Dick of the week

https://lists.fedoraproject.org/pipermail/devel/2012-May/167057.html

different runlevels in gentoo

new pc, new toy

ssh with different private keys

SSH is probably one of the most used command line tools on linux. If you want to connect to another linux host it's the best way to go. It's also very secure and since security is really important nowadays many hosts on the Internet choose a public key authentication. This method is really smart because it only let people connect if they know their password AND their public key is in the "authorized_keys" file on the host.

For some time now i started a gitolite services at home. It's just for my own usage and thus not available over the Internet. Every script which i write is stored on the gitolite server.
This is quite handy because i can easily switch back to an older version of a script in case i made a mistake. Besides that I'm also forced to learn git which i really want to learn. 

AthCon 2012 Review

Alternate title: “Being a lamb around a pack of wolves” … A venue full of hackers that are eager to attack your systems…

On 3-4/05/2012 the third AthCon conference was held in Athens. AthCon is an international security conference whose motto is “The First HIGHLY TECHNICAL Security Conference in Greece”.

Even though I am not a security professional, my daily job title is “Systems and Services Engineer” which of course includes various aspects of security but I am certainly not a security researcher, I had decided months ago that I would be attending this year’s AthCon. Since I like messing a lot with IPv6 for the past 2-3 years, I decided that I could try and submit an introductory talk about IPv6 security issues. My talk was accepted, so I was not only attending AthCon this year but I was going to give a presentation as well.

My presentation – Are you ready for IPv6 insecurities ? was during the first day of the conference. I am always worried when I give presentations on IPv6 that the people attending have probably no clue about this ‘not-so-new’ protocol. Most people think that IPv6 is like IPv4 with bigger addresses and ‘:’ instead of ‘.’ to separate the address groups, which is of course a HUGE mistake/misunderstanding. I was hopeful that this wouldn’t be the case in AthCon, so when I started my presentation and I asked the crowd ‘how many of you know what SLAAC is ?’ and I only saw 3-4 hands raised I kinda froze, I was expecting at least a double digit…I was going to give a presentation on IPv6 security concepts to people that have absolutely no idea what I’m talking about. Being prepared for the fact that some people would need some ‘refreshing’ on their IPv6 knowledge, I had prepared around 20 introductory slides explaining some IPv6 concepts before I entered the security details, but I doubt these were enough for most people there. I am hopeful though that some of the attendees might be motivated to read more about the protocol since I think my security slides contained enough details, references and links to get people started. If someone needs more details feel free to contact me.

Enough with my presentation, what about other presentations ?
My personal view is that this year’s AthCon had some great talks, some that were ok and some that I didn’t like. I won’t mention which ones I didn’t like, but I noticed that a LOT of people were gossiping about these in the hallways. I will only mention here the ones that I really liked.

Day 1:
“Packing Heat!” by Dimitrios Glynos
A presentation that every pentester should download/watch somehow. Techniques about packing your executables to avoid detection by anti-virus programs, need I say more ? Great content and very well presented. Congrats Dimitris!

“PostScript: Danger Ahead” by Andrei Costin
How to use PostScript programming language to take advantage of Printers, OS, etc. Very interesting concepts were presented and also the examples/demos shown were pretty cool and easy to understand.

Day 2:
“Apple vs. Google Client Platforms” by Felix ‘FX’ Lindner
I guess mostly everyone reading this blog knows FX and what a great speaker he is. If you don’t then start watching his previous presentations and start reading about his work. His presentation at AthCon, apart from being the best one in terms of “presenting it”, was also extremely interesting. He connected the security concepts behind Apple’s iOS and Google’s Chromebook with their business tactics and policies. Just wait for AthCon to publish the videos and watch it. Probably the best talk at AthCon 2012.

“Advances in BeEF: RESTful API, WebSockets, XssRays enhancements” by Michele Orru
Jaw-dropping. That’s all I have to say about BeEF. Scary. Watch it to see what browsers and IDS have to face and defend against…not in the future but right now.

“Exploitation and state machines” by Halvar Flake
This presentation was about exploitation techniques and why automated exploitation engines don’t work that well. Even though reversing and exploitation is far from my interest topics I enjoyed the talk a lot. Very well structured and very clear points. Too bad this talk did not appear on the schedule and was there as “tbc”, I am sure many more people would come just to listen to this talk and speak to Halvar.

If I were to suggest a couple of things for next year…
a) Please put the CTF in separate slots within the day, not at the same time with the presentations. In a conference of 150-200 people (just guessing here) having 30+ people leaving the presentation room and just attending the CTF all day long leaves the main room a bit empty. I am pretty sure there were people that wanted to attend both the presentations and the CTF, unfortunately they had to make a choice.
b) Send some details/info to the speakers about the conference a few days earlier. Maybe non-greek presenters were given but we weren’t, at least I wasn’t.
c) The venue is really nice, but maybe it would help if the next AthCon was organized somewhere downtown. Yeah I can understand that the cost would be higher but number of people attending would also raise (I think).
d) Give us even more highly technical presentations/speakers! People starve for these kind of talks!

My congratulations fly to AthCon people for organizing the conference. See you next year!

You can find some of the pics I took from the speakers at: AthCon 2012 speaker pics (if any of the speakers wants his pic removed please contact me ASAP)

Keeping /selinux

Just a very quick paragraph on a just-reported issue: if you upgrade your SELinux utilities to the latest version and you switch from /selinux to /sys/fs/selinux as the mountpoint for the SELinux file system, you might get into issues. Apparently, init (which is responsible for mounting the SELinux file system through a call to libselinux) is trying to mount it on – well yes – /sys/fs/selinux but at that time, /sys is not mounted yet.

