Wednesday, November 28, 2007

File IO in Dynamic Languages or Fun Political You Tube?

Forget about Simple File IO in Dynamic Language when you've got a very pregnant wife with a bad YouTube habit, you are bound to find some good shit.

Tonight it is Clifton's Notes (and if you don't get his schtick you obviously don't know who Cornel West is) from David McMillan.

This guy is a genius.

Tuesday, November 27, 2007

Must Read Atlantic Piece on Obama

Andrew Sullivan get's really gets it. You must read Goodbye to All That in The Atlantic (which like the Economist is is about the only thing worth buying in airports--how can anyone read Wired after 9/11, oh for the shiny happy 90s).

As someone a few years shy of 40, he really nails on the need to get over the debates of the 1960s and the concerns of our parents, the baby boomers.
At its best, the Obama candidacy is about ending a war—not so much the war in Iraq, which now has a mo­mentum that will propel the occupation into the next decade—but the war within America that has prevailed since Vietnam and that shows dangerous signs of intensifying, a nonviolent civil war that has crippled America at the very time the world needs it most. It is a war about war—and about culture and about religion and about race. And in that war, Obama—and Obama alone—offers the possibility of a truce.
However many irrational political arguments (although they happen much less frequently now) I've had with my wife, we agree on Obama. His authenticity (most recently his comments on "inhaling" were a case in point).

And on the surface, this Obama "soft power" War on Terror seems compelling:
It’s November 2008. A young Pakistani Muslim is watching television and sees that this man—Barack Hussein Obama—is the new face of America. In one simple image, America’s soft power has been ratcheted up not a notch, but a logarithm. A brown-skinned man whose father was an African, who grew up in Indonesia and Hawaii, who attended a majority-Muslim school as a boy, is now the alleged enemy. If you wanted the crudest but most effective weapon against the demonization of America that fuels Islamist ideology, Obama’s face gets close. It proves them wrong about what America is in ways no words can.
And the willingness of Independents (who might lean more Rep than Dem) on some issues, putting the issues aside

Of the viable national candidates, only Obama and possibly McCain have the potential to bridge this widening partisan gulf. Polling reveals Obama to be the favored Democrat among Republicans.... It isn’t about his policies as such; it is about his person. They are prepared to set their own ideological preferences to one side in favor of what Obama offers America in a critical moment in our dealings with the rest of the world. The war today matters enormously. The war of the last generation? Not so much. If you are an American who yearns to finally get beyond the symbolic battles of the Boomer generation and face today’s actual problems, Obama may be your man.
And on Senator Clinton:
Her liberalism is warped by what you might call a Political Post-Traumatic Stress Syndrome. Reagan spooked people on the left, especially those, like Clinton, who were interested primarily in winning power. She has internalized what most Democrats of her generation have internalized: They suspect that the majority is not with them, and so some quotient of discretion, fear, or plain deception is required if they are to advance their objectives. And so the less-adept ones seem deceptive, and the more-practiced ones, like Clinton, exhibit the plastic-ness and inauthenticity that still plague her candidacy. She’s hiding her true feelings. We know it, she knows we know it, and there is no way out of it.
And on Obama's authentic spirituality
To be able to express this kind of religious conviction without disturbing or alienating the growing phalanx of secular voters, especially on the left, is quite an achievement. As he said in 2006, “Faith doesn’t mean that you don’t have doubts.” To deploy the rhetoric of Evangelicalism while eschewing its occasional anti-intellectualism and hubristic certainty is as rare as it is exhilarating. It is both an intellectual achievement, because Obama has clearly attempted to wrestle a modern Christianity from the encumbrances and anachronisms of its past, and an American achievement, because it was forged in the only American institution where conservative theology and the Democratic Party still communicate: the black church.
And the final pargraphs on the stakes of the waning years of the first decade of the 21st century

The paradox is that Hillary makes far more sense if you believe that times are actually pretty good. If you believe that America’s current crisis is not a deep one, if you think that pragmatism alone will be enough to navigate a world on the verge of even more religious warfare, if you believe that today’s ideological polarization is not dangerous, and that what appears dark today is an illusion fostered by the lingering trauma of the Bush presidency, then the argument for Obama is not that strong. Clinton will do. And a Clinton-Giuliani race could be as invigorating as it is utterly predictable.

