Insecubuntu

Alright, seriously, I know there’s a zillion ways to compromise a box, but do we have to hand people the keys and tell them to go have fun? Here’s today’s bitching session, hold tight:

So I just installed Ubuntu 9.10 on my eee again, I thought I’d give it another shot, I can be a little harsh on Ubuntu and I like to get a fair and balanced view of things, so I decided to see what’s GOOD about Ubuntu. That didn’t last long. I’d also installed a Ubuntu 9.10 VM, and someone in an IRC channel asked a question about where a certain thing was in Ubuntu, I gave an answer and booted the VM to verify it. All is well so far, the VM still works, VMWare Tools still works, Ubuntu’s still working, great.

Unfortunately, I’d given my VM’s user account a password so obscure that even I couldn’t remember it, so I set about trying to get myself back in. I did, and this is where things start to get a little less fun. See, to fix a forgotten password on Ubuntu, what you have to do is boot to the recovery console, handily placed on the GRUB menu where it’s nice and easy to find, and do your thang. Perfect for someone who’s forgotten their password, like myself in a fit of dumbassery, not so perfect for anyone who wants a somewhat less insecure system, because it turns out that in the recovery console (again, easily accessible from GRUB) requires no authentication whatsoever. Now, that means not only that you could screw a system royally using it, YOU CAN ALSO CHANGE BOTH USER AND ROOT PASSWORDS WITH NO AUTHENTICATION. Yes, let me say that again, you can jump into recovery console with no more difficulty than pressing the down key and then Return at the GRUB menu and you can change the passwords on the system to just about anything you feel like. This is default behaviour and is absolutely attrocious from a security perspective.

Allow me to use an analogy, I’m aware that you could use a boot CD/USB or other 3rd party tool to smash the security in Ubuntu (or indeed many OSs and distros, Linux or otherwise) but that’s akin to walking up to a front door with a lockpick, a situation which requires an extra tool that most people don’t have. However, recovery console on the other hand, that’s like leaving the key under the front door mat. Not the brightest of ideas, it’s useful if you lose your key or lock yourself out, but it also means that if a casual opportunist happens to check under your doormat, a common place for a key to be hiding perhaps, they can let themselves in and do just about anything they feel like. Worse still, a fresh install of Ubuntu to a less experienced user is like buying a new house, except the previous owner left the spare key under the doormat and didn’t tell the buyer. Now the new owner has no idea that there’s a key under the doormat unless they were savvy enough to check, but anyone who knows that key is under the doormat can go explore the house as they wish.

Arguments against this problem, such as the argument that it doesn’t matter anyway because someone might still break in if they’re determined or experienced enough, are invalid. Why? Well, why bother having passwords at all? It might not keep Dr Hackerman out, but it’ll probably keep your family, friends and casual passers by out. Security is layered, what might not keep the big, bad superhacker out might still be enough to put your machine just above the low-hanging fruit. Yes, I admit that a simple password isn’t going to magically make your computer inpenetrable, but every little helps. Frankly this is only one step away from having a button on the login screen saying “I don’t have the password but let me in anyway, I won’t do any harm”.

Apparently it’s been debated on the Ubuntu forums, in the IRC, on Launchpad, etc, but ultimately it’s remained a design decision (much like the others I’ve come to despise) rather than a bug as it should rather be. This is stupid. All the problems I’ve had with Ubuntu are “design decisions”, they’re not “features instead of bugs” because that’s a funny thing to say and it’s being worked on, they are real “features”, period. Drivers, security, UI, all have serious flaws because some useless bastard said “nah, it’s alright, we’ll do it this way”. BUCK IT UP, CANONICAL. Fucking seriously. If Ubuntu is ever going to be a serious contender in my eyes, it needs some serious restructuring, some serious direction, a lot of people working in the same damn direction (and not an arbitrary direction) with some idea of how things are supposed to work rather than how they think stuff should work, and it needs to take itself a lot more goddamn seriously. All these little things add up, the more I’ve seen of Ubuntu the less I see it as any more than a complete and utter joke.

Pathetic.

Here’s a nice, handy guide on how to break into recover an Ubuntu box.

Gah.

EDIT: It’s come to my attention that if root is enabled (which it’s not on Ubuntu by default, and users aren’t supposed to enable it), recovery console will indeed prompt for a password. That still doesn’t make me feel much better.

Split Personality

You’ve probably noticed I haven’t been very ranty lately, but trust me, I’m still here, I’ll get back to this stuff as soon as I stop being productive.

When I’m not being quite so pissed of at everything, I’m over at http://bgaaudio.org being creative, go check it out.