I haven’t been able to reproduce just yet, because I just recently had to move all my systems to use an initramfs (thank you you-need-an-initramfs-when-you-have-a-separate-usr-partition) which premounts /sys. But the current workaround should be to keep /selinux for now. The utilities support it still, and that gives me some time to look and investigate the issue.

Happy Day Against DRM

Books are 50% off at O'Reilly today, using code DRMFREE. (This includes my book, Clojure Programming, by the way...) I'm a bit late with this, given the offer expires in 9 hours, but there's still time.

Whether you want to buy books today or not, it's worth pointing out that today is International Day Against DRM!

Brand Loyalty. Step 1: Make good stuff.

My anti-DRM article is quickly going to turn into a pro-O'Reilly Media infomercial, so you've been warned.

I am not the kind of person to feel any kind of brand loyalty. I'm the kind of person who deliberately buys a different brand of peanut butter every time I go to the grocery store, to try to screw with the store's customer-tracking database.

O'Reilly is probably an exception. I like O'Reilly. Why is that?

First, O'Reilly books tend to be pretty good. At least, I have yet to buy one that wasn't pretty good.

Allow me to digress. My college's CS curriculum was based around C++. Now, I'm the kind of person who thinks that programming is vaguely enjoyable no matter what I'm doing. Computers are fun. But for a new programmer, coding in C++ is like an hours-long shouting match with the compiler where your goal is to try to get the compiler errors to shut up. Producing a working program is an occasional side-effect. C++ doesn't exactly promote explorative, imaginative programming.

The first class I had in college where I actually enjoyed programming was a class that taught Perl. My textbook was Learning Perl, aka the Llama Book¹. What a good book. I still have it. I remember feeling like I learned more reading that book that I had in two years of slogging through C++ data structures. And what fun Perl was. <insert analogy="analogy" and="and" between="between" here.="here." nerdy="nerdy" programming="programming" some="some" wizardry="wizardry">

I remember immediately spending a bunch of money I should've saved for food, and getting Programming Perl, aka the Camel Book¹. So good! Who knew a book could be witty and fun, and teach you things at the same time. You can tell when a book is written by someone who knows their stuff, and who enjoys talking about their craft.

Not sure if it was Perl itself, or the great Perl books, or probably some combination. But I've been cemented in dynamic, vaguely-Perly, powerful and fun languages since then. First Ruby, then Clojure.

I'm also likely to buy an O'Reilly book, given a choice between alternatives.

Step 2: Be Humans and give a crap.

A second thing that creates brand loyalty is when a company seems to be made of human beings that you can relate to.

When I heard O'Reilly was writing a Lisp book, and what's more, it was a Clojure book, and what's more, I could be involved in writing it... I was pretty excited.

Our book was written in ASCIIDOC, and lived in an SVN repo hosted at O'Reilly.² We could upload code with a certain string in the SVN commit log, and that'd trigger a rebuild of the ASCIIDOC on O'Reilly's server, which was compiled into PDF, and then we could download the PDF from SVN to see how the final product would look. Turnaround time was about 10 minutes. It was a nice, programmer-friendly setup, to be sure.

Whenever I dealt with people at O'Reilly, I generally got the feeling that I was working with programmers, or people who cared about programming. There aren't a lot of Clojure gurus there, but there were people who knew why wrapping long lines of could needed to be handled just right.

It's a great feeling to work with people whose goal is advancing the craft, as opposed to some kind of Death-Star-like entity whose goal is wringing extra pennies out of customers' bones.

DRM sucks

So does O'Reilly actually give a crap? Well, fiiiiiiiiinally getting to the point: O'Reilly's stance on DRM is pretty much spot-on. O'Reilly books are sold without DRM. DRM is not the way to make good stuff. DRM is a good sign that you don't give a crap. DRM doesn't advance the craft, but rather does the opposite.

I leant a guy my copy of K%R a while back. Now there's one more person in the world with a bit more knowledge of C. This is a really good thing. If my copy of K&R was a DRMed ebook that I couldn't lend out, the world would be a tangibly worse place.

I highly recommend this article by Mike Hendrickson at O'Reilly where he talks about piracy, DRM, and making books. Also this one by Tim O'Reilly where he talks about the same.

Now that my name is on a book, have my opinions about DRM changed? Not really. I'd obviously prefer that people pay for my book. I pay for books. It's only fair.

At the same time, I would be really disappointed if my book was sold with DRM all over it, and I'm glad it isn't.

Treating your customers like thieves a priori is not the way to build brand loyalty. Thinking that DRM is going to stop anyone from pirating a book is pretty much delusional. Using DRM to maintain some kind of iron-fisted control over stuff you're selling to other people is morally sketchy.

DRM is not the way to advance the craft. Advancing the craft is the important thing.