But if you sense, as I do, that greater danger lies ahead, and that our divisions and recent history have combined to make the American polity and constitutional order increasingly vulnerable, then the calculus of risk changes. Sometimes, when the world is changing rapidly, the greater risk is caution. Close-up in this election campaign, Obama is unlikely. From a distance, he is necessary. At a time when America’s estrangement from the world risks tipping into dangerous imbalance, when a country at war with lethal enemies is also increasingly at war with itself, when humankind’s spiritual yearnings veer between an excess of certainty and an inability to believe anything at all, and when sectarian and racial divides seem as intractable as ever, a man who is a bridge between these worlds may be indispensable.

We may in fact have finally found that bridge to the 21st century that Bill Clinton told us about. Its name is Obama.

I fear the future of a rematch from the past

Sunday, November 25, 2007

Syslog-ng For Dummies (or SCADA Folks)

Continuing on the cleaning up my home network (aka Dummy!) theme , I decided to turn on remote syslog from one of my routers. We use syslog-ng on a lot of our boxes at work, but I've never actually configured it on any my Debian/Ubuntu boxes at home. How hard could it be? (HINT: A hell of a lot easier than on *BSD or *&$%*! Solaris)

1) Install the package

apt-get install syslog-ng

This removes the default syslogd and creates a nice config file in /etc/syslog-ng/syslog.conf that mirrors (I think) your old syslog.conf

2) Enable remote UDP syslog:

Uncomment the udp() line in s_all

3) Add a destination

destination my_cisco { file ("/var/log/851.log"); };

4) Add the filter to grab stuff from my router

filter f_my_cisco { host(""); };

5) Put them all together at the end of the file:

log {

Oh if you are wondering about the SCADA/Dummy in the title. It refers to a thread on Server Monitoring on the SCADA Mailing list and the frequent tendency for control system folks to do a "default deny" and reject mature technologies (firewall, AV, IDS) or practices (patching security vulnerabilities or public disclosure of vulns by CERT/CC) as "office" or "IT" and therefore completely inappropriate for consideration in control system devices, applications, servers, networks, etc. Or perhaps it is just the light, or lack thereof, this far North.

851 ISR's use SNTP Dummy!

So I've configured NTP on quite a few Cisco and non-Cisco devices and I expected it to be an "ntp ?" away. NTP was only mentioned in the ports reference in the configuration guide and I didn't feel like resetting/remembering my password to be able to check the good old IOS feature navigator.

sntp server

851w#conf t
Enter configuration commands, one per line. End with CNTL/Z.
851w(config)#sntp ?
broadcast Configure SNTP broadcast services
logging Enable SNTP message logging
multicast Configure SNTP multicast services
server Configure SNTP server
source-interface Configure interface for source address

Of course this worked like a charm on one of my 851's but the other (with a nearly) identical config (I hope) is still having problems both syncing time from that router and through the router (ntpdate's are failing from a Linux box behind it, no NAT) although the packet traces superficially look fine. The other oddity is that the OpenWRT box that is front-ending (as in iptables-masquerading) all of these (as well as a Linksys AP, probably VXWorks based) is occasionally sourcing some of the NTP traffic from UDP port 6 -- or at least that is what the tcpdump from OpenWRT says, which *can't* be right. Can it?

Tuesday, November 20, 2007

Best Small Case for 14" T-61/MacBook

A month ago I lamented the lack of a perfect case for my Thinkpad. Basically I wanted something small, very snug that I could fit the power supply, some tiny crap (like cell phone, secureid, or keys or whatever) when I didn't want to carry a backpack. I was hoping for something under $75 but I didn't find it, plus I just trust Booq for good gear so I ended up going with the Boa Slimcase M even if I though it might be a bit smug. The rep online suggested a bigger XL, and that would have been a mistake. Oh and it also fit MacBooks just fine.

