LinuxWorld/OpenSolutions World San Francisco 2006

Well, I just got back from LinuxWorld and have to say I had a great time. This was a much better show than Boston was. Actually, after attending this show I realized how much the Boston show lacked for attendance and things happening. I still think part of what killed the Boston show was the move out of New York to Boston, but now that the Boston show has been dropped and the LinuxWorld Summit in New York set as a replacement, hopefully it will get back on track.

Anyways, had a lot of fun at a couple of the booths, notable were the Fedora guys, who willingly let me hose the FC6 test 2 box in the name of experimentation, the USENIX booth for some good information, and the Trolltech booth with their cool developer phone coming out soon. Outside of the actual show, I had a good time hanging out with Joshua Abraham (pbnj developer) and Jon “maddog” Hall. Both of them were very cool, and introduced me to several other very cool people. Unfortunately, I’m terrible with names, and besides Pixel (aka “Bob”), can’t remember who I had the pleasure of having dinner and hanging out with Wednesday evening. Here is a rather bad picture taken with my Treo at dinner of some of the folks:

LinuxWorld group at dinner in San Francisco
Posted in David, Linux, Technology

My actual interview article at Network World

OK, here is the actual interview that I had with Network World. I really like how it came out; I think Phil Hochmuth did an excellent job taking what I had said and presenting it to the reader. This is also the interview from which they took the quote for the previous article. Well, here it is if you are interested:

LinuxWorld experts: Securing Web-based application on Linux

Posted in David, Linux, Security, Technology

Cool, I’m quoted in Network World, uncool, it’s got a small error…

A pretty good article about the upcoming LinuxWorld/OpenSolutions World Conference and expo came out in the online magazine Network World today. I was even quoted in it at the bottom of the second page. It was an interesting interview, and I believe I rambled on for way too long, but they managed to get my main point, that is, Security is about finding the right compromises, and there are good tools now and in the near future to help us get there.

Now there is one small issue, and I’m posting this as a correction. I am not currently working on development of SELinux technology. I am working on some policy stuff, but I am not active in the community development of the technology currently. I have worked on it in the recent past, and plan to continue in the near future (though I am thinking of helping out indirectly via SEDarwin). I just wanted to make that clear. I support SELinux, I’m trying to help promote and improve SELinux, but I’m not a core developer of the technology. There are others such as the NSA, Trusted Computer Solutions, IBM, Tresys Technology and several other groups and companies that are putting in the hard work to make this technology a reality in the production world.

Here is the article for those interested.

Posted in David, Linux, Security, Technology

Wireless Drivers provide a backdoor to hack your computer..

Interesting article, and I would love to see this presentation at the BlackHat conference. Jon Ellch and David Maynor will be showing off how they can hijack a MacBook laptop in about 60 seconds using vulnerabilities in the wireless card driver. There are a couple of things that make this interesting:

1. All that has to happen is that your wireless card be turned on. You don’t have to be connected to a network. If your wireless card is on, you are a target, period.

2. In theory, there is nothing to say that Bluetooth is safe from this either. I would imagine that similar vulnerabilities could be found in Bluetooth drivers as well.

3. This is not Mac OS specific! Though they used a Mac for the demo, they have also discovered vulnerabilities in Windows. And I see no reason that it couldn’t affect Linux/*BSD as well.

4. Firewalls and anti-virus programs won’t and can’t protect you from this. This is a much lower level attack and will always bypass them. The only way to protect against it is either through better device driver security or not using wireless. SELinux/SEBSD/SEDarwin may help this somewhat, but again drivers are usually in the OS kernel and once you’re in the kernel it’s hard to stop attacks. I’ll have to look into the SE* solutions and see if they might be used to help mitigate this attack (though I’m doubtful).

Currently, there isn’t much you can do to protect yourself. Just turn off wireless when you don’t need it. Apple’s patches just came out, but there was no mention of a fix for this. The researchers are talking to Apple, Microsoft, and others to get this fixed. Also, they are not showing how they did it, just that they did it, so no current “in the wild” exploits are known of at this point.

Posted in David, Linux, Mac OS X, Security, Technology

Currently experimenting with new Themes

I’ve gotten a little tired of the default WordPress theme, so I’m experimenting with a few new ones. Once I find one that’s close to what I want then I’ll go through and do a little custom editing on it. So please excuse the mess as things move around (to the 2 people who actually visit the site 😉 ).

Update: I like this current Coffee theme with the tweaks to font and options I’ve added. I will change over the colors some and create a new graphic banner. Nothing against coffee, it’s one of my favorite drinks, but I do want to be just a little different…

Posted in David

Locking down Mac OS X

Ok, I recently have been given the opportunity to play around with a new MacBook Pro 15″ laptop (Mac OS X 10.4 – Tiger). So far I’m impressed, clean easy to use user interface with a nice Unix/BSD system underneath. In the process of getting it set up, I did go through and take care of some security issues to make sure I was happy. Some of these are obvious, some less so:

I. Click on the Apple Icon on the top left and select System Preferences

1. Click on Security
a. Set a master Password, and don’t forget it, this is used to recover lost accounts and such.
b. Turn on FileVault, this is a great security item, but will slow down your computer and could make crash recovery harder. I haven’t done this one yet.
c. Check require password to wake computer.
d. Check Disable Auto Login, don’t make it easier for someone who steals your laptop, it can happen.
e. Check Require password to unlock secure system preferences; this will help against trojans and such that could attack Mac OS X.
f. Check Use secure virtual memory; this is mostly for a multiple user system. I haven’t done this yet myself.
g. Check Disable remote control infrared receiver; less critical, but if you aren’t using it, why enable it?

2. Click on Bluetooth
a. Disable Discoverable, you don’t need to advertise that you are a possible hacking target. Most bluetooth devices you use don’t require your desktop to be discoverable. Only when you are trying to send files and such to the desktop for the first time with a device does this need to be enabled. After a pairing trust is setup you don’t need this enabled again for that device.

3. Click on Network
a. Select Airport and then options, then check Require admin password for Computer-to-Computer networks. There have been attacks in the past where machines (in that case, Windows) were able to create a computer-to-computer network while sitting in the airport without the need for the users’ intervention. It’s best to set this option just to make sure it doesn’t happen without your express consent.

4. Click on Sharing
a. Turn on “Remote Login”; this turns on the ssh daemon so you can ssh into your box like you normally do with Linux.
b. Choose Firewall and turn it on. By default, it seems Mac OS X doesn’t turn on its firewall. I personally prefer to have it up and running. You can then enable different remote services through the firewall below that. I enabled Remote Login – SSH, iChat, and Network Time.
c. Under Firewall Advanced, enable Block UDP Traffic and Stealth Mode. So far, neither of these has blocked traffic such as iChat Video/Sound or anything else, so better to block unwanted traffic.

5. Click on Startup Disk
a. Make sure that the lock icon on the bottom is selected. Unless you are reinstalling your base OS, no reason to have this easily changed.

Those are the preferences you can change via the GUI. Here are some to change via the command line in Terminal:

II. Start Terminal, you can find this by clicking on the search tool (magnifying glass in the top right corner) and using the term terminal.


1. Set a root password. There is a root user on Mac OS X, and by default it’s disabled from normal use. But I’m paranoid, so unless I know the root password I don’t like it. You can set it by using the command “sudo passwd root” which will then ask you for the new root password. You may want to set this to the same as the master password. I’m not positive, but they may be linked; I haven’t researched it that far yet. Warning, this will enable the root user account. I still prefer having the password set to something I know vs being blank and disabled. Consider this optional and your preference.

2. If you’re using SSHD for remote login, make it more secure. Using “sudo vi /etc/sshd_config” set “Protocol 2”, “PermitRootLogin no”, and “AllowUsers username” to your “username” for your main account if you only want that account to ever be able to SSH into your Mac. This is very important if you enable the root account like I did in step 1.

3. Double check the sudoers file. By default, it’s set up pretty well, only root and admin users can use sudo (which means do anything as admin/root all powerful user). You might want to double check it to make sure “sudo vi /etc/sudoers”.

4. Change your user directory’s permissions. By default, your new user directory is readable by any user on your computer. Though there may not be another user on your computer, it’s best to change that so it is only accessible by you. In the terminal you could type in “cd ..” which will put you in the /Users folder. Typing “ls -l” will give you a list of users, most likely just Shared and your username. Then issue the command “chmod 750 username”, username being your actual username. This will give you full control over your directory; no other users besides root have full access, and admin users have read access. I would go with chmod 700 to block other admin users, but I don’t know enough about Mac OS X and what other system-level problems that might cause with software daemons running.
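
The checks from steps 2 and 4 above as a script, added here as an example and not part of the original post: it reads an sshd_config the way sshd does (the first value for a keyword wins, and keywords are case-insensitive) and tests that a home directory grants nothing to other users. The function names, the user alice and the sample files are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit the sshd_config settings from step 2 and the home
# directory mode from step 4. All sample data below is constructed.

# Print the first value set for KEYWORD in FILE, skipping comment lines.
# A keyword that is unset or commented out prints nothing.
sshd_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# Print one FAIL line per setting that differs from step 2; return the count.
audit_sshd() {
    file=$1; user=$2; fails=0
    [ "$(sshd_value "$file" Protocol)" = "2" ] ||
        { echo "FAIL: Protocol is not 2"; fails=$((fails + 1)); }
    [ "$(sshd_value "$file" PermitRootLogin)" = "no" ] ||
        { echo "FAIL: PermitRootLogin is not no"; fails=$((fails + 1)); }
    [ "$(sshd_value "$file" AllowUsers)" = "$user" ] ||
        { echo "FAIL: AllowUsers is not exactly $user"; fails=$((fails + 1)); }
    return "$fails"
}

# Succeed only if "other" users have no access to DIR (750 and 700 both pass).
home_is_private() {
    other=$(ls -ld "$1" | cut -c8-10)
    [ "$other" = "---" ]
}

# Constructed sample: Protocol is commented out, and a late
# "PermitRootLogin no" is shadowed by the earlier "yes".
demo_dir=$(mktemp -d)
printf '%s\n' '#Protocol 2' 'PermitRootLogin yes' 'permitrootlogin no' \
    'AllowUsers alice' > "$demo_dir/sshd_config"
mkdir "$demo_dir/alice" && chmod 755 "$demo_dir/alice"

audit_sshd "$demo_dir/sshd_config" alice || echo "sshd_config needs changes"
home_is_private "$demo_dir/alice" || echo "home directory is readable by others"
```

On a real machine the same functions would be pointed at /etc/sshd_config and your own directory under /Users.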

Well that’s what I found, if you know something I missed, or a mistake I made please let me know. So far I haven’t found anything impaired by these settings for normal day-to-day use, but I’m only starting to play with Mac OS X.

Posted in David, Mac OS X, Security, Technology

How to redirect a default WordPress URL

OK, I was trying to help a friend who is replacing WordPress with another system and needed to redirect the WordPress URLs for old posts to the new URLs of those posts. Doesn’t seem like that would be too much of a problem, except that the default WordPress setup uses GET query values (such as ?p=1) and not URL paths to direct to a specific post. Given I’m not a mod_rewrite expert, it took a little digging and playing to figure out how to do it. Below is an example of how to do it using mod_rewrite and the .htaccess file in the root of the WordPress install:

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} ^p=1$
RewriteRule ^$ http://www.thenewdomain.com/the/new/url/story.html [R=301,L]

This assumes that your hosting provider allows mod_rewrite and that .htaccess overrides are allowed. The only problem with this is that the new URL gets the ?p=1 part tacked on to the end after the redirect. In this case it didn’t cause a problem, but it doesn’t look perfect. I’m still trying to figure out how to dump this.
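
One way to drop the leftover ?p=1, as an added example that is not from the original post: mod_rewrite discards the original query string when the substitution URL ends in a bare “?”. The script below goes beyond the single rule above and generates such rules for a list of posts; the function name gen_redirects and the sample mapping are constructed for illustration.

```shell
#!/bin/sh
# Added example: generate .htaccess redirects for old WordPress ?p=N links.
# Reads "POST_ID NEW_URL" lines on stdin and prints the rules on stdout.

gen_redirects() {
    printf '%s\n' 'Options +FollowSymLinks' 'RewriteEngine On'
    while read -r id url extra; do
        case $id in ''|'#'*) continue ;; esac        # blank line or comment
        case $id in
            *[!0-9]*) echo "skipped: post id '$id' is not numeric" >&2; continue ;;
        esac
        # Need a URL without "$" or "%": mod_rewrite would expand those
        # as backreferences inside the substitution.
        case $url in
            ''|*'$'*|*%*) echo "skipped: unusable URL for post $id" >&2; continue ;;
        esac
        [ -z "$extra" ] || { echo "skipped: extra fields for post $id" >&2; continue; }
        # A bare trailing "?" replaces the old query string with an empty
        # one, so ?p=N is not carried over. A target URL that already has
        # its own query string replaces the old one without help.
        case $url in *'?'*) qmark='' ;; *) qmark='?' ;; esac
        printf 'RewriteCond %%{QUERY_STRING} ^p=%s$\n' "$id"
        printf 'RewriteRule ^$ %s%s [R=301,L]\n' "$url" "$qmark"
    done
}

# Constructed sample mapping (the last line is rejected).
gen_redirects <<'EOF'
# old id  new URL
1   http://www.thenewdomain.com/the/new/url/story.html
7   http://www.thenewdomain.com/view?story=7
x9  http://www.thenewdomain.com/ignored.html
EOF
```

Apache 2.4 and later also accept the [QSD] flag on the RewriteRule for the same purpose.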

Posted in David, Software, Technology

Microsoft Security Patches en masse…

Well, Microsoft Patch Tuesday has delivered a whole host of critical security patches to MS Windows, Office, Explorer, and others. Several of these are actively exploited and can lead to some stranger in a far away land running whatever software they want on your computer.

So go get your updates now.

Here is some more information, and there is a patch for MS Powerpoint on Mac as well:

http://www.theregister.co.uk/2006/06/14/ms_june_patch_tuesday/

http://www.microsoft.com/technet/security/bulletin/ms06-jun.mspx

http://www.us-cert.gov/cas/techalerts/TA06-164A.html

Posted in David, Security, Technology

Mozilla/FireFox/Thunderbird update time again…

Well, more security bugs in the Mozilla, FireFox, Thunderbird batch of programs. There are about 5 bugs that could allow an evil website to run a program on your computer with your user permissions. Not actively exploited at the moment, but better to update now.

More information here.

Posted in David, Security, Technology

New Brakes installed

Well, I finally got my new brake kit installed on the truck. This is a set of SSBC 13″ slotted rotors with enlarged 3 piston aluminum calipers. This replaces the stock 11″ rotors with 2 piston steel calipers. This translates into more stopping power as well as more consistent stopping power. Of course, I’ve got the added grip of sport truck tires that have a larger contact patch than the stock tires. Without this, I would just be hitting the ABS threshold faster instead of stopping faster. Here are some before and after pictures.

Before:
Stock brakes

After:
The upgraded brakes
Posted in Cars & Trucks, David, Hobbies