When you make smart decisions like not selling DRMed books, the result could be dorks like me spending an hour or two unprovoked, writing an article about how good your company is. And yeah, this is surely a bit self-serving because I want to sell my book, but I'd have written this same article two years ago too.

newspages, quotability and wikis

Evopedia Icon

for quite some time i use a wiki at lastlog.de, a mediawiki to be precise, and i wonder why there is no wide adaptation towards the wiki principle. with that i don’t mean collaborative editing but, somehow in contrast, the principle to be quotable.

lately, out of curiosity, i scrolled through my diploma thesis and checked the overall link stability. some were broken. however, all wikipedia links worked. as stated in the document itself, i explicitly link to the wikipedia because of its link stability. if i would have liked i could have even linked to a certain revision. but i decided not to, as the reader always has the option to look at an older revision, based on date and time.

the more interesting aspect, that is why i linked to wikipedia articles, is that i don’t want to waste time describing something when there is a different place doing so already. if someone is smart enough to follow my ideas in my diploma thesis i assume the same when it comes to judging about the quality of wikipedia articles. and before linking a keyword (like ‘package manager’) to a certain wikipedia article, which should describe it, i always read the article. the idea is twofold: first i like to see if my conception or understanding matches with what is in the article. second, if that is the case, i would simply link it and forget about the whole thing. but if my understanding does not match with the article i can evaluate my or their version as being better and pick what fits best.

for some online articles i had to link, i wasn’t even able to provide a direct link and therefore added a google search link into the document.

wiki editing has so many benefits, like being able to rollback to a previous version. do collaborative work. why is there no wiki like support, say when editing libre office/word documents? maybe because back in time that was considered a waste of bits&bytes but using compression that can’t be an argument today.

here is a use-case where that would be great: say you write a document and you pass it to someone else for review and corrections. often i would like the other person doing whatever change he wants to do and later be able to rollback this or that change. with a wiki like document structure this would be very easy.

if you don’t follow, just have a look at this link:

http://en.wikipedia.org/w/index.php?title=Linux&diff=490431450&oldid=489027763

and about link stability: this link might even work when this blog is long gone. 

i see so many benefits by using wikis and wiki like concepts but despite of the wiki-web principle and decentralized VCSs there seems to be no wide use of it.

IMHO i think a webpage, even this wordpress blog, which does not implement a wiki principle, is kind of stupid as one can never be certain what is going on. one could say such a page is schizophrenic to some degree.

hopefully this will change in the future.

update: 11.5.2012 – it would be desirable if the mentioned link stability would be independent of a strict TLD (top level domain). for example: if i move this blog to a different location, say to invalidmagic.de then all the articles here stop working and the links from other pages into this article will fail.

AthCon 2012 – Are you ready for IPv6 insecurities ?

My presentation for AthCon 2012 is now available online: Are you ready for IPv6 insecurities ?

notify script for cmus

#!/bin/bash
KDIALOG="/usr/bin/kdialog"
GREP="/bin/grep"
AWK="/bin/awk"
CMUSREMOTE="/usr/bin/cmus-remote"

declare -i duration=$($CMUSREMOTE -Q|$GREP "duration"|$AWK '{ print $2 }')
declare -i position=$($CMUSREMOTE -Q|$GREP "position"|$AWK '{ print $2 }')
percent=$[100*position/duration]

artist=$($CMUSREMOTE -Q|$GREP "tag artist") # ${artist:10}
title=$($CMUSREMOTE -Q|$GREP "tag title") # ${title:9}

$KDIALOG --title "CMUS is playing... ($percent%)" --passivepopup "${artist:10} - ${title:9}" 3

cursorcolumn / cursorline slowdown

The cursorcol and cursorline options in Vim are great. Enabling them, and setting up your syntax highlighting correctly, will highlight the line and column that contains the cursor, drawing a sort of "crosshairs", to let you find the cursor easily.

This is especially useful when editing non-sourcecode files, like giant fixed-with data files. Or when you need to keep switching your attention back and forth from Vim to something else; the visual cue to draw your eyes back to the cursor can be useful to prevent a mental page fault.

Great. However, the help info for cursorcolumn says this, in part:

    Highlight the screen column of the cursor with CursorColumn
    |hl-CursorColumn|.  Useful to align text.  Will make screen redrawing
    slower.

"Will make screen redrawing slower" is an understatement, unfortunately. Over the past who-knows-how-long, I've noticed Vim slowing to a crawl when editing certain files, mostly big Ruby files. Moving the cursor around or scrolling the window became pretty painful. I could never quite figure out why, but today I got sick of it, and eventually found an old message on the Vim mailing list explaining the problem.

Apparently when you have cursorcolumn or cursorline enabled, the whole screen is redrawn every time you move the cursor. That explains a lot. When I disabled these options, editing complex Ruby files once again achieved notepad.exe-level speed.

I guess there's this:

function! CursorPing()
    set cursorline cursorcolumn
    redraw
    sleep 50m
    set nocursorline nocursorcolumn
endfunction

nmap <C-Space> :call CursorPing()<CR>

This will flash the cursor crosshairs for 50 milliseconds when I hit CTRL+Space in normal mode. Better than nothing.

20120215 policies now stable

Today I’ve stabilized the sec-policy/selinux-* packages that provide the 20120215 “series” of SELinux policies. Together with the stabilization, the more recent userspace tools (like the policycoreutils as well as libraries like libsemanage and libselinux) have been pushed out as well. I will be dropping the older policies and userspace tools soon (as they are now deprecated). The documentation has been updated to reflect this too.

Some of the enhancements include
• support for permissive domains (allowing users to mark one specific SELinux domain, such as mplayer_t, as permissive (even though the rest of the system is running in enforcing mode)
• support for file context translations, so we can now say “/usr/lib64 (and below) should have the same contexts as /usr/lib”
• support for role attributes, which means for policy developers, we now have similar freedom as with type attributes
• support for named file transitions, so a policy rule can say that domain A, if creating a file in a directory labeled B, then that specific file should have label C. Same for directories, btw.