Saturday, November 17, 2007

Only 12 Beds? (and "the West" of Jack Burden)

Call me crazy, but you'd think childhood psychiatric units in major hospitals on the rich, white side of the third largest city in America would have more than 12 "beds" each for inpatient care. But that seems to be a magic number. Wonder how they came up with that? Highland Park, Lincoln Park, and Park Ridge. Like hell I'm driving down to Rush or even bothering to give them a call. No room in the inn. One of the more surreal experiences: "we've got 20-30 kids in the emergency room, it's the crazy time of the year." Tell me about it.

I remember being surprised hearing about the low number (maybe less than a 100) of "beds" (are these "beds" individual rooms or two neat rows of six where they strap screaming kids down) available in post-Katrina New Orleans (and all the mayhem that ensues), but I guess that is the state of mental health care system in America. Which is something I've been meaning to blog on for a while, cause I've got some stories to tell. And folks think the "normal" health care system is messed up?

But things are strangely peaceful as I struggle to assemble cheap Ikea dresser, in preparation for the baby (my daughter urging me to get back to work) listening to the title track Lucinda Williams latest album:

Who knows what the future holds
Or where the cards may fall
But if you don’t come out west and see
You’ll never know at all

I look off in the distance
And blow a kiss your way
The thousand miles between us
Will disappear some day

I watch as all the starling
Fly in from the north
The beating of their wings
Echoes the beating of my heart

I sleep out in the desert
Under the stars above
And keep making an effort
To wander in your love

Who knows what the future holds
Or where the cards may fall
But if you don’t come out west and see
You’ll never know at all

Every time I hear this song I think of the 6:00 AM American "Nerd Bird" flight from Austin to San Jose. Leave Central Austin by 4:00 AM and be in your first meeting on Tasman by nine as the poor suckers are stuck in traffic on the 101. I loved those flights up over the Hill Country, over the flat West Texas plains, over the Rockies, over the Central Valley, then that last worn line of mountains before that scary approach over downtown. Peace in the sleepy silence of a Super 80. Catch a bit of shut-eye and wake up for an crystaline ice cream sundae if you were lucky enough to upgrade to first class.

That is the west and this westward movement was as close as I've come to Jack Burden's road trip in All the King's Men. And this rainy late Fall/Early Winter evening (the orange leaves, as bright as inthat fight scene between Maggie Cheung and Ziyi Zhang in Hero, neatly raked into piles on the narrow Skokie streets) is as about as far from the West as you can be.

Thursday, November 15, 2007

Ubuntu JeOS: Its the thought that counts

You'd think JeOS wou actually work on Ubuntu and VMWare Server.

"Canonical has produced a robust virtualised OS core in the Ubuntu JeOS Edition that is optimized for virtual appliances," said Dan Chu, vice president of emerging products and markets at VMware. "Virtual Appliances are fundamentally changing how software is developed and deployed, with ISVs now including a thin and highly optimized OS along with their application in a ready-to-run virtual machine. We are excited that Canonical is providing Ubuntu JeOS for vendors interested in building VMware virtual appliances."

But you'd be wrong.

It took three times to get it to install.

And then 3 more times to get a prompt. Oh yeah, notice the (initramfs)

Use Ubuntu Server or a Debian Etch Network Install Boot CD id you want a small distro for appliances.

That actually works.

Wednesday, November 14, 2007

IOS + NET-SNMP v3 = F.U.N. (just like it said on our badge)

Statement: So anything that remotely has anything to do with ASN.1(or perhaps it is International standards organizations) is going to be a pain in the ass.

Explanation: I've been trying to squeeze in here an there some time to get Cacti working with SNMPv3 on my 851 at home (12.4(15)T). I warn you. Don't bother trying to do this intuitively -- meaning just thinking you can fill in the forms and "question mark" your way to getting the config right in IOS. Plus net-snmp command line options are also painful.

