Friday, June 30, 2006

Article Roundup

Ivan Ristic (the author of ModSecurity), talks about some of ModSecurity's new features.

Some decent tips for securing Linux distributions, mainly concerned with Red Hat-like distributions.

Over at Desktoplinux.com, Jem Matzan comments on how desktop Linux distros are headed in the wrong direction. His main point is that developers are trying to compete with Vista and Mac OS X by incorporating eye-candy into their desktops, when they should be trying to innovate in the application space. This is probably more about KDE and Gnome, the widely-used desktops in most popular distros - they are agonizingly slow on older hardware, and are even sluggish at times on newer hardware. Of course, if you are developing a commercial Linux distribution, the snazzy graphics give you good screenshot fodder, and increase general interest.

Bruce Byfield talks about how GPL enforcement may have a chilling effect on the smaller Linux distributions.

Mark Pilgrim updates his Ubuntu essential software list after his switch from Mac. His first one is funny:

1. Ubuntu, which is an ancient African word meaning "can't install Debian".

Interesting commentary on whether or not Computer Science Majors make good programmers. My take - not necessarily, but what is learned in a compsci degree program makes a good foundation if one is so inclined.

Monday, June 26, 2006

Requiring IE for Security Reasons - Huh?

I had an amusing exchange recently when I was calling a big-name security vendor for support on behalf of a client. I had been mildly irritated that I couldn't access their support portal with Firefox, since I wanted to open a ticket online. I suspected it was one of those 'IE-only' sites you hear about. Becoming less-and-less frequent, those. No easy way for me to test it, not a Windows box in sight...

Me: "Are you aware your support portal doesn't work with Firefox? Do other people complain about it?"
Engineer: "Yes, we get complaints about that. It only works with Internet Explorer, for security reasons".
Me: [Laughing out loud]..."You realize how that sounds?"
Engineer: "Yes, I use Firefox, too - for security reasons."
Me: "[More laughs]... Did they say if they would fix it?"
Engineer: "I don't think they will. Anyway, I don't have much of a say in the decision."

Wow. You would think a security company would know better.


Saturday, June 24, 2006

Article Roundup

Cracking buggy wireless drivers. Makes you glad some operating systems don't ship with binary-only drivers.

Debian Administration tells us about stack-smashing protection (SSP) now in Debian Sid. Also a good overview of shellcode exploits.

Yet another person who doesn't understand that the dichotomy between Free and commercial software is a false one. I'm glad that in the end, he saw the value in and was able to make use of GNU Privacy Guard (GPG).

Steve Yegge tells us about some of the new features in the development version of Emacs. I've been using CVS Emacs for a while (what will become Emacs 22) - in fact I'm typing this post in a version I compiled last week, and it really is a pleasure to use. Here is a detailed feature list, and instructions for checking out your own copy. Read the 'INSTALL.CVS' file after you check out the source. Be sure to report any bugs you find (I haven't found one yet in daily use).

Fedora Core 5 is one of the better Linux distributions around, according to this opinion piece. I still think most of these articles and distro reviews need to distinguish between desktop and server use (but see my next link). I guess a shell prompt doesn't make a good screenshot.

TechTarget talks about Ubuntu Dapper's bid for the enterprise server market. A good quote:

"The problem with the subscription model is that they feel a lot like licenses," Zachary said. "For Ubuntu to be different, it needs to focus on enterprise support deals. Whether Ubuntu is installed on five or more computers and they charge X amount a year on support, it doesn't matter because it decouples the install from services and makes the customers feel that they are more in control of their choices," he said.

Thursday, June 22, 2006

OpenBSD VPN Goodness

Well, OpenBSD keeps getting better and better as a firewall platform. First, pf, CARP and pfsync for failover or load-balanced firewall clusters, and now IPSec VPN failover. Sounds like it will be ready for the next release this fall. While this has been available as a feature in expensive, proprietary firewalls for some time (think Check Point), I don't know of any free-software implementation that offers this. Add to this OpenBSD's BGP and OSPF implementations, and you have a very nice, open redundant routing platform. Developments like this are a welcome relief to small businesses and others that have a hard time affording proprietary solutions, and I'm not just talking about the monetary costs. After all, you still need someone with a clue to install and support your firewalls, and those people don't come cheap. I'm really talking about the hidden costs - like vendor lock-in, license management and disturbingly bad support.


Tuesday, June 20, 2006

Article Roundup

A good interview with Eugene Spafford about the prevalence of network security risks, and how current trends are increasing them. He points to three factors:

  • Deployment of cost-saving technologies without thinking through the consequences (VOIP, wireless)
  • The disappearance of the network perimeter
  • Relying on one security vendor for all your products.