Checkbox Challenge

So I decided to get hold of a copy of one of Ubuntu 9.10’s prereleases (I can’t remember if it’s the beta or the RC, but it’s fully updated anyhow) to see how far up the OS evolutionary scale Canonical has managed to drag Linux and it turns out that I really shouldn’t have expected as much as I did. Not that I was expecting much anyway, but here’s my latest gripe with the Karmic Koala:

http://ubuntuforums.org/showthread.php?t=1295357

First thing I do in Ubuntu is change the font size down to something that can’t be seen from several continents away specifically so everything isn’t as oversized as it normally is, and then I shrink the top panel to kill the wasted space caused by the smaller font. Anyway, next on the todo list is to kill that stupid Ubuntu icon in the main menu (and the rest of the menu icons, they’re a bit cartoony and really quite unnecessary), a simple checkbox which worked exactly as it should in as many previous versions as I’ve tried. Now, however, some moron decided that not all of the icons should disappear, including the very same icon I want rid of. Who’s fucking decision is this? Seriously, that’s why there’s a fucking checkbox there in the first goddamn place, so I, the user, can turn off the fucking icons. Now it only half works because some bastard thinks I need my pwitty ickle icons to figure out what the fuck I’m doing. No. No, no, no, no, no. If I wanted the shitty little pictures I wouldn’t have clicked that special little setting that kills them, would I?

I tried updating today (and quite a lot of updates there were), thinking it was a bug which was probably just a side-effect of it being a beta, but then I found the above thread after it didn’t get any better. Waste of bloody time.

This is Linux, where’s my choice? That’s why I’m supposed to use Linux, right? Choice? I know, I’ll just turn the icons off in the configuration file and… wait, what’s that? The GUI app just flips that setting anyway? So why the holy hell am I still seeing these icons? The only option I can think of is to replace said icons with blank images so they appear to not be there, but in fact they are, they’re just nearly invisible. Is this a suitable fix? I think not. I only know that’s a fix because some time ago I tried to look up how to rid my screen of that same icon (perhaps on Debian, I forget now) and that was the suggested answer. This is not a viable answer, to me or the laymen who are supposed to be choosing Ubuntu as the flagship desktop Linux distro.

Since I’m already bitching about Ubuntu, what’s with the “yet another way of installing crap” Ubuntu Software Centre? Appreciate the Euro spelling and everything, but what the hell was wrong with Add/Remove Applications, Synaptic and apt? Software Sources and Update Manager too – seriously? As an end user, albeit a slightly more experienced one, which one of these useless atrocities am I suppose to use? Why are they all there? I can appreciate that perhaps they could use a little consolidation and maybe one day Software Centre will accomplish that but in the meantime why is it in my OS? It’s confusing, it’s a mess, it’s annoying and for an end user it’s one of those stupid little things that’s going to put them off (that and the inconsistancy, the UI, the broken functions and settings, etc).

Now I’m on the subject of usability for new and possibly slightly dense users, I should also mention that the first time I installed VirtualBox Additions I ended up at a bash shell the next reboot. Not because it went wrong, or because the Additions were broken or incompatible, but because there was a filesystem inconsistancy and fsck managed to not run, dumping me at a bash shell. If I was one of the aforementioned less experienced users, this is game over for me. Fix that, pronto, even Windows 95 didn’t shit itself and die if Scandisk didn’t run, it just carried on (if I recall, it’s been a while). Can you beat the almost 15 year old Windows 95? Can you? We’ll see.

Oh, and while I’m here, will someone fix virtual machine addons so I don’t have to reinstall the damn things every time my kernel’s updated? Thanks.

Fun and Frolics with Flaps and Phallus

So I just came across mubix’ post via cmdline.tv* and despite (or because of) my somewhat (perpetual) sleep deprived state I feel the need to drop my two-penneth in the bucket. Recommended reading, if only for the links peppered throughout it.

Ok, maybe I just wanted an excuse to link to the post and some of that which contributed to it. Also maybe to promote cmdline.tv’s diverse array of posts and posters.

*Originally I planned to dunk my own biscuit in the boiling broth of sputum and bile that is this topic, but the more I typed the more I realised that it’d all been said by mubix and those mentioned in his post, so just go there and look instead. Especially Nikita’s bit, which pretty much covers anything I would’ve had to say.

Quit Spooging Already

See that? Yeah, that. That’s what I think Google’s “Chrome OS” will look like. Actually, that’s not true, it’s actually a leak.

OK, you got me, it’s a fake, how did you know?