But here is how what I got working with with AuthNoPriv with a little bit of help from here. Yeah, don't go to any of the creepy Russian sites that are the top google hits for "net snmp ios snmpv3"

The stuff that shows up in your config will be. You'll probably have to define the views first.

snmp-server group cactigroup v3 auth read readview
snmp-server view readview internet included
snmp-server view readview mib-2 included
snmp-server view readview system included
snmp-server view readview interfaces included
snmp-server view readview chassis included
snmp-server location blah
snmp-server contact donkey

and the line that won't (God Bless the SFB, yeah you know what I'm talking about)

851w(config)#snmp-server user cactiuser cactigroup v3 auth md5 whateverman

And then you can make sure they are there

851w#sh snmp group
groupname: cactigroup security model:v3 auth
readview : readview writeview:
row status: active

851w#sh snmp user

User name: cactiuser
Engine ID: 8000000903000014A40E21BD
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: None
Group-name: cactigroup

Oh, and the worst part

mfranz@gutsy61:~$ snmpget -v3 -u cactiuser -l authNoPriv -a md5 -A whateverman system.sysContact.0
SNMPv2-MIB::sysContact.0 = STRING: donkey

Did it work on Cacti, don't know. Must sleep. Ubuntu says 19 minutes of battery left.

Tuesday, November 13, 2007

HEW vs. CSCO (Maddening, I tell you Maddening)

I do not own any Hewitt stock. I do own Cisco, even some ESPP'd at under $10. I was going to sell, some. I swear I was. Right at the tippy top. Not quick enough...

Monday, November 12, 2007

Killing SATA Compatibility Mode on T61

So the default Gutsy Gibbon kernel packages don't enable modules for ahci or the Intel SATA drivers necessary for you on the latest Intel laptop chipsets (like the Santa Rosa used in T-61s and in whatever is used in MacBooks) so you'll have to change the driver to compatibility mode to get it to boot after the install. Since I was used hand-rolled kernels under Etch, I didn't have to do this before. Unfortunately I've encountered some nasty (but temporary) freezes on Gutsy (drive spins for a while, I lose total control) under Gnome. This often happens with VMWare. So I thought compatibility mode might be the culprit.

1) Update /etc/initramfs-tools/modules to include the following:


2) Rebuild your initramfs

# update-initramfs -k all -u

3) After a reboot, check the modules

mfranz@gutsy61:~$ lsmod | grep ahci
ahci 23300 2
libata 125168 3 ata_generic,ata_piix,ahci

Sunday, November 11, 2007

Quick Thoughts on 170th Diocesan Convention

So it is unfortunate (but not terribly surprising, since most of the time I've had personal experience on some topic that has made it into the mainstream press, they get it wrong) that the headline summing up the two days of the 170th Convention of the Episcopal Diocese of Chicago was "No Lesbian Bishop for Chicago Diocese." The AP news stories on the topic cast the election of the Rev. Jeff Lee as a vote for "the moderate."

But having been at the convention, I don't buy either of these. Moderation maybe, but the tone of the election (and the convention) didn't seem overtly political to me. True, the broader concerns of the Anglican Communion were in the background, bubbling under the surface but the results did not send a strong message (nor should they, in my opinion, either way --) on the ongoing strains over human sexuality and the consecration of openly gay/lesbian bishops.

Although she was an impressive candidate (and she was in my "top 3"), the Very Rev. Tracy Lind just did not make the cut. And this not only means the complex mix organizational/leadership skills, spirituality, the right personality, training and experience -- but the political savvy necessary to build alliances and campaign. I really doubt the final result would have been different if she had not been a lesbian, although it might have taken more ballots and we wouldn't have been through by 2:30 on Saturday afternoon.

This is not only based on the convention but from attending the "walkabout" in Lake Forest last month, where the 8 candidates for the 12th Bishop of Chicago gave short keynotes then entertained questions from members of the diocese in small breakout sessions. In the words of Petero Sabune (who I shifted my vote to in the 2nd ballot, after voting for Lee in the initial ballot) gays and lesbians are "already on the bus." The decision has been made. Some Episcopalians might be uncomfortable with it, but in the parish's I've attended, it is a done deal, they are in. Views on human sexuality was simple not a differentiating issue (at least based on their statements and the way they answered questions) of any of the 6/8 candidates I heard speak.

