Friday, October 31, 2008

SELinux on Ubuntu LTS: Baby Steps

Silly me, I didn't know SELinux was built into the kernel (or at least available) on Ubuntu LTS, until I saw a kernel message this afternoon, so while waiting for my daughter to fall asleep with here Little Bear video, I decided to give it a shot on my Thinkpad.

Do the apt dance

apt-get install selinux

or maybe installed python-selinux, can't remember, but a whole bunch of shit got installed.


Edit GRUB kernel options

I got rid of splash and quiet, always hated those.


ro apparmor.enabled=0 selinux=1 enforcing=0



Use syslog-ng to capture audit events


destination df_selinux { file("/var/log/selinux"); };
filter f_selinux {
match("audit") or match ("restorecond:");
};
log {
source(s_all);
filter(f_selinux);
destination(df_selinux);
};

Then reboot, it is normal for it to relabel the fileystem.

Now to figure out what the hell all this means..

Oct 31 21:03:31 mfranz-t61 restorecond: terminated
Oct 31 21:04:35 mfranz-t61 kernel: [ 15.685858] audit: initializing netlink socket (disabled)
Oct 31 21:04:35 mfranz-t61 kernel: [ 15.685935] audit(1225501446.416:1): initialized
Oct 31 21:04:35 mfranz-t61 kernel: [ 18.857262] audit(1225501456.585:2): policy loaded auid=4294967295
Oct 31 21:04:35 mfranz-t61 kernel: [ 36.373309] audit(1225501474.769:3): avc: denied { mmap_zero } for pid=5224 comm="vbetool" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=memprotect
Oct 31 21:04:36 mfranz-t61 restorecond: Reset file context /var/run/cups: system_u:object_r:var_run_t->system_u:object_r:cupsd_var_run_t
Oct 31 21:05:27 mfranz-t61 restorecond: Reset file context /etc/resolv.conf: system_u:object_r:etc_runtime_t->system_u:object_r:net_conf_t

Would this happen at a Palin rally?

This goes out to all my white boys that say "they don't like either candidate." And I've heard this from a lot of folks, actually.



If you really believe that...

Keep it real and vote for Ron Paul or Bob Barr

or stay home on Tuesday.

Cellphones != PLCs?

From the newly released SP 800-124

What do think has

a limited set of functions than as general-purpose desktop systems with the capability for expansion. Operating system upgrades and patches occur far less frequently than with desktop computers, and changes to firmware can be more daunting to carry out and have more serious consequences, such as irreversibility and inoperability. Augmenting a device with defenses against malware and other forms of attack is an important consideration in planning, as is centralizing device security management.


Nope, not PLCs. SCADA is special.

Nuthin like it. Say it ain't so Joe!

Wink Wink!

SEL and the Sweet Smell of the 21st Century



Checking watch, George H.W. Bush style, what year is it? Hey, but watch out for SNOSOFT!

Hat Tip: who the hell do you think?

pflow: a reason to play around with OpenBSD again

I know it is possible to use pfflowd, but pflow looks cool.

From the man page

# ifconfig pflow0 flowsrc 10.0.0.1 flowdst 10.0.0.2:1234

Thursday, October 30, 2008

Back to SCADASEC when the Election is Over?




So I heard about the fun thread on one-way communication over on SCADASEC-L (by the way I turned off "Safe Renew" on scadasec.net so I won't make the same mistake as last year) so maybe by next Wednesday I can quit going to five-thirty-eight and the Huffington Post so often. Or perhaps not if Palin-McCain somehow manages to pull an upset, not only will I be praying for McCain's health, but I will be whetting my lips for 4 years of Palinisms and looking forward to the Daily Show's coverage of that frightening woman from Alaska (who my wife thinks is actually less articulate than Joe the Plumber).

Wednesday, October 29, 2008

It's on you

In the last twenty years I only voted in two presidential elections. Four years ago I voted against the obnoxious Michael Moore left and cast a ballot for W, voting against my Central Austin neighbors with their Impeach Bush stickers. And, first, in 1988, when I came back from basic training, and voted for his father.

I sat out the 90s, cynical, and still complained, believing the line about if you don't vote, you can't complain was utter bullshit. (I still believe that actually)



When I cast my vote for Obama in the Illinois primaries it was more a vote against Clinton than for Obama. On that snowy day in Skokie, I still had respect for McCain.

When I go to downtown New Market, past all the McCain-Palin, signs, and vote against, once again, in the minority, I won't be voting against anyone.

Once in your lifetime, you can lose the cynicism, fear, and apathy and believe again, if only for a little while.

It doesn't hurt, much. At least not right now.

Do the Right Thing.

Etch and a Half and Python SELinux



So by about 10 o'clock on another day off I finally managed to stop checking my work email. Something to feel proud off. I guess I knew it was time when I sent somebody at work a sarcastic email saying I couldn't answer their email because I was on PTO.

And after getting back from having another freaking tire replaced (thank God for Sears Road Hazard) I actually managed to get some computer time since my daughter is feeling better.

Since times are so tough I canceled my VPS, so I've been using Google sites instead and I started a new Linux Security Page to cover stuff on SELinux and AppArmor, both of which I've wanted to play around with for a long time. Also added some new virtualization projects to my watch list which uses the "lists" feature of Google Sites. Very nice.