Can people shut the fuck up about this already? I’ve heard about this supposed Chrome OS for little more than a few hours now (this time around, anyway) and I’m already sick to the back teeth of it. What are you guys expecting? Seriously? I’ve heard people yelling things like “OMFG WONDIWS KILLA!!!” and “OSX WILL SUXXOR COMPAIRED!!!” coming from people who seem to believe they’re sane and rational. Really now. OSs which have been in development in some form or another for 20 years or so (ish, give or take, if you count OS/2 and NeXTSTEP way back in the late 80s) will suddenly be worthless compared to… uh… a glorified browser? Sorry, run that by me again? Full fledged operating systems which have been developed over 2 decades are magically going to be supplanted by a practically brand new sub-par browser from a company bent on collecting as much data as it possibly can which also happens to run online services which pale in comparison to desktop based (and also very well established) alternatives? Uh… sure. Even if it was a full OS, what would it be based on? Linux? Remind me, how many desktops run Linux compared to Windows and MacOS combined? Right, I see.

This is, of course, assuming that it will be Chrome on Linux and little else. If it’s not, what else is it likely to be? If it is, haven’t we already seen that? Canonical seem to be doing their bit for desktop Linux, but I’d be willing to bet that Ubuntu still doesn’t have market share worth caring about. Perhaps a mini distro intended to be used as an instant-on browser based… oh, wait, kinda like SplashTop? Ah, right.

See my point? Now go change your fucking underwear and get back to whatever it was you were doing before you heard the news, nothing to see here folks, move right along.

I’m a Moron

…is pretty much what you’re telling me when you make such amusing quips as M$, Crapple, Linsux or any variations thereof. It’s not in the least bit funny and it’s about as original as breathing air to stay alive. It makes you look like a twat, so if you actually intend to be taken seriously I recommend you stop saying these things. If, on the other hand, you wish to be beaten with an iron bar and forced to install or use the products which you so willingly bash under penalty of death if you don’t (that is, if you don’t already, as I often suspect is the case) then by all means continue. Sure, things aren’t perfect and yes, some things are unsuitable for the task(s) you wish to accomplish but it’s your responsibility to just move along and find something which works for you. I’m sure I don’t even need to mention that companies have to make money just as you do to stay alive. Save yourself, don’t make people want to carve your internal organs out with a snapped up CD.

I Am Not Google

It’s true. Really it is. I am not Google, Google is Google. Google is a search engine, an engine which searches. An engine that searches the world wide web for things you might be interested in knowing. This is not me. I am a human, I am the human who types “www.google.com” into an address bar and uses the resulting page to find things which might interest or help me. You are a human too. You can also type “www.google.com” into an address bar and use the resulting page to find things which might interest or help you too. If you need to know things, Google can tell you. Google has the answers and I do not. If I have an answer to a question which you ask me instead of asking Google then I probably used Google to find out that answer. Why not cut out the middleman and type “www.google.com” into your address bar on your browser and find the answer yourself without my sarcasm or my insults? Why not ACTUALLY DO SOMETHING YOURSELF FOR ONCE, YOU FUCKING LAZY BASTARDING MORON?

Fucking useless assholes.

Fanboy Brigade

Alright, alright, I know I hate fanboys and needless bitching for no reason, but Apple and its fanboys just can’t stop pissing me off lately. Here’s a selection of reasons why:

1) They released a music player… with no buttons. Oh, oh, you want buttons? Yeah, that’ll cost you extra. Yeah, thanks for that. This wasn’t even a technical issue, companies have been controlling devices with in-line remotes for years and many of them included a regular 3.5mm socket on the end of the remote for normal fucking headphones. Proprietary headphones. Seriously? Why don’t you just bolt a fucking credit card slot on the side? Speaking of credit cards, we bumped up the price for the trouble we had to go to in order to keep your from using your existing headphones without buying extra crap to do it. Run along now, the Apple store awaits.

2) They upgrade the firmware for their iPhone and iTouch with features everything else has had since the year dot and people actually celebrate it? What’s to celebrate? That your phone was shit and now it’s slightly less shit? It took how long to add A2DP? I thought the point of iStuff was to play music on it? I’m sure they are nice devices and all, what with the UI and… uh… the UI, but seriously, you’re celebrating because the phone you’ve been bashing everyone for not owning just crawled out from the dark ages? Oh boy, I can even install things on it? Awesome! Wait, everything has to be approved by Lord Jobs himself, can be turned off or withdrawn at any time, can’t do anything the phone already does (even if it doesn’t do it very well) and can’t run in the background…? Yay. Awesome. Great. Sigh.

