Linux commands “astu” and “astsu” in Mr. Robot

[image: mr_robot]

People told me that the hacking in “Mr Robot” was pretty accurate. Mr Robot is a TV series about a hacker named “Elliot”. I had to see it, but until now I was lacking the time. Last Sunday was a perfect lazy day and I took the time to finally watch it. I must admit it was pretty amazing to see the inside of a data-center and all the geeky Linux command line screens in such a popular TV series.

Linux commands “astu” and “astsu”

When Elliot (the main character) is hacking he uses two Linux commands frequently: “astu” and “astsu”. The commands play a critical role in the series. I did not know what they did, so I wondered:

Did anyone figure out what the “astsu” command is supposed to be? Did he just type random characters or what? The other commands I noticed were all real.

On which some other user on the Cyberpunk and Science Fiction board replied:

It seems to be used like sudo (or ssh) would, so I guess the idea was that the company that he works for has its own way to allow safe privilege escalation and this is the tool they install: astsu = AllSafe Toolkit Super User (AllSafe Security being the company name).

You should read the Mr. Robot Episode 1 Analysis for more detail on the actual commands used during the hacking.

Things I liked

Some things were really spot on in the series and I liked them a lot:

  1. The correctness, detail and accuracy of the hacking that goes on.
  2. Elliot has some social challenges and thus feels like an outsider.
  3. Elliot is unhappy and this is his strength, as he has nothing to lose.

But not everything was good, there was also some stuff that bothered me in the series.

Things that bothered me

Here is a list of the most annoying things in the series:

  1. Elliot uses a smart-phone and he never switches SIM or phone.
  2. Elliot’s schizophrenia is making his conspiracy thinking less genuine.
  3. Computers and downers do not match. Caffeine on the other hand…

I feel the makers of Mr. Robot should have thought these things over better. Nevertheless they made an enjoyable TV series. Recommended!


Docky makes Xubuntu look pretty

Xubuntu is my favorite Linux distribution. It is fast, pretty and minimal. Right now I am running versions 15.04 and 14.04 (LTS). Previous versions used to have a sort of dock at the bottom, but current versions do not. In the current version the top panel holds the “Application Menu”, “Window Buttons” and the “Notification Area”. When you move that panel down it will feel familiar to Windows XP users. To ease the transition for Mac OSX users you may need some more adjustments. Apple desktop users need features like a dock, expose and a quick launcher.

1) Docky is a good looking icon dock

[image: xfce_docky]

Docky is a dock that looks great and indicates open programs, so it can be a replacement for the “Window Buttons” in the taskbar. Removing these from the panel is easy (right-click). I recommend installing Docky with the following command:

sudo apt-get install docky

There are two tricks you may want to execute after installation, read about them below.

Docky: Remove the anchor icon

Docky has an anchor icon in the dock by default. It allows you to configure the dock. This can also be done by right-clicking a border or a separator, so you don’t really need the anchor icon. You can simply remove the anchor icon using the following command (source):

gconftool-2 --type Boolean --set /apps/docky-2/Docky/Items/DockyItem/ShowDockyItem False

You may replace “False” at the end of the line with “True” to revert the change.

Docky: Wrong Thunar and Terminal icons

The “Thunar” and “Terminal” icons may look bad/weird and the applications may have double entries in the dock. This problem is less serious than it looks. It is caused by Docky not being able to find the corresponding application shortcuts (that contain the icon path). This can easily be fixed with the following commands (source):

# The .desktop files are world-readable and the target is your own home
# directory, so no sudo is needed (copying as root would leave root-owned
# files in ~/.local that you cannot edit later). Create the directory first
# in case it does not exist yet.
mkdir -p ~/.local/share/applications
cp /usr/share/applications/xfce4-terminal.desktop ~/.local/share/applications
cp /usr/share/applications/Thunar.desktop ~/.local/share/applications

NB: You may encounter other applications with this problem, but this is easily fixed in a similar fashion.

2) Skippy-XD adds expose functionality

The “expose” functionality shows clickable miniature versions of all windows in a non-overlapping layout, to enable quick and pretty switching between applications. For Ubuntu there is “Skippy-XD”, an application that does exactly that. It has a daemon mode and a run-once mode. The daemon mode is very usable. Here is how to install skippy-xd (source):

sudo add-apt-repository ppa:landronimirc/skippy-xd-daily
sudo apt-get update
sudo apt-get install skippy-xd

To make it start during login navigate in the main menu to “Settings” > “Session and Startup” > “Application Autostart” and add the following command:

skippy-xd --start-daemon

To make F3 act as the expose hot-key navigate in the main menu to “Settings” > “Keyboard” > “Application Shortcuts” and add the following command:

skippy-xd --activate-window-picker

Now logout and login to see whether the application indeed works as intended.

3) Launchy is a great quick launcher

You know how conveniently you can search on OSX with Ctrl-Space? This can easily and beautifully be configured using the “Launchy” application. It can be installed using the following command:

sudo apt-get install launchy launchy-plugins

After installation you may have to edit the settings to make Launchy properly index your “Documents” and “Downloads” folders. Also make sure you check out the plugin configurations.

Conclusion

After installing and configuring these applications your Xubuntu is feeling a bit more like OSX. For people that are switching operating systems this may be a good thing (they could also try Elementary OS). I personally dislike having a dock and prefer the gnome 2 layout with 2 panels: one on top with the main menu and one on the bottom with the window buttons. This is exactly why power users like Linux: you can customize it to fit your needs.

Windows compatibility broken in Linux kernel (fixed)

[image: linux_steam_broken]

I’m running Ubuntu Linux and today I found that Steam did not work anymore (nor did some other Windows applications). Steam could not find my games and the store was not working. I remember installing some security updates. It turns out that Wine crashes on Ubuntu 14.04 LTS with the latest kernel update (3.13.0-59). There are several workarounds:

  1. Run “wineserver -p” in the terminal before starting Windows applications (like “steam”).
  2. Revert the kernel update with “sudo apt-get remove linux-image-3.13.0-59-generic” and “sudo update-grub”.
  3. Upgrade the kernel with “sudo apt-get install linux-image-generic-lts-vivid”.

Bug reports on the web

There are multiple places where people are discussing this bug:

I hope this helps you all… Happy gaming on Linux!

Update: A new kernel has been released, which fixes the problem: linux-image-3.13.0-61-generic (automatically installed)


Detecting torrent traffic on a Linux box

[image: torrent_detection]

At home I am sharing my Internet connection with several other family members. Sometimes my Internet is very slow with high latencies, causing my interactive SSH connections to stutter. The problem is always the same: somebody is downloading a torrent. And although I have no objection against torrent technology (it has many good applications), I hate it when I cannot work properly on my remote servers. So I decided to take action.

Wireshark and Tshark to the rescue

Wireshark has a command line version called “tshark”. It has a bittorrent protocol analyzer and can be used to do Deep Packet Inspection (DPI). I decided to make a simple script that runs every 5 minutes and samples the network traffic for 10 seconds. After that it sends a report (top list, including packet count) of the local IP addresses that do the most torrent traffic (if there are any). It can be run using:

sudo tshark -a "duration:10" -Y bittorrent -f 'not port 80 and not port 22 and not port 443' | grep -o "192\.168\.1\.[0-9]\+" | sort | uniq -c | sort -rn | head | mail -E -s "LAN abusers" maurits@vdschee.nl

It is using postfix to send email via the gmail SMTP server (gmail account required). I am running the above in a cron job every 5 minutes. You may simply run this script on the gateway of your network. In case you can set up a port mirror on the switch of your up-link, you can run this in promiscuous mode. Tshark will try to enable this mode by default; if it does not work, check the FAQ here.

Blocking on detection

There are several ways to block the user that is abusing your network. I feel that temporarily null-routing the IP address is the simplest way. Additionally you may add an entry to your DHCP lease table so that the user cannot simply request a new IP address. Filtering the good from the bad traffic is actually much more complicated. For one, because you need to find all the bad packets (as the software may try to avoid the block by switching protocols). If you really want to give it a try, you may look at netfilter string match. If you do, make sure you enter good offsets and ranges to avoid a negative performance impact on your network. Also I would not know where to get a maintained and complete set of protocol signatures.

[image: torrent_utp_detection]

Detecting uTP

If you are using the “Deluge” torrent client, you will be quickly detected by the above script. When you are using “Transmission” (another client) you may get away undetected. This is caused by the Micro Transport Protocol (aka “uTP”). This is a UDP-based torrent protocol that Tshark cannot recognize yet. It is not very hard to make a custom rule that detects “uTP”. This is the custom filter:

sudo tshark -a "duration:10" -Y 'udp[8:5] == "\x64\x32\x3A\x69\x70" or bittorrent' -f 'not port 80 and not port 22 and not port 443' | grep -o "192\.168\.1\.[0-9]\+" | sort | uniq -c | sort -rn | head | mail -E -s "LAN abusers" maurits@vdschee.nl

The above command will also detect the “undetectable” uTP protocol. You may even extend the match a little, as there are more fixed-position bytes that can be matched.
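To make visible what the two tshark pipelines above actually match and count, here is the same detection logic re-implemented over a few constructed packets. This is an added example, not code from the original post. Two things are assumptions rather than taken from the page: the BitTorrent rule is reduced to the well-known TCP handshake prefix (0x13 followed by "BitTorrent protocol") instead of Wireshark's full bittorrent dissector, and the uTP rule is exactly the post's byte match, the first five UDP payload bytes equal to "d2:ip" (udp[8:5] in tshark terms, since the UDP header is 8 bytes). The per-host aggregation reproduces the grep -o | sort | uniq -c | sort -rn | head stage, and an empty result stands in for what mail -E does with an empty report.

```python
"""Added example (not the post's own code): tshark detection rules and the
per-host top list, re-implemented over constructed packets so they can be
inspected offline.

Assumed (not from the page): the simplified TCP handshake signature; the
uTP rule is the page's udp[8:5] == "\x64\x32\x3A\x69\x70" byte match.
"""
from collections import Counter
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")     # subnet the post's grep -o matches
BT_HANDSHAKE = b"\x13BitTorrent protocol"        # assumed: classic TCP handshake prefix
UTP_SIGNATURE = b"d2:ip"                          # \x64\x32\x3A\x69\x70 from the post
EXCLUDED_PORTS = {22, 80, 443}                    # the -f capture filter in the post


def is_torrent(proto, sport, dport, payload):
    """True when a packet passes the capture filter and matches either rule."""
    if sport in EXCLUDED_PORTS or dport in EXCLUDED_PORTS:
        return False                              # 'not port 80 and not port 22 and not port 443'
    if proto == "tcp" and payload.startswith(BT_HANDSHAKE):
        return True                               # stands in for -Y bittorrent
    # udp[8:5]: byte 8 of the UDP datagram is the first payload byte,
    # so the post's rule compares the first five payload bytes.
    if proto == "udp" and payload[:5] == UTP_SIGNATURE:
        return True
    return False


def lan_hosts(src, dst):
    """Like grep -o on the tshark line: every LAN address on the line counts,
    whether it is the source or the destination."""
    return [ip for ip in (src, dst) if ipaddress.ip_address(ip) in LAN]


def top_abusers(packets, limit=10):
    """Count matching packets per LAN host, most packets first
    (sort | uniq -c | sort -rn | head). Returns [] when nothing matched."""
    counts = Counter()
    for src, dst, proto, sport, dport, payload in packets:
        if is_torrent(proto, sport, dport, payload):
            counts.update(lan_hosts(src, dst))
    return counts.most_common(limit)


def report(packets, limit=10):
    """Render the list the way uniq -c prints it, or None when the report is
    empty so the caller can skip sending mail (what mail -E does)."""
    rows = top_abusers(packets, limit)
    if not rows:
        return None
    return "\n".join(f"{n:7d} {ip}" for ip, n in rows)


# Constructed sample capture: (src, dst, proto, sport, dport, payload).
# Addresses outside the LAN are documentation ranges, not real peers.
SAMPLE = [
    ("192.168.1.23", "203.0.113.5", "tcp", 51413, 6881, BT_HANDSHAKE + b"\x00" * 8),
    ("203.0.113.9", "192.168.1.23", "udp", 6881, 51413, b"d2:ip6:\xc0\xa8\x01\x17e"),
    ("192.168.1.23", "203.0.113.9", "udp", 51413, 6881, b"d2:ip6:......e"),
    ("192.168.1.40", "198.51.100.2", "udp", 40000, 6881, b"d2:ip6:......e"),
    ("192.168.1.40", "198.51.100.2", "tcp", 40001, 443, BT_HANDSHAKE),  # port 443: excluded
    ("192.168.1.7", "203.0.113.80", "tcp", 50000, 80, b"GET / HTTP/1.1\r\n"),
    ("192.168.1.7", "198.51.100.8", "udp", 5353, 5353, b"\x00\x00\x84\x00"),
]

if __name__ == "__main__":
    print(report(SAMPLE) or "no torrent traffic in this sample")
```

Two properties of the original pipeline show up directly here: the capture filter wins over the display filter (the handshake on port 443 is never counted), and a transfer between two LAN hosts would be counted against both of them because both addresses on the line match the grep. Keep in mind that the report only reflects the 10-second sample window; a client that is idle during those seconds is simply not in the list.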

Finding bad RAM with memtest86

Lately Firefox started to crash randomly without an apparent reason. Also other software on my computer started acting weird. It took me a while to find the cause of the problems. It turned out one of my memory modules had gone bad. Finding that out was not exactly easy. Normally I would run memtest86+ from an Ubuntu live CD. That was not possible as I have a UEFI BIOS (without legacy support) and memtest86+ is lacking UEFI support.

[image: memtest_splashscreen]

I was able to create a virtual machine (with KVM or VirtualBox) with reserved RAM and run memtest86+ in there. That actually showed the problem. Another trick to detect the problem is to run memtest86 (without the plus), as it has support for booting using UEFI since version 5. It can be downloaded from memtest86.com (choose CD image) and put on a USB stick using UNetbootin (install using apt-get).

[image: ram_modules]

When I found the problem there was no other way than to add and remove memory modules and run the test again to find out which one was broken. It took some time, but eventually I succeeded. It wasn’t a pretty process and it took way too long. Somebody should write a memory testing program in user-space that also reports the slot of the broken RAM module. In the end the broken module turned out to be the one closest to the CPU (see picture); maybe it got too hot.

Suggested tools:

  1. MemTest86 from: memtest86.com
  2. Memtest86+ from: memtest.org
  3. Windows Memory Diagnostic from: microsoft.com

I hope it will help you.