I don't have any CentOS boxes handy at home but SELinux is available in Debian 4.0 so I gave the latest release a try.

Wow, the python wrappers for SELinux are so cool:


debian4-1008:~# python
Python 2.4.4 (#2, Apr 15 2008, 23:43:20)
[GCC 4.1.2 20061115 (prerelease) (Debian 4.1.1-21)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import selinux
>>> selinux.is_selinux_enabled()
1


Sure, whatever.

Finally Going After Palin (Sort of)

I'm actually not surprised they waited until the end.

Love the wink!

Tuesday, October 28, 2008

We will see

Heady stuff, we'll will know in a week about the youth vote.



Was down in DC at Children's National today for my daughter's eye surgery. Lots of Obama ads on the TV in the waiting room, a bunch of nervous parents watching his PA speech live while their kids were in surgery. Nodding heads. A couple of middle-aged white women talking about how Palin scared them. A handful of African-America. A granola-looking white woman with an African-American husband. She said she was a Christian (responding to a spot on CNN) and was voting for Obama. A handful of Spanish-speaking families and Asians.

Good to be back in Real America. Real 21st Center America where whites hardly break 50% of the population (think California and Texas or even NOVA) vs. the racist hinterlands feeling sorry for themselves. Went pheasant hunting up in Western. Once again am struck how the most beautiful plasses in the land are often the most backwards.

After a decade and half in Texas and a year in Skokie, these racist, low-class xenophobic, anti-immigrant, white f***s that seem to be everywhere here in Maryland -- talking about "Mexicans." Please.

It is difficult to take. Nobody would dare make those comments in Texas, even if they thought them. God, I'm turning into a reactionary.

Monday, October 27, 2008

Blogging vs. Standards Work (SCADA Style)

What is the difference between a good technical blog post and content that is best left for a standards groups?

One is interesting and perhaps even inflammatory and always crystallizes something important or urgent with a clear distinctive voice.

The other is dry, boring synthesis, that is at beast informative.

Recent blogs by Digital Bond and Wurldtech are examples of the latter.

Come on guys, "sex it up" a bit or publish it elsewhere.

Sunday, October 26, 2008

I usually don't approve Anonymous blog comments but...

In response to my post on skin cancer (which I actually do have some experience in the family with) I couldn't help but approve this.


Skin cancers and melanomas are the curse of God against white people for their skin sins and continued evil of today. In Daniel, Isaiah and Revelations God warns He will curse the evil with the Sores That Do Not Heal. Skin cancer and melanomas are these sores.

Based on their skin color, whites exalted themselves above everyone else on the planet and called everyone else: ugly, evil and inferior.

Now, that giving everyone else life burns whites’ skin.

That giving everyone else life is God. The sun is God. The sun hates white people. God Hates White people.

God has fixed His holy light to discriminate between black and whites so that it burns the whites.

Ultraviolet light is the fire of the 2nd Rapture burning evil from the earth.


It is really hard to know how to read this. Satire? Serious? Crazy?

Into the Mind of the Manchurian Candidate

From Dark Night of the Soul

Barack Obama is noted for his powerful intellect, but I don't think he gets nearly enough credit for the mental dexterity it takes to be simultaneously an Islamic theocrat, atheistic communist and national socialist while posing as a center left candidate. Those must be the compartmentalization skills they taught him at that Manchurian madrasah in Indonesia. The fact that Obama embodies the worst nightmares of so many on the political right says far more about them that it does him.

Thursday, October 23, 2008

So what happened with those TCP DoS Attacks?



In all the excitement in dealing with the kind folks at Countrywide (see ya!!) and Cook County (did I pay taxes yet) I missed all the excitement of those scary new TCP attacks.

Based on Fyodor's updates I guess not much. Another overly-hyped vulns that did not bring down the Internet? Or did I miss something.

God this makes me want to write some another vulnerability parody.

Misses Palin: I want to fly into your airspace

Great video from Russia

Conservatives for Change

Yes you can!

Wednesday, October 22, 2008

Leaving Chicagoland: Reflection & Closure

With the exception of one late night blog from a motel outside Toledo while my 9-year old, two dogs, and an old cat slept soundly (well, maybe not the cat) I really haven't engaged in that much reflection (too painful), but there has been a whole lot of 2nd guessing and too much worrying.

Why did we ever leave Texas? Should we have stayed in Chicago? What were we thinking buying an expensive house in Skokie as the housing market started to tank? And on and on. As much as Illinois is and was a strange and foreign place to briefly live, a few moments stand out.

Many of these are bittersweet, like the excitement and expectation in November 2006 when we stayed in the Embassy Suites downtown and visited the Children's Museum at Navy Pier, first feeling the wind off lake Michigan, taking the news from our realtor back in Austin that we had received two nearly fully-price offers on our house back in Allandale.

Driving through the Skokie and Morton Grove streets for the first time (the mounds of leaves still piled up neatly on the side) noticing how ugly the houses were compared to Texas. The bleakness of split levels. Could we really live here?

The 3-day road trip from Texas in our new Honda van. Christmas in Vernon Hill in corporate apartments.

