Thursday, February 25, 2010

Properly Deploying a Private CA Cert in Ubuntu

I think the true strength of the certificate PKI is the ability to set up a CA for your organization and mint your own certs. You get the advantage of proper certificate validation without the cost of paying a third party to validate your identity (snicker).



There are copious sets of instructions on how to create your own CA, but I had a very difficult time finding proper instructions on deploying the cert to clients. Most of them simply say, “post it on your web server, visit it in your browser, then click Trust.” That’s fine on your own computer, but what about a larger organization? Are you going to just tell all your users to do this and expect them to get it done? What about multiple browsers? That kind of solution just doesn’t scale.



In my personal environment my clients are Ubuntu Karmic. I’ve seen some hackish solutions where you put the cert in /etc/ssl/certs and then add symlinks, or run c_rehash if you’ve read some man pages. After searching the Internet and not getting far I finally started digging through /usr/share/doc/ca-certificates and found the README.Debian file. It states that the proper way to install private CA certs is to put them in /usr/local/share/ca-certificates and ensure that the names end in .crt. Once that’s done you run update-ca-certificates and the appropriate linking is done for you. With that complete you may need to restart your various clients, but it should then be working for your command line web tools and graphical browsers.



I said visiting a URL in the browser and having users click through dialog boxes was unrealistic. Frankly, it’s cumbersome, but is copying the file out to each machine and running a command any better? Because I run cfengine, absolutely! My additions look something like this:




control:

AddInstallable = ( ... NewCACert )
...
directories:
# 0755: writable only by root, readable and searchable by everyone
# (0666 would leave the directory world-writable and unsearchable)
/usr/local/share/ca-certificates owner=root group=root mode=0755
...
files:
...
$(masterfiles)/CA/cacert.pem
dest=/usr/local/share/ca-certificates/lub-dub_CA.crt
mode=0444
owner=root
group=root
inform=true
encrypt=true
define=NewCACert
server=$(policyhost)
...
shellcommands:
...
NewCACert::
"/usr/sbin/update-ca-certificates"
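As an added example (my own script, not from the post and not part of cfengine or the ca-certificates package), here is a small POSIX shell script that does by hand what the cfengine stanza above does: it refuses anything that is not a PEM certificate, stages the file under /usr/local/share/ca-certificates with a .crt name and root-only write permission, triggers update-ca-certificates, and includes a check for the Debian Lenny problem described below (whether the installed update-ca-certificates script references the local directory at all). The optional directory argument and the --install flag are this script's own conventions, there so it can be exercised against a scratch directory without touching the real trust store.

```shell
#!/bin/sh
# Added example: stage a private CA cert the way README.Debian describes.
# Assumptions: the cert is PEM; the real paths need root; a third argument
# lets the functions be run against a temporary directory instead.

# Succeed only if FILE carries both PEM certificate markers.
is_pem_cert() {
    grep -q '^-----BEGIN CERTIFICATE-----' "$1" && grep -q '^-----END CERTIFICATE-----' "$1"
}

# stage_ca_cert SRC NAME [DIR]
# Copies SRC to DIR/NAME.crt, mode 0444. The .crt suffix is what
# update-ca-certificates keys on, so NAME must not carry its own extension.
# Writes nothing and returns 1 if SRC is not a PEM certificate.
stage_ca_cert() {
    src=$1; name=$2; dir=${3:-/usr/local/share/ca-certificates}
    is_pem_cert "$src" || { echo "refusing $src: not a PEM certificate" >&2; return 1; }
    case $name in
        *.*) echo "name must have no extension (.crt is appended)" >&2; return 1 ;;
    esac
    # Directory must be root-owned and not world-writable, or any local user
    # could drop a CA of their own into the trust store.
    mkdir -p "$dir" && chmod 0755 "$dir" || return 1
    cp "$src" "$dir/$name.crt" && chmod 0444 "$dir/$name.crt"
}

# script_reads_local_dir [SCRIPT]
# Succeed if the installed update-ca-certificates mentions the local cert
# directory (Karmic's 20090814 does; the post reports Lenny's 20070303 does not).
script_reads_local_dir() {
    script=${1:-/usr/sbin/update-ca-certificates}
    [ -r "$script" ] && grep -q '/usr/local/share/ca-certificates' "$script"
}

# Rebuild the bundle and symlinks; this is what the NewCACert class runs.
refresh_trust_store() {
    if [ -x /usr/sbin/update-ca-certificates ]; then
        /usr/sbin/update-ca-certificates
    else
        echo "update-ca-certificates not found; nothing refreshed" >&2
        return 1
    fi
}

# Usage (this script's own convention): ./stage-ca.sh --install cacert.pem lub-dub_CA
if [ "${1:-}" = "--install" ]; then
    script_reads_local_dir || echo "warning: update-ca-certificates ignores the local dir" >&2
    stage_ca_cert "$2" "$3" && refresh_trust_store
fi
```

After running it on a real machine, the quickest end-to-end check is to validate a server certificate issued by your CA against the bundle update-ca-certificates builds: openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt server.pem should print OK.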


The one wrinkle is that while my desktop systems are Ubuntu, my server systems are Debian Lenny. The Karmic version of ca-certificates is 20090814 while the Lenny version is only 20070303. The update-ca-certificates script in the Lenny version doesn’t look in /usr/local/share/ca-certificates, so I’ve had to add that myself.

Sunday, February 21, 2010

The Secret Life of Chaos



If you’re even remotely interested in science or mathematics, set aside an hour to watch this.

Wednesday, February 17, 2010

Mitre's 25 Most Dangerous Programming Errors



I look at those things and I fear that people will read them as “Oh, as long as I fix these n items I’m fine.” Those people convince themselves they’re safe when they’re not. If your application has error #26, or #52, or #375, it’s still broken, it’s still insecure. The attackers don’t care whether your application has RFI, SQL injection, or a backdoor account. Anything that lets them in is fine.



In my mind I criticize these kinds of lists but really I think usually the people that make those kinds of lists are earnestly trying to help people and improve the situation. I just think their approach is futile. Then I ask myself if I have a better solution and of course I don’t.



I wonder how long each of the programming errors on that list has been spoken about on the Internet as a hazard. I’m sure each one has been discussed ad nauseam on lists like this for a few years at least. Still, we have programmers who don’t care, programmers who don’t bother reading the list, programmers not aware of the list, and “programmers” who wouldn’t understand the list if it were right in front of them. There is an endless supply of new, bad, and apathetic programmers to replace any corrected by such lists.



Do lists like this make things any better?

Monday, February 15, 2010

Microwave + RFID = Plasma

It would appear that RFID chips in a microwave make plasma, and plasma melts glass microwave turntables. While I understand the latter, I was not expecting the former. The impressive thing was it kicked off at about 2.5 seconds. I wonder if it would have been “safely” destroyed in a glass jar submerged in water, this being a bank card.



Hopefully I’ve never made claims that I’m notably smarter than anyone else.

Friday, February 12, 2010

PCI

The security of a transaction-processing network varies inversely with the value the operators place in PCI.

Tuesday, February 9, 2010

Apply Directly To Brain

Mandelbrot Fractal Set Trip To e214 HD from teamfresh on Vimeo.


Apply directly to brain.

0(mfg)day

The term 0day has lost any real meaning. The original meaning was that a public vulnerability disclosure was made and the same day someone produced a working exploit.



Now 0day can mean a lot of things. It usually means something to the effect of “an exploit for which there is no patch available” but depending on who you ask it might mean “an exploit that’s leet because I wrote it”.



I’d like to throw some terms out here that are much more sensible than 0day. The scary thing about 0day is that there isn’t a fix for it. Perhaps in one situation it’s because no one knows about the vulnerability. Maybe the exploit was discovered being used in the wild. In any case, the fear is not that some shadowy person or organization has an exploit that they aren’t sharing; the scary thing is that there’s no fix. It is an unpatched vulnerability. If last Wednesday there was an announcement on bugtraq of a vulnerability in Flash, and today you got hacked (because it’s not Adobe’s Patch October yet), you didn’t necessarily get hacked by 0day. You got hacked by an unpatched vulnerability. Maybe the exploit was created the day of the announcement, maybe it was created days later. It doesn’t matter. You got breached because there was no fix and you didn’t disable Flash.



The term unpatched vulnerability is being used here and there on the Internet already. A term that isn’t being used but really should be is proprietary exploit. At the time of this writing a google search for “proprietary exploit” (quotes included) returns 449 results. When people talk about 0day exploits because they want to sound cool, what they’re often thinking of are proprietary exploits. These are exploits that aren’t being shared. Maybe the vulnerability isn’t patched, maybe it’s not even publicly known. That’s really the essence of the threat with proprietary exploits: maybe people are breaching your systems using attacks your scanners can’t detect because no one even knows there’s a vulnerability. That’s why people use the term wanting to sound cool, “I’ve got 0day so you can’t keep me out.” Perhaps after some high-profile compromise (Google/Aurora) people will capture samples of the exploit code and figure out what the vulnerability is.



Anyway, the purpose of this is not to inspire fear for threats you can’t fully defend against. I’m just sick of the term 0day and the way it’s used by people who don’t know what they’re talking about. If you understand the difference, will you pick terms with less ambiguity and media baggage?

Sunday, February 7, 2010

Lock Picking Observations

In a previous comment I noted that I intended to share my observations on beginning lock picking. I’ve only really been raking so far, not per-pin picking.



First, it’s very easy to apply too much pressure to the torsion wrench. Start by applying just a little bit of pressure and slowly increase it. The wrenches with the half twist will absorb some of the pressure by bending, so they may be a good choice while you get a feel for the right amount of pressure. The downside is that you lose some of the sensitivity to what’s going on with the plug. While I was getting a feel for it I would vary the pressure as I was raking. Sometimes I would let up too much and give up pins I had set; sometimes I would press too hard and false set some pins. Eventually my hands learned the proper range of pressure. If you eat sushi, I think the right pressure range is what you might use picking up a cut roll with chopsticks. If you don’t eat sushi, you’re missing out.



Second, the raking pressure should also be pretty light. I think of it like brushing teeth. You’re not trying to rub your gums off but you are trying to remove plaque. Raking too hard has less of a negative impact than applying too much torsion.



Third, don’t try too hard. The more you work at it the less success you have. Keep your practice lock, torsion wrench, and pick/rake at your desk. Pick them up and fiddle with them when you’re thinking or need to take a break. Just don’t focus on it. Your hands need to figure things out on their own. I found that the first half dozen or so times I opened my practice lock I was absently fiddling and had no idea what I had done to make it work. Every time I’d try to figure it out I’d get nowhere. When I stopped paying attention I eventually found that my hands just knew what to do.

4chan

4chan is an Internet fever dream.

Thursday, February 4, 2010

Spoofing For Charity... or Not

The media is reporting a lot about SMS charities. You send a text message to a certain number and your cell phone company bills you $10 or whatever. The company keeps a percentage or flat fee and passes the rest on to a charity. It’s a very convenient way for charities to get money. Of course it’s huge for Haiti charities.



What if you set up your own SMS “charity”? Then you get yourself a PBX system that can send text messages with whatever caller/sender number you want. You then send out texts to thousands of cell numbers with the caller/sender set to your charity number. The messages you send are those that are likely to elicit a response, even if just a “WTF?”. Perhaps they say, “Where are you?” or “Who is this?” or “I just found out she’s bi” or “Mom’s dead” (thanks Aaron). People reply to ask you who you are or what you’re talking about and boom, you just made $10.



Maybe if you’re nice(ish) you spoof the number of a real charity. Of course, a lot of those people would want it taken off their bill which means it would have to be taken back from the charity. This would really be the opposite of nice(ish).

Monday, February 1, 2010

Ain't No Mountain High Enough

Some of my friends know that I have clinical depression. For the most part I have it licked; I was on medication for a couple years while I learned how to deal with it. Now I occasionally go through some bad patches but they usually don’t go on for longer than a week. I’ve learned that if I just wait them out they’ll pass. I had been stuck in one for all of January which finally broke last Saturday.



Something people often don’t understand about depression is how it impedes your ability to get simple, important things done. Even when depressed, if you have a gun to your head you can usually do just about anything required of you, but there never really is a gun held to your head. Frankly, you can probably do the laundry tomorrow when you might feel better. Today you just feel terrible.



Used to be I couldn’t get much of anything done. I couldn’t go grocery shopping, I couldn’t take care of our pets, I couldn’t get my bills paid even though I had the money. This month I could take care of the bills mostly. I could go grocery shopping because we’re pretty thoroughly resolved not to go out to eat during the week. I could take care of the pets because I’ve seen how much happier they’ve been when I’m taking care of things properly. The laundry had been piling up on the floor and the dishes piling up in the sink because I just couldn’t muster the will to take care of them. Saturday it broke, I felt great, and I knocked those things out. Overall this bad patch wasn’t as bad as they’ve been in the past but it was much longer for reasons unknown.



I was explaining the situation to a friend and he had a hard time understanding lacking the will to take care of these basic, small things. He did acknowledge that there was a reason for it but that he didn’t have the experience to wrap his head around it.



Eventually I thought of a way to explain it that I hadn’t really thought of before. If you’ve ever been exposed to a motivational speaker or anyone similar you’ve probably heard something to the effect of: If you have the will to succeed, the size of the challenge doesn’t matter. The idea here being that the challenge can be very, very large, but the will to succeed will make you overcome the challenge. Here’s another version that is also true: If you lack the will to succeed, the size of the challenge doesn’t matter. In this case the challenge can be very, very small, but lacking the will to succeed will make it insurmountable.



Depression robs you of your ability to try, even at things you’re good at and know you can succeed at.