Sunday, November 04, 2007

Some previously disclosed Cisco CLI Vulns, the joys of youth hockey practice, and fuzzing like a ninja

The highlight of my Sunday is my son's hockey practice at the Skatium here in Skokie. Among the more amusing things that almost always happen:
  • One of the parents (who acts & looks like a coach, but I don't think he is) arguing with the real coach about religion (the parent is a Christian, probably fundamentalist, and the coach is Jewish, I assume)
  • Eight and nine year olds tripping and falling on the ice and occasionally doing some nasty checks on each other (usually unintentionally)
  • The previously mentioned parent (who is out on the ice for some reason, has a flattop and is a damn good skater) doing "hockey stops" (resulting in a shower of ice fragments) in the faces of kids. Today he also banged on his son's knee with his stick shouting "knee's can't get hurt" while his son was flat on his back, not wanting to get up.
All Good stuff. But other than that (and the upcoming election of the 12th Bishop of the Episcopal Diocese of Chicago , today I've been sort of been fixated on CLI vulnerabilities after my last blog entry on the futility of router vuln work in 2008 and Thomas's Quarterly Affirmation (reversing IOS images is not an option for a whole lot of reasons) so I was curious what was out there:

In cisco-sa-20060712-cucm we see this
The CallManager CLI provides a backup management interface to the system in order to diagnose and troubleshoot the primary HTTPS-based management interfaces. The CLI, which runs as the root user, contains two vulnerabilities in the parsing of commands. The first vulnerability may allow an authenticated CUCM administrator to execute arbitrary operating system programs as the root user. The second vulnerability may allow output redirection of a command to a file or a folder specified on the command line.
And in cisco-sa-20010131-arrowpoint-cli-fs
The Cisco CSS11000 must be configured to permit command line access to users by providing a management address and defining user accounts. Once command line access is gained by non privileged users (defined user accounts without administrative privileges), running a command requiring a filename, and providing a filename that is the maximum length of the input buffer can cause the switch to reboot, and a system check to be started which will prevent normal function of the switch for up to 5 minutes. The show script, clear script, show archive, clear archive, show log, and clear log commands are capable of causing the CSS to restart if the specified file name is the maximum length of the input buffer. Cisco Bug ID CSCdt08730.
And from cisco-sa-20060719-mars
The CS-MARS CLI is a restricted shell environment which allows authenticated administrators to perform system maintenance tasks. The CLI contains several privilege escalation vulnerabilities which may allow shell commands to be executed on the underlying appliance operating system with root privileges. These vulnerabilities are documented by Cisco bug IDs CSCsd29111 ( registered customers only) , CSCsd31371 ( registered customers only) , CSCsd31377 ( registered customers only) , CSCsd31392 ( registered customers only) and CSCsd31972 ( registered customers only) .
And Cisco Security Response: Cisco IOS Reload on Regular Expression Processing
Some regular expressions that make use of combined repetition operators ('*' or '+') and pattern recalls ("\1", "\2", etc.) into the same expression may result in a stack overflow on the Cisco IOS regular expression engine. A stack overflow will result in a reload of the device.
Given the ubiquity of dumb (IOS-like) shells on network devices (and not just on Cisco boxes), it would appear that this might be fertile ground for a tool that:
  • Allowed you to connect to various transports (SSH, Telnet, serial)
  • Obviously support authenticated/unauthenticated sessions and configuration modes
  • Using built in command expansion and help documentation, map out the various commands (and their syntax) depending on the helpfulness of the shell you could probably prepopulate various payloads for common configuration parameters that have to be parse (IP addresses, netmasks, hashes, etc.)
  • Could leverage some existing fuzzing/fault injection framework so you would have to generate control characters, malformed arguments, and other sequences
Although this is sort of intriguing, I doubt I have the time to pull this off. And if I've managed sketch up this idea, somebody has probably already written a tool like this somewhere. And if not, it would certainly be a more useful project than what they are teaching the kidz these days at Berkeley. Of course I'm probably just bitter that I couldn't get into any dept. there, let alone that one. Yeah some parent's hard-earned cash is going towards having their little one learn how "fuzz like a Ninja."

Saturday, November 03, 2007

Hacking Vyatta (or is there any interesting router vuln work to be done 2008?)

In one month I will be clean. Straight. Sober. No vuln work for a year. A year ago I was struggling to finish up the ICCP vulnerability paper I presented at S4, although I've had a few tempted a few times in 2007. Like before Fortify released their Java script Hijacking paper, I was sort of of interested in JSON and JSON-RPC.

