Archive

Dreams and Crypto-Fiction… now that’s weird.

So the other day, Sunday morning I think it was, I woke from a dream in which my wife was asking me, “Who is iang?” She was pronouncing it as a word, but in my mind I saw it spelled that way. I take dreams as hints, so I immediately cracked open the laptop (what? we don’t ALL sleep with a laptop within reach?) and opened a Google window, typing in iang. Imagine my surprise when the second entry is directly relevant to recent experience and reading:

iang.org

Blog on Financial Cryptography · Free Banking Page · Papers · European Digital Money · Rants · Crypto Fiction Reviews · SSL Considered Harmful
iang.org/ - 2k - Cached - Similar pages

Relevant because I recently read the prime example of modern crypto fiction, Cryptonomicon, and of course isn’t everyone in the IT industry touched by examples of encryption these days? SSL certificates, encrypted file systems, VPNs, PGP, etc. I’ll wager that 10-20% of us can wax poetic about which encryption algorithms provide the best protection and which have been cracked.
Fascinating because I had never heard of IanG or his blog/site, and it came to me in a dream.
It gets weirder. Of course the first link I clicked on IanG’s Crypto Fiction Reviews page was down at the bottom:

Unsolved and Solved Ciphers

Elonka maintains a list of well-known unsolved codes and ciphers. A couple of the better-known unsolved ancient historical scripts are also thrown in, since they tend to come up during any discussion of unsolved codes.

Elonka’s list includes a mention of the fascinating Voynich Manuscript, an old unsolved illustrated manuscript. Voynich is very similar to the Codex Seraphinianus in that it is also illustrated and unsolved. I actually own a copy of the Codex. I found it interesting that Elonka doesn’t mention the Codex, and emailed to mention that fact. No response yet.

Old-Skool Videogames… or… PROGRESS

So I finally got back on my GTA game, first time since September really, and finished off the last two missions that open up Tierra Robado. Now I have a whole new area to explore without the SWAT teams coming after me for territory violations.

I had been attacking TORENO’S LAST FLIGHT with the wrong approach, stopping every time I saw the chopper and trying to shoot it down. The approach that finally worked was getting ahead of the chopper and shooting it as it approached me. I have my doubts as to the accuracy of these virtual weapons — I don’t think I was shooting at it any more accurately from the front than from the rear. But it’s done, in any case.

YAY-KA-BOOM-BOOM was almost pitifully simple. Kill all the guards you can see before you drive the car into the crack lab, then fewer of them will be around to shoot at your car and potentially blow you up before you get it parked in there. Escaping was no big deal either, just jump the ramp over the freight containers and you’re good to go.

I guess I’m taking this more seriously so that when we get a WII, GTA will be in the past, and I won’t have those unfinished missions hanging over my head.

If I could just figure out how to pass the BURN AND LAP portion of Driving School, I’d be a much happier camper.

Audiobooks

I bought a copy of Cryptonomicon. As an IT professional working in the security field, it seemed to fall right into place as the next book to read. It was originally recommended by Mike Terry, who seems to be a big Neal Stephenson fan. I was liking the book, but having limited time to read it now that I’m no longer commuting by train, I picked up the AudioBook of it.

Now I’m simultaneously gratified and annoyed. Sure, I can listen to it during my commute, and that works out well, especially with the Prius’ integrated audio and navigation system. When I get a call from my wife during the commute, the bluetooth-integrated system intercepts the call, PAUSES the CD while I take the call, and then resumes when I hang up. But I’m finding there are things I don’t like about audiobooks, especially for large books such as Cryptonomicon. Namely, the abridgements. I had left off reading the book shortly after a particularly satisfying brawl scene in a sushi bar, which had elements of comedy and adventure that I found fulfilling. This entire scene is left out of the audiobook and only referred to vaguely when describing the other character as having been met in a bar fight.

Energy Efficiency

Having a Prius seems to be affecting my thought processes concerning energy conservation.

This past weekend (Memorial Day weekend) I did a fair amount of yard work.  Mowing, weeding, trimming, weedwacking and “cultivating,” for lack of a better term (installing iron trellises for our three productive yet unwieldy rosebushes and our two baby climbing vines).  My upper forearms are sore from repeated attempts at starting the weedwacker, because the gas inside it had become stale.  My lower back is sore from all of the combined efforts of carrying, bending, and pulling.

I got to thinking about whether it would be easier and more efficient to use electric tools.  One of my neighbors has an electric mower.  I just can’t visualize lugging an extension cord around the entire yard while mowing or weedwacking.  I also can’t imagine that these electric tools have the same horsepower as their ozone-depleting, smog-emitting, carbon-eating equivalents.  Is there such a thing as a 6HP electric mower that will kick the ass of giant two-foot clumps of grass that I’ve neglected?

Then, I came home with a flat last night.  The Prius was kind enough to tell me about it on the dashboard indicator.  The light looks something like this:  (_!_)   — which is one of the symbols used to indicate an ASS in chat for old-school net junkies like myself.   As in, “Look, ASS, I’m not going to go much further unless you put some air in your tires.”  I pulled into a gas station in Stafford, and it was completely flat.  Odd.  I filled it to 33, the recommended pressure, and the indicator didn’t go away.

I drove the rest of the way home, it still looked fine, then I went hunting for my portable compressor/inflator, which seems to have disappeared.  Ran down to Wally World to pick up a new one for $30, and it’s CORDLESS.  Meaning, you can either run it off the 12V DC power supply in the vehicle (it used to be called a cigarette lighter port, but now that smoking is less cool, vehicles are no longer built standard with ashtrays — you have to pay EXTRA for the “Smoker’s Package”) or you can charge it in your garage and use it cordlessly, which will come in REALLY handy for vacations when I have to blow up all of the pool toys on day 0.

iptstate — Your new connection-viewing friend

In my security-related roles at various past jobs, I have often found the need to view open connections to a server. Sometimes I suspect a compromise, sometimes I’m troubleshooting a network issue. I had always used netstat to show me those open connections. Well, no more. I discovered iptstate (iptables state top), quite by accident, when pruning a distribution for size. From the man page:

iptstate displays information held in the IP Tables state table in real-time in a top-like format. Output can be sorted by any field, or any field reversed. Users can choose to have the output only print once and exit, rather than the top-like system. Refresh rate is configurable, IPs can be resolved to names, output can be formatted, the display can be filtered, and color coding are among some of the many features.
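The table iptstate reads is the one the kernel exposes as /proc/net/ip_conntrack (older kernels) or /proc/net/nf_conntrack (newer kernels, which prefix each entry with two extra fields for the layer-3 protocol). As an added example that is not from the post or from iptstate itself, the shell functions below summarize such a table by protocol, TCP state and original-direction destination port, roughly what the man page’s print-once mode gives you, and handle both /proc layouts. The sample entries, addresses and temp-file handling are constructed by me for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post or of iptstate.
# Summarize a netfilter connection-tracking table (the data iptstate shows)
# by protocol, TCP state and original-direction destination port.
# Handles the old /proc/net/ip_conntrack layout ("tcp 6 ...") and the newer
# /proc/net/nf_conntrack layout ("ipv4 2 tcp 6 ..."), which adds two fields.

# Write a few CONSTRUCTED conntrack entries (ip_conntrack layout) to $1.
# These are sample lines made up for this example, not captured from a host.
write_sample_conntrack() {
    cat > "$1" <<'EOF'
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=10.0.0.10 sport=51234 dport=22 src=10.0.0.10 dst=10.0.0.5 sport=22 dport=51234 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=10.0.0.7 dst=10.0.0.10 sport=40001 dport=22 src=10.0.0.10 dst=10.0.0.7 sport=22 dport=40001 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=10.0.0.10 dst=198.51.100.4 sport=33000 dport=80 src=198.51.100.4 dst=10.0.0.10 sport=80 dport=33000 [ASSURED] use=1
udp      17 29 src=10.0.0.10 dst=10.0.0.1 sport=5353 dport=53 src=10.0.0.1 dst=10.0.0.10 sport=53 dport=5353 use=1
EOF
}

# Print "count proto state dport=N" lines, most frequent first.
# $1 = conntrack table file (e.g. /proc/net/ip_conntrack or a saved copy).
conntrack_summary() {
    awk '
    {
        # nf_conntrack prefixes each line with the L3 protocol name and number
        o = ($1 ~ /^ipv[46]$/) ? 2 : 0
        proto = $(1 + o); state = "-"; dport = ""
        for (i = 2 + o; i <= NF; i++) {
            # The bare upper-case word is the TCP state; [ASSURED]/[UNREPLIED]
            # carry brackets and are skipped; UDP entries have no state ("-")
            if (state == "-" && $i ~ /^[A-Z_]+$/) state = $i
            # The first dport= belongs to the original (client -> server) direction
            if (dport == "" && $i ~ /^dport=/) { split($i, kv, "="); dport = kv[2] }
        }
        count[proto " " state " dport=" dport]++
    }
    END { for (k in count) print count[k], k }' "$1" | sort -rn
}

# Number of entries in a given TCP state, e.g. ESTABLISHED or SYN_RECV.
conntrack_state_count() {
    grep -c "[[:space:]]$2[[:space:]]" "$1"
}

# Usage against a live table (needs root and the conntrack module loaded):
#   conntrack_summary /proc/net/ip_conntrack
#   conntrack_state_count /proc/net/ip_conntrack SYN_RECV
```

One caveat worth keeping in mind when using this for incident triage: the state table only contains flows that netfilter connection tracking has seen, so on a host with no conntrack module loaded it is empty and netstat remains the tool to reach for.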

Improve your yum-based repository mirror’s efficiency…

If you do a lot of Linux installs, and have a local mirror repo, you’re probably used to changing your /etc/yum.repos.d/ files to reflect your mirror after every install, and after some upgrades. You can make this more efficient and less painful by rebuilding the release RPM to point to your local mirror. This way, anyone who installs from your mirror will come back to your mirror for updates.

This is a trivial process, but none of the places I’ve worked have done it. If you do this, care must be taken to prevent the next update of the mirror from clobbering your customized release.

I’m going to demonstrate how to do it in CentOS, but RedHat and Fedora are similar, of course.

First, go to a computer with your distro freshly installed. Install the additional package rpm-build, then install the rpmrebuild package from http://sourceforge.net/project/showfiles.php?group_id=57523.

Now, update your /etc/yum.repos.d files to point to your local mirror, and then check their syntax using the yum check-update command. Assuming it works, you’re ready to rebuild your release rpm. (The centos-release, fedora-release, etc. package owns your repository files.) The command to rebuild a CentOS release file is: rpmrebuild centos-release. It will confirm that you want to include the updated files, then it will ask if you want to change the release number (the default is no, so I stick with that). Once you accept these, it will tell you where it puts your newly-repackaged RPM.

Simply overwrite the original RPM in your repo with this one, and the next person who installs from your repo will have your customizations already included.
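The whole procedure, including the step that keeps the next mirror sync from clobbering the customized release RPM, as an added shell example that is not from the original post. The mirror URL, the on-disk paths, the upstream rsync source and the RPM file names are hypothetical placeholders; the yum and rpmrebuild calls are the ones described above, and createrepo is used afterwards so the repository metadata carries the checksum of the replaced package (yum rejects a package whose checksum does not match repodata).

```shell
#!/bin/sh
# Added example, not from the original post.  Assumptions (hypothetical):
# the mirror is served at $MIRROR_URL, lives on disk at $MIRROR_ROOT, and is
# refreshed with rsync from $UPSTREAM_RSYNC.  Adjust all of them to your site.
MIRROR_URL="${MIRROR_URL:-http://mirror.example.internal/centos}"
MIRROR_ROOT="${MIRROR_ROOT:-/srv/mirror/centos}"
UPSTREAM_RSYNC="${UPSTREAM_RSYNC:-rsync://UPSTREAM-MIRROR-PLACEHOLDER/centos/}"
KEEP_DIR="${KEEP_DIR:-/srv/mirror/custom-rpms}"   # lives OUTSIDE the synced tree

# Step 1: point the repo definition at the local mirror.  $1 = directory to
# write into (normally /etc/yum.repos.d).  gpgcheck stays on: the mirror
# changes where packages come from, not whether their signatures are checked.
write_mirror_repo() {
    cat > "$1/CentOS-Base.repo" <<EOF
[base]
name=CentOS-\$releasever - Base (local mirror)
baseurl=$MIRROR_URL/\$releasever/os/\$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

[updates]
name=CentOS-\$releasever - Updates (local mirror)
baseurl=$MIRROR_URL/\$releasever/updates/\$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
EOF
}

# Step 2: check that the repo files parse and the mirror answers (yum exits 0
# for "no updates" and 100 for "updates available"; anything else is an
# error), then rebuild centos-release so the new RPM carries the edited files.
# rpmrebuild asks its two questions interactively and prints the output path.
rebuild_release() {
    yum check-update >/dev/null 2>&1
    rc=$?
    [ "$rc" -eq 0 ] || [ "$rc" -eq 100 ] || return 1
    rpmrebuild centos-release
}

# Step 3: keep the customized RPM outside the mirror tree and copy it into
# place.  $1 = rebuilt RPM, $2 = path of the upstream copy inside the mirror.
stash_custom_rpm() {
    mkdir -p "$KEEP_DIR" && cp "$1" "$KEEP_DIR/" && cp "$1" "$2"
}

# Step 4: run after every sync.  Because the release number was kept, the
# upstream file has the same name, so a sync silently overwrites it; this
# puts every stashed RPM back over the upstream copy.  $1 = mirror tree.
restore_custom_rpms() {
    for rpm in "$KEEP_DIR"/*.rpm; do
        [ -e "$rpm" ] || continue
        name=$(basename "$rpm")
        find "$1" -type f -name "$name" -exec cp "$rpm" {} \;
    done
}

# Full refresh: sync, repair, then reindex every repository directory so the
# repodata checksum matches the customized RPM that clients will download.
sync_mirror() {
    rsync -av --delete "$UPSTREAM_RSYNC" "$MIRROR_ROOT/" || return 1
    restore_custom_rpms "$MIRROR_ROOT"
    find "$MIRROR_ROOT" -type d -name repodata | while read -r d; do
        createrepo --update "$(dirname "$d")"
    done
}

# Typical order on the build box, then on the mirror host:
#   write_mirror_repo /etc/yum.repos.d && rebuild_release
#   stash_custom_rpm /path/to/rebuilt/centos-release-*.rpm \
#       "$MIRROR_ROOT/5/os/i386/CentOS/centos-release-<same-name>.rpm"
#   sync_mirror      # from cron, instead of calling rsync directly
```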

Honeydew Weekend

Yesterday was a busy day around the house. Aside from the critically important tasks, which included researching ways to update the maps in our new used Prius’ navigation system without paying $250-$300 to the dealer for the newest update, I attacked a number of things on the honeydew list.

I planted tomatoes and peppers.

I mulched the Japanese maples in the yard.

I weeded the lilac and butterfly bushes.

I refinished the surface of the dining room table.

I put grass seed down in the front yard.

Oh yes, I forgot to mention, the next-door neighbors who were renting to own moved out. I said it from the beginning, renting to own never works. It’s always structured in an unbalanced way in favor of the landlord/seller.

Today I just kind of sat around trying to nap. Watched Fight Club, had a beer, etc.

And yes, we bought a Prius the other night. My commute is 55-60 miles, and now we’re spending a lot less in gas to get me to and fro.

Post-RHCE: Studying for RHCSS, Part 3 of 3: SELinux Policy

This is the third and final installment in the RHCSS Study series. With this installment, especially since it is a newish technology that can be difficult to wrap your head around at first, I recommend studying the course objectives listed below along with one or more of these fine publications:

RHS 429: SELinux Policy Administration

Unit 1 - Introduction to SELinux

* Discretionary Access Control vs. Mandatory Access Control
* SELinux History and Architecture Overview
* Elements of the SELinux security model:
o user identity and role
o domain and type
o sensitivity and categories
o security context
* SELinux Policy and Red Hat’s Targeted Policy
* Configuring Policy with Booleans
* Archiving
* Setting and Displaying Extended Attributes
* Hands-on Lab: Understanding SELinux

Unit 2 - Using SELinux

* Controlling SELinux
* File Contexts
* Relabeling Files and Filesystems
* Mount options
* Hands-on Lab: Working with SELinux

Unit 3 - The Red Hat Targeted Policy

* Identifying and Toggling Protected Services
* Apache Security Contexts and Configuration Booleans
* Name Service Contexts and Configuration Booleans
* NIS Client Contexts
* Other Services
* File Context for Special Directory Trees
* Troubleshooting and avc Denial Messages
* setroubleshootd and Logging
* Hands-on Lab: Understanding and Troubleshooting the Red Hat Targeted Policy

Unit 4 - Introduction to Policies

* Policy Overview and Organization
* Compiling and Loading the Monolithic Policy and Policy Modules
* Policy Type Enforcement Module Syntax
* Object Classes
* Domain Transition
* Hands-on Lab: Understanding policies

Unit 5 - Policy Utilities

* Tools available for manipulating and analyzing policies
o apol
o seaudit and seaudit_report
o checkpolicy
o sepcut
o sesearch
o sestatus
o audit2allow and audit2why
o sealert
o avcstat
o seinfo
o semanage and semodule
o Man pages
* Hands-on Lab: Exploring Utilities

Unit 6 - User and Role Security

* Role-based Access Control
* Multi Category Security
* Defining a Security Administrator
* Multi-Level Security
* The strict Policy
* User Identification and Declaration
* Role Identification and Declaration
* Roles in Use in Transitions
* Role Dominance
* Hands-on Lab: Implementing User and Role Based Policy Restrictions

Unit 7 - Anatomy of a Policy

* Policy Macros
* Type Attributes and Aliases
* Type Transitions
* When and How do Files Get Labeled
* restorecond
* Customizable Types
* Hands-on Lab: Building Policies

Unit 8 - Manipulating Policies

* Installing and Compiling Policies
* The Policy Language
* Access Vector
* SELinux logs
* Security Identifiers - SIDs
* Filesystem Labeling Behavior
* Context on Network Objects
* Creating and Using New Booleans
* Manipulating Policy by Example
* Macros
* Enableaudit
* Hands-on Lab: Compiling Policies

Unit 9 - Project

* Best practices
* Create File Contexts, Types and Typealiases
* Edit and Create Network Contexts
* Edit and Create Domains
* Hands-on Lab: Editing and Writing Policy
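Unit 3 and Unit 5 above cover reading avc denial messages and the seaudit and audit2allow tools. As an added example that is not part of the course or of the original post, the shell functions below do the first step of that troubleshooting by hand: they parse AVC denials out of audit-log text and tally them by process, source type, target type, object class and permission, so you can see whether a denial is a few mislabelled files (fixed with restorecon) or a pattern that calls for a boolean or a policy module. The audit lines are constructed samples, not records from any real system.

```shell
#!/bin/sh
# Added example, not from the RHS429 course or the original post.
# Tally SELinux AVC denials from audit-log text (/var/log/audit/audit.log
# with auditd running, or /var/log/messages without it).

# Write a few CONSTRUCTED audit records to $1: three httpd denials of the
# same shape, one different one, and one non-AVC record that must be ignored.
write_sample_audit() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1180000000.101:1): avc:  denied  { read } for  pid=2001 comm="httpd" name="index.html" dev=sda2 ino=4101 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1180000000.101:1): arch=40000003 syscall=5 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0
type=AVC msg=audit(1180000000.102:2): avc:  denied  { read } for  pid=2001 comm="httpd" name="style.css" dev=sda2 ino=4102 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1180000000.103:3): avc:  denied  { read } for  pid=2002 comm="httpd" name="logo.png" dev=sda2 ino=4103 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1180000000.104:4): avc:  denied  { name_connect } for  pid=2001 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
EOF
}

# Print "count comm source_type target_type class { perms }" lines, most
# frequent first.  $1 = audit log file.
avc_summary() {
    awk '
    /avc: +denied/ {
        # permission set is the text between the braces, e.g. "{ read open }"
        perm = "?"
        if (match($0, /\{ [^}]* \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        comm = "?"; st = "?"; tt = "?"; tc = "?"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm")          { comm = kv[2]; gsub(/"/, "", comm) }
            else if (kv[1] == "scontext") { split(kv[2], p, ":"); st = p[3] }   # user:role:TYPE:level
            else if (kv[1] == "tcontext") { split(kv[2], p, ":"); tt = p[3] }
            else if (kv[1] == "tclass")   { tc = kv[2] }
        }
        count[comm " " st " " tt " " tc " { " perm " }"]++
    }
    END { for (k in count) print count[k], k }' "$1" | sort -rn
}

# Total number of AVC denial records in the file.
avc_denial_count() {
    grep -c 'avc: *denied' "$1"
}

# Usage on a live host:
#   avc_summary /var/log/audit/audit.log
# Reading the output: repeated denials on user_home_t files by httpd_t usually
# mean web content is sitting under a home directory with the wrong label.
# Compare "matchpathcon <path>" with "ls -Z <path>" and fix with
# restorecon -Rv (or a semanage fcontext rule plus restorecon) before
# reaching for audit2allow, which widens the policy instead of fixing the label.
```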

Virtualization Strategies, Part 2: VMware ESX vs XenEnterprise

XenSource published an interesting comparison of VMware ESX against XenEnterprise. It appears to be a rebuttal of an earlier VMware report, and places them neck and neck in terms of hypervisor performance. Take a look:

A Comparison of Commercial Hypervisors

Post-RHCE: Studying for RHCSS, Part 2 of 3: Directory Services and Authentication

In the first installment of this series, I discussed the overall structure of Red Hat’s advanced certifications (beyond RHCE — RHCSS, RHCDS, and RHCA), and listed the objectives for the first exam of the RHCSS certification, the Network Services exam. By the way, all Red Hat exams cost $749, or $549 if purchased with the corresponding class. Most classes are four days, with the exams scheduled on Friday, and most classes cost $2,898, with the exception of the clustering and storage class, which is $3,998, probably due to the additional cost of enterprise-class storage hardware for the labs.

In my humble opinion, these exams are far too expensive. I think the “certificate of expertise” exams, which together comprise the advanced certs, should cost $250 each. This way the two next-step certs (exam-only, of course) end up each costing approximately what the RHCE costs, and the RHCA ends up being $1,250. There is something to be said for the current lack of study materials for these exams outside of Red Hat’s official curriculum — this places a premium on those who obtain the cert, because you know they either took the official approved course or they know their stuff. They didn’t cram for free, because there’s nowhere to cram.

Here are the objectives for the second exam in the RHCSS series:

RH423 Red Hat Enterprise Directory Services and Authentication
Course Outline

1. Introduction to Directory Services
* What is a directory?
* LDAP: models, schema, and attributes
* Object classes
* LDIF
2. The LDAP Naming Model
* Directory information trees and Distinguished Names
* X.500 and “Internet” naming suffixes
* Planning the directory hierarchy
3. Red Hat Directory Server: Basic Configuration
* Installation and setup of Red Hat Directory Server
* Using the Red Hat Console
* Using logging to monitor Red Hat Directory Server activity
* Backing up and restoring the directory
* Basic performance tuning with indexes
4. Red Hat Directory Server: Authentication and Security
* Configuring TLS security
* Using access control instructions (ACIs)
* ACIs and the Red Hat Console
5. Searching and Modifying the LDAP Directory
* Using command line utilities to search the directory
* Search filter syntax
* Updating the directory
* Using graphical LDAP client utilities
6. Linux User Authentication with NSS and PAM
* Understanding authentication and authorization
* Name service switch (NSS)
* Advanced pluggable authentication modules (PAM) configuration
7. Centralized User Authentication with LDAP
* Central account management with LDAP
* Using migration scripts to migrate existing data into an LDAP server
* LDAP user authentication
8. Kerberos and LDAP
* Introduction to Kerberos
* Configuring the Kerberos key distribution center (KDC) and clients
* Configuring LDAP to support Kerberos
* Access control with Simple Authentication and Security Layer (SASL)
9. Directory Referrals and Replication
* Referrals and replication
* Single master configuration
* Multiple master configuration
* Planning for directory server availability
10. Authenticating Windows Clients
* Windows networking overview
* Configuring a Samba primary domain controller (PDC) using LDAP
11. Windows Domain Authentication and Linux Clients
* Active Directory servers
* Linux as a client
* Active Directory and NSS
* OpenLDAP
* Winbind
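Section 5 of the outline above covers search filter syntax and the command line search utilities, and sections 6 and 7 cover using the directory for authentication, where the filter is typically built from a login name the user typed. As an added example that is not from the RH423 outline or the original post, the shell functions below build such a filter with the RFC 4515 value escaping that keeps the input from changing the filter’s structure. The server name and base DN in the usage comment are hypothetical; the ldapsearch options shown (-x, -ZZ, -H, -b) are standard OpenLDAP ones.

```shell
#!/bin/sh
# Added example, not from the RH423 outline or the original post.
# Build an LDAP search filter from untrusted input (a login name, say)
# without letting that input alter the filter.  RFC 4515 requires
# backslash, '*', '(' and ')' inside a value to be encoded as \5c, \2a,
# \28 and \29 (NUL as \00, which cannot occur in a shell string anyway).

# Escape one filter value.  Backslash goes first so the escape sequences
# themselves are not escaped a second time.
ldap_filter_escape() {
    printf '%s\n' "$1" | sed \
        -e 's/\\/\\5c/g' \
        -e 's/\*/\\2a/g' \
        -e 's/(/\\28/g' \
        -e 's/)/\\29/g'
}

# Filter for a POSIX account by uid.  Without escaping, a uid of "*" would
# match every account and a uid containing ")(" would rewrite the filter;
# with it, the value is only ever compared literally.
build_uid_filter() {
    printf '(&(objectClass=posixAccount)(uid=%s))\n' "$(ldap_filter_escape "$1")"
}

# Usage (hypothetical server and base DN; -ZZ refuses to proceed unless
# StartTLS succeeds, so the query and any bind do not cross the wire in
# clear text):
#   user="jdoe"
#   ldapsearch -x -ZZ -H ldap://ldap.example.internal \
#       -b "ou=People,dc=example,dc=internal" \
#       "$(build_uid_filter "$user")" uid uidNumber gidNumber
```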