2a) Yes, yes, I know you can jailbreak, but why would I buy a new phone which I’m forced to mod, void the warranty of, and potentially brick right out of the box in order to make it do things I expect from a phone? Even cheapo piece of shit phones can run as many Java apps as I can put my hands on, why the hell should I have to get permission first? Oh yeah, and even if I did jailbreak, someone at Apple might decide I’m not following the Book of Apple to the letter and decide to brick my phone at will. It’s bad enough that they control what you can do with the damn thing in the first place, it’s many, many times worse that they can decide you’re doing it wrong and brick your $600 phone for the sake of it. I might have even been convinced to try my hand at writing an app or two just for kicks, but no, I can’t do that either because I don’t have a Mac. If you think I’m paying upwards of $1000 for a near redundant machine to play around with you can go and get bent. As for being locked down, it’s not just phones either, they’ve decided non-standard AppleTVs are unhealthy for the happy little Apple lemmings too and have gone about their day “fixing” that for them. Yeah, yeah, “they update the software and it just happens to break mods, it’s not their fault”. Sure. Anything you say.

3) So they upgraded their firmware and now everyone can copy/paste, receive MMSs, etc, etc, all the stuff people have been bitching about. Great, right? Not quite. If you’re an iPod Touch user then you’ve gotta pay. If you know Apple then you probably expect this already, it’s not like they haven’t pulled that before, but half the shit won’t even work on the Touch… MMS? I think not. Push alerts? Uh… right. Oh yeah, and if you bought a first-gen iPhone then you’re screwed too, because apparently half the features won’t work on it. No A2DP and “MMS won’t work because it has the wrong radio”? Bull. Fucking. Shit.

4) Why is it that when someone expresses dislike for an Apple product they get called a fanboy, yet if you praise Apple to high heaven then you’re… not a fanboy? How does that work? I use and enjoy using products from companies which won’t make me pay out of the ass for style or functions everyone else already has, don’t hate me for it, hate yourself. Why is it when I point out an Apple product for being legitimately, genuinely inferior I’m at risk of having to listen to legions of fankids telling me to grow up or stop hatin’ because I’m being a fanboy, but if they don’t like what I’m using it’s ok for them to go balls out trying to rip it to shreds?

5) Used Apple prices. £500 for a 5 year old laptop? Ahahahahaha. No thanks. I could buy a brand new non-Apple laptop with a current set of technology (I’m looking at you, PowerPC) in it for less than that and it comes with a brand new battery and a warranty. Sure, I admit I wouldn’t mind an aluminium G4 PowerBook to mess around with, I actually kinda like OSX, but there’s no way in living hell I’m paying that much for the pleasure. Especially when it’s been suggested that Snow Leopard will be exclusively x86.

6) People who think Apple isn’t out to screw your ass so tight you’d think it had healed over. They’s just as “evil” as, or moreso than, Microsoft or Google or any other company Apple fans so despise for being uh… not Apple. They’ll lock you in, they’ll make you feel all warm and fuzzy, then they’ll shit on you from a height you never even dreamed shit could fall from, whether it be by changing their connectors or charging you for firmware (hey, Microsoft doesn’t charge for firmware, take a tip).

7) People who think anything anyone else does is a direct result of Apple doing something first. So people borrow others’ ideas. Isn’t that where Apple came from in the first place, way back in the Xerox days? No? Contrary to popular belief, Apple didn’t fucking invent everything.

I wouldn’t bitch about half this stuff if people didn’t act like it was the dog’s bollocks all the damn time. It’s OK though, the nasty Antichrist has stopped bashing Apple now, you can go back to tossing off over the iPhoneOS 3.0 announcements already, I’m going to go and install Linux on some iPods and Windows on some Macs.

“It doesn’t matter if my computer’s infected, I’ve got nothing to hide.”

Don’t you EVER, EVER let me catch any of you fuckers saying this to me again. I’m fucking serious. If you’re anywhere I am online and you’re not openly admitting that you know fuck all about computers than you shouldn’t be saying this. EVER. YOU HEAR ME? EVER. UNDER ANY CIRCUMSTANCE.

If you have an infested machine and you know it, don’t fuck about, nuke the fucking thing. Right now. It’s OK, I won’t go anywhere, I’ll still be here when you get back.

Anyone with any sliver of a clue knows that an infection is a bad thing. If your box is rooted then…

…you know what, if you’re reading this shit then you already know this. I’m preaching to the choir, but if any of you motherfuckers encounter anyone this fucking stupid then please do deal with them as you deem appropriate. As long as what you deem appropriate involves high voltage jump leads and a vat of acid.

If I EVER hear any fucker say this again it’ll be before I’m ready to hear anyone being that fucking ignorant again. Seriously.

Underground, Overground, Wombling Free

For all my rants and outpourings, I have been outclassed. In a Phrack article published some time ago a certain Mr A. Nonymous managed to sum up an awful lot of my intentions and thoughts in what might originally seem a rather simple collection of words. I could give it no better introduction so a link shall have to suffice.

http://www.phrack.com/issues.html?issue=65&id=13#article

(As the above link is currently non-functioning, please take a moment more to scroll down to article 0×0d, The Underground Myth, at http://www.textfiles.com/magazines/PHRACK/PHRACK65.)