A year later, having survived our first winter, we would be used to it and we would experience the first amazing Spring in a temperate climate. A Spring that counts, like nothing you would see in Texas. Ever.

The long morning-sick summer of Sam, when I was Mr. Mom. The awful humidity of a Skokie August. My nerve racking first Annual Enrollment. Constantly fighting the PF bugs. Compaq. DL-380G3, DL-380G4, DL-385G1. What, no SMP? Watching state tables, interrupt load, and Intel packet drops. The Black Monday when the Internet went down that I had saw coming on a Thursday morning, helpless with my Ruby statistics monitoring scripts. DL-145s with shitty ILOs. Bill's mysterious lockups.

The bleak sickness (of a another type) of a year ago. The tense days adjacent to the birth of Sam. One too many special education meetings.

Back and forth on Dempster from the Psych unit at Advocate Lutheran to the maternity ward at Rush North Shore. On one of the darkest days my mother in law, praying, convinced that something good would come from all this. And she was right.

The fresh snowfall on the morning we would drive Sam home, greeted by two parking tickets from the village.

And some time in January when we would decide to try to move back East.

Monday, October 20, 2008

At least the bleeding has stopped!

On the market from 4/15-10/20, but finally sold!

Now that we don't have a mortgage to worry about, the 2nd Great Depression can begin!

From leaving-skokie-20-june

Saturday, October 18, 2008

An Interesting Blog on Software Security (for a Change)

Either because I was never really all that good at it or because the only reason I liked trying to break things was to learn about what I was trying to break, it is safe to say I don't spend as much time thinking about software security but I did actually find the bugs vs. flaws entry on toasa sort of interesting and not just because it got me curious was mjr's "bad science" was (a question that might liven up a team meeting next week) because for many years in various presentations I've been giving for years (including in the intro my current Nessus course I teach) the existence of three distinct types of vulnerabilities: design, implementation, and misconfiguration.

Of course I caveat this proclamation that there are probably a hundred different vulnerability taxonomies out there and this is an obvious oversimplification. And I think this oversimplification originated in the introductory prezos I used to give to Cisco product teams, many which weren't so security clueful around 2000. It was a simple, high-level conception that also corresponded to a phase of the software development cycle. Sort of, because there was the weird case where testing actually discovered design flaws in applications, which should not really be the case, but actually was.

But something about this admittedly oversimplified scheme was bugged me for a while (e.g. if someone has uncovered a fundamental design flaw in DNS or TCP, then why does everybody have to fix their implementations?) and I think John McDonald articulates some of the difficulties in maintaining (and even the value of) such as scheme.

Most compelling, to me, is the argument that the [thought] process for discovery of many classes of vulnerabilities is essentially the same.
I’ve audited for both classes of issues and everything in between. One thing I’ve observed is that the thought process is very similar. You have a system, which has data-flow and control-flow, which turns into an algorithmic system of logic. You have to brainstorm pathological ideas and trace them through the system. Or, you observe potentially problematic elements or nuances in the system and try to trace in both directions to see if you can leverage them to do something "unusual."

When it’s most fun is when you observe multiple atomic actions you can perform in the system, both legitimate and some born of mistake (like a subtle logic oversight). You then use those actions to form a system of logic of your own and in essence create your own "evil" language. You try to find some way of achieving an end by stringing all these atomic actions together programmatically. If you’ve spent a lot of time breaking systems, you probably know what I mean. If not, I assure you that I’m not just making up words to sound cool. (Yeah, this is what I think cool sounds like. The ladies love it.)

Comparing auditing assembly to auditing C is another good example. These are essentially similar tasks but performed at a different layer of abstraction. There’s myriad technical differences in what you do and how you do it, but the actual thought processes are pretty much the same.


So our presentation on BGP Vulnerabilities back in 2003 reflects this simplified view of the problem space, as well as the challenges of maintaining such a framework.

For example, the bugs discovered [through fuzzing] in IOS and gated BGP implementations (failure to properly validate bgp lengths or handle truncated BGP Opens and whatever else I can't remember) are clearly implementation vulns (or bugs). No arguing that, but the differing responses of BGP implementations to SYNs or BGP Opens sort of explodes the division.

If we look at the behavior of the IOS BGP implementation which refused to acknowledge (yes at the TCP layer) if the source IP was not a valid peer, is that a design strength (or some other term, meaning the opposite of a vulnerability) where the fact that Juniper and some of the others allowed you to send SYN's to identify Juniper BGP-listening routers. These are definitely out of scope of RFC 1771, but does that make them implementation issues. Quite, literally yes. But on the other

Which leads to the division of intentionality and culpability, which makes this design v. implementation issue useful. Design flaws/errors (or whatever) are intentional whereas implementation errors/flaws/bugs are accidental. This distinction also helps clarify by the blame game, especially if you toss in [mis]configuration flaws, which are obviously the fault of the end user -- whereas design and implementation flaws are the fault of the vendor.

Or so the mythology goes. If you get owned by something you screw up it is your fault if it is due to something you couldn't control it is obviously somebody else's problem. Well of course, even this is a little more complicated than it would seem, because if you don't patch your systems to a disclosed implementation flaw it magically now becomes also a misconfiguration flaw and it is on you.

