What programs are listening to the network?

Sometimes, I’d like to know what programs on my system are listening to the network, and to quote the Perl motto, “there’s more than one way to do it”. On Linux, there’s `lsof -Pi` and `netstat -p`. On Windows XP and Vista, there’s the built-in `netstat -b[v] -a` and a separate utility called [tcpview](http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx). I’ve included example usages and outputs.

__lsof__ (Linux)

`sudo lsof -Pni`

```
COMMAND PID   USER   FD TYPE DEVICE SIZE NODE NAME
python  1886  root   4u IPv4 6621        TCP  127.0.0.1:2207 (LISTEN)
cupsd   1898  root   3u IPv4 6663        TCP  127.0.0.1:631 (LISTEN)
cupsd   1898  root   4u IPv6 6664        TCP  [::1]:631 (LISTEN)
cupsd   1898  root   6u IPv4 6667        UDP  *:631
sshd    1912  root   3u IPv4 6711        TCP  *:22 (LISTEN)
httpd   20084 apache 4u IPv6 7293        TCP  *:80 (LISTEN)
httpd   20085 apache 4u IPv6 7293        TCP  *:80 (LISTEN)
httpd   20086 apache 4u IPv6 7293        TCP  *:80 (LISTEN)
httpd   20087 apache 4u IPv6 7293        TCP  *:80 (LISTEN)
httpd   20088 apache 4u IPv6 7293        TCP  *:80 (LISTEN)
httpd   20089 apache 4u IPv6 7293        TCP  *:80 (LISTEN)
httpd   20090 apache 4u IPv6 7293        TCP  *:80 (LISTEN)
httpd   20091 apache 4u IPv6 7293        TCP  *:80 (LISTEN)
```
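To turn that listing into a short review list, the following added example (not part of the original post) parses `lsof -Pni` output, merges forked workers that share a socket, and keeps only the listeners bound to something other than loopback. It assumes the numeric `-Pn` flags were used; the function names and the last sample row are made up for illustration.

```python
import ipaddress

# Constructed sample in the layout of the `lsof -Pni` output above; the last
# row (an established SSH session) is invented to show it being skipped.
SAMPLE = """\
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
python 1886 root 4u IPv4 6621 TCP 127.0.0.1:2207 (LISTEN)
cupsd 1898 root 3u IPv4 6663 TCP 127.0.0.1:631 (LISTEN)
cupsd 1898 root 4u IPv6 6664 TCP [::1]:631 (LISTEN)
cupsd 1898 root 6u IPv4 6667 UDP *:631
sshd 1912 root 3u IPv4 6711 TCP *:22 (LISTEN)
httpd 20084 apache 4u IPv6 7293 TCP *:80 (LISTEN)
httpd 20085 apache 4u IPv6 7293 TCP *:80 (LISTEN)
sshd 2101 root 5u IPv4 7001 TCP 192.0.2.10:22->192.0.2.20:51000 (ESTABLISHED)
"""

def listeners(lsof_text):
    """Map (command, proto, host, port) -> sorted PIDs for sockets awaiting traffic."""
    found = {}
    for line in lsof_text.splitlines():
        f = line.split()
        # SIZE/OFF is blank for sockets, so locate NODE (TCP/UDP) by value.
        idx = next((i for i in range(4, len(f) - 1) if f[i] in ("TCP", "UDP")), None)
        if idx is None or not f[1].isdigit():
            continue                      # header, blank line or non-socket row
        proto, name = f[idx], f[idx + 1]
        state = f[idx + 2] if idx + 2 < len(f) else ""
        if "->" in name or (proto == "TCP" and state != "(LISTEN)"):
            continue                      # connected socket, not a listener
        host, _, port = name.rpartition(":")
        if not port.isdigit():
            continue                      # e.g. "*:*", no port bound yet
        key = (f[0], proto, host.strip("[]"), int(port))
        found.setdefault(key, set()).add(int(f[1]))
    return {k: sorted(v) for k, v in found.items()}

def is_exposed(host):
    """True unless the bind address is loopback-only ("*" means every interface)."""
    if host == "*":
        return True
    return not ipaddress.ip_address(host.split("%")[0]).is_loopback

def exposed(lsof_text):
    """Listeners reachable from other machines, with forked workers merged."""
    return sorted((cmd, proto, port, pids)
                  for (cmd, proto, host, port), pids in listeners(lsof_text).items()
                  if is_exposed(host))
```

On the sample, `cupsd` shows up only for its UDP socket on `*:631`; its two TCP listeners are loopback-only and drop out.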

__netstat__ (Linux)

`sudo netstat -lp --inet --numeric-hosts`

```
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address State  PID/Program name
tcp   0      0      0.0.0.0:ssh     0.0.0.0:*       LISTEN 1912/sshd
tcp   0      0      127.0.0.1:ipp   0.0.0.0:*       LISTEN 1898/cupsd
tcp   0      0      127.0.0.1:2207  0.0.0.0:*       LISTEN 1886/python
udp   0      0      0.0.0.0:ipp     0.0.0.0:*              1898/cupsd
```

Where’s `httpd`? It should be there, and it is, when I exclude the `--inet` option:

```
Proto Recv-Q Send-Q Local Address Foreign Address State  PID/Program name
tcp   0      0      :::http       :::*            LISTEN 2038/httpd
tcp   0      0      ::1:ipp       :::*            LISTEN 1898/cupsd
```

__TcpView__ (Windows)

[Download](http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx) and start TcpView. From the menu, choose File > Save. Here’s the output from the file.

```
Process          Protocol Local Address          Remote Address State
svchost.exe:1064 TCP      jareds-xp:epmapi       jareds-xp:0    LISTENING
System:4         TCP      jareds-xp:microsoft-ds jareds-xp:0    LISTENING
svchost.exe:976  TCP      jareds-xp:3389i        jareds-xp:0    LISTENING
nxssh.exe:2032   TCP      jareds-xp:11000        jareds-xp:0    LISTENING
```

__netstat__ (Windows)

Note that this runs quite slowly on Windows.

`netstat -bva`

```
Active Connections

  Proto  Local Address           Foreign Address           State      PID
  TCP    jareds-xp:epmap         jareds-xp.mydomain.com:0  LISTENING  1064
  c:\windows\system32\WS2_32.dll
  C:\WINDOWS\system32\RPCRT4.dll
  c:\windows\system32\rpcss.dll
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\system32\ADVAPI32.dll
  [svchost.exe]

  TCP    jareds-xp:microsoft-ds  jareds-xp.mydomain.com:0  LISTENING  4
  -- unknown component(s) --
  [System]

  TCP    jareds-xp:3389          jareds-xp.mydomain.com:0  LISTENING  976
  -- unknown component(s) --
  c:\windows\system32\rpcss.dll
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\system32\ADVAPI32.dll
  [svchost.exe]

  TCP    jareds-xp:11000         jareds-xp.mydomain.com:0  LISTENING  2032
  [nxssh.exe]

  TCP    jareds-xp:3389          jareds-xp.mydomain.com:0  LISTENING  976
  -- unknown component(s) --
  c:\windows\system32\rpcss.dll
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\system32\ADVAPI32.dll
  [svchost.exe]
```

Security vs Privacy is false dichotomy

Jon Stokes, Senior Editor, Ars Technica [reported](http://voices.allthingsd.com/category/ed-giorgio/) on the following:

> “We have a saying in this business: ‘Privacy and security are a zero-sum game.’ ” Thus spake security consultant Ed Giorgio in a widely quoted New Yorker article on the U.S. intelligence community’s plans to vacuum up and sift through everything that flies across the wires.

Security expert Bruce Schneier wrote a [Wired article](http://www.wired.com/politics/security/commentary/securitymatters/2008/01/securitymatters_0124?currentPage=all) addressing the false dichotomy between security and privacy:

> I’m sure they have that saying in their business. And it’s precisely why, when people in their business are in charge of government, it becomes a police state.

> The debate isn’t security versus privacy. It’s liberty versus control.

> “Privacy no longer can mean anonymity,” says Donald Kerr, principal deputy director of national intelligence. “Instead, it should mean that government and businesses properly safeguard people’s private communications and financial information.” Did you catch that? You’re expected to *give up control of your privacy to others, who — presumably — get to decide how much of it you deserve*. That’s what *loss of liberty* looks like.

Returning to Jon Stokes, who [said](http://voices.allthingsd.com/category/ed-giorgio/):

> The story of Fidencio Estrada, a drug runner who bribed Florida Customs agent Rafael Pacheco to access multiple federal law-enforcement databases on his behalf, suggests that when it comes to the government collecting data on innocent civilians for law-enforcement purposes, privacy and security are essentially the same thing.

Read Office 2007 documents on Linux

I’ve had a few occasions where I’ve needed to read Microsoft Office 2007 documents, even though I don’t have Office 2007. There are several approaches.

Office 2007 stores its files as a zip archive, with XML files inside. This means that they’re somewhat human-readable. I’ve used `unzip` to extract the file, and poked around until I found the XML file that represented the document (`word/document.xml` for docx). This works fairly well for Word and PowerPoint documents, but I’m not so sure that it would be good for Excel files.
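The same approach in script form, as an added example that is not part of the original post: it reads `word/document.xml` straight out of the archive in memory, so nothing from a file received from someone else is unpacked to disk, and returns the text of each paragraph. The size cap, the DTD rejection and the function names are choices made for this example; the sample document is constructed inline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# WordprocessingML main namespace used by elements in word/document.xml.
W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
MAX_BYTES = 20 * 1024 * 1024  # assumed cap on the uncompressed document.xml


def docx_paragraphs(source, member="word/document.xml"):
    """Return the text of every paragraph in a .docx (path or file object)."""
    with zipfile.ZipFile(source) as z:
        info = z.getinfo(member)              # KeyError: not a Word document
        if info.file_size > MAX_BYTES:        # refuse decompression bombs
            raise ValueError("document.xml exceeds the size cap")
        data = z.read(info)
    if b"<!DOCTYPE" in data:                  # OOXML parts carry no DTD
        raise ValueError("unexpected DTD in document.xml")
    root = ET.fromstring(data)
    paragraphs = []
    for p in root.iter(W + "p"):
        parts = []
        for node in p.iter():
            if node.tag == W + "t":           # a run of text
                parts.append(node.text or "")
            elif node.tag == W + "tab":
                parts.append("\t")
            elif node.tag in (W + "br", W + "cr"):
                parts.append("\n")
        paragraphs.append("".join(parts))
    return paragraphs


def sample_docx():
    """Constructed sample: an archive holding only the member read above."""
    ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    xml = (f'<w:document xmlns:w="{ns}"><w:body>'
           '<w:p><w:r><w:t>Quarterly</w:t></w:r>'
           '<w:r><w:tab/><w:t>report</w:t></w:r></w:p>'
           '<w:p><w:r><w:t xml:space="preserve">Second </w:t></w:r>'
           '<w:r><w:t>paragraph</w:t></w:r></w:p>'
           '</w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", xml)
    buf.seek(0)
    return buf
```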

Novell has provided a [converter](http://odf-converter.sourceforge.net) that converts Office 2007 documents to Open Office documents, and allows Office 2007 to save in Open Office format. The command line converter appears to work well, in my limited experience. Thanks to [this blog post](http://www.oooninja.com/2008/01/convert-openxml-docx-etc-in-linux-using.html), here’s how I installed it on a Fedora/RedHat system:

* `mkdir converter`
* `cd converter`
* `wget http://download.go-oo.org/red-carpet/ooo-680/sled-10-sp-i586/odf-converter-1.1-7.i586.rpm`
* `rpm2cpio odf-converter*rpm | cpio -ivd`
* `sudo cp usr/lib/ooo-2.0/program/OdfConverter /usr/local/bin`
* `cd ..`
* `rm -rf converter`

Run it as follows:

* `OdfConverter /i example.docx`

Windows users with MS Word 2000, 2002 or 2003 can install the [Microsoft Office Compatibility Pack](http://office.microsoft.com/en-us/word/HA100444731033.aspx). For those without MS Word, there’s the read-only [word viewer](http://www.microsoft.com/downloads/details.aspx?FamilyId=3657CE88-7CFA-457A-9AEC-F4F827F20CAC&displaylang=en).

Mac OS X Tiger office applications reportedly open Office 2007 documents.

Mac, Linux and FreeBSD users can use an online document conversion service such as [http://www.docx2doc.com/](http://www.docx2doc.com/) and [http://docx-converter.com/](http://docx-converter.com/) — with the caveat it may be unwise to submit confidential or proprietary documents to a third party.

Palm TX: There’s more than one way to install an application

When I got my Palm TX, I didn’t realize that the Palm Desktop software wasn’t completely compatible with Windows Vista. For example, I can’t install new palm apps via hot syncing. Here are some alternative install paths:

1. Attach the pdb files to an email, and send it to myself. Use VersaMail to retrieve the message, and install the pdb attachments.
1. Use the web browser to download and install a pdb file.
1. Have someone beam it using the IR interface.
1. Have someone send it using bluetooth.
1. Install from an SD card. I haven’t verified that this works.

While I’m at it, it seems like configuring Linux to hotsync with Palm devices can be a pain. As an alternative, I think I’ll get an SD card and use [nvbackup](http://handypalmstuff.sourceforge.net/) to back up to SD, and then copy the backup from SD to my Linux box and use it with JPilot.

There’s more than one way to do things, especially for a Palm equipped with built-in WiFi, bluetooth and an SD expansion card.

Disk Encryption: Not as secure as I thought

Apparently, it’s easier than I thought to recover disk encryption keys from a stolen laptop computer. The attack works against “several popular disk encryption systems: BitLocker (a feature of Windows Vista), FileVault (a feature of Mac OS X), dm-crypt (a feature of Linux), and TrueCrypt”. Watch the demonstration video at [http://citp.princeton.edu/memory/](http://citp.princeton.edu/memory/).

> The root of the problem lies in an unexpected property of today’s DRAM memories. DRAMs are the main memory chips used to store data while the system is running. Virtually everybody, including experts, will tell you that DRAM contents are lost when you turn off the power. But this isn’t so. Our research shows that data in DRAM actually fades out gradually over a period of seconds to minutes, enabling an attacker to read the full contents of memory by cutting power and then rebooting into a malicious operating system.

Encrypting a disk drive _does_ increase the confidentiality of data. It’s just not as secure as once thought.

Sidenote: Software and hardware based [key loggers](http://en.wikipedia.org/wiki/Keystroke_logging) can reduce the security of encryption as well.

‘iotop’ shows top I/O consumers

Want to know why your Linux box is sluggish? Some program is probably hogging disk I/O. I just discovered a cool utility that shows what programs are using the most disk I/O: [iotop](http://guichaz.free.fr/misc/). To install it on Fedora, run

yum install iotop

Otherwise, download and run [iotop.py](http://guichaz.free.fr/misc/iotop.py) — it requires Python 2.5+ and Linux kernel 2.6.20+

Evince broken: unhandled x-extension-pdf

On Linux and the Gnome Desktop, Evince is the default application for viewing Adobe Acrobat (PDF) files. Recently, it started giving me the message “Unhandled MIME type: ‘application/x-extension-pdf’”. Here’s how I fixed it.

1. Edit `$HOME/.local/share/mime/packages/Override.xml`
2. Replace `application/x-extension-pdf` with `application/pdf`
3. Run `update-mime-database $HOME/.local/share/mime`

[Reportedly](http://www.mail-archive.com/evince-list@gnome.org/msg00485.html), a bug in the Nautilus file manager causes this behavior.

XRandR in Fedora 8

Fedora 8 ships XRandR 1.2 (the X Rotate and Render Extension), which makes it possible to render a screen onto an overhead projector, among other things. Here are instructions on [how to do useful things with XRandR](http://www.thinkwiki.org/wiki/Xorg_RandR_1.2#Using_xrandr_to_do_useful_things) (not Fedora specific). For now, control of XRandR is handled through the command line. In Fedora 9 or 10, there will likely be better user interfaces to configure XRandR.

Security Lessons from Dick Marcinko

In January, [Dick Marcinko](http://www.dickmarcinko.com/) spoke to my company. Here are some of the lessons that I drew from his hard-to-follow speech:

Most importantly, he said, there is no substitute for human intelligence.

Attackers can…

1. defeat security systems, such as locks, by replacing them with their own security system in advance of a break-in. Security response will trust in their security system to help catch or contain attackers, not realizing that it was replaced and turned to the service of the attacker.
1. use decoys to mislead security response. For example, crews might defuse one bomb and forget to look for a second one.
1. attack during noisy, chaotic, busy times, like shift-change. (My note: Hackers like to hide their malware on busy networks and on busy file servers, such as in university or ISP networks.)
1. trip alarms to assess response capabilities. Once assessed, booby-trap the response capabilities so they are ineffective.
1. evade security systems. TSA secures airports from passengers, but what about securing airport construction sites and access? America’s ports and waterways are largely unprotected.

Vista’s VirtualStore silently causes problems

When our household bought a Vista laptop, I migrated our install of Quicken 2002 to the new computer. My wife and I have separate accounts, and we update the checkbook separately. When she went to balance the checkbook, she noticed that my entries were missing.

On further investigation, it turns out that when I run Quicken, I can see my entries, but not hers. When she runs Quicken, she sees her entries, but not mine. It appeared that we were using two different databases. Quicken 2002 is supposed to write its files to the `c:\Program Files\QUICKENW` directory. I had given each of our non-Admin users access rights to write to that directory. I installed [Process Explorer](http://download.sysinternals.com/Files/ProcessExplorer.zip) so that I could see what files Quicken had open, and their location. It turns out that Quicken was writing its files to `C:\Users\[USERNAME]\AppData\Local\VirtualStore\Program Files\QUICKENW\`. Why was it doing that? What is this VirtualStore thing?

Apparently, Windows Vista enforces security policy and doesn’t allow applications to write to C:\Program Files. Instead, it redirects badly behaved applications, like Quicken 2002, to write files to a per-user [VirtualStore](http://www.google.com/search?q=vista+virtualstore) directory, and it does this silently (for backwards compatibility). I wish Vista had simply denied write access to Quicken, so I would have known that there was a problem early on, before getting into this mess of having two diverging checkbook databases. I like the additional security that Vista enforces, but it’s inconvenient in subtle and exasperating ways.

Now I need to figure out how to merge our separate copies of the checkbook.

Update: I never did merge the two Quicken databases.
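A check that would have surfaced the silent redirection early, as an added example that is not part of the original post: it walks every profile's VirtualStore, maps each redirected file back to the path the program believed it was writing, and reports files that more than one user holds a private copy of. It assumes the directory under VirtualStore mirrors the path from the drive root, as in the Quicken path above; the function names, user names and the data file name `QDATA.QDF` are hypothetical.

```python
import hashlib
from pathlib import Path

VSTORE = Path("AppData", "Local", "VirtualStore")


def _sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def redirected_files(users_dir, drive_root):
    """Return sorted (relative_path, user, status) for each VirtualStore file."""
    rows = []
    for profile in Path(users_dir).iterdir():
        store = profile / VSTORE
        if not store.is_dir():
            continue
        for copy in (p for p in store.rglob("*") if p.is_file()):
            rel = copy.relative_to(store)
            real = Path(drive_root) / rel     # where the program thinks it wrote
            if not real.is_file():
                status = "only in VirtualStore"
            elif _sha256(real) == _sha256(copy):
                status = "same as real file"
            else:
                status = "differs from real file"
            rows.append((rel.as_posix(), profile.name, status))
    return sorted(rows)


def split_across_users(rows):
    """Relative paths that more than one user has a private copy of."""
    owners = {}
    for rel, user, _ in rows:
        owners.setdefault(rel, set()).add(user)
    return {rel: sorted(u) for rel, u in owners.items() if len(u) > 1}


def build_sample(root):
    """Constructed sample tree: two users, each with a redirected data file."""
    real = Path(root, "drive", "Program Files", "QUICKENW")
    real.mkdir(parents=True)
    (real / "QDATA.QDF").write_bytes(b"as installed")
    for user, data in (("alice", b"alice's entries"), ("bob", b"bob's entries")):
        d = Path(root, "Users", user) / VSTORE / "Program Files" / "QUICKENW"
        d.mkdir(parents=True)
        (d / "QDATA.QDF").write_bytes(data)
    return Path(root, "Users"), Path(root, "drive")
```

On the Vista machine this would be called as `redirected_files(r"C:\Users", "C:\\")` from an account that can read every profile.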