Although some of these enhancements were available as features individually, the policies we had were not aligned with it – and now, that has changed ;-)

booting nixos from lvm on top of mdadm using GPT

what is this?

i recently upgraded my hetzner root server and therefore had a system with 2x3tb disks. as fdisk can’t be used to partition disks > 2tb i had to use gpt instead which was quite tricky until it was working. so here is my installation guide. parts of it applies also to other distributions.

this guide uses concepts from the hetzner wiki OpenBSD installation guide [1].

note:

• gpt is used for both disks
• there is no extra /boot partition (the system will directly boot from the lvm which is on top of the mdadm); this works since grub2
• this setup is pretty similar to using fdisk (MBR) partitions
• this guide still uses BIOS to boot (no EFI/UEFI)
• /dev/sda1 and /dev/sdb1 are very small partitions (2Mib); they are used to store the grub2 boot stages, see [5]

disk layout

the installation

first remove old partitions/mdadm setups

uninstall:

lvremove /dev/myvolgrp/home
lvremove /dev/myvolgrp/system
lvremove /dev/myvolgrp/swap
vgremove myvolgrp
pvremote /dev/md0
mdadm --stop /dev/md0
# to remove the md0 permanently
mdadm --zero-superblock /dev/sda1
mdadm --zero-superblock /dev/sdb1

creating the partitions

parted /dev/sda
mklabel gpt
mkpart non-fs 0 2
mkpart primary 2 3001G
p
Number Start End Size File system Name Flags
1 17.4kB 2000kB 1983kB non-fs
2 2097kB 3001GB 3001GB primary

set 1 bios_grub on
p
Number Start End Size File system Name Flags
1 17.4kB 2000kB 1983kB non-fs bios_grub
2 2097kB 3001GB 3001GB primary

creating the new mdadm softraid device

mdadm --create /dev/md0 --level=1 --raid-devices=2 /dev/sda2 /dev/sdb2
mdadm: Note: this array has metadata at the start and
may not be suitable as a boot device. If you plan to
store '/boot' on this device please ensure that
your boot-loader understands md/v1.x metadata, or use
--metadata=0.90
Continue creating array? y
mdadm: Defaulting to version 1.2 metadata
mdadm: array /dev/md0 started.

LVM+filesystems

pvcreate /dev/md0
Physical volume "/dev/md0" successfully created

vgcreate myVolGrp /dev/md0
Volume group "myVolGrp" successfully created

lvcreate -n system -L50G myVolGrp
lvcreate -n swap -L8G myVolGrp

mkfs.ext4 -O dir_index -j -L system /dev/myVolGrp/system
mkswap -L swap /dev/myVolGrp/swap

note: the disk layout diagram mentiones a tmp partition which happended to be added later

using a virtual machine + vnc to boot the iso image

preparing the host system:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

on the hostsystem

#download latest console only 64bit nixos installer
nixos-minimal-0.1pre33860-33874-x86_64-linux.iso

make sure /dev/myVolGrp/system and /dev/myVolGrp/swap are not in use:

apt-get install sudo
qemu-system-x86_64 -enable-kvm -m 1024 -hda /dev/md0 -net nic -net tap -cdrom nixos-minimal-0.1pre33860-33874-x86_64-linux.iso -boot d -vnc localhost:0

note: in contrast to original article [1] i use ‘-enable-kvm’ which speeds things up!

from your homecomputer

execute this two commands (in two different shells):

ssh -L 5900:localhost:5900 root@176.9.99.117
vncviewer localhost

inside the qemu/kvm system via vncviewer

how we have to prepare install the system on the devices we had preparted in the steps before:

inside do:
login as root
mount -L system /mnt

cd /mnt
nixos-option --install
vi /etc/nixos/configuration.nix

stop dhcpcd
ip a add 172.2.0.2/16 dev eth0
ip r add via 172.2.0.1
echo "nameserver 8.8.8.8" > /etc/resolv.conf
# use ping www.google.de to verfy that the routing is working

# example url, configuration.nix is appended to this article
curl http://lastlog.de/configuration.nix
mv configuration.nix /mnt/etc/nixos/configuration.nix
# now the installation, make sure you read the nixos installation guide as well, but in short:
nixos-install
# only the grub2 installation should have failed (as there is no /dev/sda1 in the virtual machine!)
#finally we halt the system
halt

im hostsystem we need to install grub2:

apt-get install grub2
grub-install --no-floppy --root-directory=/mnt --recheck /dev/sda
Installation finished. No error reported.

grub-install --no-floppy --root-directory=/mnt --recheck /dev/sdb
Installation finished. No error reported.

# now we add a ssh key so we can login into this system later on
cd /mnt
mkdir root
cd root
mkdir .ssh
chown 0700 .ssh/
cd .ssh
echo "ssh-rsa AAAAB3Nz.....aU79sGVhyOPRz joachim@ebooK" > authorized_keys

from your homecomputer login into the installed system (reboot the host) and then issue this command:

ssh root@176.9.99.117 -i ~/.ssh/myprivatekey

after the first login, nixos-rebuild switch might fail with this error message:

nixos-rebuild switch --fast
building the system configuration...
updating GRUB 2 menu...
installing the GRUB bootloader on /dev/sda...
/nix/store/iaypdz5mm1qk8izs9412cb28v9vwwcn4-grub-1.99/sbin/grub-probe: error: no such disk.
Auto-detection of a filesystem of /dev/mapper/myVolGrp-system failed.
Try with --recheck.
If the problem persists please report this together with the output of "/nix/store/iaypdz5mm1qk8izs9412cb28v9vwwcn4-grub-1.99/sbin/grub-probe --device-map="/boot/grub/device.map" --target=fs -v /boot/grub" to
grub-probe --device-map="/boot/grub/device.map" --target=fs -v /boot/grub
grub-probe: info: Cannot stat `/dev/disk/by-id/scsi-35000c5003f556643', skipping.
grub-probe: info: Cannot stat `/dev/disk/by-id/scsi-35000c5003f5363a6', skipping.
grub-probe: info: changing current directory to /dev.
grub-probe: info: changing current directory to pts.
grub-probe: info: changing current directory to shm.
grub-probe: info: changing current directory to myVolGrp.
grub-probe: info: changing current directory to md.
grub-probe: info: changing current directory to disk.
grub-probe: info: changing current directory to by-label.
grub-probe: info: changing current directory to by-uuid.
grub-probe: info: changing current directory to by-partlabel.
grub-probe: info: changing current directory to by-partuuid.
grub-probe: info: changing current directory to by-path.
grub-probe: info: changing current directory to by-id.
grub-probe: info: changing current directory to snd.
grub-probe: info: changing current directory to mapper.
grub-probe: info: opening myVolGrp-system.
grub-probe: error: no such disk.