Proving I do more than blog on weekends

2008 Summer-Fall

I am the Enemy (a.ka. the SME)

Over on the Rapid eLearning Blog there is an interesting post on dealing with SME's.

At a recent conference, we were asked what typically held up the production process for elearning courses. The number one response was working with the subject matter expert. This makes sense since they play such a critical role in the course’s success.

The subject matter experts know the content and understand the work environment. Because of this, much of your project hinges on their time and the commitment they make to the project. The challenge is that our subject matter experts are like the rest of us and just don’t have a lot of time to spare.

Fortunately (or unfortunately) in my career, I've always been in relatively small/informal training teams where the SME, Course Developer, and Instructor were the same person: me.

When doing technical training, the idea of an instructor teaching courses he/she didn't develop has always bothered me. In my training program at Tenable I certainly work with product engineering to help fill in gaps of my product knowledge, but how as an instructor/course developer can you depend on someone else to "know the content and the work environment?"

Having mastery of the content is the third leg of the stool that also includes curriculum and instructional methods.

The Cisco McCain Connection

Network World Has an Interesting exploration on all the connections between Cisco and the John McCain campaign. Liberals often worry about the influence of corporations on policy-making when the reality is that policy-making are often directly done by the private sector. I saw this first-hand with groups such as the NIAC. Now obviously one could make a case that the private sector should be making policy because "the government," (never mind the revolving door between private sector and public sector) simply does not have the expertise on many technical issues.

Perhaps the real meaning of the public private partnership that is so necessary for critical infrastructure protection is that the government has a hands-off view of the industry and creates policy. But perhaps I'm being too cynical?

Hat Tip :fergdawg on the Cisco Alumni mailing.

How is CIP different from "Joe the Plumber" security?



When I was a member of CIAG Research, one of the problems that I had to grapple with was distinguishing normal "network security" or "Internet security" from "Critical Infrastructure Protection."

Given that our [dangerously vague] charter was to conduct and fund research that would improve the security of the critical infrastructure[s] we engaged in a lot of soul searching [and heated discussion] about which projects were appropriate? Was web application security within the domain of CI? Probably not, but maybe? How about routing protocol security. BGP security, definitely. RIP, not so much. How about L2/L3 Enterprise best practices? Maybe? Certainly, if they applied were applied to manufacturing and control system networks. Adding SCADA protocol awareness to firewalls, definitely.

So through these are the mud-colored glasses that I read Perry Pederson's inaugural post at Wurldtech.

So on first blush, and after suffering through a number of Control Systems standards efforts that spent too much time focusing on whether attackers were terrorists, disgruntled employees, or script kiddies, I was sympathetic to his lack of concern for the identity or motivation of threat agents:

So, when it comes to protecting these critical infrastructures, the motivation of the attackers is of less value than the response. In other words, it really does not matter if it was a terrorist, an animal rights group, or someone protecting the environment from us humans.


But I would argue that this is equally true for "Joe the Plumber" security as well. You know, the dirty jobs that small and large companies have to deal with: patching, logging, vulnerability management, application security, incident response, etc. Unless they translate into concrete defensive actions (blocking specific target sources or enabling monitoring for specific toolsets) it is irrelevant who or why you are being attacked. Besides, "Joe the Plumber" does not have access to the sort of [classified] threat intelligence that would make this relevant.

On the other hand (particularly in this season of government intervention to secure the private sector ) perhaps motivation and identity is more important to Critical Infrastructure Protection. If the largely privately-owned critical infrastructure is of so critical to the national interest and there is actionable intelligence to intervene through some national-level asset (electronic, physical, military, etc.) in order to obviate the need for a response within the private sector. But given that critical infrastructure depends on the public private partnership (and this should not just be a cliche on the part on government agencies to let Industry and public infrastructure owners to do whatever they hell they want without fear of regulation) the private sector should focus on the response but the public agencies must focus on incident prevention -- and this requires actionable intelligence on threat identity, capabilities, and intentions. Perry also discusses this need for prevention however I think "information sharing" is another one of those critical infrastructure cliches that executives like to talk about (and have been talking about since PDD-63) but sharing information is a means and not an end to itself. Besides information sharing across large enterprise IT organizations (each which is trying to cover it's ass in response to an incident or outage) is probably no different than the sort of challenges in sharing information between the private and public sector or within government agencies in response (or prior to) incidents.

Based on my experience in the first Cyberstorm exercise (and not just because I've heard directors and VP go on and on about them ad nauseum) I can't help but be a little cynical about efforts to that focus on "information sharing," incident response, "situational awareness", and "connecting the dots." Not only are these problems not unique to critical infrastructure but more often that not "raising awareness" and "improving communication" often are a cheap substitute for action.

Skin Cancer or Arab Terrorist: Which is scarier?



WaPo explores the survival rates the type of Melanoma that McCain had. Of course the folks that think Obama is a Terrorist are the same one's that just love Palin, so it is a win-win, right?

Thursday, October 16, 2008

Words Fail Me



(Yeah, the line about flamethrowers)

As they say in Kansas, "Fat Chance!"

MATTHEW, your request to pay off your loan has been received. If you're currently in the process of financing with another lender, we want to keep your valuable business.

