One of OpenSolaris's most heralded features is a next-generation filesystem called ZFS. Managing ZFS backups could not be easier: all you need to run is zfs snapshot tank/dataset@backup. If you want to replicate or store that snapshot on another machine, you can run zfs send tank/dataset@backup > backup.zfs. Keep in mind that the stream zfs send produces is plaintext; nothing in the pool protects it once it has been written out to a file.
I'll be demoing how to use GPG2 to encrypt ZFS backups created with zfs send. Here are the commands I used:
root@shawn-desktop:~# chmod A+user:shawn:full_set:fd:allow /datumz/
root@shawn-desktop:~# logout
shawn@shawn-desktop:~$ zfs create datumz/demo
shawn@shawn-desktop:~$ echo "this is a test" > /datumz/demo/testfile
shawn@shawn-desktop:~$ zfs snapshot datumz/demo@backup
shawn@shawn-desktop:~$ zfs send datumz/demo@backup | gpg2 -e -r "Shawn Webb" -o datumz_demo\@backup.zfs.gpg
Warning: using insecure memory!
shawn@shawn-desktop:~$ zfs destroy -r datumz/demo
shawn@shawn-desktop:~$ gpg2 -d datumz_demo\@backup.zfs.gpg | zfs recv datumz/demo
Warning: using insecure memory!
You need a passphrase to unlock the secret key for
user: "Shawn Webb "
4096-bit RSA key, ID F751C7BB, created 2010-04-27 (main key ID 5B242D25)
can't connect to `/home/shawn/.gnupg/S.gpg-agent': No such file or directory
Warning: using insecure memory!
gpg: encrypted with 4096-bit RSA key, ID F751C7BB, created 2010-04-27
"Shawn Webb "
shawn@shawn-desktop:~$ ls /datumz/demo/
testfile
So you can see how easy it is to manage and create snapshots and backups of ZFS datasets. I love that the backup files are never stored in plaintext. They're stored encrypted.
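A fuller version of the same pipeline, added here as an example rather than taken from the post: it signs the stream as well as encrypting it, and on restore it receives into a staging dataset and only keeps the result once gpg2's machine-readable status reports a valid signature. It assumes zfs and gpg2 on PATH, a recipient key name supplied by the caller, the caller's default secret key for signing, and a sibling dataset named DATASET.incoming (my naming, not anything ZFS defines) free for staging.

```shell
#!/bin/sh
# Added example, not the post's own commands. Assumes: zfs and gpg2 on PATH,
# the caller's default secret key signs the stream, and "<target>.incoming"
# is a free dataset name usable as a staging area.
set -eu

# backup_name DATASET SNAP -> file name for the encrypted stream, e.g.
# backup_name datumz/demo backup -> datumz_demo@backup.zfs.gpg
backup_name() {
    printf '%s@%s.zfs.gpg\n' "$(printf '%s' "$1" | tr '/' '_')" "$2"
}

# backup_dataset DATASET SNAP RECIPIENT
# gpg2 -e alone keeps the stream confidential, but anyone can encrypt an
# arbitrary stream to a public key; --sign lets the restore side reject a
# forged or tampered stream instead of feeding it to zfs recv.
backup_dataset() {
    ds=$1; snap=$2; rcpt=$3
    out=$(backup_name "$ds" "$snap")
    zfs snapshot "$ds@$snap"
    zfs send "$ds@$snap" | gpg2 --sign --encrypt -r "$rcpt" -o "$out"
    printf '%s\n' "$out"
}

# restore_dataset FILE DATASET
# gpg2 --decrypt emits plaintext before it has finished checking the
# signature (the signature trails the data in an OpenPGP message), so the
# stream is received into a staging dataset and renamed into place only
# after the status output on fd 3 reports VALIDSIG. Plaintext never lands
# in a file on disk.
restore_dataset() {
    file=$1; ds=$2; staging="$ds.incoming"
    status=$(mktemp)
    if gpg2 --status-fd 3 --decrypt "$file" 3>"$status" | zfs recv -u "$staging" \
       && grep -q '^\[GNUPG:\] VALIDSIG ' "$status"; then
        rm -f "$status"
        zfs rename "$staging" "$ds"
        return 0
    fi
    rm -f "$status"
    zfs destroy -r "$staging" 2>/dev/null || true
    printf 'bad stream or missing/invalid signature on %s; discarded\n' "$file" >&2
    return 1
}

case "${1:-}" in
    backup)  backup_dataset "$2" "$3" "$4" ;;
    restore) restore_dataset "$2" "$3" ;;
esac
```

Usage: sh zfs-gpg-backup.sh backup datumz/demo backup "Shawn Webb" writes datumz_demo@backup.zfs.gpg; sh zfs-gpg-backup.sh restore datumz_demo@backup.zfs.gpg datumz/demo brings it back. The VALIDSIG check is what turns "it decrypted" into "it came from me": an unsigned stream encrypted to your key decrypts cleanly but never produces a VALIDSIG line, so it is discarded.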
I completely ditched Linux at home. I'm now running OpenSolaris on all machines I actively own and use. The only exception is my netbook, which is running Win7 Starter. I don't really count that--I only use it for travel.
These past few days, I've been spending my time reading endless amounts of documentation and Google results figuring out why NFSv4 isn't working for me. I had NFS working a few months ago. Why would NFS stop working on a fresh install of OpenSolaris build 134?
After a few emails on the nfs-discuss mailing list, Tom Haynes, the project lead for OpenSolaris's NFS implementation, had helped me out quite a bit. He helped me figure out that the user "nobody" needs read access to the share. I never read that in any of the documentation.
Essentially, autofs tries to mount the share. Mounting a filesystem requires root privileges, so the mount request reaches the server as UID 0, not as the currently logged-in user as I had assumed. By default the server does not trust a client's root (only clients named in the share's root= option are), so it maps UID 0 to the user "nobody". Since my user was the only one with read access to the share root, the mount naturally failed.
After giving nobody read access to the share, I could use the share like normal. Here are the minimum ACLs needed for an NFSv4 share:
$ /bin/ls -vd /tank/shares/shawn
d---------+ 13 shawn root 20 Apr 20 10:28 /tank/shares/shawn
0:user:nobody:list_directory/read_data/read_xattr/read_attributes
/read_acl:allow
1:user:shawn:list_directory/read_data/add_file/write_data
/add_subdirectory/append_data/read_xattr/write_xattr/execute
/delete_child/read_attributes/write_attributes/delete/read_acl
/write_acl/write_owner/synchronize:file_inherit/dir_inherit:allow
Thanks Tom for helping me figure this out. I appreciate the time you spent.
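The two operations the post describes, granting "nobody" the read entry and checking that a share has it, as an added example (not the post's own commands). It uses the Solaris chmod A+ and ls -v ACL syntax shown on the page; the sample ACL at the bottom is constructed from the listing above so the check can be exercised without a live share.

```shell
#!/bin/sh
# Added example, not from the post. Assumes Solaris ACL syntax
# (chmod A+..., /bin/ls -v) as used on the page.
set -eu

# grant_nfs_mount_access DIR
# read_set expands to read_data/read_attributes/read_xattr/read_acl, which
# is exactly the ACE the post shows for "nobody" (on a directory, read_data
# is displayed as list_directory).
grant_nfs_mount_access() {
    chmod A+user:nobody:read_set:allow "$1"
}

# acl_allows_nobody_read: read `ls -v` output on stdin; exit 0 if some ACE
# grants user:nobody read_data with :allow. ls -v wraps long ACEs onto
# continuation lines that begin with "/", so those are glued back first.
# (A preceding :deny ACE for nobody would win in real evaluation; this
# check only looks for the allow entry.)
acl_allows_nobody_read() {
    awk '
        /^[ \t]*\// { cur = cur $0; next }   # continuation of previous ACE
        { if (cur != "") print cur; cur = $0 }
        END { if (cur != "") print cur }
    ' | tr -d ' \t' \
      | grep -q '^[0-9][0-9]*:user:nobody:[^:]*read_data[^:]*:allow$'
}

# check_nfs_share DIR: run the check against the live ACL of DIR.
check_nfs_share() {
    /bin/ls -vd "$1" | acl_allows_nobody_read
}

# Constructed sample, copied from the listing in the post.
sample_acl() {
    cat <<'EOF'
d---------+ 13 shawn root 20 Apr 20 10:28 /tank/shares/shawn
     0:user:nobody:list_directory/read_data/read_xattr/read_attributes
         /read_acl:allow
     1:user:shawn:list_directory/read_data/add_file/write_data
         /add_subdirectory/append_data/read_xattr/write_xattr/execute
         /delete_child/read_attributes/write_attributes/delete/read_acl
         /write_acl/write_owner/synchronize:file_inherit/dir_inherit:allow
EOF
}

case "${1:-}" in
    grant) grant_nfs_mount_access "$2" ;;
    check) check_nfs_share "$2" && echo "ok: nobody can read $2" ;;
esac
```

Note the flip side of the fix: because every client's root arrives as "nobody", this entry lets any host that can reach the server list the share root. Keep the entry to read_set and do not add inheritance flags, so it stops at the top-level directory.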
My dream job would be to be a security analyst. I love finding and exploiting vulnerabilities. I naturally think more like an attacker than a developer. Today, my employer fully switched me from software engineering (web development) to security analysis. As of today, I'm officially in charge of developing 0days, reporting vulnerabilities to the development team, managing risks, and security-related training. I'm no longer a software engineer.
Now all that's left is to get my dream pay. That'll come with time, education, and experience.
CyanogenMod is a popular custom firmware written by a dude that goes by the name of Cyanogen for certain Android-powered devices. He works hard to produce a great product with few bugs and many enhancements. All the Android devices I've owned have run CyanogenMod at some point in time. My Nexus One currently runs CyanogenMod.
Ultimate Droid is another custom firmware for Verizon's Droid. The beauty of open source is the ability to incorporate others' work into your work. The issue at stake is that the administrators of Ultimate Droid ripped Cyanogen's firmware without giving Cyanogen proper credit. Ultimate Droid is claiming completely original work. Cyanogen approached Ultimate Droid on their forums. The forum administrators quickly deleted Cyanogen's posts and banned him from the forums.
I love the concept of open source. I love being able to see the inner workings of programs and fix bugs myself. I love being able to mod software to do what I want it to do without resorting to nasty hacks. What gets me is ripping code without giving credit. I admit to using others' code in my projects (both professional and hobby), but I always give credit where it's due. It's common courtesy. Not giving credit will land you in the same trouble Ultimate Droid is running into now. They're losing their userbase and potential users simply because they stole code.
Props to Cyanogen for creating an awesome firmware and calling others out on stealing his hard work.
Medium- and large-size businesses everywhere are victims of countless hacking attempts. Attackers are motivated by curiosity, by chaos, and by money. As a security analyst for a successful company that makes millions of dollars in profit, it is my job to ensure the security and integrity of the network. The company retains sensitive data for long periods of time. Thus, preventative measures and proper response measures play a vital role in every aspect of the company.
We recently had a surprise penetration test. No one in the company (not even me) except the president of the company knew about the penetration test. The test was twofold: to find potential vulnerabilities in our web-based product and to see how the security team (mainly just me) handles a hack attempt. The penetration tester started out with Nikto, generating thousands upon thousands of 404 errors. We first caught wind of the penetration test because of how loud Nikto is. We quickly firewalled that IP. The attacker then used a proxy and continued attacking. He was able to find valid login credentials after a few brute force attempts. We then learned something really important: our intrusion detection methods weren't up to par.
We rely on error emails (404 and 500/503) to tell us when an intrusion occurs. After monitoring emails for a while, we only know a handful of things: the IP, the date/time of the attack, and what types of attacks. We don't know if the attacker was successful. After a few hours of research, I was able to gather that the attacker successfully logged in. It really should not have taken hours just to find out if he logged in.
It was on that day that I fully realized just how important detection is as a method of protection. Instead of looking at data for hours and guessing potential outcomes, proper detection and logging allows the security team to make accurate, timely decisions. Even now, a few days later, I don't know what the attacker accomplished. Without an audit trail, there's no way for me to tell what happened or how. Intelligent detection should be a part of every company's security plan. Without it, time is wasted and the chance of being fully compromised is much greater.
So, to sum up, make detection a part of your security plan. Detection allows your IT department to know what's going on and what actions to take in an efficient, affordable manner. If intrusion detection and logging are not part of your security strategy, you'll end up doing what I did: spending hours just trying to figure out whether the attacker successfully logged in.
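The two questions the post says took hours to answer from 404/500 emails (who is scanning, and did a brute force actually get in) fall out of the web server's access log directly. The following is an added example, not the company's tooling or the post's code. It assumes Common Log Format, a login form that POSTs to /login, a 401 or 403 on a bad password and a 302 into the application on success; the path and status codes are assumptions to adjust for your own application, and the sample log is constructed.

```shell
#!/bin/sh
# Added example, not from the post. Assumes Common Log Format on stdin:
#   ip - - [ts tz] "METHOD path proto" status bytes
# and a login form that POSTs to /login, answering 401/403 on failure and
# 302 on success (assumed; adjust for your application).
set -eu

# flag_scanners THRESHOLD: source IPs with at least THRESHOLD 404s.
# A Nikto run produces thousands; a normal client produces a handful.
flag_scanners() {
    awk -v t="$1" '$9 == 404 { n[$1]++ }
        END { for (ip in n) if (n[ip] >= t) print ip }' | sort
}

# flag_login_after_failures THRESHOLD: IPs that failed the login POST at
# least THRESHOLD times and then got a 302 from it, i.e. a brute force
# that succeeded. Prints "IP failures-before-success".
flag_login_after_failures() {
    awk -v t="$1" '
        $6 == "\"POST" && $7 == "/login" {
            if ($9 == 401 || $9 == 403) fail[$1]++
            else if ($9 == 302 && fail[$1] >= t) hit[$1] = fail[$1]
        }
        END { for (ip in hit) print ip, hit[ip] }' | sort
}

# report THRESHOLD_404 THRESHOLD_FAIL: run both detectors over stdin.
report() {
    log=$(mktemp)
    cat >"$log"
    printf 'scanners (>= %s 404s):\n' "$1"
    flag_scanners "$1" <"$log"
    printf 'logins after >= %s failures (ip failures):\n' "$2"
    flag_login_after_failures "$2" <"$log"
    rm -f "$log"
}

# Constructed sample log: a scanner, a second address that brute-forces the
# login and gets in on the fifth try, and an ordinary user who mistypes a
# URL once and logs in first time.
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [27/Apr/2010:10:00:01 -0600] "GET /cgi-bin/test-cgi HTTP/1.0" 404 210
203.0.113.7 - - [27/Apr/2010:10:00:01 -0600] "GET /admin.php HTTP/1.0" 404 210
203.0.113.7 - - [27/Apr/2010:10:00:02 -0600] "GET /phpmyadmin/ HTTP/1.0" 404 210
203.0.113.7 - - [27/Apr/2010:10:00:02 -0600] "GET /cgi-bin/php HTTP/1.0" 404 210
203.0.113.7 - - [27/Apr/2010:10:00:03 -0600] "GET /server-status HTTP/1.0" 404 210
203.0.113.7 - - [27/Apr/2010:10:00:03 -0600] "GET /.htaccess HTTP/1.0" 404 210
198.51.100.20 - - [27/Apr/2010:11:15:01 -0600] "POST /login HTTP/1.1" 401 512
198.51.100.20 - - [27/Apr/2010:11:15:02 -0600] "POST /login HTTP/1.1" 401 512
198.51.100.20 - - [27/Apr/2010:11:15:03 -0600] "POST /login HTTP/1.1" 401 512
198.51.100.20 - - [27/Apr/2010:11:15:04 -0600] "POST /login HTTP/1.1" 401 512
198.51.100.20 - - [27/Apr/2010:11:15:05 -0600] "POST /login HTTP/1.1" 302 0
192.0.2.44 - - [27/Apr/2010:11:20:00 -0600] "GET /favicon.ico HTTP/1.1" 404 210
192.0.2.44 - - [27/Apr/2010:11:20:01 -0600] "POST /login HTTP/1.1" 302 0
EOF
}

case "${1:-}" in
    demo) sample_log | report 5 3 ;;
    run)  report "${2:-100}" "${3:-5}" ;;   # e.g. sh detect.sh run < access_log
esac
```

Running it against a real log only works if the web server records the status of the login POST; if the application answers every login attempt with 200 and a rendered page, the second detector sees nothing, which is the same blind spot the 404/500 emails had. Either way, the audit trail the post asks for has to exist before the incident, not be reconstructed afterwards.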
I came across a recent paper detailing how government agencies can easily hijack SSL connections. The paper is well written and the authors definitely did proper research. The solution they came up with is elegant despite only being able to catch a few attack scenarios.
Overall, the paper describes difficulties in the current implementation of SSL. Users have to trust that Certificate Authorities (CAs) are always 100% trustworthy. Users also have to trust that governments around the world are also trustworthy. While the attacks aren't new, they are described in great detail. Moxie Marlinspike of Thought Crime talked about defeating SSL in his BlackHat USA 2009 video (a video I will upload soon). The paper mainly follows the concepts talked about in Moxie's video.
I'm impressed with the solution the authors of the paper created. They wrote a Firefox extension which caches the SSL cert the first time an SSL site is visited. Each time the user visits the same site, the Country Code of the cert is verified. If the Country Code changed, then the user is warned and prompted to continue or cancel. As a user of Google's Chrome, I might consider porting this Firefox extension to Chrome. I'm excited to see their Firefox extension take off and be further developed.
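The same trust-on-first-use check the extension performs, as an added example in shell rather than the paper's Firefox code or anything from the post: remember the country code of the issuer of the certificate a host presented on first contact and warn when a later connection carries an issuer from a different country. It assumes openssl on PATH for the live lookup and a cache directory with one file per host (my layout); the issuer strings in the test are constructed.

```shell
#!/bin/sh
# Added example, not the paper's extension and not the post's code.
# Assumes openssl on PATH (live lookup only) and a cache directory with one
# file per host holding the issuer country seen first.
set -eu

# issuer_country: extract the two-letter C= value from an
# "openssl x509 -noout -issuer" line on stdin. Handles both the older
# "issuer= /C=US/O=..." and the newer "issuer=C = US, O = ..." layouts.
# "CN =" does not match because the char after C must be "=".
issuer_country() {
    sed -n 's|.*[/,=] *C *= *\([A-Z][A-Z]\).*|\1|p'
}

# fetch_issuer HOST: live lookup of the issuer line for HOST:443.
fetch_issuer() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer
}

# check_issuer_country HOST ISSUER_LINE CACHE_DIR
#   exit 0: first sighting (recorded) or same country as before
#   exit 1: country changed, the case the paper's extension warns about
#   exit 2: no country code in the issuer at all
check_issuer_country() {
    host=$1; cache=$3/$1
    cc=$(printf '%s\n' "$2" | issuer_country)
    [ -n "$cc" ] || { echo "no country code in issuer for $host" >&2; return 2; }
    if [ ! -f "$cache" ]; then
        printf '%s\n' "$cc" >"$cache"
        return 0
    fi
    old=$(cat "$cache")
    [ "$old" = "$cc" ] && return 0
    printf 'WARNING: %s: certificate issuer moved from %s to %s\n' "$host" "$old" "$cc" >&2
    return 1
}

# Usage: sh ca-country.sh HOST [CACHE_DIR]
if [ -n "${1:-}" ]; then
    check_issuer_country "$1" "$(fetch_issuer "$1")" "${2:-$HOME/.ca-country}"
fi
```

This catches exactly what the paper targets, a certificate for a site you already know suddenly chained to a CA in another jurisdiction, and nothing more: a rogue or compelled CA in the same country as the original one produces the same country code and passes silently, which is the limitation the post alludes to.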
I'll conclude with an excerpt from the whitepaper:
VeriSign, the largest provider of SSL certificates in the world, whose customers include many foreign banks, companies and governments from countries that do not have friendly relations with the United States, also happens to make significant sums of money by facilitating the disclosure of US consumers' private data to US government law enforcement and intelligence agencies. This fact alone may be sufficient to give some foreign organizations good reason to question their choice of CA.
The source code for Win2k3, the most popular version of Microsoft's server operating system, has been leaked. The source code is available to MSDN Academic Alliance (MSDN AA) Administrators (college/university professors). The leak only contains the kernel. It can be compiled and installed on any Windows Server 2003 x86/64 computer.
I'm happy that this has been leaked. Being out of college (and not a professor) means I don't have access to MSDN AA. I have a Win2k3 VM and can now toy with the kernel. I'd like to see how Microsoft implemented ASLR and DEP. I'd like to see about strengthening the implementations.
I just bought a new netbook this week. I bought the Asus 1005PEB. It came with Windows 7 Starter, 1GB RAM, 250GB harddrive, and 11 hours of battery life. I'm sitting at Technaglass right now, using their free wifi on my netbook. I love how small this thing is. I can put it in the glove compartment of my car and take it anywhere I want. I set up tethering from my rooted Nexus One to my netbook, so even if there's no free wifi, I have internet wherever I go.
The netbook runs great for what I expect it to do: surf the web, chill on IRC, and write code in a simple text editor. I just installed Netbeans 6.8 on it and have yet to use it. Installing and uninstalling apps and updates does take a bit of patience.
The main reason why I love having a netbook is simply how mobile it is. My laptop is big and clunky. It takes forever to boot up, and even longer to get on the internet. I have a habit of reinstalling the OS quite often. We'll see how long I can last having Win7 Starter installed.
Upgrading Drupal could not be easier when it's run on an OpenSolaris server. I just recently upgraded Drupal from 6.15 to 6.16. The upgrade process took less than three minutes to complete. Here's the steps I used:
1) download tarball
2) zfs snapshot
3) rm -rf
4) untar tarball
5) cp -r .zfs/snapshot/[snapname]/sites/* sites
If something bad happens, I can just revert back to the snapshot. The process would have to be changed a bit if you have custom mods to your Drupal installation. My installation is a stock install with added modules and themes. Let me know if there's a more efficient way to upgrade Drupal on an OpenSolaris server.
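The five steps above as one script with the rollback built in, added here as an example (not the post's own script). It assumes the Drupal docroot is the mount point of its own ZFS dataset, that sites/ holds everything site-specific (settings.php, files/, contributed modules and themes) as in the stock install described, and that GNU tar is available as gtar, as it is on OpenSolaris; the dataset and path names are placeholders.

```shell
#!/bin/sh
# Added example, not from the post. Assumes: the docroot is the mount point
# of the ZFS dataset DATASET; sites/ carries all site-specific files;
# GNU tar is on PATH as gtar (OpenSolaris ships it).
set -eu

# restore_sites SNAPDIR DOCROOT: copy sites/ from the snapshot tree over the
# freshly untarred one (step 5). "sites/." rather than "sites/*" so dotfiles
# come along and an empty sites/ does not leave a literal "*" behind.
restore_sites() {
    cp -R "$1/sites/." "$2/sites/"
}

# upgrade_drupal DATASET DOCROOT TARBALL
# Verify the tarball's published hash before calling this; after the
# snapshot the old tree is deleted, so a bad archive means a rollback.
upgrade_drupal() {
    ds=$1; root=$2; tarball=$3
    snap="pre-upgrade-$(date +%Y%m%d%H%M%S)"
    zfs snapshot "$ds@$snap"                         # step 2: the undo point
    rm -rf "$root"/*                                 # step 3
    gtar -xzf "$tarball" --strip-components=1 -C "$root"   # step 4
    restore_sites "$root/.zfs/snapshot/$snap" "$root"      # step 5
    printf 'upgraded; undo with: zfs rollback %s@%s\n' "$ds" "$snap"
}

# rollback DATASET SNAP: put the whole docroot back as it was.
rollback() {
    zfs rollback "$1@$2"
}

case "${1:-}" in
    upgrade)  upgrade_drupal "$2" "$3" "$4" ;;
    rollback) rollback "$2" "$3" ;;
esac
```

Usage: sh drupal-upgrade.sh upgrade tank/www /tank/www drupal-6.16.tar.gz, then run the Drupal update.php as usual; if anything is wrong, sh drupal-upgrade.sh rollback tank/www pre-upgrade-YYYYmmddHHMMSS. The snapshot is taken before rm -rf runs, and set -e stops the script if it fails, so there is never a window in which the old tree is gone without an undo point.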
I bought a Nook this week from Barnes and Noble. I love that it's powered by Android. If you haven't figured it out yet, I'm an Android fan. This is the first time I've seen e-ink technology firsthand. It's amazing! My mind gets tripped out every time I look at it. My mind knows it's looking at a digital device, but it's tricked into thinking it's real ink on real paper.
The device overall seems a bit sluggish. Both 3G and WiFi are unreliable and often fail at random. While the Nook contains an awesome display that is extremely easy on the eyes and a simple interface, the Nook falls short of providing a completely comfortable eReading experience. When I click the next-page button, I have to wait a few seconds to make sure the click registered.
Even with the mentioned shortcomings, I still love having an eReader. I'm somewhat happy with my purchase and I suspect I'll be even happier in the Fall when I go back to school. If I can get all my textbooks on my Nook, I'll be one happy customer. I'm sure that I would have been even more disappointed with the Kindle.