so what is inside this device.map anyway?

cd /boot/grub
cat device.map
(hd0) /dev/disk/by-id/scsi-35000c5003f556643
(hd1) /dev/disk/by-id/scsi-35000c5003f5363a6

Jordan_U#grub@irc.freenode.net recommended to remove the device.map. that made it work:

rm /boot/grub/device.map

summary

took quite some time to figure all this out so i guess someone else might have interested in this guide as well. i also tried to install, using EFI, but soon discovered that this might be a very complicated road to go and therefore skipped that.
it is cool to see that there is a very helpful community surrounding key projects required to get this installation done. i would have had to spend much more time if i wouldn’t have had someone to ask from time to time.

links

[1] http://wiki.hetzner.de/index.php/OpenBSD
[2] https://wiki.archlinux.de/title/Gpt
[3] https://wiki.archlinux.org/index.php/GRUB2#GPT_specific_instructions
[4] http://www.wensley.org.uk/gpt
[5] http://en.wikipedia.org/wiki/GNU_GRUB#GRUB_version_2

configuration.nix

# Edit this configuration file which defines what would be installed on the
# system. To Help while choosing option value, you can watch at the manual
# page of configuration.nix or at the last chapter of the manual available
# on the virtual console 8 (Alt+F8).

{config, pkgs, ...}:

{
require = [
# Include the configuration for part of your system which have been
# detected automatically.
./hardware-configuration.nix
];

boot.initrd.kernelModules = [
# Specify all kernel modules that are necessary for mounting the root
# file system.
#
# "ext4" "ata_piix"
"af_packet" "snd_pcm_oss" "snd_mixer_oss" "rtc_cmos" "rtc_core" "rtc_lib" "snd_hda_codec_via" "i915" "joydev" "drm_kms_helper" "snd_hda_intel" "rng_core" "drm" "snd_hda_codec" "thermal" "i2c_algo_bit" "button" "snd_hwdep" "intel_agp" "psmouse" "i2c_i801" "evdev" "snd_pcm" "video" "agpgart" "pcspkr" "serio_raw" "iTCO_wdt" "i2c_core" "snd_timer" "output" "e1000e" "snd" "soundcore" "snd_page_alloc" "sg" "loop" "ipv6" "kvm" "freq_table" "processor" "thermal_sys" "hwmon" "ext4" "mbcache" "jbd2" "crc16" "raid456" "async_pq" "async_xor" "xor" "async_memcpy" "async_raid6_recov" "raid6_pq" "async_tx" "md_mod" "sd_mod" "crc_t10dif" "sata_sil" "ata_piix" "dm_mod" "usb_storage" "usb_libusual" "usbhid" "hid" "ohci1394" "ieee1394" "ahci" "libata" "scsi_mod" "ehci_hcd" "uhci_hcd" "usbcore" "nls_base" "scsi_wait_scan" "unix"
];

boot.loader.grub = {
# Use grub 2 as boot loader.
enable = true;
version = 2;

# Define on which hard drive you want to install Grub.
devices = [ "/dev/sda" "/dev/sdb" ];
};
boot.extraKernelParams = [ "vga=normal" "nomodeset" ];

networking = {
hostName = "nix9000"; # Define your hostname.
# wireless.enable = true; # Enables Wireless.
};

# Add file system entries for each partition that you want to see mounted
# at boot time. You can add filesystems which are not mounted at boot by
# adding the noauto option.
fileSystems = [
# Mount the root file system
#
{ mountPoint = "/";
#device = "/dev/sda2";
label = "system";
}
#{ mountPoint = "/boot";
# label = "boot";
#}

# Copy & Paste & Uncomment & Modify to add any other file system.
#
# { mountPoint = "/data"; # where you want to mount the device
# device = "/dev/sdb"; # the device or the label of the device
# # label = "data";
# fsType = "ext3"; # the type of the partition.
# options = "data=journal";
# }
];

swapDevices = [
# List swap partitions that are mounted at boot time.
#
{ label = "swap"; }
];

# Select internationalisation properties.
# i18n = {
# consoleFont = "lat9w-16";
# consoleKeyMap = "us";
# defaultLocale = "en_US.UTF-8";
# };

# List services that you want to enable:

# Add an OpenSSH daemon.
services.openssh.enable = true;

# Add CUPS to print documents.
# services.printing.enable = true;

# Add XServer (default if you have used a graphical iso)
# services.xserver = {
# enable = true;
# layout = "us";
# xkbOptions = "eurosign:e";
# };

environment.systemPackages = with pkgs; [
zsh wget wgetpaste vimprobable2
];

# Add the NixOS Manual on virtual console 8
#services.nixosManual.showManual = true;
}

New KVM Ohai Plugin

I wrote a new KVM plugin for Ohai which gives a ton of important information about KVM guests, which is stored in the node attributes for the host.  This makes it easy to find out which guests are currently on a host and other information about the guest, such as: cpu allocation, memory usage, persistence, autostart, etc.