Based on your current payment history, we are now authorized to offer you a Preferred Customer Discount of up to 1 point off the discount points on your next home loan.¹ This means you may save thousands of dollars² — the larger your loan amount, the larger your discount value!¹


You mean you actually want people that pay their bills?

How quaint.

(Quaint is obviously my bitter word of the evening)

What the hell did McCain think he was selling last night?

So You say that like it's a bad thing sums up a lot of what I was thinking. All this talk of earmarks, socialized medicine, 3 Million dollar projectors and so much other silly rhetoric I can't remember? Compared to the collapse of home values, 401ks, rising copays and premiums -- who does he think cares about these quaint 1980s Republican talking points?

Monday, October 13, 2008

SCADASEC-L: More Security Cliches Than You Can Shake a Stick At!




You know the world has gone crazy when I agrees with Joe on something but (just like the McCain-Palin rhetoric) I guess ignorance is strength, freedom is slavery, capitalism is socialism, etc.

So I decided to see what was up this month on SCADASEC-L.

Here is quick rundown:

My favorite SCADASEC CTO thinks all your IT belongs to us

If your car is connected to an IP network and it receives and sends data to that IT network then it has become an IT device. The space station has IT devices in it that communicate back to the Internet on earth.
I probably actually agree with this although I would never admit to it in a public forum. But this makes me chuckle every time I read it.

KF and the Department of Redundant Posts. The whole problem with this list was quantity over quality. A case in point.

A CISSP Channels Palin.

For the record, I am not saying anyone on this list doesn't understand -it's just a long standing issue not easily settled with a definition (not that this is the intent of this thread).

and even more incoherent:
I submit to the list that the definition at hand is too broad for our purposes on this list. For the context part of this example, I am a truck owner and operator. Adriel has put forth that my Avalanche becomes an IT device once I mash the OnStar button (or when my diagnostics are remotely monitored by Chevy). I, as the truck owner/operator, still have to disagree.


I'm confused

So you are driving down the road an you are covered with snow?

Do what?

Obviously if this is non-native English speaker I take it all back. Ah GOBBLES.

Kevin McGrath opens up the can of serious whoop-ass on Security Researchers!!!!

Those that can do,
Those that can't teach,
Those that can't teach administrate,
Those that can't administrate apparently do research
In the most highly arrogant, and sometimes ignorant, manner possible.


True that. Yeah, doing stuff is hard. That is why I teach now


An oldie but a goodie on legislating software patches in which Walt can't resist chiming in


Fact is, Boeing's IT staff DID have plans to do hotfixes on the 777 and 787 _in flight_ but the plant IT staff got wind of it and killed it. The IT guys didn't understand why this was a Bad Thing(tm).


Thank god for Plant IT! IT Who?

Country First!

Sequoia on Startups and the Downturn



This was an interesting presentation. I still need to spend some time on. My only window into what is going in Silicon Valley was a couple of weeks back when I heard a friend of mine's startup was going to shit.

The LinkedIn metric? When folks add contacts within their company (outside the normal growth cycle) the company is getting ready to go down?


Hat Tip: James Fallows

Sunday, October 12, 2008

Valium 08

So back in late December I started to get interested in Obama particularly do to Andrew Sullivan's article: Goodbye to All That

Well Sullivan has another extend piece on him that is worth reading.

Here are the highlights:

Obama rarely directly attacks. He subtly baits. His most brilliant rope-a-dope of the entire campaign was against Bill Clinton in the spring. In a newspaper interview, Obama cited Ronald Reagan as the last transformational president. He didn’t mention Clinton. The former president was offended by being implicitly dissed, took the bait and unleashed a series of unwise public scoffs at the young Democrat, culminating in a dismissal of Obama as another Jesse Jackson. Suddenly, black Democrats abandoned Clinton’s wife, and the Clintons’ base collapsed. Obama merely stepped out of the way as the Clintons self-destructed. He didn’t just end their campaign; he helped to bury their reputation.

And that’s exactly how Obama has handled McCain. Instead of attacking him frontally, he got in his head and provoked him into error. It’s easier with McCain than with the Clintons, because McCain is more volatile and more easily provoked. And so Obama cruised through August, picking a conventional running mate and punching his foreign-policy-credentials card with trips to Iraq and Europe. McCain’s response? He put out an ad equating the son of a poor single mother who made it to become president of the Harvard Law Review, a University of Chicago professor and the first black nominee for president with . . . Paris Hilton, whose only accomplishments are being born into immense wealth and making an internet porn tape.

When that didn’t work, and an unfazed Obama ran a flawless convention, calmed the Clintons and delivered one of the best acceptance speeches in modern times, McCain blew himself up with the Palin pick. His one sure-fire advantage – experience – was thrown away. His real base – independent voters and the media – was first wowed and then woke up. And as Palin became a national and international joke, as her ratings plummeted and as she lost her debate to Joe Biden (quite hard to do, given Biden’s capacity for verbal diarrhoea), McCain got even crankier and more unstable.

Saturday, October 11, 2008

Apache2 Forward Proxying with Digest Authentication



Since WPA is so flaky under Linux with the Westel's provided by Verizon DSL I often connect to my kid's wireless network which is sort of wide open. When I connect I've been using the built-in SOCKS proxy in SSH but I've started using Opera (9.6) since the font rendering is a little nicer on the eyes, but it doesn't support SOCKS?