And yesterday, this absolutely silly Network World article on Vyatta (a Linux based on Open Router platform -- I have another blog entry on Vyatta in progress, we'll see if I ever complete it) but as I was walking with my kids to the park I struggled to come up with anything interesting. After FX, after the BGP work Sean Convery and I did, after "Slipping in the Window," after Mike Lynn, after Gadi Evron's routesec list, after whatever Raven Alder was trying to accomplish with her SchmooCon talk, I'm not sure the point. (NOTE: the last two I list as efforts that might show that the field is played out, exhausted, that there isn't much to be done)

What can (or should) be done security/vuln-wise for commodity routing and switching features. Sure, you could fuzz/audit all the Quagga (or whatever they use) protocols and there are probably some more bugs to be found -- just like there probably are in IOS protocol implementations. If they mucked with lower layer (TCP/IP) protocols, well you could look at that. Yawn! And their web interface is an obvious (but also boring) target. Privilege escalation from within the CLI, maybe? We never had much time for post-auth stuff back in the day. Automated CLI testing (and fuzzing?) seems sort of interesting, if only because it wouldn't be protocol work. If they really had some virtualization features (like Cisco's that might be worth looking at) but just running in VMWare? Come on guys! I dunno maybe there is something to look at in their HA features like their VPN clustering technological or their "protocol sandboxing" (assuming that just doesn't mean each protocol is just running a separate Linux process). Who knows? Maybe I'm just not being creative enough.

Friday, November 02, 2007

Back on Ubuntu Again (on Desktop at least)

So has it only been a little under three years since I first installed Hoary Hedgehog on my T40 while I was still at Cisco? Seems like ages.

But I'm pretty pleased with Gutsy on my T-61. I did the alternative install CD and kept my /home partition (this caused some issues with XFCE and gnome settings) and compiz (which is amazingly snappy) didn't work until I checked out the hint on the Thinkwiki page. VMWare Server 1.04 installed without a hitch. Sound (after modified some perms, since it only works on the user you installed with) Flash and Java installed Fine.

Now if only I could get my kids to go to bed on time and keep my dogs from killing each other, I'd be happy.

Believe or not an 80lb lab mix and and 30lb Boston Terrier is a fair fight.

End of Festung Mac (or the curse of Liberal Arts majors turned security pundits)

Lisa Vaas's article "Fortress Mac is Gone" is typical of the vacuous shit that is out there in response to whatever the name the new trojan is. DaveG provided a much needed corrective to this nonsense.

The subtitle? While I don't know if Ms. Vaas has a BA, I certainly do, but from a decent engineering school, damnit!

And yes I'm still pissed about this blogger captcha.

Thursday, November 01, 2007

OpenBSD Kernel Janitors Sound Good to Me

I must be bored because I'm reading I'm reading openbsd-misc but this kernel janitor thread was pretty classic and almost as good as the one last month when a Google recruiter propositioned Theo.

Here are some quotes although I skipped the good ones:

> > Development is not the same process as writing a whiny mail.
> that is a shame. i can probably better understand the relectance to
> re-visit this if it has failed before. perhaps, others are right,
> perhaps linux can tolerate it because it's not as good as openbsd.


> i think we'll simply agree to disagree. i personally find it quite
> disheartening to hear the attitude that prevails here but that's the
> community's decision. it certainaly seems to refelect the attitute
> of it's leaders (developers).

Consider it the voice of experience (bitter).

Its easy to tell which ones are the programmers.

They write code, then they submit it, it does not suck too much and they
take the suggestions of the current project leads. Then they resubmit
better code.

The rest of us should simply buy CD's, ask and answer the occasional
question, and other wise keep quiet.

And those weren't even the best (the one where Theo tells the n00b he has anger issues, in particular) but this Blogger word verification is pissing me off, but if you want ask some questions to the OpenBSD crowd to stir the pot, here are some ideas:
  • Ask if anyone is interested in porting dpkg/apt to OpenBSD (I actually did the former over the Xmas holidays last year)
  • Ask where the "forums" for OpenBSD are and point to the Ubuntu Forums as examples
  • Ask where the "desktop edition" of OpenBSD, you know the one with the GUI isntaller instead of this