One of the things you can do once you have this plugin installed and running on the host is have the guest perform a search to find it’s host and then save that information somewhere on the guest.  This is very convenient if you’re on a kvm guest and you want to know right away what it’s host is.

In you Chef code, just use something like this to find the current guest’s host:

parent_host = search(:node, "virtualization_kvm_guests:#{node[:hostname]}").first

This plugin uses the same naming scheme for listing guests as my Linux VServer Ohai plugin, so it’s easy to search for the host of a guest, regardless of virtualization type. I often find myself using knife to search for the host of a guest using this:

knife search node "virtualization_*_guests:<myguestname>"

I think of this as a poor man’s KVM management system.

quantium cracking

i just finished listening to “Episode 176: Quantum Computing” [1] and this is really a great podcast. like the whole SE-Radio btw!

this podcast really inspired me and on the way back from work, i was thinking about the possibility to exploit software using quantum computing.

quantum cracking that is. it would work like this: assume you have a program or function which gets input. the ultimate goal is to find some input which will crash the program. using a quantum computer this is probably not that hard to compute.
i could imagine that quantum computing could also be used for software verification, which is actually quite the opposite of what quantum cracking would be.

so when quantum computers arrive we do not only lose AES/RSA but our computers will be open to everyone with such a system. hopefully such systems spread soon, which might compensate the negative effect, maybe with quantum cryptography.

but as martin laforest says: at the end of the day i still don’t know when this technique will arrive. but when it arrives it will turn security upside down.

the most promising aspect of quantum computing, which is mentioned in the podcast, is that it will enable detailed quantum research which i consider a very cool thing as it will help to understand what goes down there.

links

http://www.se-radio.net/2011/06/episode-176-quantum-computing-with-martin-laforest/

Paludis 0.74.1 Released

Paludis 0.74.1 has been released:

• Compilation fix for certain compilers.
• Fixed a segfault when encountering blockers inside || ( ) dependencies.

Split page vertically in CSS (minus pixels)

I was designing an online database application recently. The layout I wanted was, I thought, fairly simple:

• N pixel header at the top
• The rest of the page split vertically into two panes
• Each pane should scroll independently

Super easy to do in CSS, right? Of course not! You can't do this:

#header {  height: 50px; }

#panels {  height: 100% - 50px; }

#top, #bottom { overflow: auto; }

This is because (of course) you can't do simple arithmetic in CSS.

I can't think of a reason why it's not supported. My browser knows the height of the window at any given point in time. The browser can surely subtract two numbers. If someone knows of a solid reason why we can't do this in CSS, please clue me in.

I can think of many reasons why I would want to do it though. The above use case is just one of them.

I really dislike resorting to this (which does work, as seen here):

#header {  height: 50px; }

#panels {
    position: absolute;
    top: 50px;
    left: 0px;
    right: 0px;
    bottom: 0px;
}

#top, #bottom { overflow: auto; }

Whenever I start using absolute positioning, I know something went off the rails somewhere.

The worst part isn't that CSS doesn't support this, it's that even if CSS did suddenly support it, I couldn't use it until sometime in 2023 when all the major browsers implemented it and everyone using the old browsers switched or died of old age.

Why do I publish so much of myself?

As some of you may know I am a somewhat outspoken critic of privacy in the way we handle it today and do even call myself somewhat of a post-privacy advocate (when I do call myself anything; self-descriptions are the hardest!).

If you look to the right of this text you can see where I checked in last, my Foursquare profile is public, looking at my twitter feed you know when I am awake and usually even what I do. On this site  you can see me legal name and address as well as my phone number. If you invest a few minutes with your search engine of choice you can find out a lot about me, my family, my upbringing: I live in the open.

Looking at how I advocate a very open lifestyle and try to lure people away from the false promises privacy offers you  could consider me being very open just “eating one’s own dogfood”. On the other hand I have gotten quite some criticism about how dangerous my position is and what a bad sort of advice it might be to people living under oppressive governments, people who are being discriminated against or people with little political or economical power. And that criticism is true. And also misses the point.

I live an extremely privileged life. I am a white, healthy, heterosexual male in Europe. I have a good education and a well-paid and interesting job. It’s actually hard to find any aspects in my life that open me up for the sort of sexist, racist or otherwise-ist attacks and discrimination so many other people face every day even in the so-called “first world”. And if I compare my situation to people living in poorer parts of the world the difference becomes even more grotesque.

But in my perspective, my privileged life commits me to this open lifestyle. Not because I know that it will never have negative consequences but because I see it as an experiment.

Who if not me, a super privileged individual, can test these ideas in the real world? The dangers for me are marginal compared to most people on this planet, hell even in this rich country! I run my life as a test case for my theories, try to reflect upon why a certain aspect works for me and what the preconditions for that success were, try to explicitly trace dangers down to their causes.

Post-privacy is not a utopia you just slap on our world today for everyone and it would work. Like every big social change it takes a lot of time (or probably a catastrophe which is nothing I want to see happen to anyone, anywhere for whatever good it may do) for a society to change in that fundamental way . But in order to even properly discuss it, we need to determine the terms and conditions for a post-private society. What economical or political environment is necessary? What new or changed rights does the individual need?

I life my life in this extremely open way to determine said conditions. It’s not a way of living I can recommend for every individual today. But with a lot of work maybe in a few (probably many, probably many more than I have left on this planet ) years there will be a world, a society where everybody can live this open and this freely. And if I can just nudge mankind a little bit in that direction, the few risks I take are really nothing I can invest more than a shrug into. And move on.

