Why Security on the Internet is an Afterthought

This WaPo article gives us a historical perspective on why the Internet was designed to operate mostly with no encryption.  The money quote:

“Back in those days, the NSA still had the ability to visit a professor and say, ‘Do not publish that paper on cryptography.’ ”
As the ’70s wound down, [Vint] Cerf and [Robert] Kahn abandoned their efforts to bake cryptography into TCP/IP, bowing to what they considered insurmountable barriers.

This is really a great piece on how the internet morphed from an academic & defense research project to the collective nervous system of humanity.  I came into the field during the second decade of the Internet and it was not really a part of my life until about four or five years in.  I really enjoyed the insight into the earlier days.  Note the role Richard Stallman took back then – it hasn’t really changed much, at its core.

h/t to Rob Slade via CISSPForum.

Biometrics Are NOT Passwords, Dammit!

Today in Stupid Extensions of Biometric Authentication: this item from Sophos.  Brainprints will apparently be the new fingerprints.

Here is what the press (and from the looks of it, half the security industry) seems unable or unwilling to get: you cannot change your biometrics.  You cannot ever change your fingerprints.  Nor can you ever change your iris, your retina, your “brainprint,” or any of the other too-clever-by-half schemes researchers may yet dream up for biometric authentication.  A biometric is an identifier, not a secret: once a copy of it leaks, there is no revoking or rotating it the way you would a compromised password or token.

In fact, the whole idea of two-factor authentication has traditionally been based on “Something you know, something you have, something you are… pick two.”  We need to drop the last, and go with “Something you know and something you have” – period.

Fingerprints are already easier to steal than a password ever was.  Digital photography is probably good enough by now that iris patterns are equally easy, and retinal scans from afar cannot be that far behind.  What was that twinkle?  Oops, too late.  Once the “brainprint” technology is usable, its targets will be equally pilferable.

Just because it looked cool in 1970’s SciFi does not mean it’s truly going to be valuable in this century.

Day Against DRM

“Digital Rights Management” is one of those things that sounds so benign.  Like “Patriot Act”.  In fact, DRM is a willful effort to make sure that your computer is not really your property, and that legitimate uses of it are under control of the corporations you bought media from.  Oh, sorry, “bought media” is a misstatement.  Under DRM, you cannot actually buy media.  You can give corporations money, yes, but they retain the ownership of everything.  You have only bought a license to use the media until… well… until they decide you can’t use it anymore.  When this day arrives, you will have no recourse.

Security?  Broken software is not secure.  Proprietary encryption algorithms make me pull my hair out.  DRM requires that you hold all the information in your hands and yet you are subject to arbitrary restrictions about how it may be used.  The theme of all DRM is, or should be, “Defective by Design.”  Because the only way to make DRM start to work is to break your software or device in some way, and then arbitrarily forbid you from fixing it.

Why the sudden DRM screed today?  May 6th is the International Day against DRM and this has been welling up for some time.

This is a security issue.  There will be more to come on this topic….

Meanwhile, a big tech book publisher is having a sale; go buy something.

The Painful Joys of Learning a New Technology

I decided a while ago that I wanted to try a next-gen firewall.  So I recently acquired a small ARM-based PC with dual LAN interfaces, installed a disk in it and set to work getting Sophos Home UTM running.

An old friend and co-worker of mine once pointed out that we programmers and other IT types often find ourselves working at a tough problem or bug for hours or even days.  Then we hit upon the solution.  Now at this point, in the popular imagination, we erupt in celebratory exclamations along the lines of, “Eureka!”  Any of us who have been through the process, however, know that what is vastly more likely is that we erupt in vicious, self-directed insults along the lines of “Idiot!”

I have had my share so far of “Idiot!” moments.  Let me share them with you.

By the way: my only justification for being such a moron in the vignettes that follow is, this is my hobby and even though it is frustrating at times, I am having fun.

I got the software and tried several different utilities to make a bootable USB stick from the ISO.  A Linux utility called “USB Image Writer” quickly proved itself nigh-on useless.  Unetbootin works well for Windows or Ubuntu, not so much for anything else.  I discovered that there is one program in this scruffy class that actually works well, including adapting the output USB stick’s format to how the ISO it is writing is laid out, and that is Rufus.

Now, with a USB stick in hand that would boot the installer and begin, I quickly encountered an error message during the formatting of the disk, “install.tar not found”.  I probably could have resorted more quickly to the “just google the error message verbatim” strategy and saved myself a lot of time on this one, so that will count as my first “Idiot!” moment.  It turns out that you have to work around the fact that the Sophos ISO is designed to lay down a CD image with links to files as well as files, and this is not well-replicated on the USB version.  Also, for reasons not clear to me, the installer dismounts the install medium during the disk formatting process.  So you need some redundancy that the Rufus utility will not create.  I found this sequence of commands, which worked well:

Start the Installer, then

1. On the First Screen, hit Alt-F2. [gets a command prompt]
2. bash-3.2# mount /dev/sdb1 /mnt [mounting your install USB]
3. bash-3.2# cd /install
4. bash-3.2# mkdir install
5. bash-3.2# cd install
6. bash-3.2# cp -a /mnt/install/* .
7. bash-3.2# cd ..
8. bash-3.2# cp -a /mnt/* .
9. bash-3.2# cd /
10. Hit Alt-F1  [returns to main installer]
11. Finish the Installation, Reboot.
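
The same workaround as a small shell function, added here as an example rather than being part of the original post or of Sophos’s installer.  It takes the USB mount point and the installer’s working directory as parameters (the defaults match the /mnt and /install used above), refuses to run if the stick is not mounted where expected, copies the whole stick with cp -a so that symlinks and permissions survive, and then checks that an install.tar actually landed somewhere under the target, since “install.tar not found” was the error that started all this.  It collapses steps 4 through 8 into a single copy, because copying /mnt/* into /install already brings /mnt/install along with it.  It assumes cp -a and find are available on the installer’s Alt-F2 console; the function and its parameter names are mine.

```shell
#!/bin/sh
# Added example (not the post's own commands): stage installer files from a
# mounted USB stick into the installer's working directory so they survive
# the medium being dismounted during disk formatting.
set -eu

# stage_installer [USB_MOUNT] [TARGET_DIR]
#   USB_MOUNT  where the install stick is mounted (post used /mnt)
#   TARGET_DIR installer working directory to populate (post used /install)
stage_installer() {
    src="${1:-/mnt}"
    dest="${2:-/install}"

    # Fail early if the stick is not mounted where we expect; the post's
    # sequence relies on $src/install existing.
    if [ ! -d "$src/install" ]; then
        echo "stage_installer: no $src/install; is the USB stick mounted at $src?" >&2
        return 1
    fi

    mkdir -p "$dest"
    # cp -a keeps symlinks, permissions and timestamps, which the ISO-to-USB
    # conversion may have flattened.  "$src/." copies dotfiles too.
    cp -a "$src/." "$dest/"

    # Verify the file the installer complained about is now present under
    # the target (its exact location inside the tree is not assumed).
    if find "$dest" -name install.tar | grep -q .; then
        echo "stage_installer: install.tar present under $dest"
        return 0
    fi
    echo "stage_installer: install.tar still missing under $dest; check the stick contents" >&2
    return 1
}

# When run directly with two arguments, stage from $1 into $2.
if [ "$#" -ge 2 ]; then
    stage_installer "$1" "$2"
fi
```

From the Alt-F2 console this is `mount /dev/sdb1 /mnt`, then `stage_installer /mnt /install`, then Alt-F1 back to the installer.  The exit status tells you whether it is worth continuing, which is the check the original sequence leaves to the next error message.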

OK, now with this scriptlet, I can get the install to run to completion.  Along the way it takes a default for its static IP, which occasioned my “Idiot!” moment #2 when I just clicked past it.  Oh, it also takes a default for the netmask, so my “Idiot!” moment #3 followed #2 pretty quickly.  I hear you objecting that we can change these after install with ifconfig.  It’s true, yes… but are you willing to assume that the installation of all that other firewall functionality did not record those bad defaults somewhere your after-the-fact change will not reach?

Let’s just say, I got good at that command sequence above.

Last but not least, after getting it working to the point of being able to put it on the bench and do as much pre-configuration work as possible prior to setting it inline and trying it out… I made the one mistake that should really have me considering a second career in pottery.  I created a new admin account with a complex password that I recorded in my password manager… and then deleted the default admin account… and then discovered that the new admin password was mistranscribed and therefore useless.  After a break, I get to practice that command sequence again.

And yet, I know how this movie ends.  My persistence at these things is close to boundless, and I will have a functional installation at the end.  And a newly deepened respect for sysadmin and netadmin types who do this for a living.

Tech To-Do List

My home tech to-do list (in no particular order)

  • Network Zones: I would like three segregated network zones in our home LAN.  One for our general purpose computers, one for our Android and BlackBerry devices, and one for our printers and connected entertainment boxes (Roku, TiVo, etc.).  There does need to be some traffic between them, however; at least the computers need to be able to communicate with the printers. I have at my disposal for this an ASUS WiFi router and a TP-Link managed switch.  I may also soon add…
  • A UTM device in front of our Internet connection.  That ASUS router is currently connected straight to the DOCSIS 3 cable modem, and doing boundary duty as well as all its internal responsibilities.  I am considering Sophos Free Home UTM, and pfSense.  I have purchased the Intel Atom D2500 for the hardware base.  This will probably handle the Sophos – if not, pfSense will be no challenge to it, for sure.
  • Need to find a way to set up a group of Raspberry Pi units with USB DVD drives to bulk-rip all our movie and TV DVDs into a format that Plex or Serviio will serve.  This is a living-space-placement issue as well as a tech challenge because cats.
  • We have a Sony Bravia TV and a BD player/receiver combo that do a nice job of switching the sound to our 5.1 speakers… some of the time.  The receiver also has a bunch of streaming applications that are now mostly duplicated on other devices.  So I think it might be time to replace the BD-Receiver.  Anyone who knows of a non-Sony device that does “Bravia sync” please comment.  I’m willing to put in two devices here only if absolutely necessary.
  • I am trying out SpiceWorks for a combination of ticketing and monitoring but I’m leery of giving an online service the amount of internal access and authentication that a monitoring system does need.  If anyone knows of a similar facility I could stand up and host internally, shout it out.
There are probably more but they are all much lower priority.  In fact, the priority is so low I can’t think of them now.  This is why I need a ticketing system.

Getting Ready to Present

Every month at my office, I hold an informal Lunch & Learn.  I take the opportunity to enlighten any of my colleagues who want to listen about some topic related to Information Security.  This is available to anyone in our IT operation who’s interested, anywhere in the world.  Since this event has attracted a bit of a following in the UK, I feel bad for them that it’s always at 5PM local.  Especially since it’s always on a Friday!  So a couple times a year, I will do it at 7AM (or 8AM, as I did today) in order to hit noon UK time.

Between these lunch & learn sessions, and two to four conference talks a year, I have started to notice that the experience falls into a fairly consistent pattern.

  1. A last minute rush of tweaking my slides, which is not helped by the fact that I love to compose the actual presentation in the last 24 hours before presenting.  I will read and research for weeks but I seldom commit anything to PowerPoint before the last 24 hours.
  2. About 30 minutes before my talk I start checking out the logistics: connection to projector and/or conferencing utility software, phone hookups, etc.  Probably because of…
  3. Nerves.  I get nervous, performance-anxiety feelings anywhere from 1 to 8 hours before presenting.  Every damn time.  I am somehow convinced that this helps me do well, so I am okay with it.
  4. Will anyone show up?  I always worry about this in the last few minutes.  Always for no good reason.  I suppose it’s a side-effect of #3.
  5. Presenting begins.  I always feel like I talk too much, I talk too fast.
  6. I want questions, and at first I usually get silence.  Then I finally get one… then another.  And they’re good! Smart questions!
  7. I love it!  Want to do it again, and again!

Strange as it seems for someone as introverted as I am, I really enjoy making these large group presentations.  My efforts seem to be pretty warmly-received, and I get asked back.  So I guess I am not just a victim of the Dunning-Kruger Effect here.