Oh I know I could come up with selective authorization under squid depending on if I login or the kids do, but I'm too lazy for that so I decide. But to find an HTTP proxy other than squid that supports authentication and is available as a Debian package. Pretty tough. Zorp looked interesting but too painful.

So I've used Apache as a reverse proxy but never a normal forward proxy. Maybe all the cool authentication methods that work with Apache would work with mod_proxy?

Well I had nothing better to do while waiting for my daughter to fall asleep tonight. Damn red velvet cake my wife made had her totally wired. And I'm shocked as hell I got all this working, since I'd never even done Digest Authentication before on anything.

These are the modules you will need enabled although most of these were dependences: mod_proxy, mod_digest I think were the only ones I added.

nikolas:/etc/apache2/mods-enabled# ls
alias.load autoindex.load proxy.conf
auth_basic.load cgid.conf proxy_connect.load
auth_digest.load cgid.load proxy_http.load
authn_file.load dir.conf proxy.load
authz_default.load dir.load setenvif.load
authz_groupfile.load env.load ssl.conf
authz_host.load mime.load ssl.load
authz_user.load negotiation.load status.load




The Gotchas
  • You have to open up two listening ports, one for HTTP and the other for SSL. I'm using 1080 and 1083. You then specify this in the browser proxy config. You have to use SSL for some reason, weird. Update: actually if you use AllowCONNECT 80 443 you can listen on a single port.

  • The Apache documentation is either wrong or Debian is broken. You do use AuthUserFile, not the one it say in the mod_digest documentaiton

  • The realm you specify in the apache config has to match what you specify with htdigest.

    So this works on Firefox 3.0.3 and Opera 9.6 but SSL is not properly forwarded with IE7 despite applying the MSIE BrowserMatch

    Here are some the errors I had along the way...

    [Sat Oct 11 19:46:34 2008] [warn] proxy: No protocol handler was valid for the URL sitecheck2.opera.com:443. If you are using a DSO ve
    rsion of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.

    [Sat Oct 11 20:18:48 2008] [crit] [client 192.168.10.128] configuration error: couldn't perform authentication. AuthType not set!: ht
    tp://gmail.com/

    [Sat Oct 11 20:37:59 2008] [error] [client 192.168.10.128] Digest: user `mfranz' in realm `Blah' not found: http://gmail.com/

    And the Error I get on IE7

    [Sun Oct 12 08:12:45 2008] [error] [client 192.168.10.129] Digest: uri mismatch
    - does not match request-uri
  • The Upside of Black Swans




    Tom Peters has been blogging about Black Swan's for a while and he recently posted some rules for success in "Looney Times" such as these. Some good

    My favorite one was

    This is your life. Think upside!


    Much more inspirational than watching your IRA/401k go to shit.

    McCain Reaping the Whirlwind

    Now my wife doesn't blog on politics but this post by Josh Marshall nails the sentiment she had last night about the pickle McCain has found himself in with inciting the fear and range.

    And yet this conveys too much suggestion of planning and intent. I have more the sense of someone desperately casting about and losing control of the situation itself. Even hypocrites can get in over their heads. Indeed, in a more nuts-and-bolts strategic sense McCain has really gotten himself into a hole because the campaign he's been running has almost entirely been premised on the claim that you should be scared of an Obama presidency. Not that McCain, if he'd run a very different campaign, couldn't have run on issue disagreements with Obama. But right now if you take away fear of Obama becoming president, there's almost no reason not to vote for him since McCain has basically conceded the issue agenda to Obama. If you look at every poll for months, voters are dying for change. Fear of Obama is the only thing keeping him from leaving McCain in the dust. Take that away and McCain's done.


    Just as it is possible to feel some sympathy for Bush in the waning days of his presidency, you can actually feel for McCain. While I certainly have become to doubt the "old McCain" of 2000 who I would have voted for, you definitely get the sense of a man whose personal integrity has actively or passively been compromised and he knows it.

    As for Palin she is just a freak, a cardboard cutout (also my wife's term) who the sooner we year less of her, the better.

    Thursday, October 09, 2008

    You wouldn't see this in the South

    I'll tell you, if you watch these latest rallies you see these angry, ugly people. Some of them even look like zombie. As Joe Biden would say, "I repeat, literally, zombies" Where they hell they get these people from. Not the sort of people I'd want behind me if I were talking and trying to inspire people to vote for you. Oh, that's right, McCain-Palin are not trying to do that.



    Country First!

    Wednesday, October 08, 2008

    Advantage Obama

    Noam Scheiber has one of most cogent wrapups of last night's debate:

    By contrast, Obama really benefitted from his years as a law professor. He was fluent and very much at ease walking and talking at the same time. He had a professor's knack for making eye contact and maintaining it while he walked a questioner through a multi-step response. And his answers were much more concrete and intuitive than I'd ever heard them. It's as though it took fielding questions from ordinary people to remind him of this latent professorial talents.

    And Sullivan's Liveblog capture the view of the carnage.