Linux Sea now in ePub

On request of Matthew Marchese, I now automatically build an ePub version of Linux Sea for those that like to read such resources on a digital reader. Thanks to the use of DocBook, this was simply a matter of using its xsl-stylesheets/epub/docbook.xsl stylesheet against the DocBook sources and zip the created directory structures (OEBPS and META-INF) to get to the ePub file.

Paludis 0.74.0 Released

Paludis 0.74.0 has been released:

• The way || dependencies are handled has changed to allow upgrades in certain situations that would previously be blocked.
• Previously file descriptors would be leaked when adding certain types of files to a tar being created for a pbin. This is now fixed.
• We now strip certain kinds of trailing garbage from tar files, to deal with upstreams who insist upon distributing corrupted tarballs.
• We now define ${T} to something usable in pkg_pretend.
• The order of arguments passed to econf has been tweaked, to make it easier to override defaults.
• cave print-ids etc now have a ‘%u’ format, for a uniquely identifying spec.
• Added cave print-checksum, for convenience.
• We now use metadata/md5-cache if it exists.
• We now ignore self-blockers for Gentoo EAPIs, to avoid problems with developers screwing up package moves.
• Compilation with GCC 4.7 should now work.

Why both chroot and SELinux?

In my previous post, a very valid question was raised by Alexander E. Patrakov: why still use chroot if you have SELinux?

Both chroot (especially with the additional restrictions that grSecurity enables on chroots that make it more difficult to break out of a chroot) and SELinux try to isolate an application so it only has access to those resources it needs. Chroot does this on file-level basis (and a bit more with grSecurity), SELinux on more general resources. However, things that make SELinux strong (flexible and detailed policy language, fine-grained authorizations) are also its weakness (consolidating files into groups having the same file label), and chroot does have an advantage on this.

Suppose that a flaw exists in BIND through which an attacker can read files on the host (through BIND). With SELinux, the domain in which BIND runs is prohibited from accessing and reading files whose label is not one of the labels that the policy thinks BIND should be able to read. More specifically, the BIND policy in the reference policy (which is what both Gentoo and RedHat base their policies on, and generally policies are only enlarged, never really shrinked):

• etc_runtime_t (read) means access to the files in /etc that are modified at runtime (like mtab, profile.env, gentoo’s /etc/env.d)
• named_var_run_t (read) is access to /var/run/bind and /var/run/named (and a few other related locations)
• named_checkconf_exec_t (read/execute) is access to read and execute /usr/sbin/named-checkconf
• named_conf_t (read) to read the BIND-related configuration files
• dnssec_t (read) to read the DNSSEC keyfiles
• locale_t (read) to access /etc/localtime, /usr/share/locale/*, /usr/share/zoneinfo/*
• etc_t (read) to read the general configuration files in /etc (including passwd, fstab, …)
• proc_t (read), proc_net_t (read) and sysfs_t (read) to access those pseudo filesystems
• udev_tbl_t (read) to access /dev/.udev and /var/run/udev (but I have no idea yet why this is in)
• named_log_t (read/write) for the log files of BIND
• net_conf_t (read) to access /etc/hosts (including deny/allow), resolv.conf, …
• named_exec_t (read/execute) the BIND executables
• named_zone_t (read) to access the zone files, also write access in case of slave system
• cert_t (read) to read certificate information
• named_cache_t (read/write) to access its cache
• named_tmp_t (read/write) to work with temporary files

Isolation provided by SELinux is as powerful as the width of its labeling. For instance, by giving the named daemon read access to /etc files like passwd, fstab, group, hosts, resolv.conf and more, a malicious user who can exploit this hypothetical vulnerability can obtain information that might help him in his further attempts. By chrooting BIND, the files placed in the chroot itself should not offer the information he might be looking for (for instance, the passwd file, if needed at all, is limited to just the named and root accounts, etc.)

Chrooting, but not enabling SELinux, could lead to escalation. A chroot cannot restrict what a process is allowed to do beyond the regular access privileges that are given on the user. If a user can upload an exploit through BIND and have BIND execute it, he can use this as an attack vector for further activities. SELinux here prohibits BIND to write stuff it can also execute (there is no write and execute privilege defined here). It also ensures that the BIND daemon never exists his security domain (transitioning towards another domain with perhaps other privileges) as there are no transition rules from named_t to any other domain.

Another MAC system that would be better suited to fit both is grSecurity’s RBAC model. Iirc, it uses path definitions to say which files are allowed to access and which not. The weakness SELinux here has (aggregation into sets of files with the same label) doesn’t exist for grSecurity. This debate on path-based versus label-based access controls have been going on for very long time now – just google it ;-)

So, Alexander, in short: chroot further limits the SELinux-allowed privileges to a more fine-grained set of file system resources (files/directories).

Chrooted BIND for IPv6 with SELinux

BIND, or Berkeley Internet Name Domain, is one of the Internet’s most popular domain name service software (DNS). It has seen its set of security flaws in the past, which is not that strange as it is such a frequently used service on the Internet. In this post, I’ll give a quick intro on how to use it in Gentoo Hardened (with PaX)… chrooted… for IPv6… with SELinux ;-)

Installing is of course, as usual, dead easy on Gentoo (Hardened/SELinux). Make sure you have USE=”ipv6″ set, and then emerge bind. Also install bind-tools as they contain some great tools to help with DNS troubleshooting. Then we’re editing /etc/conf.d/named to set the CHROOT variable. I also set CHROOT_NOMOUNT so that Gentoo doesn’t bind-mount the information in the chroot but instead uses the files in the chroot.

