Clinically Awesome

Alice In Wonderland

Sat, 06 Mar 2010 23:34:52 -0800

Saw “Alice In Wonderland”. Meh. Glad I didn’t pay to see it in sphincter-puckering IMAX 3D. The casting was good, the acting was good… I just felt that it wasn’t engaging.

Properly Deploying a Private CA Cert in Ubuntu

Thu, 25 Feb 2010 21:59:48 -0800

I think the true strength of the certificate PKI is the ability to set up a CA for your organization and mint your own certs. You get the advantage of proper certificate validation without the cost of paying a third party to validate your identity (snicker).

There are copious sets of instructions on how to create your own CA but I had a very difficult time finding proper instructions on deploying the cert to clients. Most of them simply say, “post it on your web server, visit it in your browser, then click Trust.” That’s fine on your computer but what about a larger organization. Are you going to just tell all your users to do this and expect them to get it done? What about multiple browsers? That kind of solution just doesn’t scale.

In my personal environment my clients are Ubuntu Karmic. I’ve seen some kind of hackish solutions where you put the cert in /etc/ssl/certs then add softlinks or run c_rehash if you’ve read some man pages. After searching the Internet and not getting far I finally started digging through /usr/share/doc/ca-certificates and found the README.Debian file. It states that the proper way to install private CA certs is to put them in /usr/local/share/ca-certificates and ensure that the names end in .crt. Once that’s done you run update-ca-certificates and the appropriate linking is done for you. With that complete you may need to start your various clients but it should be working for your command line web tools and graphical browsers.

I said visiting a URL in the browser and having users click through dialog boxes was unrealistic. Frankly, it’s cumbersome, but is copying the file out to each machine and running a command any better? Because I run cfengine, absolutely! My additions look something like this:

control:

    AddInstallable = ( ... NewCACert  )
...
directories:
    /usr/local/share/ca-certificates owner=root group=root mode=0666
...
files:
...
   $(masterfiles)/CA/cacert.pem
      dest=/usr/local/share/ca-certificates/lub-dub_CA.crt
      mode=0444
      owner=root
      group=root
      inform=true
      encrypt=true
      define=NewCACert
      server=$(policyhost)
...
shellcommands:
...
   NewCACert::
      "/usr/sbin/update-ca-certificates"

The only thing missing is the fact that while my desktop systems are Ubuntu my server systems are Debian Lenny. The Karmic version of ca-certificates is 20090814 while the Lenny version is only 20070303. The update-ca-certificates script in the Lenny version doesn’t look in /usr/local/share/ca-certificates so I’ve had to add that myself.

The Secret Life of Chaos

Sun, 21 Feb 2010 17:09:06 -0800

The Secret Life of Chaos:

If you’re even remotely interested in science or mathematics, set aside an hour to watch this.

ideasareawesome: The Vendor Client relationship - in real world...

Fri, 19 Feb 2010 13:43:30 -0800

ideasareawesome:

The Vendor Client relationship - in real world situations (via zeorge497)

Mitre's 25 Most Dangerous Programming Errors

Wed, 17 Feb 2010 20:26:00 -0800

Mitre's 25 Most Dangerous Programming Errors:

I look at those things and I fear that people will look at it as “Oh, as long as I do these n items I’m fine.” Those people convince themselves they’re safe when they’re not. If your application has error #26, or #52, or #375, it’s still broken, it’s still insecure. The attackers don’t care if your application has RFI, SQL injection, or has a backdoor account. Anything that lets them in is fine.

In my mind I criticize these kinds of lists but really I think usually the people that make those kinds of lists are earnestly trying to help people and improve the situation. I just think their approach is futile. Then I ask myself if I have a better solution and of course I don’t.

I wonder how long each of the programming errors on that list have been spoken about on the Internet as a hazard. I’m sure each one has been discussed ad nauseum on lists like this for a few years at least. Still, we have programmers who don’t care, programmers who don’t bother reading the list, programmers not aware of the list, and “programmers” who wouldn’t understand the list if it were right in front of them. There is an endless supply of new, bad, and apathetic programmers to replace any corrected by such lists.