    This was, I think, a mauling: a devastating and possibly electorally fatal debate for McCain. Even on Russia, he sounded a little out of it. I've watched a lot of debates and participated in many. I love debate and was trained as a boy in the British system to be a debater. I debated dozens of times at Oxofrd. All I can say is that, simply on terms of substance, clarity, empathy, style and authority, this has not just been an Obama victory. It has been a wipe-out.It has been about as big a wipe-out as I can remember in a presidential debate. It reminds me of the 1992 Clinton-Perot-Bush debate. I don't really see how the McCain campaign survives this.


    I missed the first few minutes. Was getting back from a trip from CVS paying for $50 for name brand meds for my son (so Obama's words on rising co-pay's rang true and how small companies get screwed in terms of health care premiums) so I missed the initial presentation of McCain's "Hail Mary" to bailout homeowners.

    McCain's performance was limp and pathetic and strained, sort of an aging Beavis. More of the "I know"/"I understand" language that hurt him in the first debate and the gleeful creepiness of the "That One" remark. Oh to see McCain speak without the influence of nueroleptics dampening his emotion. I guess this is about as un-glued as we will see him.

    Monday, October 06, 2008

    I'm with Joe on SCADASEC

    Not like I care anymore (or even bothered to check out what he was referring to,) but I guess it was an an interesting week on SCADASEC which I unsubscribed from a while back since I view control systems security as a quaint museum artifact and the lack of adult supervision and recycled discussions on the list were far too frustrating.

    Maybe after campaign season I'll resubscribe. Or perhaps by then we'll be in the midst of the Second Great Depression (25% unemployment they say?) and I will have packed up my family in our Honda minivan to go pick fruit back in Texas. And the memory of SCADA security will be a relic of more prosperous times.

    Yeah, that's an allusion to the Grapes of Wrath if you didn't get it. And contrary to what they said after 9/11, we will still have irony.

    Sunday, October 05, 2008

    Candidate Train Metaphors


    from Kos.

    The Real Stinking Corpse

    From What Palin Tells us about the GOP.

    Short and sweet:

    Palin is the aroma that rises from the corpse of American conservatism. And they find it invigorating.


    The Ignorance is Strength of Bush-Palin Republicanism is is one of the reasons why so many lifelong Republicans are "voting Democrat" this year.

    That and that some good old-fashioned Matthew 21:43-44 style retribution, courtesy of this week's Gospel reading:

    That is why I tell you that the kingdom of God will be taken away from you and given to a people who will produce fruit for it. The person who falls over this stone will be broken to pieces, but it will crush anyone on whom it falls.”


    I'm not claiming this is what this passage means, I just like metaphor and the imagery and the notion that power should be taken away from those who abuse it.

    Saturday, October 04, 2008

    What? Palin thinks Whites can be Terrorists too?

    It seems Palin has broadened her definition.


    "We see America as the greatest force for good in this world," Palin said at a fund-raising event in Colorado, adding, "Our opponent though, is someone who sees America, it seems, as being so imperfect that he's palling around with terrorists who would target their own country."


    I thought it was just Muslims "over there" (you know Iraq, Iran, etc.) that could be terrorists. Good for her!

    Thursday, October 02, 2008

    What would Cheney say about Palin?

    It hard to know if Palin is serious about Cheney but I would love to hear what Cheney would say about Palin. Cheney is pretty much pure evil, but I've always liked/respected him.

    Are these "new" TCP DoS attacks the dreaded "naptha" attacks of 2000?




    Just saw the SecurityFocus article and it is hard to tell from Fyodor's article or Robert Lee's post but these smell a lot like a variation of CA-2000-21 also known as as Naptha attacks where a relatively low number/rate of sessions could kill apps and devices or at least spike their CPU pretty nicely.

    I was always surprised these didn't get more play, because they were pretty nasty. I even built a Trinux package for the tools that were released. I also thought there was more potential in terms of spoofing application layer messages and the link layer (meaning not relying on connect()) to send an HTTP GET Request or some other first message, especially if it was a crypto protocol.

    I remember a certain crappy implementation of SSH where you could peg the CPU with stale sessions because it did whatever RSA foo way too early.

    But anyway, it is almost 2009 and who still gives a shit about TCP DoS vulns? I know I don't, but I'm probably just burned out on the whole vuln scene. After all it is all about getting your name in lights, right? Be a king for a day?

    Oh that's right Fernando Gont and CPNI still do.

    UPDATE:

    Damn! Jose Nazario beat me by a day. What else is new.

    And from Robert Graham

    The problem, in a nutshell, is that they can open a TCP connection that will never be closed. The only way to get rid of them is to reboot the server. This means that I can connect to the Internet with a dialup connection, then quickly take down www.google.com (or any other server) by maxing out the number of connections.


    If this statement is true, "that the connection will never be closed" (which to me, means the same thing as never timing out this was not the case with many of the implementations that I did testing of with the Naptha toolset (the srvr responder in particular) released in 2000. Some stacks did time out with a reboot. And depending on the state you were trying to exhaust different states had different thresholds, as well. Exhausting the ESTABLISHED state would respond differently to the LAST_ACK state.

    Of course some stacks (and applications) just died, as well.

    Wednesday, October 01, 2008

    What really bugs me about "E-Learning 2.0"

    So my previous post on must have struck a nerve.

