it is the batch separator that SQL Server Management Studio and sqlcmd recognize. Ending each query with it sends that batch on its own, so each count comes back as it finishes instead of waiting for all 100 queries to complete.

Running this in Microsoft SQL Server Management Studio, from a New Query window, you will get similar output to below image.

[Image: PortCountOutput_Query.png, the SSMS result grids for the Port_ count queries]

I am showing 2 example outputs, but the python script is doing 100 iterations.

Jumping back to source Log files.

Depending on your device, check the top of the file. You will likely have some column headers, and in my case I had a line of ‘======’ characters. I find it easier to remove the header and 2nd line, then save the modified file as a new file.

Example log file header for Zyxel firewall:

Quote

Time ,Source ,Destination ,Priority ,Category ,Note ,Source Interface ,Destination Interface ,Protocol ,Message

========================================================================================================================================================================================================================================================================================

To save hassle on the import, I saved the modified files as zy(Year)-(Month) (IE: zy2016-09) as seen in the SQL code examples. These became my table names when I imported them into my database. By deleting the top two lines, the new file works as a clean csv to import.

What is the python doing?

I read a few books for python and read the online manual, but trying to format string output was driving me crazy. To save you some rage, my observations are that using print(“text”,variable,”rest of query line 1″) will always force a space to be inserted. This will not fly in SQL queries and you don’t want that hassle.

Trying to avoid vomit inducing code and searching around, I found that using stdout.write, lets you define the output spacing, followed by your variable values. It took me vastly longer than I would have liked to have figured this out, but considering generating database scripts was the main goal I had for learning python, I’m pretty excited this works. :)

The running python code is higher in the thread, but below I explain each line, with a # comment under each line.

Line for line breakdown to build the SQL Queries:

import sys
# import sys so we can use sys.stdout.write (and sys.exit at the end)

pstartNum = int(input("Source Port number start: "))
# Ask the user (you) to enter a start port number.

q1 = "SELECT COUNT(*) AS Port_"
# Start of the SQL query; in this case we are getting a count instead of displaying the matching rows.

q2 = "FROM [dbo].[zy2016-09]"
# FROM portion of the SQL query (the table the log was imported into).

qWat = "WHERE [Column 1] like '%:"
# Search criteria: the source column ends with ':' followed by the port number.

qClose = "'"
# Closes the quoted LIKE pattern.

for x in range(100):
# Run this loop 100 times.

    sys.stdout.write("%s%s %s \n" % (q1, pstartNum, q2))
# Three %s slots: the SELECT fragment and the current port number with no space between them (so the alias reads Port_8888), then a space and the FROM fragment.

    sys.stdout.write("%s%s%s \n" % (qWat, pstartNum, qClose))
# Three %s slots with no spaces between them: the WHERE fragment, the current port number, and the closing quote.

    print("GO")
# Batch separator, so each query runs and returns its count instead of waiting for all 100.

    print()
# Prints a blank line.  I saw some crazy code to do this by other means, but since all I want is a blank line, this is way easier and fits the bill.

    pstartNum = pstartNum - 1
# After each query pair, subtract 1 from the port number so the next pass covers the next port down. (Note that a start value below 99 reaches negative numbers; there are no negative ports, so those queries simply return 0.)

sys.exit(0)
# Exit once the loop is done, so the output can be copied and pasted into the SQL query window. (A bare "exit" on its own line only names the built-in and does nothing; sys.exit() actually ends the script.)

Remember this is a breakdown of the source code from the above 3rd post.

If you want this to run for 1000 iterations, change the for x in range(100) to for x in range(1000) or whatever works for you.

If you are not already doing this on your own equipment, you may anger some server admin with resource utilization. Or in the case of using Amazon Web Services or other hosting, your bill might get nasty expensive.

Table structure and Imports revisited

In the case of Zyxel logs, we are better off keeping the 1st line for headers and removing only the line of '=' characters shown in post #5. Once that line is removed, save the .log file and import the records into a table with the MS SQL Import Wizard. This way we know everything imported OK, and if it fails, it is most often because a value in an input column is longer than the width of the column defined in the new table.

In the case of a Zyxel firewall log, this table structure matches the log format and should import without error. Here are the columns with varchar widths that hold the exported values:

[Time]   varchar(50)
[Source]   varchar(50)
[Destination]   varchar(50)
[Priority]   varchar(50)
[Category]   varchar(50)
[Note]   varchar(250)
[Source Interface]   varchar(50)
[Destination Interface]   varchar(50)
[Protocol]   varchar(50)
[Message]   varchar(450)

There will be some trailing spaces in the inserted column names, but at least they are consistent with the source data. You can edit the Design of the table after the import, since renaming the columns will not break the data sets; in queries the trailing spaces seem to be ignored, so edit to your preference.
When doing the import, click Advanced on the Flat File Source page of the wizard and edit OutputColumnWidth for each column to match the varchar widths listed above; otherwise the wizard's default width of 50 trips on longer Message values.
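Added example, not from the thread: a Python check to run over the export before the import, so the column widths come from the data rather than from a failed wizard run. It skips the '====' row, strips the trailing space from each header name, records the longest value seen per column, flags any that would overflow the widths listed above, and can emit the matching CREATE TABLE. The two-row log is constructed for the example (made-up addresses), with the second Message padded out to overflow varchar(450).

```python
import csv

# Varchar widths the thread settles on for the Zyxel log table.
COLUMN_WIDTHS = {
    "Time": 50, "Source": 50, "Destination": 50, "Priority": 50, "Category": 50,
    "Note": 250, "Source Interface": 50, "Destination Interface": 50,
    "Protocol": 50, "Message": 450,
}

# Constructed two-row export (made-up addresses). The second Message is padded
# to show a value that would not fit varchar(450) on import.
SAMPLE_LINES = [
    "Time ,Source ,Destination ,Priority ,Category ,Note ,Source Interface ,Destination Interface ,Protocol ,Message",
    "=" * 80,
    "2016-09-19 16:21:36,99.98.0.10:7759,203.0.113.5:7759,notice,firewall,ACCESS BLOCK,wan1,,udp,Match default rule DROP",
    "2016-09-19 16:21:37,99.98.0.11:7759,203.0.113.5:7759,notice,firewall,ACCESS BLOCK,wan1,,udp,"
    + "Match default rule DROP " + "extra detail " * 40,
]


def profile_columns(lines):
    """Return {column: longest value seen} for an export, skipping the '====' row."""
    rows = csv.reader(ln for ln in lines if ln and not ln.startswith("="))
    header = [name.strip() for name in next(rows)]
    longest = {name: 0 for name in header}
    for row in rows:
        for name, value in zip(header, row):
            longest[name] = max(longest[name], len(value))
    return longest


def overflowing_columns(longest, widths=COLUMN_WIDTHS):
    """Columns whose longest value exceeds the planned varchar: {name: (seen, allowed)}."""
    return {name: (seen, widths[name]) for name, seen in longest.items()
            if name in widths and seen > widths[name]}


def create_table_sql(table, widths=COLUMN_WIDTHS):
    """T-SQL CREATE TABLE with bracketed names, sized from `widths`."""
    columns = ",\n".join(f"  [{name}] varchar({width}) NULL" for name, width in widths.items())
    return f"CREATE TABLE [dbo].[{table}] (\n{columns}\n);"


if __name__ == "__main__":
    longest = profile_columns(SAMPLE_LINES)
    print("longest per column:", longest)
    print("would overflow:", overflowing_columns(longest))
    print(create_table_sql("zy2016-09"))
```

Feed profile_columns a real export with open(path) and the lines come straight from the file; if overflowing_columns reports anything, raise that width in both the CREATE TABLE and the wizard's OutputColumnWidth before importing.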

Extra posts

Hello.  Below I added 60 other posts relating to computer projects and threads from the Break Fix forum.  Hopefully some of the information is helpful.  I like to keep exploring and sharing what I believe to make sense.  Thank you for visiting and reading.
whois funtimebliss.com
* since 2002 :) first time I typed the command for that, instead of using a webpage lookup

Forensic talk slides

Hello! I was able to do a fire talk @ Drexel CCI in the Rush building last night. It was fresh to get feedback from people, sharing my presentation and getting to see everyone else present and to chat with people.

If you would like some slides about the use of dd, sha256sum and exiftool, you are welcome to the slides. :)

For fun, you can run exiftool on this ppt, exported from LibreOffice.

For accessibility and ease of access, I added the text contents of the slides below in this post. Also of note, I used photos, because I finished the slides the day I presented them. :p

Text from slides below:

|+| Slide 01

Forensication

A data backup and verification chat.

Backing up and ripping data, making test beds and using equipment.

This fire talk will cover:

Write-blockers (hardware), dd, sha256sum, exiftool.

|+| Slide 02

Disclaimer (01 of 02)

Formal forensics is a wide field and circles around the notion of backing up information, with minimal to no changes of the source data.

Deeper forensic scope also involves analyzing the platform / Operating System, in order to determine OS level access (Example – thumbs.db folder indexers) versus manually viewed files.

|+| Slide 03

Disclaimer (02 of 02)

This talk is based on using your own test data to exercise analytic tools and to understand how they work, without worrying about client liability. Use test data you are familiar with: it makes finding 'the needle in the haystack' and spotting patterns tremendously easier.

Testing with the tools will give you the comfort to provide services for others.

|+| Slide 04

Backstory

Howdy. I got into data imaging over the years from system building and also doing support for friends, family and businesses. Originally plugging a hard drive into another machine, I would target C:\Users and grab profile data. Also including application data and whatever else.

After a while I got into Linux for file ripping. Some files are protected under Windows, even when the disk is attached as a 2nd drive.

|+| Slide 05

Tool usage

There are plenty of tools and applications with forms you can use. However they can be quite expensive.

Personally, I like having built-in command line tools available. Especially for the sake of booting up a live cd at any location and being able to work, based on what I’m being asked to do or recover.

|+| Slide 06

Write Blocker Imaging

Using a hardware write-blocker is an assured way to not modify the contents of the source drive.

They are around $300 USD, so you have some cheaper options to do software write blocking… but if you forget to turn it on, you can contaminate your data source.

(Such as browsing a folder, having windows make new thumbs.db files)

|+| Slide 07

[Picture of write blocker source drive, and output drive]

|+| Slide 08

Imaging Drives

[console]

sudo dd if=/dev/sdf of=/dev/sdg bs=16384k

[/console]

For a 500 GB HDD, it took about 3 hours. (results below)

[output_example]

29808+1 records in

29808+1 records out

500107862016 bytes (500 GB, 466 GiB) copied, 10836.7 s, 46.1 MB/s

[/output_example]

So how do you come up with the device names?

[console]

ls /dev/sd*

[/console]

[output_example]

/dev/sda

/dev/sda1

/dev/sda2

/dev/sdb

/dev/sdb1

[/output_example]

|+| Slide 09

Verifying disk image

Now that your drive is imaged, let’s start verifying with the source drive, hooked up to the write-blocker.

This is for the source drive.

[console]

sudo sha256sum /dev/sda

[/console]

[output_example]

cc73a7aefba01ee7550dab0870b1ef52e1f7dc3d7f685357a5712fc5c2c4c7bf /dev/sda

[/output_example]

Unhooking the source drive, plug in the target / copied drive and run the same command.

[console]

sudo sha256sum /dev/sda

[/console]

[output_example]

cc73a7aefba01ee7550dab0870b1ef52e1f7dc3d7f685357a5712fc5c2c4c7bf /dev/sda

[/output_example]

In the above, I hooked up the cloned drive, powered up the Write-blocker, confirmed the disc mounted, then calculated the cryptographic checksum.

Boom! It’s a match :)

|+| Slide 10

Cryptographic Checksums

There are plenty of options for generating checksums. MD5 and SHA-1 are still commonly used, but both have known collision weaknesses (practical collisions for MD5, and SHA-1 is no longer considered collision resistant), so for verifying evidence images prefer SHA-256.

Signature-based anti-virus that keys on MD5 hashes is exposed to the same collision problem.

Tools to get a checksum for a file are:

md5sum

sha1sum

sha256sum

|+| Slide 11

Checksum examples

Here I made a text file, saved it then calculated what the file’s crypto hash is (in sha256).

Making a new file called ‘sampleChecksum.txt’ with the contents of ‘Hello checksum’ and saving it.

[console]

nano sampleChecksum.txt

[/console]

Obtaining the checksum of said file:

[console]

sha256sum sampleChecksum.txt

[/console]

[output_example]

9f8135859f0d32a46093fdf272952fb1133a8995af32f0b3e0f39daacfb78ffs sampleChecksum.txt

[/output_example]

Making a second file with a single character change, I calculated that hash. New file called ‘sample02Checksum.txt’ with the contents of ‘Hello Checksum’ and saving it.

[console]

sha256sum sample02Checksum.txt

[/console]

[output_example]

65762af89d327b44f6b824689cbe7169869ebf054384bab9a699aae25e51fb7f sample02Checksum.txt

[/output_example]

The file contents are as described above: identical except that the second file has an upper-case C in Checksum, while the original is lower case. Note how different the checksums are for two files with similar names and a single character of difference in their contents.

|+| Slide 12

Other checksum examples

ISO downloads and similar downloads tend to use MD5, so here are some extra output_examples using the same 2 base files we made.

[console]

md5sum sampleChecksum.txt

[/console]

[output_example]

9938b398bc883db337fb41431545955b sampleChecksum.txt

[/output_example]

[console]

md5sum sample02Checksum.txt

[/console]

[output_example]

65019593d2acc1e5fb4138dc18facd87 sample02Checksum.txt

[/output_example]

sha1sum likewise gives a unique output for each file, at 40 hex characters, 8 more than the 32 returned by md5sum.

|+| Slide 13

(Duplicate slide of slide 12)

Reminder that I did add a little more elaboration than was in the original slide show, since I made it pretty quickly after collecting my test results.

|+| Slide 14

BONUS ROUND – exiftool

Here I am grabbing the logo image from my site, then checking the image metadata for extra details.

[console]

wget https://funtimebliss.com/pathToASiteLogo/ftb-logo.png

[/console]

|+| Slide 15

Exiftool (continued)

Now that we have a local copy of ftb-logo.png, let’s see what details we get from the file.

[console]

exiftool ftb-logo.png

[/console]

[output_example]

ExifTool Version Number : 10.26

File Name : ftb-logo.png

Directory : .

File Size : 29 kB

File Modification Date/Time : 2013:05:29 11:45:14-04:00

File Access Date/Time : 2016:09:26 12:20:58-04:00

File Inode Change Date/Time : 2016:09:22 14:26:31-04:00

File Permissions : rw-r--r--

File Type : PNG

File Type Extension : png

MIME Type : image/png

Image Width : 465

Image Height : 100

Bit Depth : 8

Color Type : RGB with Alpha

Compression : Deflate/Inflate

Filter : Adaptive

Interlace : Noninterlaced

SRGB Rendering : Perceptual

Background Color : 255 255 255

Pixels Per Unit X : 2835

Pixels Per Unit Y : 2835

Pixel Units : meters

Modify Date : 2009:10:13 17:45:32

Comment : Created with GIMP

Image Size : 465×100

Megapixels : 0.046

[/output_example]

|+| Slide 16

Exiftool conclusion

Checking the Modify Date we see it was modified on 2009/10/13 around 5:45 PM. This matches up to the logo creation date.

Checking the Comment we see the image was edited in GIMP. I can confirm that as a fact, as I left the comment export option

Looking at the File Modification Date/Time that is consistent to when I uploaded that file into WordPress for my front page of the site.

There are TONS of supported file types for use with the EXIFTOOL and this is only one tool. Have fun and explore!
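Added example, not exiftool's code and not the real ftb-logo.png: a minimal PNG chunk walker in Python that reads the same fields the exiftool run above reports (dimensions, bit depth, colour type, the tEXt Comment and the tIME modify date) and checks every chunk's CRC on the way. It builds its own sample PNG in memory with the values from the output above (465x100, RGB with Alpha, "Created with GIMP", 2009-10-13 17:45:32), so it runs offline. The point for the forensic reader is that these fields live inside the file, not in the filesystem timestamps: the tIME chunk and the GIMP comment survive copying and uploading, which is why exiftool could still show the 2009 date on a file uploaded in 2013.

```python
import struct
import zlib
from datetime import datetime

# Added example: a minimal PNG chunk walker. The sample image is constructed
# in memory here; it is not the real ftb-logo.png.

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
COLOR_TYPES = {0: "Grayscale", 2: "RGB", 3: "Palette",
               4: "Grayscale with Alpha", 6: "RGB with Alpha"}


def _chunk(kind, data):
    """Encode one PNG chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(kind + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + kind + data + struct.pack(">I", crc)


def build_sample_png(width=465, height=100, comment="Created with GIMP",
                     modified=datetime(2009, 10, 13, 17, 45, 32)):
    """Constructed white RGBA image carrying a tEXt Comment and a tIME chunk."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    scanlines = b"".join(b"\x00" + b"\xff" * (4 * width) for _ in range(height))
    t = modified
    time_chunk = struct.pack(">HBBBBB", t.year, t.month, t.day, t.hour, t.minute, t.second)
    text_chunk = b"Comment\x00" + comment.encode("latin-1")
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"tEXt", text_chunk)
            + _chunk(b"tIME", time_chunk) + _chunk(b"IDAT", zlib.compress(scanlines))
            + _chunk(b"IEND", b""))


def parse_png_metadata(data):
    """Walk the chunks, verify every CRC, and collect the metadata exiftool shows."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    meta = {"text": {}}
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        length, kind = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_bytes) != 4:
            raise ValueError(f"truncated {kind!r} chunk at offset {pos}")
        if zlib.crc32(kind + body) & 0xFFFFFFFF != struct.unpack(">I", crc_bytes)[0]:
            raise ValueError(f"CRC mismatch in {kind!r} chunk at offset {pos}")
        if kind == b"IHDR":
            w, h, depth, ctype, _, _, interlace = struct.unpack(">IIBBBBB", body)
            meta.update(width=w, height=h, bit_depth=depth,
                        color_type=COLOR_TYPES.get(ctype, str(ctype)),
                        interlaced=bool(interlace))
        elif kind == b"tEXt":                      # keyword NUL text, latin-1
            key, _, value = body.partition(b"\x00")
            meta["text"][key.decode("latin-1")] = value.decode("latin-1")
        elif kind == b"tIME":                      # last-modification time, UTC
            y, mo, d, hh, mm, ss = struct.unpack(">HBBBBB", body)
            meta["modify_date"] = datetime(y, mo, d, hh, mm, ss).isoformat(" ")
        elif kind == b"IEND":
            break
        pos += 12 + length
    return meta


def is_intact(data):
    """True when every chunk parses and its CRC checks out."""
    try:
        parse_png_metadata(data)
        return True
    except ValueError:
        return False


def tamper(data, marker=b"GIMP"):
    """Flip one byte inside the chunk containing `marker`, breaking that chunk's CRC."""
    bad = bytearray(data)
    bad[data.index(marker)] ^= 0xFF
    return bytes(bad)


SAMPLE_PNG = build_sample_png()

if __name__ == "__main__":
    for key, value in parse_png_metadata(SAMPLE_PNG).items():
        print(f"{key}: {value}")
    print("tampered copy intact:", is_intact(tamper(SAMPLE_PNG)))
```

Pass open(path, "rb").read() to parse_png_metadata for a real file; the CRC check is what separates an image whose metadata you can trust from one that has been edited by hand, and the same walker is the starting point for stripping tEXt and tIME chunks before publishing an image.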