Do lists like this make things any better?

Microwave + RFID = Plasma

Mon, 15 Feb 2010 21:13:08 -0800

It would appear that RFID chips in a microwave make plasma, and plasma melts glass microwave turntables. While I understand the latter, I was not expecting the former. The impressive thing was it kicked off at about 2.5 seconds. I wonder if it would have been “safely” destroyed in a glass jar submerged in water, this being a bank card.

Hopefully I’ve never made claims that I’m notably smarter than anyone else.

PCI

Fri, 12 Feb 2010 15:50:00 -0800

The security of a transaction-processing network varies inversely with the value the operators place in PCI.

Apply directly to brain.

Tue, 09 Feb 2010 18:27:36 -0800

Apply directly to brain.

0(mfg)day

Tue, 09 Feb 2010 18:04:00 -0800

The term 0day has lost any significance in meaning. The original meaning was that a public vulnerability disclosure was made and the same day someone produces a working exploit.

Now 0day can mean a lot of things. It usually means something to the effect of “an exploit for which there is no patch available” but depending on who you ask it might mean “an exploit that’s leet because I wrote it”.

I’d like to throw some terms out here that are much more sensible than 0day. The scary thing about 0day is that there’s isn’t a fix for it. Perhaps in one situation it’s because no one knows about the vulnerability. Maybe the exploit was discovered being used in the wild. In any case, the fear is not that some shadowy person or organization has an exploit that they aren’t sharing; the scary thing is that there’s no fix. It is an unpatched vulnerability. If last Wednesday there was an announcement on bugtraq of a vulnerability in Flash, and today you got hacked (because it’s not Adobe’s Patch October yet) you didn’t necessarily get hacked by 0day. You got hacked by an unpatched vulnerability. Maybe the exploit was created the day of the announcement, maybe it was created days later. It doesn’t matter. You got breached because there was no fix and you didn’t disable Flash.

The term unpatched vulnerability is being used here and there on the Internet already. A term that isn’t being used but really should be is proprietary exploit. At the time of this writing a google search for “proprietary exploit” (quotes included) returns 449 results. When people talk about 0day exploits because they want to sound cool, what they’re often thinking of are proprietary exploits. These are exploits that aren’t being shared. Maybe the vulnerability isn’t patched, maybe it’s not even publicly known. That’s really the essence of the threat with proprietary exploits: maybe people are breaching your systems using attacks your scanners can’t detect because no one even knows there’s a vulnerability. That’s why people use the term wanting to sound cool, “I’ve got 0day so you can’t keep me out.” Perhaps after some high-profile compromise (Google/Aurora) people will capture samples of the exploit code and figure out what the vulnerability is.

Anyway, the purpose of this is not to inspire fear for threats you can’t fully defend against. I’m just sick of the term 0day and the way it’s used by people who don’t know what they’re talking about. If you understand the difference, will you pick terms with less ambiguity and media baggage?

Lock Picking Observations

Sun, 07 Feb 2010 20:00:22 -0800

In a previous comment I noted that I intended to share my observations on beginning lock picking. I’ve only really been raking so far, not per-pin picking.

First, it’s very easy to apply too much pressure to the torsion wrench. Start by applying just a little bit of pressure and slowly increase the pressure. The wrenches with the half twist will absorb some of the pressure by bending so they may be a good choice while you get a feel for the right amount of pressure. The downside is that you lose some of the sensitivity of what’s going on with the plug. While I was getting a feel for it I would vary the pressure as I was raking. Sometimes I would let up to much and give up pins I had set, sometimes I would press too hard and false set some pins. Eventually my hands learned the proper range of pressure. If you eat sushi I think the right pressure range is what you might use picking up a cut roll with chopsticks. If you don’t eat sushi, you’re missing out.

Second, the raking pressure should also be pretty light. I think of it like brushing teeth. You’re not trying to rub your gums off but you are trying to remove plaque. Raking too hard has less of a negative impact than applying too much torsion.