    And while I take no offense (ironically, that is my current job title on business card, which I must change when I get new ones, says "training specialist." But I guess I'm supposed to be offended that Dr. Karrer doesn't consider me a training specialist.
    saw a post by Matthew Franz - where he tells us - I don't get e-learning 2.0 - and it made me wonder if Franz is a training specialist - who's not looking at more than training as a model for learning.
    But forget about that...

    The key issue is whether learning|teaching|training|education|instruction are fundamentally altered by these supercool "2.0" technologies like wikis?

    When I taught Reading & Texas History to 7th & 8th graders, in both subjects focusing on critical thinking skills and using techniques like the Socratic seminars espoused by folks like Mortimer Adler, that was definitely education. When I taught TCP/IP Security and Open Source network security tools that was purely training (clearly more worthy, if less lucrative) as is the current courses I teach on Tenable products.

    I'd like to think there is a bit of education in some of the training I teach. I'd also like to think that maybe reading Paulo Freire makes me a better able to teach about vulnerability and compliance management and allow security auditors to name the pain of dealing with obtuse requirements.

    I admit there is no small amount of irony that principles developed for teaching literacy to Brazilian peasants might be applicable to teaching for-profit courses to folks who have (or aspire to have) six figure salaries, but I digress.

    The problem I have with this concept of "eLearning 2.0" and all the hype about blogs and wikis (both of which I know and love and one of which I do use in my ILT classes and in my own personal learning, MoinMoin Desktop Edition rules!) is that it seems yet another educational fad, another "gamechanger" marketed to teachers and trainers that does not fundamentally alter the equation. Why even adopt the lingo of 1.0/2.0?

    How is a blog any more revolutionary (or fundamentally) different than Nancie Atwell's Reading-Writing workshop? Since I'm not a training specialist (but a security technologist and practitioner that happens to develop and deliver training and is current working developing an eLearning solution) I don't keep up with adult learning and instructional design as much as I should, but as a public school teacher and a student of the history of education that there are wave after wave of fads which are often mindlessly adopted by (or forced down the throat of) of teachers.

    When I was a technology trainer, when I developed the first Internet use policy for my school down in Texas, when we evaluated proposals from the teaching staff on how they would integrate technology into their classrooms in the mid 1990s I heard the same sort of pie in the sky buzzwords that I see on these e-Learning 2.0.

    When I taught history, I used collaborative writing software with my students back in the mid 1990s. These were MacLC II's with LocalTalk vs. AJAX and TCP/IP. And no, I don't see Google Documents as fundamentally revolutionary in the context of training or instruction--or at least no more revolutionary than outside the use of training. It is not wikis don't provide value they just don't provide any more value in the context of teaching and learning than in their "normal" use.

    The hype about eLearning 2.0 smacks of another fad which does not fundamentally alter the effectiveness of teachers and the learning of students. I actually do think wikis are revolutionary and were a fundamental tool in my toolkit when I was a consultant. But I do not believe they are more revolutionary in the classroom than outside the classroom. Training and learning must adopt the tools and techniques of the workplace (and typically adopts these later than the workplace, right?). Congrats, trainers are able to keep up. Barely.

    Even (as my coworkers would attest) though I'm a bit of a WikiZealot, I view the latest and greatest with suspicion. Just another buzzword just like "whole language" "reader response theory" that teachers will grudgingly adopt because they have to, because it is the new dominant paradigm.

    Truth be told, my skepticism is probably also based on the fact that deep down I believe Learning (meaning instructor led training, although I obviously realize that learning does not require an instructor and was a big fan of collaborative learning and student-led learning) is always preferable to eLearning. It is just not always practical. eLearning is a cheap, but scalable, substitute for the real thing if the real thing cannot be had. This bias probably impacts my view of the discussion of the value of these technologies.

    Ready, Willing, and Able

    Turn out the lights, the party's over

    From Penetrating SCADA systems reduced to a video game -- referring to White Wolf/SANS ICE 2.

    Amid the expected "folks are using SCADA incorrectly" and so and so industry/government agency is completely clueless, Joe says:


    Come see this year's Integrated Cyber Exercise II (ICE II) October 1-3 at SANS Network Security 2008 ICE II will feature Paul and Larry of pauldotcom.com in a Hacker throw-down to see who is the best network attacker and defender. Paul and Larry will each have a major network to defend while they also attack each other. The event is open to all SANS Las Vegas attendees. Players can pick a side, defend their own network, attack at will or view and snipe from a distance. This year's event will feature more hardware including VoIP and SCADA. Enhanced scoring visualization and 3D graphics and even a complete traffic generator to hide the attackers. Come hang out in the spectator room and be eligible for random prize drawings sponsored by ThinkGeek, AirScanner, Syngress, CACE Technologies and Lone Pine Embroidery. Watch as phones, servers, cameras and even our own power grid are attacked and defended across three nights of fun, education and mayhem. Fortinet will be providing complete IDS monitoring and reporting while Core Security and Immunity will be demonstrating in the Red Cell room. I find this disturbing in the least. SANS should not be addressing SCADA in this manner for any number of reasons.


    I'm not a huge fan of SANS (or their SCADA Endeavors) but what is the harm of just a little bit of fun between friends?

    What's the worst that could happen, more "IT Security people" get interested in "SCADA?"

    The horror. The horror.