CHROOT="/var/named/chroot"
CHROOT_NOMOUNT="1"

Now we need to either temporarily add some privileges in SELinux, or run the portage_t domain in permissive mode. If you go for privileges, then add the following:

allow portage_t var_t:chr_file { create getattr setattr };

If you however want to temporarily run the portage_t domain in permissive mode, do that as follows:

~# semanage permissive -a portage_t

We are doing this because we are now going to ask the BIND ebuild to prepare the chroot for us. Doing so however requires portage to work on our live file system (and not in the regular “sandbox” mode). SELinux however forces portage in the portage_t domain and only gives it the privileges it needs for building and installing software.

~# emerge --config bind

When done, remove the previous SELinux allow rules again (or set the portage_t domain back in enforcing mode, through semanage permissive -d portage_t). Next we need to relabel the files in the chroot. By default, all files are labeled by SELinux as var_t in that location because it isn’t aware that it needs to see /var/named/chroot as a “root” location.

~# setfiles -r /var/named/chroot /etc/selinux/strict/contexts/files/file_contexts /var/named/chroot

So far so good. Now let’s create a simple named.conf file (in /var/named/chroot/etc/bind):

options {
  directory "/var/bind";
  pid-file "/var/run/named/named.pid";
  statistics-file "/var/run/named/named.stats";
  listen-on { 127.0.0.1; };
  listen-on-v6 { 2001:db8:81:21::ac:98ad:5fe1; };
  allow-query { any; };
  zone-statistics yes;
  allow-transfer { 2001:db8:81:22::ae:6b01:e3d8; };
  notify yes;
  recursion no;
  version "[nope]";
};

# Access to DNS for local addresses (i.e. genfic-owned)
view "local" {
  match-clients { 2001:db8:81::/48; };
  recursion yes;
  zone "genfic.com" { type master; file "pri/com.genfic"; };
  zone "1.8.0.0.8.b.d.0.1.0.0.2.ip6.arpa" { type master; file "pri/inv.com.genfic"; };
};

The zone files referenced in the configuration file are located in /var/named/chroot/var/bind (in a subdirectory called pri – which I use for “primary”). The regular one would look similar to this:

$TTL 1h ;
$ORIGIN genfic.com.
@       IN      SOA     ns.genfic.com. ns.genfic.com. (
                        2012041101
                        1d
                        2h
                        4w
                        1h )

        IN      NS      ns.genfic.com.
        IN      NS      ns2.genfic.com.
        IN      MX      10      mail.genfic.com.
        IN      MX      20      mail2.genfic.com.

genfic.com.     IN      AAAA    2001:db8:81:80::dd:13ed:c49e;
ns              IN      AAAA    2001:db8:81:21::ac:98ad:5fe1;
ns2             IN      AAAA    2001:db8:81:22::ae:6b01:e3d8;
www             IN      CNAME   genfic.com.;
mail            IN      AAAA    2001:db8:81:21::b0:0738:8ad5;
mail2           IN      AAAA    2001:db8:81:22::50:5e9f:e569;
; (...)

while the one for reverse lookups looks like so:

$TTL 1h ;
@       IN      SOA     1.8.0.0.8.b.d.0.1.0.0.2.ip6.arpa ns.genfic.com. (
                        2012041101
                        1d
                        2h
                        4w
                        1h )

        IN      NS      ns.genfic.com.
        IN      NS      ns2.genfic.com.

$ORIGIN 1.8.0.0.8.b.d.0.1.0.0.2.ip6.arpa.

1.e.f.5.d.a.8.9.c.a.0.0.0.0.0.0.1.2.0.0         IN      PTR     ns.genfic.com.
8.d.3.e.1.0.b.6.e.a.0.0.0.0.0.0.2.2.0.0         IN      PTR     ns2.genfic.com.
; (...)

We can now start the init script:

~# rc-service named start

On the slave, don’t set the allow-transfer directive and set its type to “slave”. In each zone, you will need to tell where the master is:

zone "genfic.com" {
  type slave;
  masters { 2001:db8:81:21::ac:98ad:5fe1; }
  file "sec/com.genfic";
};

By default, the SELinux policy for BIND does not allow BIND to write stuff in its directories. On the slave system, you will need to change this. A SELinux boolean here does the trick:

~# setsebool -P named_write_master_zones on;

There ya go ;-) Okay, all very condensely written, but it should give some feedback on how to proceed. I’m adding this information to the new online resource I’m writing – A Gentoo Linux Advanced Reference Architecture. Nothing really ready yet, just writing as I go forward with exploring these technologies…

Documentation updates for initramfs needed?

A quick help request from the community: if you know of any Gentoo documents that need updates in order for end users to know when and how to use initramfs, please file bugreports and have them block bug #407959. Currently, we have updated the Gentoo Handbook, Gentoo Quickinstall guides and added an Initial ramfs Guide.

The tracker bug is also used to check if and when the eventual roll-out of software can happen, and we want to make sure that we do not forget documentation (something we learned from the openrc migration). Not that the change is as large as was the case with openrc, but it is still nice to have updated documentation in time ;-)

VBA oddities

Riddle me this.

If I create two strings in VBA (Visual Basic for Applications) like so

Dim string1 As String
Dim string2 As String

When I turn a watch on for them, both variables are listed as type “String.” If I were to use the following code though, which I understand to be the exact same thing just with different sytnax,

Dim string1, string2 As String

string1 will be listed as type “Variant/Empty” but string2 will still be listed as type “String.”

I’m using Excel 2007 is that makes a difference. Can anyone please explain to me what on earth is going on here?

Kitten

Image courtesy of Place Kitten