Wednesday, December 31, 2008

Unmasking the Mysteries of the Moodle User/Course Database: Part I

CAVEAT: From this blog post you'll [correctly] conclude I have way too much time on my hands, but heh, when you work on your day off you can be as inefficient as you like!

(Oh yeah, and all of this, running moodle, mysql, mysql GUI tools, gimp, etc., was all done on my Netbook. These are decent little machines. I'm glad I bought a hard drive instead of a flash because you can use them for real apps. All in a 2 pound package. I would recommend an external mouse/trackball if you want to save your thumbs.)


mfranz@mfranz-s10:~$ uptime
09:23:44 up 15:39, 4 users, load average: 0.53, 0.63, 0.59

mfranz@mfranz-s10:~$ free
total used free shared buffers cached
Mem: 1543920 1505324 38596 0 106532 571888
-/+ buffers/cache: 826904 717016
Swap: 1983988 668 1983320


A bit hotter (CPU-wise) than I'd like but Opera was the only thing that bogged down a bit.

The Problem: How do you programmatically find out which students are enrolled in a given moodle course? Since the new authorization/enrollment model implemented in Moodle 1.7 (IIRC) this has become a little more difficult, because the data is spread across a number of tables in the moodle database.

Basically you want to find out something like this.



I'm the only student in CF102.

So we start with mdl_user (the table we retrieved the metadata on in a previous blog post).



Remember, my id is 3

Now to look at the courses (mdl_course)



Remember that CF102 has an id of 3 as well.

Here is where it starts to get interesting. The role_assignment table shows that my user has a roleid of 5 and a contextid of 11. Both of these are necessary to understand what a given user can or cannot do/view in terms of course content.



The role_capabilities table defines what roleid 5 is.



The roleid of 5 corresponds to a student and the capability is self-explanatory.

Now back to the contextid (from the role_capabilities table), which is the indirect link to the course through the mdl_context table. For once I actually highlighted the correct row. In this case we are interested in a contextid of 11.



I cut the field names off, but the third field is instanceid (which is 3) and points us back to the courseid which corresponds to CF102.

Simple, eh?

In the next blog post on this topic I'll write some Python/SQLAlchemy code to retrieve a list of users that are enrolled in a given course, or which courses a student is enrolled in.
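As an added example (my own code, not the author's promised follow-up), here is the join chain above, user → role_assignments → context → course, run against an in-memory SQLite copy of the relevant tables. The table and column names follow Moodle's mdl_ schema as I know it (mdl_role_assignments, mdl_context with contextlevel 50 for a course), and the rows are constructed to mirror the ids in the post (user 3, course 3, context 11, role 5) plus a teacher, a second course and a deleted account so the filters actually do something.

```python
import sqlite3

# Moodle constants as I know them from accesslib.php: course contexts have
# contextlevel 50; the post found roleid 5 (student) in role_assignments.
CONTEXT_COURSE = 50
STUDENT_ROLEID = 5

# Minimal versions of the tables the post walks through (column subset only;
# the real mdl_user has ~50 columns, see the column dump further down).
SCHEMA = """
CREATE TABLE mdl_user (id INTEGER PRIMARY KEY, username TEXT, deleted INTEGER DEFAULT 0);
CREATE TABLE mdl_course (id INTEGER PRIMARY KEY, shortname TEXT);
CREATE TABLE mdl_role (id INTEGER PRIMARY KEY, shortname TEXT);
CREATE TABLE mdl_context (id INTEGER PRIMARY KEY, contextlevel INTEGER, instanceid INTEGER);
CREATE TABLE mdl_role_assignments (id INTEGER PRIMARY KEY, roleid INTEGER, contextid INTEGER, userid INTEGER);
"""

# Constructed rows. user 3 / course 3 / context 11 / role 5 mirror the ids in
# the post; the rest exist to exercise the filters (teacher role, deleted
# user, a second course).
SAMPLE_ROWS = {
    "mdl_user": [(3, "mfranz", 0), (4, "teacher1", 0), (5, "student2", 0), (6, "dropped", 1)],
    "mdl_course": [(3, "CF102"), (4, "CF201")],
    "mdl_role": [(3, "editingteacher"), (5, "student")],
    "mdl_context": [(1, 10, 0), (11, CONTEXT_COURSE, 3), (12, CONTEXT_COURSE, 4)],
    "mdl_role_assignments": [
        (1, 5, 11, 3),  # mfranz is a student in CF102
        (2, 3, 11, 4),  # teacher1 teaches CF102
        (3, 5, 12, 5),  # student2 is a student in CF201
        (4, 5, 11, 6),  # a deleted account keeps its assignment row
        (5, 5, 12, 3),  # mfranz is also a student in CF201
    ],
}


def build_sample_db():
    """Create an in-memory SQLite stand-in for the Moodle tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        # table names come from our own dict above, not from user input
        placeholders = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({placeholders})", rows)
    conn.commit()
    return conn


# The join chain from the post: course -> context (instanceid = course.id,
# contextlevel = course) -> role_assignments (contextid) -> user (userid).
# Course names and usernames usually arrive from a form or a CLI argument,
# so they are bound as parameters, never spliced into the SQL string.
STUDENTS_SQL = """
SELECT u.username
  FROM mdl_course c
  JOIN mdl_context ctx ON ctx.instanceid = c.id AND ctx.contextlevel = ?
  JOIN mdl_role_assignments ra ON ra.contextid = ctx.id
  JOIN mdl_user u ON u.id = ra.userid
 WHERE c.shortname = ? AND ra.roleid = ? AND u.deleted = 0
 ORDER BY u.username
"""

COURSES_SQL = """
SELECT c.shortname
  FROM mdl_user u
  JOIN mdl_role_assignments ra ON ra.userid = u.id
  JOIN mdl_context ctx ON ctx.id = ra.contextid AND ctx.contextlevel = ?
  JOIN mdl_course c ON c.id = ctx.instanceid
 WHERE u.username = ? AND ra.roleid = ? AND u.deleted = 0
 ORDER BY c.shortname
"""


def students_in_course(conn, shortname, roleid=STUDENT_ROLEID):
    """Usernames holding `roleid` in the course context of `shortname`."""
    rows = conn.execute(STUDENTS_SQL, (CONTEXT_COURSE, shortname, roleid))
    return [r[0] for r in rows]


def courses_for_user(conn, username, roleid=STUDENT_ROLEID):
    """Course shortnames in which `username` holds `roleid`."""
    rows = conn.execute(COURSES_SQL, (CONTEXT_COURSE, username, roleid))
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_sample_db()
    print("students in CF102:", students_in_course(db, "CF102"))
    print("courses for mfranz:", courses_for_user(db, "mfranz"))
```

Against a real Moodle database the same two queries run unchanged with a MySQL connection in place of the SQLite one; only the contextlevel filter is doing work the screenshots above leave implicit.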

Tuesday, December 30, 2008

Why use Python to access your Moodle User Database?

Well, besides the fact that PHP is an absolute shit-for-brains language, basic stuff like YAML, displaying syntax errors in imported modules, and other sane things you would expect after using Python or Ruby just ain't there.

And oh yeah, it is butt ugly ($, ->, ::, ?> etc.)

Not only that, but I was able to whip up this cool script with SQLAlchemy (no, I'm not using the ORM, I just want to avoid MySQLdb):

mfranz@mfranz-s10:~/crap$ cat alctest.py
#!/usr/bin/env python
# Reflect the mdl_user table with SQLAlchemy Core (no ORM) and dump its column names.
from sqlalchemy import *
from pprint import pprint
# The DSN carries the DB credentials inline: mysql://user:password@host/database
e = create_engine("mysql://moodle:blackboard@127.0.0.1/moodle")
m = MetaData(e)  # bound metadata, the style of the SQLAlchemy of the day
# autoload reflects the column definitions from the live schema
user_table = Table('mdl_user', m, autoload=True, autoload_with=e)
pprint(user_table.columns.keys())
mfranz@mfranz-s10:~/crap$ ./alctest.py
[u'id',
u'auth',
u'confirmed',
u'policyagreed',
u'deleted',
u'mnethostid',
u'username',
u'password',
u'idnumber',
u'firstname',
u'lastname',
u'email',
u'emailstop',
u'icq',
u'skype',
u'yahoo',
u'aim',
u'msn',
u'phone1',
u'phone2',
u'institution',
u'department',
u'address',
u'city',
u'country',
u'lang',
u'theme',
u'timezone',
u'firstaccess',
u'lastaccess',
u'lastlogin',
u'currentlogin',
u'lastip',
u'secret',
u'picture',
u'url',
u'description',
u'mailformat',
u'maildigest',
u'maildisplay',
u'htmleditor',
u'ajax',
u'autosubscribe',
u'trackforums',
u'timemodified',
u'trustbitmask',
u'imagealt',
u'screenreader']

Now that I've got that off my chest.

So here is what I was trying to do. Since Moodle is PHP (and I'm stuck with Moodle) and we are a PHP shop, I thought I would do the right thing and try to use PHP even though I hate it, know it is evil, etc.

The app is in PHP and there are obviously some higher-level APIs for accessing Moodle tables, so it makes sense that I should write my scripts in PHP, right?

And there were. So I started using DML (although the pre-2.0 version I was using has awful documentation on the wiki, so I basically had to look at the source, which at least has decent internal documentation) to provide external (meaning not through the Moodle web UI) access to the Moodle user database.

But that took way too long. Of course it has been years since I've touched any PHP, so I'll admit that was part of the problem. Mainly, forgetting semi-colons. What kind of insane language requires semi-colons as statement separators?

I was contemplating a weird hack (which I know works just fine, because I've done it before) of sending YAML over SSH (in lieu of XMLRPC, which is a pain in the ass to secure), but php-syck is completely broken on CentOS and I wasn't able to build the PHP module manually, which I shouldn't have to, anyway.

So the long and short of it: I completed in Python (and my Python is rusty) in an hour what took me 3-4 in PHP, so Python it is. Honestly, much of the time could have been saved if PHP had an interactive interpreter like Ruby or Python so I could quickly test out the new APIs I was learning, inspect objects, etc.

Verisign: Hardly (or, do we have a new disclosure model here?)

Now I only caught the last 5-10 minutes of the Q&A from the big talk this morning and what I heard (especially about the differences among browser implementations) was pretty interesting. Wish I would have heard the whole thing.

The whining from vendors (or so it is said in the blogs) about "wish they had been told earlier" has been amusing. Waaah.

And I like this new disclosure model (which turns the existing model upside down: vendors have to sign NDAs instead of the researchers, brilliant!) and the fact that there is a real exploitation (however limited) prior to a fix, which brings the end-user community into the disclosure dance.

However, I can't help but think this was sort of a letdown (and I don't think it is just because crypto puts me to sleep) and I liked this summary from "This morning's MD5 attack - resolved":

Q: Is Internet security broken?
A: Hardly. The presenters of this morning's paper stressed that it took them a long time and a great deal of computational power to succeed in their collision attack. VeriSign has already eliminated the attack as a possibility.


It bothered me that this was positioned as a "critical internet infrastructure" attack/vulnerability/compromise, which to me pretty much means routing or name service or some other colossal failure in the transport layer or below. Which this was not. Web security completely broken I could buy, but Internet security, let alone Critical Internet Infrastructure security?

Hardly is a pretty good summary.

Monday, December 29, 2008

Some Non-Speculation on the CCC Breaking the CII Talk Tomorrow

I'll fess up right away. I have no interest in playing hermeneutical games with redacted texts or trying to divine the flaws that will be released tomorrow.

And the first time I read the talk writeup I thought, "Oh, God, here we go again... more preconference disclosure bullshit."

And of course they were already at it over on Dailydave. BGP. Crypto. Everybody loves BGP and Crypto. Some new DoS?

Get ready for the FUD machines to start. Time to get ill. Get the bucket ready. But after reading HD's blog (which was based on knowledge of the vulnerability) a second time (once wasn't enough) I'm thinking perhaps this one is different:

Their research combined a known weakness in one area with a massive resource investment in another to show that a third party was vulnerable to a practical attack that affects the security of all Internet users. Security researchers often release code and technical documentation to demonstrate a flaw, but in this case, they went a step further and used the attack in the real world to obtain proof that it works.

Not in terms of the vulnerability (or vulnerabilities) to be disclosed (although it very well may be), but as a way of disclosing critical vulnerabilities that neither trivializes nor desensitizes flaws that need to be addressed by vendors and the end-user community. The current model isn't working so well.

As you can already see, if folks within the hacker/researcher community (who should know better) conflate all the scary Internet infrastructure vulnerabilities, of course technology journalists will.

In the broader IT press, Kaminsky's DNS will be treated the same as Watson's TCP as Gont's ICMP as Oulu's ASN.1/SNMP as Guardent's TCP as Lee's TCP, etc. ad nauseam.

(If I weren't typing on this damn Netbook I'd add links but google them yourself if you are interested. But you get the point)

Within the mainstream media, each of these will be covered with approximately the same number of words, the same oversimplification and carefully selected, out of context quotes, regardless of the technical merit of the research, regardless of the scope of the flaws, and the professionalism (or lack thereof) of the finders.

And each time there will be the Oh-My-God-the-Internet-is-Doomed-thank-God-for-the-Hackers-that-Saved-It narrative.

(Compare the recent Wired article on the summer DNS flaws with the coverage of the 2003 TCP vulnerability discovered by Paul (Tony) Watson (aka the man that saved the Internet) and you will see an eerie similarity.)

Another wasted news cycle, and despite the claims of the finders, the security of the infrastructure is not improved. End users are either confused or cynical. It is conference season again. It is just too easy to dismiss the research as an individual trying to make a name for themselves and climb the corporate security ladder, a consulting company marketing its services, or a vendor hawking their wares in the guise of a BlackHat talk.

Unless there is proof.

And that is where it looks like this will be different. There is a huge difference between what you can prove with a few boxes in your basement, a one-rack testbed with 50-100k of gear, an ISP with live users, or the larger Internet.

Each environment in which to demonstrate attack vectors and vulnerabilities is increasingly less contrived and more and more like reality. Each is an environment less under the control of the attacker/adversary/researcher, which is where it starts to get interesting. Meaning attacks on an Internet scale.

That is why real incidents (i.e. the smurf attacks of '98, the DDoS of 2000, the worms) teach far better lessons. They provide real data. They impact the bottom lines of vendors and users and impact operational best practices.

Compare that with flash-in-the-pan vulnerability presentations and you'll see why, in the long run, I wish more researchers would go beyond proof of concept and operationalize their exploits and discovered vulnerabilities.

Regardless of the technical details of the disclosure, it will be interesting to watch what happens. Will this be more of the same or the start of something new?

Sunday, December 28, 2008

Libgmail, Twitter, Ideapad S10 Hardware Info on Linux

Not sure why, but (under Ubuntu) the fan has been running nonstop for the past hour (perhaps because the temperature is 61 C, who knows), even booted into fluxbox. I have a little project/tool involving gmail that I'm hoping to get done before the end of the year (not a vuln or anything, don't get too excited), so I've had my head in libgmail for the past 24 hours, as well as starting to sort of get the point of Twitter (notice my tweets on the side), but I also started poking around at /proc and lshw/dmidecode, etc. on the S10. There is definitely something funky with power management. A couple of times (even under XP) the battery value doesn't show up properly, and gnome-power-manager doesn't start up properly 20-25% of the time.

description: VGA compatible controller
product: Mobile 945GME Express Integrated Graphics Controller
vendor: Intel Corporation
physical id: 2

description: Ethernet interface
product: NetLink BCM5906M Fast Ethernet PCI Express
vendor: Broadcom Corporation
capabilities: pm vpd msi pciexpress bus_master cap_list ethernet physical tp 10bt 10bt-fd 100bt 100bt-fd autonegotiation
configuration: autonegotiation=on broadcast=yes driver=tg3 driverversion=3.94 latency=0 link=no module=tg3 multicast=yes port=twisted pair

description: Wireless interface
product: BCM4312 802.11b/g
vendor: Broadcom Corporation
capabilities: pm msi pciexpress bus_master cap_list ethernet physical wireless

processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 28
model name : Intel(R) Atom(TM) CPU N270 @ 1.60GHz
stepping : 2
cpu MHz : 800.000
cache size : 512 KB
physical id : 0
siblings : 2
core id : 0
cpu cores : 1
apicid : 0
initial apicid : 0
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx constant_tsc arch_perfmon pebs bts pni monitor ds_cpl est tm2 ssse3 xtpr lahf_lm
bogomips : 3191.95
clflush size : 64
power management:
cpuid level : 10
wp : yes

00:00.0 Host bridge: Intel Corporation Mobile 945GME Express Memory Controller Hub (rev 03)
00:02.0 VGA compatible controller: Intel Corporation Mobile 945GME Express Integrated Graphics Controller (rev 03)
00:02.1 Display controller: Intel Corporation Mobile 945GM/GMS/GME, 943/940GML Express Integrated Graphics Controller (rev 03)
00:1b.0 Audio device: Intel Corporation 82801G (ICH7 Family) High Definition Audio Controller (rev 02)
00:1c.0 PCI bridge: Intel Corporation 82801G (ICH7 Family) PCI Express Port 1 (rev 02)
00:1c.1 PCI bridge: Intel Corporation 82801G (ICH7 Family) PCI Express Port 2 (rev 02)
00:1c.2 PCI bridge: Intel Corporation 82801G (ICH7 Family) PCI Express Port 3 (rev 02)
00:1d.0 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI Controller #1 (rev 02)
00:1d.1 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI Controller #2 (rev 02)
00:1d.2 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI Controller #3 (rev 02)
00:1d.3 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI Controller #4 (rev 02)
00:1d.7 USB Controller: Intel Corporation 82801G (ICH7 Family) USB2 EHCI Controller (rev 02)
00:1e.0 PCI bridge: Intel Corporation 82801 Mobile PCI Bridge (rev e2)
00:1f.0 ISA bridge: Intel Corporation 82801GBM (ICH7-M) LPC Interface Bridge (rev 02)
00:1f.1 IDE interface: Intel Corporation 82801G (ICH7 Family) IDE Controller (rev 02)
00:1f.2 IDE interface: Intel Corporation 82801GBM/GHM (ICH7 Family) SATA IDE Controller (rev 02)
00:1f.3 SMBus: Intel Corporation 82801G (ICH7 Family) SMBus Controller (rev 02)
02:00.0 Ethernet controller: Broadcom Corporation NetLink BCM5906M Fast Ethernet PCI Express (rev 02)
05:00.0 Network controller: Broadcom Corporation BCM4312 802.11b/g (rev 01)

Wednesday, December 24, 2008

Belief comes last

My wife turned me on to this...

Are you down with OSCP?

I'm generally weary (not wary!) of anything related to SSL or MITM (and particularly SSL MITMs), but Traffic for Revoked TLSv1 Certificate is actually a pretty interesting drink-coffee-while-only-the-1-year-old-is-up-and-toddling-around, catch-up-on-blogs-on-your-new-Netbook activity.

And Richard's traffic dissection reminded me it's been weeks (months?) since I've fired up Wireshark. Tcpdump, every other day, but Wireshark, not so much lately.

Merry Christmas!

Tuesday, December 23, 2008

Ideapad S10 Upgrade Complete

So I only ended up working a half-day today, so this afternoon (in between watching the kids and doing some last minute shopping for Christmas) I put in my old 120GB drive from my wife's dead MacBook and started the arduous process of copying a drive image from the original 80GB drive that ships with it to the new one.

(The added bonus was that Ubuntu automatically mounted the HFS+ partition, so I was able to recover a bunch of pictures from iPhoto and Photo Booth.)

And none of this would have been possible without UNetbootin.

It is definitely the hero of the day.

So the S10 has a weird partitioning layout. It only uses the first half of the drive (in my case 80GB) for the XP Home (FAT32) partition; there are 3-4 other partitions, some more or less hidden, for the backup features that I would know about if I had bothered to break the seals on the product documentation.

Of course dd|gzip (then back again) on an Atom processor takes forever, so there was a lot of downtime. 40 GB images. I think it compressed down to 7GB or so, but to and from an external USB drive. You get the point. Drive imaging is slow, but now I have a dual boot (8.10 and XP Home) S10. This is the 2nd time I installed 8.10 and the long and short of it is that it is supported pretty well. No more quirks than on other laptop hardware.

Monday, December 22, 2008

First Ideapad Blog

Well my Lenovo Ideapad S10 came today, several days ahead of schedule. I guess one of the benefits of a global economic downturn is fulfillment centers chock full of crap that people shouldn't be buying in the first place.

It turns out I had ordered a white one. Oh well, couldn't remember. I thought that might be the case. That's OK, I need to find some small stickers (OpenBSD, not!) to put on it to look cool.

Still running XP for now (will probably leave it on the 80GB that came with it), but I did boot 8.10 from a USB key and the only thing that didn't appear to work was the battery life indicator. I didn't try WPA, only briefly hopped on a neighbor's open AP to test the browser because I couldn't remember my WPA2 key and haven't added the MAC to the router yet. Popped in the RAM from my wife's MacBook and up to 1.5.

If you ordered the sleeve (and are a man who is not manly enough to not care if you had a pink notebook sleeve) it is reversible.

So here are the first impressions:
  • It is definitely smaller than I expected, and the keyboard is more cramped than I expected. The TAB key is very tiny, making shell expansion difficult under cygwin/remote systems. But it is usable (typing on it now).
  • Performance is snappier than I thought, given the lousy benchmarks I read about. Chrome on Atom is a nice platform.
  • It definitely feels solid, not like a toy, as I envisioned the Dell Mini 9 to be. Hinges are nice and stiff.
  • Get rid of Norton and their stupid phishing toolbars which suck up screen geometry. Lots of apps barely fit.
  • The touchpad rocks. Hell of a lot better than crappy Dell touchpads (at least the ones I used on Latitude/Precision).
  • It is sort of tricky removing/putting the expansion cover (for HD and RAM) on and off. I was afraid I was going to break it.
  • There is a noticeable audible blowing sound (the fan, I believe).
  • Speakers are about what I expect. Not great. Not terrible.
  • Watched the start of the latest episode of Chuck on Hulu and it was decent.

Sunday, December 21, 2008

Forget about OWASP, go for Webkin Application Security!



So my daughter received an early Christmas present, a Webkinz Clydesdale horse, and when I registered this "adopted" pet (as an adoptive parent, I always find stuff like this mildly offensive) I was shocked to see that the number of disclaimers, guidance on password security, protecting your secret code, etc. during the initial registration far exceeds that of many security products and public web portals, online banking sites, etc.

And most effective was the animated goose (with glasses propped down on her nose) scolding you about the dangers of a weak password or sharing your secret code.

Of course coming up with the squid proxy whitelist was sort of painful because they use a lot of hardcoded IP addresses in their app, like below:

1229885588.050 117 192.168.10.103 TCP_MISS/200 1081 GET http://www.webkinz.com/XML/InstanceFactory/InstanceFactoryData.xml? - DIRECT/66.114.49.27 text/xml
1229885588.056 139 192.168.10.103 TCP_MISS/200 2406 GET http://www.webkinz.com/XML/L10N/TransList.xml? - DIRECT/66.114.49.27 text/xml
1229885615.945 136 192.168.10.103 TCP_MISS/200 851 GET http://www.webkinz.com/XML/WEBSTAT/call_config.xml? - DIRECT/66.114.49.27 text/xml
1229885615.977 953 192.168.10.103 TCP_MISS/200 6437 GET http://www.webkinz.com/XML/vnum_API.xml? - DIRECT/66.114.49.27 text/xml
1229885616.007 177 192.168.10.103 TCP_MISS/200 1713 POST http://66.48.69.99/sindex.php - DIRECT/66.48.69.99 text/xml
1229885617.630 101 192.168.10.103 TCP_MISS/200 359 POST http://66.48.69.99/getdate.php? - DIRECT/66.48.69.99 text/html
1229885617.647 116 192.168.10.103 TCP_MISS/200 672 POST http://66.48.69.99/sindex.php - DIRECT/66.48.69.99 text/xml
1229885617.656 136 192.168.10.103 TCP_MISS/200 374 POST http://66.48.69.123/sindex.php - DIRECT/66.48.69.123 text/xml
1229885617.902 122 192.168.10.103 TCP_MISS/200 470 POST http://66.48.69.123/sindex.php - DIRECT/66.48.69.123 text/plain
1229885617.956 175 192.168.10.103 TCP_MISS/404 630 GET http://66.48.69.104/DAS/2008_12_21.xml? - DIRECT/66.48.69.104 text/html
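An added example (mine, not part of the original post) of turning log lines like these into the whitelist: a parser for squid's native access.log format that separates the destinations into real hostnames and bare IP literals, then renders them as dstdomain and dst ACLs. Four of the sample lines are copied from above; the last one, with a hostname:port, is constructed to exercise host extraction.

```python
import ipaddress
from urllib.parse import urlsplit

# Squid native access.log format (one record per line, whitespace separated):
# time elapsed client code/status bytes method URL ident peerstatus/peerhost type
# Four lines are copied from the post; the last one is constructed.
SAMPLE_LOG = """\
1229885588.050 117 192.168.10.103 TCP_MISS/200 1081 GET http://www.webkinz.com/XML/InstanceFactory/InstanceFactoryData.xml? - DIRECT/66.114.49.27 text/xml
1229885616.007 177 192.168.10.103 TCP_MISS/200 1713 POST http://66.48.69.99/sindex.php - DIRECT/66.48.69.99 text/xml
1229885617.656 136 192.168.10.103 TCP_MISS/200 374 POST http://66.48.69.123/sindex.php - DIRECT/66.48.69.123 text/xml
1229885617.956 175 192.168.10.103 TCP_MISS/404 630 GET http://66.48.69.104/DAS/2008_12_21.xml? - DIRECT/66.48.69.104 text/html
1229885620.001 88 192.168.10.103 TCP_MISS/200 512 GET http://static.webkinz.com:8080/swf/room.swf - DIRECT/66.114.49.30 application/x-shockwave-flash
"""


def parse_line(line):
    """Split one native-format record into a dict, or return None if malformed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    action, _, status = fields[3].partition("/")
    if not status.isdigit():
        return None
    return {
        "time": float(fields[0]),
        "client": fields[2],
        "action": action,        # TCP_MISS, TCP_HIT, TCP_DENIED, ...
        "status": int(status),   # HTTP status code
        "method": fields[5],
        "url": fields[6],
        "host": urlsplit(fields[6]).hostname,  # drops scheme, port and path
    }


def destinations(log_text, client=None):
    """Return (hostnames, ip_literals) seen as request destinations.

    IP-literal hosts are the ones the post complains about: they cannot be
    whitelisted by domain, so they are reported separately. `client`, if
    given, restricts the scan to one source address. Every status code is
    counted because a 404 still shows where the app tried to go.
    """
    names, ips = set(), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["host"] is None:
            continue
        if client is not None and rec["client"] != client:
            continue
        try:
            ips.add(str(ipaddress.ip_address(rec["host"])))
        except ValueError:
            names.add(rec["host"].lower())
    return sorted(names), sorted(ips, key=ipaddress.ip_address)


def squid_acl(names, ips, acl_name="webkinz"):
    """Render squid.conf lines: dstdomain for names, dst for bare addresses.

    One ACL name cannot carry two types and names on one http_access line
    are ANDed, so each type gets its own ACL and its own allow line.
    """
    lines = []
    if names:
        lines.append(f"acl {acl_name}_names dstdomain " + " ".join(names))
        lines.append(f"http_access allow {acl_name}_names")
    if ips:
        lines.append(f"acl {acl_name}_addrs dst " + " ".join(ips))
        lines.append(f"http_access allow {acl_name}_addrs")
    return "\n".join(lines)


if __name__ == "__main__":
    n, i = destinations(SAMPLE_LOG)
    print(squid_acl(n, i))
```

The resulting dst entries are exactly the part of the whitelist that rots when the vendor renumbers, which is the maintenance cost of hardcoded addresses the post is pointing at.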

Friday, December 19, 2008

Is conntrackd really pfsync+CARP for Linux?

Say it ain't so, Joe, but conntrack-tools says it "provides an equivalent of OpenBSD's pfsync."
What can do the conntrack-tools for me?

Lots of cool things. conntrackd covers the specific aspects of stateful Linux firewalls to enable high availability solutions and it can be used as statistics collector of the firewall use as well. The command line interface conntrack provides an interface to add, delete and update flow entries, list current active flows in plain text/XML, current IPv4 NAT'ed flows, reset counters atomically, flush the connection tracking table and monitor connection tracking events among many other.
This is something I've been wondering about for a while and it looks like this project has been around since 2006.

Here is a presentation on the capabilities of this. There isn't much test data here, but based on the stats in the talk, the performance of conntrackd (my testing/production observations were done on similar hardware, a DL-145G3) looks significantly worse than FreeBSD/OpenBSD with PF+pfsync+CARP. Note that the CARP/VRRP functionality is performed by keepalived.

*BSD can be used in the Enterprise for high availability gigabit packet filtering, but it would be interesting to see if anyone is using iptables+conntrackd+keepalived for this?

Update
This presentation about a successful migration from Linux to OpenBSD confirmed my suspicions about conntrackd not being ready for prime time. And this USENIX article provided an interesting comparison between OpenBSD and iptables.


Linux is, in general, more efficient than OpenBSD. In both router and bridge configurations, it spends less time forwarding packets. Furthermore, iptables filters packets more quickly than PF, with only one exception (in our testing): if the transport-layer protocol of the transit packet, say, UDP, differs from the specified transport-protocol type of a sequence of rules—“protocol type” set to “TCP” in this example—PF ignores those rules and confronts the packet only with the rest of the set, acting more efficiently than Linux, which confronts the packet with all the rules in the set.

This feature of PF is very interesting. UDP-based attacks are very insidious, and most firewalls have rules to prevent many types of UDP datagram from accessing the network. Nevertheless, most traffic from and to a protected network is made up of TCP streams (protocols such as HTTP, SMTP, and FTP all use TCP). In such a case, PF may be more effective: it does not spend processing time comparing TCP packets with the set of rules destined to block UDP datagrams, avoiding delay in processing legitimate packets. Finally, unlike iptables, PF performs automatic optimization of the rule set, processing it in multiple linked lists [7, 8]. A way to optimize the search on the rule set for iptables is to resort to the “jump” parameter [18] for jumping to a subset of rules (i.e., a chain) reserved for TCP or UDP packets, depending on protocol type.


Of course even discounting performance, the iptables rulesets are much less elegant than ipf/pf.

Webjob




WebJob looks more interesting than you would think from the description:

WebJob downloads a program or script from a remote WebJob server and executes it in one unified operation. Any output produced by the program/script is packaged up and sent to a remote, possibly different, WebJob server. WebJob is useful because it provides a mechanism for running known good programs on damaged or potentially compromised systems. This makes it ideal for remote diagnostics, incident response, and evidence collection. WebJob also provides a framework that is conducive to centralized management. Therefore, it can support and help automate a large number of common administrative tasks and host-based monitoring scenarios such as periodic system checks, file updates, integrity monitoring, patch/package management, and so on.


When you look at the use cases:


To date, WebJob has been successfully used to:

* Automatically harvest argus, ifconfig, lsof, netstat, ndd, patch, ps, tcpdump, (name your utility), etc. data
* Automatically update cron tabs, DNS records, password files, snort rules, web sites, (name your application), etc.
* Automatically update system binaries when their MD5s do not match expected values
* Conduct massive searches for credit card numbers, social security numbers, and suspect hashes
* Deploy FreeBSD, Linux, Solaris, and Windows packages
* Drive GUI-based Windows utilities via AutoIT scripts
* Harvest evidence and diagnostic information from hundreds (300+) of systems in parallel
* Harvest system information to perform security audits or compliance verification
* Implement a Virtual Evidence Locker (VEL)
* Implement and maintain a Poor Man's Compile Farm (PMCF)
* Implement and maintain a distributed malware test harness
* Perform integrity monitoring with FTimes
* Periodically perform administrative tasks on a 950+ node Content Delivery Network (CDN) and the list goes on and on...



I haven't tried it (and it would be interesting to see if it really can scale) but I will!

Thursday, December 18, 2008

Andy v. Alan: Two Man Enter

Having been on both sides of the fence this is amusing.

Come with me on a little journey. What if she had convinced him to buy her product? Well, that would only happen in one of a couple of ways. First, he decided to make the decision on his own not knowing what the business requirements for this product are. He has no business being CIO. Second, he comes to me and tells me that he wants it and asks for my input. I tell him we don't need it at the moment, there are more pressing projects and I haven't decided on a vendor. He still buys it. He has no business being CIO. So we now have a product that we don't currently need, may not meet all of our requirements, may not be the best fit or the best value for us and I have another piece to force into my security program.
Who wins?
Not me. I've now got another product forced on me and I am learning that my input and opinion are not really valuable to the company so why not move on.
Not my CIO. He has lost my respect and possibly my services. Now he has to find someone else to come in and learn the environment, business and everything else.
Not my company. They just spent a lot of money that wasn't necessary and may not meet their needs.
Not the sales person. She has damaged relationships with a potential customer down the road.
Not the vendor. They have now sold a product that if it doesn't do as expected or doesn't meet the business requirements will only cause the customer to have a bad taste in their mouth.
All of this could have been avoided if the sales person simply chose to wait until next year when a "real" decision could be made.

Wednesday, December 17, 2008

Lenovo Ideapad S10 it is



Well, I did my small part in propping up post-late-capitalism-2.0 by purchasing necessary consumer electronics devices, by finally ordering an Ideapad S10 Netbook (512MB/80GB). I think it was a black one, can't remember.

A number of stars aligned and it was a tossup at the end, because there was a Dell Mini-9 package for around $410 with 8GB SSD with Ubuntu and I really wanted to support a vendor that preinstalled Ubuntu (because I will be running it after all), but here are the reasons I went with the Lenovo:
  • I hate Dell laptops, although the M4300 I'm using right now is tolerable, but I love my Thinkpad T-61. I had positive experiences with Lenovo support; the unknown of Dell support scares me. They don't call it "Dell Hell" for nothing.
  • Expandability - the Lenovo case is really easy to pop open and the drive is SATA, so I can pop in the 120GB from my wife's dead MacBook. And I can wait until prices come down on SATA SSDs. I think the 1GB stick from the MacBook should work, too. Dell just has 1 SODIMM slot. PCI-Express port, probably more for an SSD than wifi since I have a USB, although the 2 USB ports could come back and bite me.
  • Price - with the Lenovo Corporate discount, it was $30-40 cheaper.
  • Aesthetics - Lenovo is boxy with a matte finish vs. rounded and shiny. Looks more professional
  • OS/Storage - I can install my Own Damn Linux and it is not a bad thing to have another OS with XP on it. It will be interesting to see how lame the Atom is, but the larger hard drive has the potential of making it usable as a real computer (or so I think) vs. only as a Linux netbook. I will either dual boot or pop in a new drive.
  • Screen Size - 10" vs. 8.9"; with my eyes really blurry right now I need every larger pixel I can get.
The battery life is going to suck compared to the Mini-9 but there is a 6-cell that is available.

Tuesday, December 16, 2008

OpenVZ Virtual Ethernet Devices

By default, OpenVZ uses the venet devices which on the network have the same mac address as the host (VE0/CT0). This actually proved to be a problem when I was trying to [Nessus] scan OpenVZ containers from the host.

(Basically I'm trying to migrate Linux VM's some of which are targets that we scan in class away from VMWare Server, and the behavior was that students were only able to scan the VE's if they were connected to a Nessus scanner that was not on the same physical system as the other containers. Got it?)

So I had seen an eth0 within the container and wondered what it was and how it is configured. Well, the virtual ethernet device wiki page has the answers, although I was unable to get this working after waking up at 1:30 AM and being unable to go back to sleep. Will try again tomorrow.

Monday, December 15, 2008

CyberSecurity Sanity We Can Believe In



With everybody and their pocket yoyo trumpeting the need for a Cyber-Czar, it was good to see Dale's comments over on Digital Bond:

1. The reorganization of responsibility will introduce delay and is unlikely to improve the situation

Let’s say the National Office for Cyberspace comes to be early in the Obama administration. We are in for an ineffective time period and disruption while the new organization is ’stood up’ and everyone figures what their new role is in this organization. Is it six months, a year or longer before the new organization is effective? Anyone who has dealt with government stand up efforts and associated bureaucracy is probably shaking their heads.

Many loyal blog readers have been involved in one or more re-orgs of large organization, especially with arrival of new management. How often has that really made a dramatic difference? I don’t see the organizational structure being even close to the biggest impediment to date.

2. This whole consolidation / czar concept that is the rage is flawed, at least as related to information security.

We like to think that we can bring in a superstar with charisma to become the czar, e.g. drug czar, education car czar, cyber security czar, …, and all will be well. In this control system cyber security effort I’d argue the key is the people three, four and five levels down from this charismatic czar.

We don't need to be creating new organizations.

We don't need a Cyber Defense Agency (or a Control Systems CERT for that matter).

Just do your F-ing jobs, people.

Saturday, December 13, 2008

Major Vendor Netbook Pricing Showdown

I've been longing for a Netbook for a while and am still watching craigslist like a hawk as well as pricing from Netbook vendors.

  • HP Mini HP 1000/1GB Ram/8GB SSD with 2 year warranty (WinXP obviously) - $459
  • Dell Inspiron Mini 9/512GB/8GB SSD with 2 year warranty (Ubuntu) - $463
  • Lenovo S10 IdeaPad/512GB/80GB SATA with 2 year Warranty (XPSP3) - $408
I'm sort of anal about getting warranties on laptops and I don't trust Acer, Asus, etc.

Ubuntu reportedly runs on these, but the Lenovo looks really tempting (especially because I'm somehow on their employee discount list). It looks easy to upgrade, like to put in an SSD when they get a little cheaper, and it also has an ExpressCard slot, which I would be more interested in for storage, although looking at the BIOS it doesn't look like you could boot from it. It would be trivial to dual boot on the SATA drive, but it seems like the whole point of having a netbook is to have an SSD drive.

XDot Graphviz Viewer

The last time I was using Graphviz I was mostly using the Mac, which had a nice viewer, but XDot seems to be the best option for Linux. It is a single Python script and all the dependencies are available in the repos.

Friday, December 12, 2008

Chuvakin waits for the "Retarded" SCADA 09 Predictions

I'm with Anton Chuvakin on this one:


“SCADA anything REALLY bad” (here) – to be really honest, I have not really seen it yet this year so no link, but it will come. Help yourself to previous year embarrassments :-)

Thursday, December 11, 2008

Forest and Trees?

Along with the neverending drumbeat from ElasticVapor on CyberSecurity, now even Tom Peters is bullish on the idea of a CyberSecurity czar and an increased focus on "CyberSecurity" in the next administration.

While Mr. Bush did increase spending on cyberthreats, much, much more emphasis is called for—and the topic is too important to bury in DHS.

But if you "create a new White House office to protect cyberspace from hackers, thieves and foreign agents, coordinating security efforts across U.S. military, intelligence and civilian agencies," isn't that creating another DHS?

The problem is not coordination (of all things); we don't need another figurehead or another advocate for "CyberSecurity."

The issue is implementation. This is dirty, tedious work that creation of another agency or czar is not going to solve.

Tuesday, December 09, 2008

Remember CP/M ladder?



At bedtime, my son always asks me about what it was like when I was a kid, and tonight I was telling him how much more powerful his Nintendo DS was than the first computer we owned, a Kaypro II. But I remembered my favorite game, Ladder, and was very pleased to find a Java implementation.

Pure genius.

Correction, my favorite game was Rats! when I was able to go into my dad's lab.

Monday, December 08, 2008

Whisky, Tango, Foxtrot, over?

From U.S. is Losing Global CyberWar.

What the hell does that even mean?

To compile the report, which is entitled "Securing Cyberspace in the 44th Presidency," commission members say they reviewed tens of thousands of pages of undisclosed documentation, visited forensics labs and the National Security Agency, and were briefed in closed-door sessions by top officials from Pentagon, CIA, and British spy agency MI5. From their research, they concluded that the U.S. badly needs a comprehensive cybersecurity policy to replace an outdated checklist of security requirements for government agencies under the existing Federal Information Security Management Act.

The report calls for the creation of a Center for Cybersecurity Operations that would act as a new regulator of computer security in both the public and private sector. Active policing of government and corporate networks would include new rules and a "red team" to test computers for vulnerabilities now being exploited with increasing sophistication and frequency by identity and credit card thieves, bank fraudsters, crime rings, and electronic spies. "We're playing a giant game of chess now and we're losing badly," says commission member Tom Kellermann, a former World Bank security official who now is vice-president of Security Awareness at Core Security.

So they need to replace their old checklists with new checklists and start testing for vulnerabilities.

Which genius thought that up?

Chess? Win vs. Lose?

If only they knew about the Petraeus doctrine

Define the problem in these terms, and winning battles becomes less urgent than pacifying populations and establishing effective governance.

War in this context implies not only coercion but also social engineering. As Nagl puts it, the security challenges of the 21st century will require the U.S. military “not just to dominate land operations, but to change entire societies.”

If you can't even define victory in Iraq (conventionally or unconventionally) how can you define victory in "Cyberspace?"

(And of course over on ElasticVapor they think this is a great article which confirms my suspicions)

Please tell me what all this is going to accomplish or attempt that has not already been tried in the last decade?

Sunday, December 07, 2008

But Is Intrepid Ubuntu Enough?

Several years ago my wife was using Hoary Hedgehog on her laptop and it suited her just fine, but I really haven't tried switching family members away from Windows to Linux. Actually I have counseled them to get Macs but they haven't gone for it.

But this week my sister in law got some nasty malware from Facebook (this appears to be going around) and spent a few hours descending into safe mode trying to get rid of it with McAfee, Windows Defender, and ClamAV. No luck. Yesterday I had booted up with a Fedora 10 LiveCD and my brother liked the look of that, and given the hell of dealing with malware they are willing to give Ubuntu a shot. They already use OpenOffice and Firefox so it is the ideal case. But we'll see if it is painless enough.

So I added Ubuntu 8.10 to the Dell Optiplex 330. Added medibuntu repos, installed Flash, RealPlayer, and the codecs for MP3s, even added the Gnome weather applet to the toolbar. Hell, even imported their pictures into F-Spot. What I was most pleased about was that the several year old D-Link PCI Wireless card worked out of the box, even with WPA.

What didn't work well was the GUI partition resizing, which failed silently, but I was able to drop down and do an ntfsresize -i to see that it was an unclean NTFS partition.

So there is no way that an average user could do a dual boot or set up all the repos and install the software themselves without doing a whole lot of reading, but now we will see how painful it is. I'm particularly concerned about printing. My sister in law still needs access to some Windows programs so I'll try dual booting and/or possibly VMware Player.

If this is successful I want to replace XP Home on my mom's 3-4 year old Dell laptop because it is starting to die a slow death.

Thursday, December 04, 2008

Fedora 10 on T-61 Passes the Sniff Test (But Fails the Virtualization Test)

Did the install from the LiveCD. First go around I had forgotten to unmount /dev/sda1 (where I was going to install it) so it failed, but on the 2nd try it booted just fine. Installed Flash from the repositories. Added another repo so GStreamer could handle mp3 streams. Sound works. Haven't tried WPA but that should work too.

Still not as smooth as the last two (or three) Ubuntu releases for me, but still usable. The two things I do like:

1) Fedora GNOME install has mini-commander. Yeah!!!
2) Fonts are bigger for an old guy like me ;)

But easy virtualization (compared to Ubuntu)? Forget about it.

No easy OpenVZ. KVM (which sucks with QEMU)/Virtual Machine Manager didn't work out of the box (or at least not in 5 minutes the way it does on Ubuntu) and no dom0.

Lame. I really wanted a Xen-friendly distro to dual boot for my Thinkpad, since the CentOS/RHEL kernel is so old it won't support the hardware.

Trisano: Open Source & National Security

As opposed to my previous blog, Trisano would be a real example (if it does what it says) that Open Source improves national security:


TriSano™ is an open source, citizen-focused surveillance and outbreak management system for infectious disease, environmental hazards, and bioterrorism attacks. It allows local, state and federal entities to track, control and ultimately prevent illness and death.

Open Source Cliches of the Day

First it was the ludicrous article Open source is dead long live open source (don't get me started about the notion that Open Source code is so good that it doesn't need support, put the crackpipe down!) and then Bejtlich Cited in Economist.

While kudos go out to Richard (and I'm quite jealous) about being cited in The Economist, I wish it had been about NSM and not Open Source:
One way for governments to do this [to become resilient to cyber attack], says Richard Bejtlich, a former digital-security officer with the United States Air Force who now works at GE, an American conglomerate, might be to make greater use of open-source software, the underlying source code of which is available to anyone to inspect and improve. To those outside the field of computer security, and particularly to government types, the idea that such software can be more secure than code that is kept under lock and key can be difficult to accept. But from web-browsers to operating systems to encryption algorithms, the more people can scrutinise a piece of code, the more likely it is that its weak spots will be found and fixed. It may be that open-source defence is the best preparation for open-source attack.
Besides being included in an article on my non-favorite topic of late (cyber-anything makes me ill), I think Richard is repeating one (or maybe two) security cliches: "more eyes mean greater security" and the oft-repeated negation of "security through obscurity."

OpenBSD is not PHP.
Linux is not Apache.
Tomcat is not BIND.
Debian is not OpenSSH.
Fedora is not SELinux.
Firefox is not Ruby on Rails.

Each of these may or may not be "more secure" than the other--or compared to an individual development team within a vendor we know and love/hate.

Software security is about tools, talent, and techniques, not whether code is open or closed. Developer culture and committed project leadership are what make software secure, not whether the code is exposed to the clueless masses to find security flaws. Furthermore, there is great diversity in code quality and in development (and business/sponsorship) models among Open Source projects that makes it very difficult to make these sorts of generalizations about the security of Open Source, let alone the role of Open Source in "resisting a Cyberattack." A much better case could be made for the Open Source network security toolset that Richard champions in thwarting attackers -- as opposed to the inherent robustness and integrity of the Open Source codebase. With the exception of the Intel community, how many government personnel (or their contractors) are spending time scrutinizing the Linux kernel source? Jakarta Struts?

Not too many, I would guess.

While I am certainly a huge advocate of Open Source (and have had the [mis]fortune of developing/operating Open Source-based security platforms performing critical functionality within a large Enterprise to back it up), security would not be at the top of the list as the reason to develop on (or deploy) an Open Source stack. For me it is about control, customization, and cost. Probably in that order. Yes, transparency can result in improved code security (meaning fewer vulnerabilities per line of code) and better decision making in terms of deciding when and whether to patch (if I can look at the diff I don't have to guess about the true impact of the cryptic Cisco/Microsoft advisory, or worse), but this is only a potential that many (perhaps most) Open Source projects don't live up to in reality.

Wednesday, December 03, 2008

Tuesday, December 02, 2008

A Nice Xen vs. OpenVZ Comparison

Why OpenVZ and not XEN has a nice summary of some of the differences that are relevant to some of the comments made in response to OpenVZ fever:

OpenVZ has one strong limit compared to XEN: it is not full virtualization and therefore you're limited to Linux-only containers. People working with Sun will recognize the Solaris zones concept, which was introduced a few years ago. Like for Solaris, every OpenVZ zone shares the same kernel, which at OVH translates to a Linux-2.6.24.7 kernel. This being said, it is important to understand that Linux distributions are independent of the kernel; you can therefore run any Linux distributions you want under a unique kernel. While OVH ships Debian Etch with the OpenVZ hypervisor, you can choose any other distribution for your zones; the new version of Fridu is mostly operated with Ubuntu, but nothing prevents you from running multiple distributions. OVH ships templates for Debian, CentOS, Gentoo and Ubuntu, but if this is not enough you can either create your own template or download one from the Internet (OpenVz-WIKI).

OpenVZ includes a set of scripts to create/manage virtual machines, unlike Xen, which is shipped naked and where I had to write more or less equivalent scripts by myself (cf: Fridu Xen Quick Start). Furthermore OVH ships OpenVZ with a web console from Proxmox; not that I'm a big fan of having a GUI, but as you can see on the video, it is great for making sexy demos. This console allows you to create new virtual instances literally in a matter of seconds :) It allows you to start/stop, change RAM size, IP addresses, etc. on any instance without forcing you to remember any special commands. While the Proxmox console misses a few features like an SSH applet, a firewall config, or a Java VPN, I must say that I got used to it and create every virtual machine through the web GUI.

OpenVZ is very lightweight: not only does it share the same kernel, but also the same filesystem and networking stack. The direct result is that, on a given server, you can run more OpenVZ zones than you could run XEN virtual machines. From a user point of view, when a zone is up, whether you run OpenVZ or XEN is fairly transparent; this being said, there are nevertheless some fundamental differences:

Monday, December 01, 2008

OpenVZ Fever


Just like the recession, it's official. I'm totally hooked on OpenVZ and here are the reasons.
  1. Performance, performance, performance. IO-intensive apps are really sluggish on VMware. I have OpenVZ running quite nicely on an old AMD K7. I had two VEs running (one with Security Center managing a Nessus scan, in progress, and the other an Ubuntu server) and I was playing a game of Netpanzer with my son with no issues. Now that is a benchmark.
  2. Ease of use and broad Linux distribution support. Debian 4.0r3 slightly edges out Ubuntu 8.0.4.1 and it looks like CentOS (as the host) is straightforward as well. There is also a rich library of Linux OS templates to choose from.
  3. Non-Disruptiveness - a lot of other Linux virtualization solutions don't play well with others. VirtualBox doesn't work if kvm is running. Hell, I've yet to find a Linux distribution where Xen works out of the box, but on Ubuntu I can have VMware Server and OpenVZ together with no issues.
Obviously OpenVZ is only for running Linux VMs, but I'm sold.