7 results
bank run, barriers to entry, bash_history, Bernie Madoff, computerized markets, computerized trading, Flash crash, housing crisis, index fund, locking in a profit, London Whale, market microstructure, merger arbitrage, prediction markets, price discovery process, Sergey Aleynikov, Spread Networks laid a new fibre optics cable between New York and Chicago, transaction costs, zero day
For example, Lewis tells us that after Aleynikov copies Goldman’s source code to a third party location for later retrieval: “…then he did what he had always done since he’d first started programming computers: He deleted his bash history – the commands he had typed into his own Goldman computer keyboard. To access the computer, he was required to type his password. If he didn’t delete his bash history, his password would be there to see, for anyone who had access to the system.” From a technical perspective, this is rife with errors. First, one’s “bash history” is not visible to anyone who has access to a system. It is only visible to the system’s administrators. The system’s administrators can already see any file on the system, and they don’t need Sergey’s password to do so. Further, a user’s login password is never stored in the bash history anyway. The only password that one might find in the bash history would be one that Aleynikov used to connect to the third-party server to which he sent Goldman’s source code. Even in that case, it’s quite unusual for anyone to specify a password on the command line – in fact, it’s against all security best practices.
For example, I’m not sure where Lewis gets the idea that deleting one’s bash history is a “common practice.” In Chapter 5 we already saw that it was unnecessary on two counts: (a) protecting his password from the system administrators – the only people who can view his bash history, and the only people who can already read any file he has – is pointless, and (b) even rookies know that you’re not supposed to use a password on the command line, anyway. The only reason somebody “needs” to delete their command history is that they don’t want anyone to know what they are doing. Lewis sums up the discussion with what he calls the “obvious” question: “If deleting the bash history was so clever and devious, why had Goldman ever found out he’d taken anything?” The technical answer is that when you delete your bash history, you replace the entire log of everything you have done on your computer with a single entry which says that you deleted your bash history.
Effectively, you replace the security video tapes for the last six hours with a single thirty-second clip of you erasing all the security footage. Any reasonable system administrator would find this highly suspicious, and would review other activity logs to piece together what happened. Fundamentally, though, the idea underpinning this question is rather naive: you can’t call Aleynikov clever or devious, because he got caught. I’m not a lawyer, but I don’t think this is a good argument for the defense to make. By this logic, no criminal should be called devious, since they got caught. Lastly, there is the question of why Sergey did not take Goldman’s “secret sauce” strategies.
Hacking Exposed: Network Security Secrets and Solutions by Stuart McClure, Joel Scambray, George Kurtz
Next, a manual edit (using vi or emacs) of the secure, messages, and xferlog log files will further remove their activity record. One of the last steps will be to remove their own commands. Many UNIX shells keep a history of the commands run to provide easy retrieval and repetition. For example, the Bourne again shell (/bin/bash) keeps a file in the user’s directory (including root’s in many cases) called .bash_history that maintains a list of the recently used commands. Usually as the last step before signing off, attackers will want to remove their entries. For example, the .bash_history may look something like this:

tail -f /var/log/messages
vi chat-ppp0
kill -9 1521
logout
< the attacker logs in and begins his work here >
id
pwd
cat /etc/shadow >> /tmp/.badstuff/sh.log
cat /etc/hosts >> /tmp/.badstuff/ho.log
cat /etc/groups >> /tmp/.badstuff/gr.log
netstat -na >> /tmp/.badstuff/ns.log
arp -a >> /tmp/.badstuff/a.log
/sbin/ifconfig >> /tmp/.badstuff/if.log
find / -type f -perm -4000 >> /tmp/.badstuff/suid.log
find / -type f -perm -2000 >> /tmp/.badstuff/sgid.log
…

Using a simple text editor, the attackers will remove these entries and use the touch command to reset the last accessed date and time on the file. Usually attackers will not generate history files at all, because they disable the history feature of the shell by setting:

unset HISTFILE; unset SAVEHIST

Additionally, an intruder may link .bash_history to /dev/null:

[rumble]# ln -s /dev/null ~/.bash_history
[rumble]# ls -l .bash_history
lrwxrwxrwx 1 root root 9 Jul 26 22:59 .bash_history -> /dev/null

Log Cleaning Countermeasure

It is important to write log file information to a medium that is difficult to modify. Such a medium includes a file system that supports extended attributes such as the append-only flag. Thus, log information can only be appended to each log file, rather than altered by attackers. This is not a panacea, as it is possible for attackers to circumvent this mechanism.
This provides network engineers a window on what is occurring over the wire, allowing them to troubleshoot or model network behavior by viewing packet traffic in its most raw form. An example of such a packet trace appears next. The user ID is “guest” with a password of “guest.” All commands subsequent to login appear as well.

------------[SYN] (slot 1) pc6 => target3
%&& #'$ANSI"!guest
guest
ls
cd /
ls
cd /etc
cat /etc/passwd
more hosts.equiv
more /root/.bash_history

Like most powerful tools in the network administrator’s toolkit, this one was also subverted over the years to perform duties for malicious hackers. You can imagine the unlimited amount of sensitive data that passes over a busy network in just a short time. The data includes username/password pairs, confidential email messages, file transfers of proprietary formulas, and reports. At one time or another, if it gets sent onto a network, it gets translated into bits and bytes that are visible to an eavesdropper employing a sniffer at any juncture along the path taken by the data.
Flash Boys: A Wall Street Revolt by Michael Lewis
automated trading system, bash_history, Berlin Wall, Bernie Madoff, collateralized debt obligation, computerized markets, drone strike, Fall of the Berlin Wall, financial intermediation, Flash crash, High speed trading, latency arbitrage, pattern recognition, risk tolerance, Rubik’s Cube, Sergey Aleynikov, Small Order Execution System, Spread Networks laid a new fibre optics cable between New York and Chicago, the new new thing, too big to fail, trade route, transaction costs, Vanguard fund
He pulled up his browser and typed into it the words: “free subversion repository.” Up popped a list of places that stored code for free and in a convenient fashion. He clicked the first link on the list. To find a place to send the code took about eight seconds. And then he did what he had always done since he’d first started programming computers: He deleted his bash history—the commands he had typed into his own Goldman computer keyboard. To access the computer, he was required to type his password. If he didn’t delete his bash history, his password would be there to see, for anyone who had access to the system. It wasn’t an entirely innocent act. “I knew that they wouldn’t be happy about it,” he said, because he knew their attitude was that anything that happened to be on Goldman’s servers was the wholly owned property of Goldman Sachs—even when Serge himself had taken that code from open source.
McSwain clearly found it damning that the website Serge used was called a subversion repository, and that it was in Germany. He also seemed to think it significant that Serge had used a site not blocked by Goldman Sachs, even after Serge tried to explain to him that Goldman did not block any sites used by its programmers but merely blocked its employees from porn sites and social media sites and suchlike. Finally, the FBI agent wanted him to admit that he had erased his bash history. Serge tried to explain why he always erased his bash history, but McSwain had no interest in his story. “The way he did it seemed nefarious,” the FBI agent would later testify. All of which was true, as far as it went, but, to Serge, that didn’t seem very far. “I thought it was like, crazy, really,” he says. “He was stringing these computer terms together in ways that made no sense. He didn’t seem to know anything about high-frequency trading or source code.”
As one pointed out to Serge directly, lots of thieves are sloppy and careless; just because he was sloppy and careless didn’t mean he was not a thief. On the other hand, they all agreed, there wasn’t anything the least bit suspicious, much less nefarious, about the manner in which he had taken what he had taken. Using a subversion repository to store code and deleting one’s bash history were common practices. The latter made a great deal of sense if you typed your passwords into command lines. In short, Serge had not behaved like a man trying to cover his tracks. One of his new jurors stated the obvious: “If deleting the bash history was so clever and devious, why had Goldman ever found out he’d taken anything?” To these new jurors, the story that the FBI found so unconvincing—that Serge had taken the files because he thought he might later like to parse the open source code contained within—made a lot of sense.
Real World Haskell by Bryan O'Sullivan, John Goerzen, Donald Stewart, Donald Bruce Stewart
bash_history, database schema, Debian, digital map, distributed revision control, domain-specific language, en.wikipedia.org, Firefox, general-purpose programming language, Guido van Rossum, job automation, Larry Wall, p-value, Plutocrats, plutocrats, revision control, sorting algorithm, transfer pricing, type inference, web application, Y Combinator
,"lib","srv","media","lib64","opt", ".ccache","bin","selinux",".","lost+found","proc",".autorelabel",".autofsck", "sys","misc","home","tmp","boot",".bash_history","root","sbin","usr"]

getDirectoryContents returns a list for every item in a given directory. Note that on POSIX systems, this list normally includes the special values "." and "..". You will usually want to filter these out when processing the content of the directory, perhaps like this:

ghci> getDirectoryContents "/" >>= return . filter (`notElem` [".", ".."])
["dev",".vmware","mnt","var","etc","net","lib","srv","media","lib64","opt",
 ".ccache","bin","selinux","lost+found","proc",".autorelabel",".autofsck",
 "sys","misc","home","tmp","boot",".bash_history","root","sbin","usr"]

Tip: For a more detailed discussion of filtering the results of getDirectoryContents, refer to Chapter 8.
algorithmic trading, automated trading system, banking crisis, bash_history, Bernie Madoff, butterfly effect, buttonwood tree, Chuck Templeton: OpenTable, cloud computing, collapse of Lehman Brothers, computerized trading, creative destruction, Donald Trump, fixed income, Flash crash, Francisco Pizarro, Gordon Gekko, Hibernia Atlantic: Project Express, High speed trading, Joseph Schumpeter, latency arbitrage, Long Term Capital Management, Mark Zuckerberg, market design, market microstructure, pattern recognition, pets.com, Ponzi scheme, popular electronics, prediction markets, quantitative hedge fund, Ray Kurzweil, Renaissance Technologies, Sergey Aleynikov, Small Order Execution System, South China Sea, Spread Networks laid a new fibre optics cable between New York and Chicago, stealth mode startup, stochastic process, transaction costs, Watson beat the top human players on Jeopardy!, zero-sum game
A few days later, working from his home computer on the night of June 4, shortly after 11 P.M., Aleynikov accessed the German server—designated SVN.XP-dev.com—and uploaded the code. The next day, his last at Goldman, he transferred more code at 7:07 A.M. Then, at 5:23 P.M., he ran a program to upload even more code to the German server. At last, hoping to cover his tracks, he swiped clean his computer’s “bash” history, a record of activity on its hard drive. He shut down the computer, said good-bye to his colleagues, and walked out of Goldman’s office for the last time. Aleynikov felt positive that he’d pulled it off. With the Goldman code, he’d have a cheat sheet to create new, even better code for Teza. But he’d slipped. Goldman’s security experts had detected the transfer of exactly thirty-two megabytes of data from its computer system to an outside server.
Python for Unix and Linux System Administration by Noah Gift, Jeremy M. Jones
Amazon Web Services, bash_history, Bram Moolenaar, cloud computing, create, read, update, delete, database schema, Debian, distributed revision control, Firefox, Guido van Rossum, industrial robot, inventory management, job automation, Mark Shuttleworth, MVC pattern, skunkworks, web application
Here is an example of the whos function used with no command-line arguments:

In : whos
Variable   Type    Data/Info
----------------------------
a          int     1
aa         str     one
b          int     2
bb         str     two
c          int     3
cc         str     three
n          str     cc

And as we can with who, we can filter on type:

In : whos int
Variable   Type    Data/Info
----------------------------
a          int     1
b          int     2
c          int     3

In : whos str
Variable   Type    Data/Info
----------------------------
aa         str     one
bb         str     two
cc         str     three
n          str     cc

History

There are two ways to gain access to your history of typed-in commands in IPython. The first is readline-based; the second is the hist magic function.

Readline support

In IPython, you have access to all the cool features that you would expect to be in a readline-enabled application. If you are used to searching your Bash history using Ctrl-s, you won’t have a problem transitioning to the same functionality in IPython. Here, we’ve defined a few variables, then searched back through the history:

In : foo = 1
In : bar = 2
In : bam = 3
In : d = dict(foo=foo, bar=bar, bam=bam)
In : dict2 = dict(d=d, foo=foo)
In : <CTRL-s>
(reverse-i-search)`fo': dict2 = dict(d=d, foo=foo)
<CTRL-r>
(reverse-i-search)`fo': d = dict(foo=foo, bar=bar, bam=bam)

We typed Ctrl-r to start the search, then typed in fo as the search criteria.
The Debian Administrator's Handbook, Debian Wheezy From Discovery to Mastery by Raphaël Hertzog, Roland Mas
bash_history, Debian, distributed generation, en.wikipedia.org, failed state, Firefox, GnuPG, Google Chrome, Jono Bacon, NP-complete, QWERTY keyboard, RFC: Request For Comment, Richard Stallman, Skype, SpamAssassin, Valgrind, web application, x509 certificate, zero day, Zimmermann PGP
Forensic Analysis

Now that the service has been restored, it is time to have a closer look at the disk images of the compromised system in order to understand the attack vector. When mounting these images, care should be taken to use the ro,nodev,noexec,noatime options so as to avoid changing the contents (including timestamps of access to files) or running compromised programs by mistake.

Retracing an attack scenario usually involves looking for everything that was modified and executed: .bash_history files often provide for a very interesting read; so does listing files that were recently created, modified or accessed; the strings command helps identifying programs installed by the attacker, by extracting text strings from a binary; the log files in /var/log/ often allow reconstructing a chronology of events; special-purpose tools also allow restoring the contents of potentially deleted files, including log files that attackers often delete.
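The Hacking Exposed excerpt above lists the ways an intruder neuters .bash_history (editing it and resetting its timestamps, unset HISTFILE; unset SAVEHIST, linking it to /dev/null), the Flash Boys review notes that a cleared history is itself a tell, and this handbook passage says the file is one of the first things to read on a mounted image. The script below is an added example, not code from any of these books. Given a mount point ROOT (the image already mounted with ro,nodev,noexec,noatime as described; the script never mounts anything itself), it flags the home directories that show exactly those anti-forensic patterns, including a history whose only content is the command that cleared it, and it lists regular files modified after a reference file as a narrow stand-in for the "recently created, modified or accessed" listing. The user names, file contents and timestamps are constructed for the demo; mktemp -d, readlink and find -newer are assumed to be available (GNU or BSD userland).

```shell
#!/bin/sh
# Added example (not from Hacking Exposed or the Debian Administrator's Handbook).
# Triage of shell histories under an already-mounted disk image at ROOT; the
# patterns checked are the ones the text describes. Every path, user name and
# file below is constructed for the demo.

# audit_home HOME: report findings on stderr; return 1 if anything looks tampered.
audit_home() {
    home=$1
    hist=$home/.bash_history
    bad=0
    if [ -L "$hist" ]; then
        # ln -s /dev/null ~/.bash_history
        echo "$home: .bash_history is a symlink to $(readlink "$hist")" >&2
        bad=1
    elif [ ! -f "$hist" ]; then
        # unset HISTFILE leaves no file at all
        echo "$home: .bash_history is missing" >&2
        bad=1
    else
        lines=$(wc -l < "$hist" | tr -d ' ')
        # The "thirty-second clip of erasing the tapes": a history whose content
        # is the command that cleared it, or almost nothing at all.
        if grep -Eq '^(history -c|rm .*bash_history|unset HISTFILE|ln -s /dev/null|(cat /dev/null )?> *~?/?.*bash_history)' "$hist"; then
            echo "$home: history contains a history-clearing command" >&2
            bad=1
        elif [ "$lines" -le 1 ]; then
            echo "$home: history is nearly empty ($lines lines)" >&2
            bad=1
        fi
    fi
    # Start-up files that disable history for every future login.
    for rc in .bashrc .bash_profile .profile; do
        if [ -f "$home/$rc" ] &&
           grep -Eq 'unset +(HISTFILE|SAVEHIST)|HISTFILE=/dev/null|HIST(FILE)?SIZE=0|set \+o history' "$home/$rc"; then
            echo "$home/$rc: shell history disabled" >&2
            bad=1
        fi
    done
    return $bad
}

# count_suspicious ROOT: number of home directories (root and /home/*) flagged.
count_suspicious() {
    root=$1
    n=0
    for home in "$root/root" "$root"/home/*; do
        [ -d "$home" ] || continue
        audit_home "$home" || n=$((n + 1))
    done
    echo "$n"
}

# recent_files ROOT REF: regular files under ROOT modified after the file REF.
recent_files() {
    find "$1" -type f -newer "$2" | sort
}

# build_demo DIR: a constructed image tree with one clean user, one user who
# linked the history to /dev/null and disabled it in .bashrc, and a root
# history that holds nothing but the clearing command.
build_demo() {
    d=$1
    mkdir -p "$d/home/alice" "$d/home/mallory" "$d/root" "$d/tmp/.badstuff"
    printf 'ls -la\ngit pull\nmake\n' > "$d/home/alice/.bash_history"
    ln -s /dev/null "$d/home/mallory/.bash_history"
    printf 'unset HISTFILE; unset SAVEHIST\n' > "$d/home/mallory/.bashrc"
    printf 'history -c\n' > "$d/root/.bash_history"
    # Pre-date the baseline (symlinks excluded so touch does not follow them),
    # place a reference mark, then drop the attacker's loot file after it.
    find "$d" ! -type l -exec touch -t 202001010000 {} +
    touch -t 202301010000 "$d/.reference"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$d/tmp/.badstuff/sh.log"
}

# Stand-alone run against the constructed tree.
demo=$(mktemp -d)
build_demo "$demo"
echo "suspicious homes: $(count_suspicious "$demo")"
echo "files newer than the reference mark:"
recent_files "$demo" "$demo/.reference"
rm -rf "$demo"
```

Point ROOT at the real mount point and pass any file with a known-good timestamp (a package database file, or a file touched at the last legitimate login) as the reference; the /tmp/.badstuff-style drop directory shows up in recent_files even when every history has been cleaned, which is the point of cross-checking history against the rest of the file system.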