Third, don’t try to hard. The more you work at it the less success you have. Keep your practice lock, torsion wrench, and pick/rake at your desk. Pick them up and fiddle with them when you’re thinking or need to take a break. Just don’t focus on it. Your hands need to figure things out on their own. I found that my first half dozen or so times getting my practice lock I was absently fiddling and had no idea what I had done to make it work. Every time I’d try to figure it out and get nowhere. When I stopped paying attention I eventually found that my hands just knew what to do.

4chan

Sun, 07 Feb 2010 16:35:00 -0800

4chan is an Internet fever dream.

Vint Cert on Cloud Computing: Everything Old Is New Again

Fri, 05 Feb 2010 08:43:26 -0800

Vint Cert on Cloud Computing: Everything Old Is New Again

Spoofing For Charity... or Not

Thu, 04 Feb 2010 17:01:40 -0800

The media is reporting a lot about SMS charities. You send a text message to a certain number and your cell phone company bills you $10 or whatever. The company keeps a percentage or flat fee and passes the rest on to a charity. It’s a very convenient way for charities to get money. Of course it’s huge for Haiti charities.

What if you set up your own SMS “charity”. Then you get yourself a PBX system that can send text messages with whatever caller/sender number you want. You then send out texts to thousands of cell numbers with the caller/sender as your charity number. The messages you send are those that are likely to illicit a response, even if just a “WTF?”. Perhaps they say, “Where are you?” or “Who is this?” or “I just found out she’s bi” or “Mom’s dead” (thanks Aaron). People reply to ask you who you are or what you’re talking about and boom you just made $10.

Maybe if you’re nice(ish) you spoof the number of a real charity. Of course, a lot of those people would want it taken off their bill which means it would have to be taken back from the charity. This would really be the opposite of nice(ish).

Ain't No Mountain High Enough

Mon, 01 Feb 2010 13:06:50 -0800

Some of my friends know that I have clinical depression. For the most part I have it licked; I was on medication for a couple years while I learned how to deal with it. Now I occasionally go through some bad patches but they usually don’t go on for longer than a week. I’ve learned that if I just wait them out they’ll pass. I had been stuck in one for all of January which finally broke last Saturday.

Something people often don’t understand about depression is how it impedes your ability to get simple, important things done. Even when depressed if you have a gun to your head you can usually do just about anything required of you but there never really is a gun held to you head. Frankly you can probably do the laundry tomorrow when you might feel better. Today you just feel terrible.

Used to be I couldn’t get much of anything done. I couldn’t go grocery shopping, I couldn’t take care of our pets, I couldn’t get my bills paid even though I had the money. This month I could take care of the bills mostly. I could go grocery shopping because we’re pretty thoroughly resolved not to go out to eat during the week. I could take care of the pets because I’ve seen how much happier they’ve been when I’m taking care of things properly. The laundry had been piling up on the floor and the dishes piling up in the sink because I just couldn’t muster the will to take care of them. Saturday it broke, I felt great, and I knocked those things out. Overall this bad patch wasn’t as bad as they’ve been in the past but it was much longer for reasons unknown.

I was explaining the situation to a friend and he had a hard time understanding lacking the will to take care of these basic, small things. He did acknowledge that there was a reason for it but that he didn’t have the experience to wrap his head around it.

Eventually I thought of away to explain it that I hadn’t really thought of before. If you’ve ever been exposed to a motivational speaker or anyone similar you’ve probably heard something to the effect of: If you have the will to succeed, the size of the challenge doesn’t matter. The idea here being that the challenge can be very, very large but the will to succeed will make you overcome the challenge. Here’s another version that is also true: If you lack the will to succeed, the size of the challenge doesn’t matter. In this case the challenge can be very, very small but lacking the will to succeed will make it insurmountable.

Depression robs you of your ability to try, even things you’re good at and you know can succeed at.

Locks... not so much

Sun, 31 Jan 2010 23:35:28 -0800

I started practicing lockpicking with a basic set of lock picks. So far I’ve really just been raking and I’ve found that the C rake works best for me. I’ll eventually work up to per-pin picking but for now I happy just having success raking and getting a feel for things.

