Q: What do you think of outsourced backup solutions? Are they secure? Would you use one? I want to backup my data but I’m not sure I can trust an outsourced backup provider.
A: Moved to ISISBlogs
i’m not saying anything!
Last week I went to the Gotham Girls Roller Derby Championships between Bronx Gridlock and Queens of Pain, and wow, I think I have a new favorite sport! The season starts up again in April and I will definitely be going to games. Mike’s girlfriend, Diana, was taking pictures of us the entire time and she took this one that I thought was really cute of Strat, Alicia, and me.
Update 6/25/2007: I’ve been made aware of Cr0’s Kernel Security package repository.
Sorry in advance for the awful linebreaks!
I told myself I’d go to bed 2 hours ago, but I went to NYSEC6 tonight and the paranoia is finally starting to sink in. The good guys are just really damn good and there’s very little you can do to protect yourself if one of the guys at that table were going after you (I’m looking at you Dave!). Realizing I had to do something to prevent potential self-pwnage, I was reminded of a recent e-mail Dave himself sent out to his mailing list:
I have to wear a suit today, otherwise I’d wear the “Brad Protects Us” tee-shirt. For those of you who don’t know Brad - grsecurity.org has some information on his main project, a “for hackers, by hackers” kernel patch. Because hackers hate getting owned while they own you.
- -dave
Dave is right, I DO hate getting owned! Grsecurity is no easy task to get running on your system if you want to stick as close as possible to the distro kernel like I do, so I spent some time experimenting and wrote up what worked best for me below. Now if only Ubuntu would pick this up as part of their default patchset…
Some things I realized while writing this tutorial:
cd /usr/src
sudo apt-get install build-essential libncurses5-dev fakeroot kernel-package
*** NOTE: Kernel and Grsecurity patch levels will have changed by the time you read this. Get newer ones. ***
sudo wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.21.1.tar.bz2
sudo wget http://www.grsecurity.net/test/grsecurity-2.1.10-2.6.21-200705071727.patch
sudo tar xjf linux-2.6.21.1.tar.bz2
cd linux-2.6.21.1
sudo cp /boot/config-2.6.20-15-generic .config
sudo patch -p1 --dry-run < ../grsecurity-2.1.10-2.6.21-200705071727.patch | less
sudo patch -p1 < ../grsecurity-2.1.10-2.6.21-200705071727.patch
sudo make menuconfig
Go to ‘Load Alternate Configuration File’ and load ‘.config’ (the default). Then go to ‘Security options’ and turn Grsecurity on. Setting ‘Security Level’ to ‘Medium’ is a good starting point (see confighelp).
sudo make-kpkg clean
sudo make-kpkg --initrd kernel_image kernel_headers
*** NOTE: make-kpkg also has useful --revision=1 and --append-to-version=-2.1.10 parameters you might want to use ***
cd ..
sudo dpkg -i kernel-image-2.6.21.1-grsec*.deb kernel-headers-2.6.21.1-grsec*.deb
Almost done. Now reboot and see if what you just made isn’t a heaping pile of shit.
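A quick sanity check for this step, as an added example that is not part of the original post: it confirms the grsecurity options really made it into the kernel config (the .config before the build, /boot/config-<version> after it) and that the kernel you rebooted into is the grsec one rather than the distro kernel. The CONFIG_ symbol names and the /proc/sys/kernel/grsecurity path are assumptions taken from the grsecurity Kconfig of that era, not from the post.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for the
# grsecurity kernel build above, for the "reboot and see if it worked" step.
# Assumption: these CONFIG_ symbol names come from the grsecurity 2.1.x
# Kconfig (CONFIG_GRKERNSEC, CONFIG_PAX, CONFIG_GRKERNSEC_SYSCTL).
GRSEC_REQUIRED="CONFIG_GRKERNSEC CONFIG_PAX CONFIG_GRKERNSEC_SYSCTL"

# config_has OPTION FILE: succeeds if OPTION=y appears in a kernel .config.
config_has() {
    grep -q "^$1=y\$" "$2"
}

# missing_options FILE: prints each required option that is not enabled.
missing_options() {
    for opt in $GRSEC_REQUIRED; do
        config_has "$opt" "$1" || echo "$opt"
    done
}

# check_config FILE: report, and return non-zero if anything is missing.
# Before building, point it at .config in the kernel tree; after the
# reboot, at /boot/config-$(uname -r) to confirm the grsec kernel booted.
check_config() {
    missing=$(missing_options "$1")
    if [ -n "$missing" ]; then
        printf 'not enabled in %s:\n%s\n' "$1" "$missing"
        return 1
    fi
    echo "all grsecurity options enabled in $1"
}

# running_kernel_has_grsec: the sysctl tree that CONFIG_GRKERNSEC_SYSCTL
# exposes only exists while a grsecurity kernel is actually running.
# Assumption: that tree lives at /proc/sys/kernel/grsecurity.
running_kernel_has_grsec() {
    [ -d /proc/sys/kernel/grsecurity ]
}

# Constructed sample configs (not real build output) so this runs offline.
good_cfg=$(mktemp)
bad_cfg=$(mktemp)
trap 'rm -f "$good_cfg" "$bad_cfg"' EXIT
printf 'CONFIG_GRKERNSEC=y\nCONFIG_GRKERNSEC_MEDIUM=y\nCONFIG_PAX=y\nCONFIG_GRKERNSEC_SYSCTL=y\n' > "$good_cfg"
printf '# CONFIG_GRKERNSEC is not set\nCONFIG_PAX=y\n' > "$bad_cfg"

check_config "$good_cfg"
check_config "$bad_cfg"
if running_kernel_has_grsec; then echo "running kernel: grsecurity active"
else echo "running kernel $(uname -r): no grsecurity sysctl tree"; fi
```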
If it worked, now you need to configure grsecurity’s RBAC system. You’ll need gradm2 for this, so install it now:
sudo apt-get install gradm2
Quoting from an already written tutorial located at http://grsecurity.net/quickstart.pdf (no sense in rewriting an already good explanation!)
Since the general strategy of grsecurity is “detection, prevention, and containment,” the RBAC system is key to the containment component. Grsecurity’s RBAC system allows you to grant only the privileges necessary for a process or user to accomplish their tasks. Unlike other systems, grsecurity’s RBAC system provides a functional, human-readable, centralized configuration file, and does not require much manual configuration.
Full-system learning will generate a least privilege policy for your entire system that anticipates normalized usage. In other words, it is not necessary to run the learning mode for weeks and use every single utility on your system several times in every possible combination. The learning mode will anticipate this usage while still enforcing a secure policy. Through graph and heuristic analysis, a secure policy is generated. A few basic rules are followed when generating the policy. If a process uses special “root” privileges, accesses the Internet, or modifies important files or directories, it is marked as a privileged process and segmented from the rest of the system. The learning mode is designed to be as easy to use as possible. To begin full system learning, enter:
gradm -F -L /etc/grsec/learning.log
Then use your system normally. It may be necessary to run the system for more than a day so that time-based applications such as cron can be recognized and profiled.
Do not perform any administrative tasks while running in learning mode. This includes starting/stopping system services, adding or removing users from the system, or adding or removing new software. These kinds of tasks should only be performed under the administration role once the learning phase is over. Remember that “root” can no longer be trusted, so assume root is the attacker and do not do anything you would allow an attacker to do.
When you decide to end the learning phase, enter:
gradm -F -L /etc/grsec/learning.log -O /etc/grsec/acl
You will now be able to enable the RBAC system with your new learned policy.
Ok go on now, don’t get pwned!
ps. I’d appreciate any input anyone is willing to give on this topic.
I spent a ton of time looking for the perfect storage solution for myself and ended up with a Synology CS407 [1]. I just figured I’d share this knowledge with you, as I just wasted 3 hours of my life finding it and don’t want anyone else to do the same.
Backstory:
I’m getting a MacBook (sooner or later) and when I do, it won’t have enough storage on it to satisfy me. This would normally mean that whenever I move back and forth from MD to NYC to Long Island that I’d have to lug my desktop around with me and keep it powered on at all those places. Right now I’m barely getting by with port-forwarded SSH and a DynDNS account.
My requirements were:
- Can connect to a stock MacBook (USB or Network)
- Supports at least RAID 5
- Space for at least 4 SATA drives
- Comes empty
- Portable (somewhat)
- Quiet
What I found was that USB enclosures generally don’t have RAID 5 and they’re fairly rigid with the features they can offer. NAS was a better solution because of its flexibility. One of the first products I found that satisfied my requirements was an Intel SS4000-E [2], but I found out later it was a 1st gen product and it sucked [3]. Then I found SmallNetBuilder (formerly TomsNetworking) has a NAS section and I narrowed it down to an Infrant ReadyNAS NV+ [4] [5], a Synology CS406 [6], and a Thecus N5200 [7].
At that point it became a fight between the small and featureful CS406 and the blazing fast N5200. As I’m not doing video editing or anything else that would require blazing speed, I picked the Synology CS406. I checked their website [1] and they had a newer model available. TigerDirect stocks them for $660 [8].
I should also mention that if you’ve got free time on your hands, spare hardware, and no need for a small and quiet enclosure there’s a great FreeBSD-based distribution called FreeNAS [9] that can help you get going with a DIY NAS. If I wasn’t so sick of building computers I might just go down that route…
[1] http://www.synology.com/enu/products/CS407/index.php
[2] http://www.intel.com/design/servers/storage/ss4000-E/index.htm
[3] http://forumz.tomshardware.com/network/Intel-RAID-NAS-Makes-Grade-ftopict21360.html#83416
[4] http://smallnetbuilder.com/content/view/29829/75/
[5] http://www.engadget.com/2006/10/12/infrant-releases-the-readynas-nv/
[6] http://smallnetbuilder.com/content/view/28618/75/
[7] http://smallnetbuilder.com/content/view/29616/75/
[8] http://www.tigerdirect.com/applications/SearchTools/item-details.asp?EdpNo=3032754&CatId=2670
[9] http://www.freenas.org/
All future security-related posts will be made at ISIS Blogs from today onward.
EDIT: This is a lie.
I posted the following on Bruce Schneier’s blog after reading about the latest brouhaha over ‘potential 0-day exploits for Firefox’:
All software has bugs, that fact won’t change no matter how many times people audit their code. Big software, like Firefox, has LOTS of bugs, including bugs that no one has found yet. Why are people so surprised and appalled every time a “0-day” comes out? The researcher didn’t MAKE the bug, he just found one of likely many more. Want to see a list of bugs with code changes in the latest trunk of Firefox? Run this: http://metasploit.com/users/hdm/tools/mozdig.rb
I was going to buy this great new phone. It’s got SIP, Skype, Wifi, and it only costs 150 dollars. Then a good friend emailed me a review from OSnews: Review: FiWin SS28S WiFi VoIP SIP/Skype Phone
I’d give you a few good quotes, but it’s almost too depressing. Just go read the article for yourself.
I’m looking for as many good solutions as there are to do video chat/calls between a Mac and Windows/Linux. Right now I’ve only been able to find two reliable and acceptable solutions and a whole bunch of unanswered questions.
Over the AIM network
Over the Skype network
Over SIP
I found that WengoPhone and X-lite support video chat through SIP signaling and both have Windows/Mac/Linux support, but I don’t know the extent of their interoperability. What other clients can talk with them? Where is the best place to get a SIP account (I have one at gizmoproject.com and ekiga.net already)? I posted in both their forums so hopefully I’ll have an answer soon.
Over Jabber w/Jingle
Last year, Google and the Jabber Foundation released the Jingle spec which extended Jabber to do signaling for arbitrary media types (voice, video, whatever you want). It’s hard to determine which clients fully support the Jingle spec without testing them; the official C++ library is a bit of a moving target and significant efforts to implement it elsewhere are not yet mature. I found Coccinella implemented Jingle video support, but Trillian, who implemented AIM video, did not implement Jingle at all. I also don’t know if iChat uses Jingle when it does iChat-iChat video conferencing or if it uses something proprietary. Even more, I’m not sure if Jingle is simply a client modification or if your Jabber server needs to be ‘Jingle-aware’ for it to work.
Lastly, there’s also the existence of this strange Asterisk-IM plugin from Jive. Somehow, this piece of code connects Jive Wildfire (Jive’s Jabber server) to Asterisk over its management interface (AMI). What I don’t know is whether you would use a SIP client with Jabber support or a Jabber client with SIP support, if it supersedes SIMPLE support in Asterisk, if Asterisk will transport video with SIP signaling or if Wildfire will transport video with Jingle signaling, what clients it works with and what clients can receive audio/video through it. Asterisk-IM confuses the hell out of me.
So if anyone knows the answers to some of the questions I’ve raised, please comment! Thanks.
Installing Trac is a pain in the ass! It took me 6 HOURS to get it running on a shared dreamhost account. I found this guy’s walkthrough about 5 hours in and it totally saved my life. There were a few mistakes (things have likely changed since he wrote it) but I’m really glad he put it all out there.
Aside from that bullshit install, I’m very impressed with it. Now that I’ve practically learned python, Trac will be an option for any future project I have in need of an SCM. One thing I’d like to see improved is their support for a wider variety of languages to continuously integrate (automated unit testing and all that). All that’s available now is Java and Python.
Seahorse 0.9.x does SSH key management in addition to PGP. This should make my life much easier. I’m very excited.
I settled on a CentOS-based install of FreePBX (formerly AMP). Their project looked much more professional than Trixbox (formerly Asterisk@home) and I liked the fact that they used Trac for their project management. I unconsciously survey every open source project for characteristics that successfully leverage their community and rule out using or participating in projects that aren’t open enough. The latter tend to die slow deaths at the hands of incompetent management and dwindling participation. See my post on Gaim for more details.
I used a FreePBX howto I found while browsing their site for documentation. The only part I modified was the part where you check out Asterisk sources via SVN so that the sources were in folders ending in -1.2 so I remembered what version they were. A word of advice though: you have to create a number of passwords during this install, write them all down!
I was able to access the FreePBX admin panel at the end of the install no problem, but it started getting a little tricky at this point. They don’t tell you that an admin user has already been created for you and that you need to enable the core services module to access anything in the web console. This seems like a bunch of security hooey that doesn’t do much of anything. The Gallery folks have it the best; you go to their install on the web, it associates a PHP Session ID to you and gives you a hash value, you make a text file in the webroot with that hash value, and it lets the Session ID that was given that hash value set the admin password, done.
Right now I’m having some small problems getting Asterisk to start (I think there is a problem with one of the kernel modules it needs). I’ll continue my review when I get it running.
UPDATE: Asterisk was missing some configuration files. I had to go back to my asterisk-1.2 source folder and run ‘make samples’ to get Asterisk to start properly. FreePBX should be able to configure those for me. Looks like everything is working now.
Apple ships its computers with a different DVD of MacOSX than what you get if you buy it in a retail box at a store. The software is exactly the same, but the OEM discs are usually locked to the particular series of hardware you bought it with: a 1.67 GHz Powerbook G4, for example.
Yesterday I needed to use one of those discs to install MacOSX 10.4 onto a 1.5 GHz Powerbook G4, so I was in a bit of a bind. I had to figure out how this stupid copy protection worked.
A script is run at install-time that pulls information out of the OpenFirmware and checks it against a blacklist and a whitelist included in that script. That script is a text file on the DVD at /System/Installation/Packages/OSInstall.mpkg/Contents/OSInstall.dist
If you take a quick glance at it you might first think that you need to modify ‘badmachines’ to be an empty array, but you’d be mistaken. ‘badmachines’ is a list of computers that OSX legitimately cannot be installed on (like the Clambook, remember those?). Instead, I had to strip out most of the script and replace almost every function with ‘return true’ to get it to work.
After thinking about it, I guess it wasn’t a crazy decision to make this kind of copy protection even though it inconvenienced me and probably does to others all the time. It prevents casual sharing while recognizing that there is nothing you can do to stop hardcore pirates from patching the hell out of your software to get it to work (WGA). I also heard that if you ever get a MacOSX disc that you can’t get to work on your computer, you can call Apple customer support and they’ll mail you a new one (still a high enough barrier that casual sharing is discouraged while reducing customer frustration). It’s not that bad a trade-off.
I’m doing my end of the summer computer services refresh. Here’s the plan:
Expect a report documenting my experiences with both the Scalix and Asterisk servers and whether they’re useful for personal use.