Saturday, 31 January 2015

Cuba - Internet, currency, and other things

Just a month and a bit before the United States began to open up dialogue with Cuba, my girlfriend and I took a trip to Varadero and Havana. For years, we had discussed going there and I had been wanting to visit the country for some time (as Canadians, entering and exiting Cuba is fairly uneventful), so we decided that we'd finally go.

Me (back-facing, right) wandering the streets of Havana.

If you get the chance to go, I highly recommend that you do so. If you're American and can go now, I am also envious of your alcohol and tobacco allotment--I'll explain a bit later on.

Some of the photos in this post were taken by my girlfriend (including the one above).

The Internet and Mobile Phones

At least for tourists, access to the Internet was rather easy to come by, but on the flip side it was not cheap. No free Wi-Fi was readily available wherever we stopped; since the market was controlled by the state, so too were all the goodies.

The Varadero airport left much to be desired too. Also this is how the West protests.
For 30 minutes of Internet access, you had to pay 4 CUC (about $4 USD). Internet can be purchased either in 30-minute or 1-hour blocks. Only cash is taken for access as you are required to speak to a person to get an access card--it should be noted that I don't recall seeing a single vending machine for anything while there.

Typical 1-hour access card. (Source)
The access card contains a one-time code you scratch to reveal and details on how to connect to the wireless network. Upon connecting and opening your browser, you get a standard paywall that you are required to identify yourself to. You then enter your code and the clock begins to tick away. If you disconnect from the wireless network or sign out via the paywall, your remaining time is valid for up to 30 days. You cannot share the code either without having the previous device disconnected.

I had no trouble accessing any Western media outlets, nor did I run into trouble viewing my favourite websites. Connecting to my home computer via SSH did not create any troubles either. However, knowing the state that Cuba is, I would not be surprised if my actions were monitored the whole time I was signed in. Having said that, my name was never attached to the code that I purchased either, so in some ways I was anonymous.

I did not investigate any further what sort of setup there was but the access points were from Huawei (much like a lot of equipment I saw in Cuba).

The price may seem expensive but it is nowhere near as bad as trying to use your mobile phone. Upon my landing in Varadero, I was sent a text by my carrier, informing me that calls would be $3-4 CAD per minute and that all outgoing texts would cost me $1.50 CAD. But then the data cost came up: $20 CAD per MB--to put that into context, an Ubuntu ISO would cost me $19,500 CAD just to download.

So yeah. Stick with using the Wi-Fi there.


Cuba has two currencies: the Cuban Peso and the Cuban Convertible Peso (CUC). The Peso in itself is really meant for the locals and cannot be converted to CUCs or any other currency, but CUCs themselves can be converted to Pesos (for nationals only) or a foreign currency--including American Dollars. When we were there, we were informed that the Peso would be retired in favour of the CUC much to the delight of Cuban residents--CUCs have incredible buying power there.

You'll need cash to buy hand-made goods.
That aside, I wanted to write about acquiring the CUC notes as it is different than anywhere I've gone before and I had made a quip last week about how it was less complicated than Bitcoin.

Before leaving the country, it's considered best practice to load up on whatever your local currency may be--assuming you have a reserve currency like a Euro, US Dollar, Canadian Dollar, or Pound Sterling. At the hotel, you can bring up your money to the front desk and they will record how much money, your name, and what hotel room you had in a ledger. The exchange itself would be whatever the CUC translates into from your currency plus a fee of a few percentage points--no more than 5% I believe. This is the easiest way to do this.

However, if you end up being away from your hotel, acquiring CUCs requires you to go to a Cuban state bank branch. Upon your arrival, you will wait in line and will require your passport to retrieve any cash. They'll record your passport number in a ledger alongside your name and the amount you took out, plus the aforementioned fee.

All of these prices are in CUCs and are more or less equal to the US dollar.
It's really just that and far simpler than Bitcoin. I do however suggest not exchanging your currency back from CUCs as you'll be doubling up your fees--I did spend the $450 CAD I brought with me but I didn't exchange it all at once.

One other thing: credit cards. If you have a credit union-derived credit card in Canada, it will work--this goes the same for most banks from my country as well. If your credit card is from an American-based network like Capital One or Chase for example, it won't. This is likely to change soon under the new relationship we're seeing between the United States and Cuba.

Alcohol and tobacco

Alcohol is dirt-cheap in Cuba. How cheap? Well, a 750 mL bottle of Havana Club 7-Year Old costs $34 CAD for me in Vancouver, but was just 8 CUC (or, as mentioned before, $8 USD) at the grocery store we went to in Varadero. Earlier, when I mentioned that I was jealous of the alcohol allotment that Americans were getting, I was not kidding about it. You can get a serious amount of decent rum for the $100 limit that is being set.

Having mojitos at the same hotel Jimmy Carter once stayed at
Rum is open-poured everywhere and they make it easily accessible for you if you're a tourist. Personally, I am not a fan of Havana Club now, having tried other Cuban rums, but anything from the island is still the most superior of the Caribbean. If you get a chance, try Santiago de Cuba or Santero, which are both just as cheap.

Foreign liquors, as you might not be surprised to learn, are not cheap and seem to match the prices here at home.

Cristal and Bucanero beer.
Beer in Cuba is also easy to find but admittedly not as good. Bucanero and Cristal are the most common and at the resort we stayed at, Cristal was dominant. Foreign beers, just like foreign liquors, are available but the cost is significantly higher.

One of many cigars I picked up.
Tobacco, while plentiful in Cuba, is not as cheap as the rum and beer. Twelve cigars will run you about 85 CUCs. Having said that, the smell is awesome.

Other things

There were a few other things I can remark on that were interesting.

The stage it was sitting on was of even worse quality.
Expect to find that everything in Cuba is either hand-made or made to at least be repairable at the cheapest cost. Electrics take on a laissez-faire sort of approach wherein it was not uncommon to find things that otherwise would never pass code back here at home. My favourite was the wooden electrical strip (pictured above) which was being used by the DJ at the resort on random nights.

The "reader" made it look like a Japanese manga. I did not look at it.
Books that were available to tourists tended to be about Cuban revolutionaries and are usually in either English, Spanish, or Russian.

The airport's only highlight was literally this.
They're also a tad more liberal about acquiring pharmaceuticals. At the Varadero airport, I had the ability to purchase Valium or Viagra without a prescription. I have to wonder how Canadian customs would have felt if I had tried to bring that back home.


I'll close off with this:

The water is nice and warm too.
About 150-200 km from where I took this photo lay the United States. It just seemed tragic that for over half a century, the two countries were not on speaking terms yet were so close physically.

If you get the opportunity to visit Cuba, go. You will not have a bad time and you will want to come back.

Thursday, 22 January 2015

Taking back my money from Bitcoin -- an adventure with the BTC ATM

This opening image sums up my 'fun' with the Bitcoin ATM

Over a year ago, I had written about using the world's first Bitcoin ATM--run by Bitcoiniacs. At the time it was a pretty unique experience because never in my life have I ever had to have someone process a transaction manually for an 'automated teller machine'--not sure how this term even makes sense for what the machine does but I digress. However, I did drop $20 CAD into the machine and then promptly watched over the course of the past year and a bit the value go as high as $120--I had purchased 0.094 BTC.

To make matters even more interesting, I apparently showed up in the New York Times' website after they used a photo from that day for an article.

I'm the fellow in the centre holding a phone, wearing a black jacket
Gone is the day where there was a line-up waiting to try out this newfangled ATM, a first of its kind it was touted as. I didn't need to wait 15 minutes for some guy on a laptop to its left to process my transaction as it was instead sitting idle, waiting and perhaps begging for someone to be interested in it.

However, a lot of things have changed: the machine no longer wanted to scan my palm in order to identify me. Instead, it asked for me to sign up with my mobile phone number, enter a PIN of my choice and then confirm, and then enter a six-digit number it sent via SMS. To add to that, it asked for a scan of my ID--however the ID scanner was broken and I was just asked to point whatever I identified with to the web cam above the screen.

Post-It Notes are quite professional
Also what the heck happened to the palm scanner and what did they do with that information?

Since I suspected I had either gone dormant with them or they had just completely ditched old data, I went along with using my new account. However, it had no details about who I was and told me that I would have to send money to an address it specified and then wait for it to be confirmed.

I've used ATMs in so many countries and in every case it's a matter of inserting my card, feeding it some numbers to identify that it's actually me (hopefully), and then magically money comes out if I have enough of it in whatever currency it may be--the only thing I need to be concerned about is if my card is compatible with the network it uses. In the Bitcoin world, you have to make sure you have your Bitcoin wallet set up on your phone or you need to bring something that can make a transaction (such as a laptop or maybe a tablet), you then need to tell your wallet to send the money to an address the ATM specifies, wait for it to be confirmed by at least one other address, and then magically the ATM will let you pull it out when it's good and ready.

This more or less describes Bitcoin
How long does it take to retrieve real, useful money from an actual money ATM? Well maybe a few minutes but rarely have I needed to spend more than 45-60 seconds to get my money out and the majority of the time is just waiting for the machine to talk to my financial institution.

With this BTC ATM? It took me 25 minutes but only once I had gone through a bunch of hoops. The only place on Earth I've experienced where real, actual money has even come close to taking as long from starting a transaction and finishing it was when I was in Cuba and had to get some extra CUCs (Cuban Convertible Pesos) as I had run out and wanted to exchange my Canadian currency for it--I've been meaning to write about being a tourist in Cuba for a while and at some point I will.

Here's how it went down step by step:

I show up at the ATM and immediately discover I have to create an account to use it. Fine. So I go through the process I had outlined earlier. Now I have an account with them and then attempt to withdraw money--it is at this point I realise I need a Bitcoin application on my mobile phone.

I downloaded the default Bitcoin application and find out that I cannot enter my private key easily so I opt to download Mycelium after searching around via Google to find one that would just let me do that. Why is it that a non-mainstream Bitcoin wallet is needed to do something as simple as enter a private key? I am sure it is doable if I connect my phone via ADB, but that's ridiculous.

In the meantime, I've left the coffee shop and gone to grab a slice of pizza from a place around the corner using real, physical money. How long did the transaction there take? Probably 2 minutes as I was having the pizza reheated in their oven.

The related apps made me raise my eyebrow a bit
OK. Great. I have downloaded the supposedly useful Bitcoin application and now managed to enter my private key. Time for me to go back to the coffee shop and extract that money.

As you can see, 8 minutes have passed since I had downloaded and installed the wallet application--and for reference, I started at around 12 PM.

Oh. But now there's a new catch: the ATM won't be able to do anything until you've had at least one confirmation. How long does it take for one to occur? Well here's what the app shows at this point:

Four minutes have passed since I sent the BTC to the address the ATM told me to. OK. What shall I do? I guess I'll go check out the comic book store around the corner and see what's new. That will occupy enough time right?

Great. I've avoided spending any real money at the comic book store and finally have a confirmation--the confirmation itself did not appear for 5 minutes after it came to be. Back to the coffee shop I go!

I do the same process again: sign in, request some money, and immediately get told that I have insufficient funds. At this point I am pretty much near "fuck this" and am considering going back to the office but I now see I have another confirmation!

OK. Let's try this again. Oh. What is this?

I have $23.24 available for me to withdraw! Finally! What time is it now? 12:45 PM? What time did I start? 12:00? Did I wait in a queue to use this thing like the last time? No? What the hell.

/r/actualmoney is going to go nuts after they see this
Seriously, real money doesn't require this much effort and getting a bank account isn't this painful either.

What a fucking dumb experience this was.

Edit - 20:43 PDT:

I forgot to mention that there was a funny flaw I found in the ATM: if you enter your phone number and PIN, then wait for the SMS to come but cancel out, you can do the same process again, have it send you a code again but use the unused code from before. You cannot however reuse a code that was sent.
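The flaw noted in this edit (an earlier, unused SMS code staying valid after a fresh one has been sent) is shown below next to a hardened store. This is an added example, not the ATM's actual code; the class names, the 120-second lifetime and the five-attempt limit are assumptions made for illustration.

```python
import hmac
import secrets
import time


def _new_code() -> str:
    return f"{secrets.randbelow(10**6):06d}"    # six digits, as in the post


class LeakyOtpStore:
    """Models the flaw: every code sent stays valid until it is used."""

    def __init__(self):
        self._codes = {}                        # phone -> set of outstanding codes

    def issue(self, phone: str) -> str:
        code = _new_code()
        self._codes.setdefault(phone, set()).add(code)
        return code

    def verify(self, phone: str, code: str) -> bool:
        outstanding = self._codes.get(phone, set())
        if code in outstanding:
            outstanding.discard(code)           # a used code cannot be replayed
            return True
        return False


class SingleOtpStore:
    """Hardened: one live code per account, replaced on re-issue, expiring."""

    def __init__(self, ttl=120.0, max_attempts=5, clock=time.monotonic):
        self._ttl, self._max, self._clock = ttl, max_attempts, clock
        self._pending = {}                      # phone -> [code, expiry, tries left]

    def issue(self, phone: str) -> str:
        code = _new_code()
        # Overwriting the entry is what invalidates any earlier unused code.
        self._pending[phone] = [code, self._clock() + self._ttl, self._max]
        return code

    def verify(self, phone: str, code: str) -> bool:
        entry = self._pending.get(phone)
        if entry is None:
            return False
        expected, expiry, tries = entry
        if self._clock() > expiry or tries <= 0:
            del self._pending[phone]            # expired or guessed too often
            return False
        if hmac.compare_digest(expected.encode(), code.encode()):
            del self._pending[phone]            # single use
            return True
        entry[2] = tries - 1
        return False
```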

Monday, 19 January 2015

Discovering and remediating an active but disused botnet

On a network I help manage, we kept getting malicious DNS alerts for “” on an appliance we had installed. Due to the way the network was configured, we were able to see the name request coming in but no traffic activity. This was unusual because the appliance was configured to monitor all traffic, so why was it not picking up anything further than what it was reporting? Why didn’t the supposed malware connect? Resolving the domain led to an answer:

This explains why the alerts were only coming up as DNS and not capturing any traffic to the domain. The question now is: who owns it?

So the domain doesn’t exist any longer. This became even more unusual because why would malware be connecting to a non-existent domain? Did the domain lapse? Did the botnet get shut down? Well, it did: as it turns out, the specific malware using the domain also used other domains, and they were shut down.
Since the domain was no longer in the possession of anyone and I was seeing attempts to reach it, I decided that the best course of action was to acquire the domain so DNS could be controlled and to also satisfy a curiosity if the malware was still active. The domain was purchased and then immediately I pointed the domain at a server I had in a data centre operated by a friend of mine.

Using ‘tcptrack’, I was able to see that there were a number of machines still looking for this domain. They were all attempting to connect to my machine on port 2009. Now we can just use ‘nc’ to listen on that port to see what is being requested.

Quite the password for this IRC server it was once being controlled by.

I then compiled a simple IRCd and then watched as they all connected.

Immediately I had hundreds of machines ready to do my bidding if I so chose. I let it sit for a bit and at its peak, I had about 325 machines. All of them were identified with their OS, country, and then a random code. Here are some statistics on where the machines were located:

  • Argentina, 5.00%
  • Brazil, 0.45%
  • Chile, 5.91%
  • Colombia, 1.36%
  • Malta, 0.45%
  • Mexico, 73.18%
  • Peru, 2.73%
  • Spain, 14.55%
  • Venezuela, 1.36%

Once satisfied with the reconnaissance, I went and pointed the domain at an internal server and discovered the location of the machine and had it remediated as usual.

An abuse complaint did however come in during the time I was investigating the issue so while the domain had since fallen out of use, someone was still monitoring it. The domain has since been pointed to the ShadowServer guys for them to remediate any machines that are still remaining.
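Pointing the domain at an internal server only locates the infected machine if that server records who connects. The listener below is an added example (not the tooling used in this post) that accepts connections on port 2009, logs the source address and any IRC NICK/USER lines the client sends, and never replies; the class and function names are hypothetical, and the nickname in the usage comment is constructed.

```python
import socket
from collections import Counter
from datetime import datetime, timezone


def parse_irc_registration(data: bytes) -> dict:
    """Extract NICK/USER from the first bytes an IRC client sends."""
    fields = {}
    for line in data.decode("latin-1").splitlines():
        cmd, _, rest = line.strip().partition(" ")
        if cmd.upper() in ("NICK", "USER") and rest:
            fields[cmd.upper()] = rest          # PASS is deliberately not stored
    return fields


class Sinkhole:
    """Passive listener: accepts, records, never sends a byte back."""

    def __init__(self, host="0.0.0.0", port=2009):
        self.events = []
        self._sock = socket.create_server((host, port))
        self.port = self._sock.getsockname()[1]

    def _handle(self, conn, src_ip):
        with conn:
            conn.settimeout(5)                  # do not hang on silent clients
            try:
                data = conn.recv(512)
            except OSError:
                data = b""
        self.events.append({"time": datetime.now(timezone.utc).isoformat(),
                            "src": src_ip, **parse_irc_registration(data)})

    def serve(self, max_conns=None):
        """Accept connections until max_conns is reached (None = forever)."""
        handled = 0
        with self._sock:
            while max_conns is None or handled < max_conns:
                conn, (src_ip, _port) = self._sock.accept()
                self._handle(conn, src_ip)
                handled += 1

    def hosts(self) -> Counter:
        """Connection count per source address: the machines to remediate."""
        return Counter(e["src"] for e in self.events)


if __name__ == "__main__":
    sink = Sinkhole()                           # 2009 is the port named in the post
    try:
        sink.serve()
    except KeyboardInterrupt:
        # e.g. a constructed client sending "NICK [XP|MX|00042]" shows up here
        for ip, count in sink.hosts().most_common():
            print(ip, count)
```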