I’ve been practicing on a cheap padlock I got at a grocery store. A few minutes ago I took a try at my second lock - the deadbolt on my front door. First try took about 30 seconds to figure out the space I could move the rake in. Once I started raking it took about 10 seconds. Thinking I might have gotten lucky I locked it again and it took about 5 seconds to find the working space again and then another 10 seconds to rake it open.

Colo Cage Hunting

Tue, 19 Jan 2010 10:20:59 -0800

I love colo cages because a lot of people think they alleviate the need for cabinets. Just put up four-post racks in your cage and you’re done. The cage gives you all the physical security you need.

I was told the phrase “the cage will keep malicious people from plugging things in”. Aside from the fact that cages can’t sense intent, I don’t think it can keep anyone from plugging things in.

I’d like to tell you a story. The story is about a hunter and his niche - hunting in colo cages. Here’s a photo:

That’s quite a mighty spear he has. Can it penetrate the hearty flesh of your protective colo cage? Let’s take a closer look:

Oooo… looks like U3 Poison. That’s nasty, particularly on Windows systems before Server 2008. Will it have an affect on his game? His quarry today is one of the young of his normal prey, the rackmount server. Perhaps he has a taste for veal:

He stalks his prey into the bush of the cube prairie. Outside its normal protective cage the little one is even more vulnerable. Our hunter attacks!

Quite a nail-biter! Will the hunter get to eat or will the young one escape to live another day?

Looks like our hunter was too fast. Would the little one have survived had he been in his cage? Seems doubtful. That spear is pretty long and could be even longer. This one was rather “field expedient”. He could possibly keep a collapsible, elastic-corded tent pole on his survival pack (netbook bag). What if the U3 poison wouldn’t work on the larger beasts? Many of those larger beast have an unused but enabled second network interface. Many beasts will react to a new ethernet link by asking for DHCP. Other beasts might have a firewire orifice which bypasses their immune system.

If you tend to beasts like this, keep the hunters at bay. Put cabinets in your cage or spay/neuter them using connectors with the cables clipped off. It’s even possible to find chastity belts for yours.

Copying Windows Binaries

Fri, 15 Jan 2010 18:26:36 -0800

Maybe this is piracy, maybe it’s not. I have a tool installed on my computer and when new programs are installed it discovers them and pops up a lovely prompt asking if I will allow the executable to be copied to some computer somewhere. I haven’t looked into it deeply but it doesn’t seem to be aware of software licenses and whether the license for that binary allows for it to be redistributed. Maybe it is and maybe it’s not. It doesn’t seem like the tool is based on some kind of prior agreement between the tool author and the owners of each and every software package that it’s prompted me to allow copying their binaries. If it did, it doesn’t seem like it would need to ask me if it’s okay, except to honor my privacy. Maybe this copying falls under “Fair Use” or maybe it’s just not worth suing over. Maybe it’s piracy and I’m an accomplice.

The tool in question seems to be an inherent feature of Windows 7. It may have been in Vista, which I skipped. If I recall correctly the prompt says it’s part of Windows Defender which I believe is part of Windows security. The obvious conclusion is that it’s grabbing the file to analyze it for malware. If it is, it seems like it could just run a few different cryptographic hash functions over it and if any one of them differ, then it copies the file. I don’t think it’s doing that because I’m sure I’m not the first person to install the latest Acrobat Reader appropriate for my platform. What are they doing with them? Maybe we help them collect binaries for competitive analysis and it’s not just strictly for security.

Maybe it isn’t enforceable or no one would dare sue Microsoft, but it seems to me like I’m violating someone’s copyright or license.

GPEN Certified

Fri, 15 Jan 2010 12:32:30 -0800

I just passed my GPEN at 94%. Wewt.

Chinese Server

Thu, 14 Jan 2010 22:56:35 -0800

I need to get a server in China. Then if I hack something or use it as a phishing site people will just assume the big, mean, Chinese government is behind it.

I Have Comments Now

Tue, 12 Jan 2010 23:01:25 -0800

Sorry about that, Richard. I’ve wanted to have a comment system for a while but tumblr doesn’t have built-in support for it and I was just lazy. I had to switch templates or hack up the HTML and I really want nothing to do with HTML.