He has one interesting comment concerning the dangers of losing Net Neutrality:

A threat that is not so much technology as it is governance is the trend toward preferential treatment for commercial traffic. Big ISPs and companies are installing spam filters that block traffic from other countries, companies, ISPs or domains. It's effectively a breakdown of the end-to-end model. You cannot depend on your e-mail going through. You've got some countries setting up their own domain roots. We're losing the underlying commonality that the Internet grew on.

In No sex please, robot, just clean the floor, researchers are already starting to wrestle with a robotic code of ethics.

Yet another reason not to leave Emacs...an elisp version of Sudoku with about 200 built-in puzzles and the ability to get more from the 'Net. Four difficulty levels are supported. Put the following in your .emacs:

(add-to-list 'load-path "~/elisp")
(autoload 'sudoku "sudoku" "Play a game of Sudoku" t)

Then put the 'sudoku.el' you downloaded into ~/elisp, and run 'M-x sudoku'. You can customize the options with 'M-x customize-group RET sudoku RET'. Here's what it looks like:

[Screenshot: Emacs22 and Sudoku]

Andy Lester talks about how geek culture can be harmful. I can definitely relate to the phrase 'flipping the bozo bit':

The Bozo Bit was introduced in Dynamics of Software Development. It's the mythical switch you flip on someone after they've done or said something that you deem stupid. It's a permanent black mark against that person, and once its set, anything else coming from that person is deemed worthless. "And as far as his making a contribution is concerned, he's just dead weight, a bozo."

An interesting interview with Debian project leader Anthony Towns and his deputy Steve McIntyre. They talk about what lies ahead for Debian, and how well the Debian and Ubuntu projects work together.

Tuesday, June 13, 2006

Article Roundup

I came across this nifty Perl script for starting services in /etc/rc.d on Slackware (easily modified to run on other Linux or *BSD variants). This is like Red Hat's service command (e.g. 'service sshd restart'), just more concise and with fewer options, but still very usable.

There are two articles about switching back to Linux from Mac OS X, one by Chromatic at the Linux Devcenter, the other at Mark Pilgrim's blog (the author of Dive Into Python). Having never used Mac OS X, I can't say I know how they feel, but as a free-software advocate, I have never felt the urge to go the Apple route. To me, Apple is just another proprietary OS vendor, complete with closed hardware, DRM and vendor lock-in. No thanks.

I mentioned Firefox for Emacs Users in a previous post. Here is part II, with lots of tips.

Why Enterprises are Adopting Open Source.

Linux.com tells us about Using Debconf to configure a Debian system.

This is a doozy - from Google Research, Nearly All Binary Searches and Mergesorts are Broken. This is decades-old software.

Finally, a bit of humor.

Monday, June 12, 2006

Comments on Dapper Drake

There is a not-so-nice review of Dapper Drake, Ubuntu's new release, over at Tectonic. A few comments - I'm typing this on my laptop running Dapper as we speak, and it has been pretty stable for me, once I got it installed. One complaint I did share was the mysterious removal of some packages during my dist-upgrade from Breezy, like Evolution, Openoffice.org and Gaim. It wasn't that big of a deal, I just re-installed any missing packages afterwards, but it was still rather odd. I also did try to upgrade using the live CD, but found the installer horribly slow and the partitioning tool almost unusable - I actually rebooted into my old system to do the command-line dist-upgrade, which worked with a few missing packages. While the live-CD installer is a nice feature, I much prefer something like Debian's text-based installer, which is much more responsive. Text-based installers are underrated.

I do share some of their concerns about stability:

The first mistake, I think, was its desire to be a bleeding edge distribution, rather than a leading edge distro. Basing itself on Etch, Debian's unstable release, could be a problem. When the early versions of Ubuntu used the then-unstable Sarge as their foundations, it wasn't a risk -- Sarge was on the cusp of being released. Etch, on the other hand, is brand-new, and far from getting a thumbs-up as a stable distribution.

I think it's important to specify desktop vs. server here; I see a lot of reviews that make assumptions about how a system is being used. Debian Etch makes a fine desktop, even without the Ubuntu touch. I do wonder how Canonical can keep their server and desktop variants in sync with one another, however - the two have different goals. Desktop users tend to value applications and bleeding-edge hardware support, while server admins value stability. It's difficult to reconcile the two under the same codebase. Debian has been dealing with this issue for years ('Stable' is out of date, etc.), and has dealt with it pretty decently, I think (you run Debian testing or unstable if you want an up-to-date desktop). It seems difficult, if not impossible, to produce a well-tested and stable server distribution if key components of it like the compiler, kernel and C library are less than six months old. I've always thought of Ubuntu as a polished Debian meant for desktops, anyway, and reserve Debian stable for production servers. In the end, Ubuntu is still a rather new distribution, and I think it still remains to be seen if they can break into the enterprise server space in a meaningful way.


Thursday, June 08, 2006

Article Roundup

I guess Emacs really can be used as an operating system.

Over at O'Reilly blogs, Brian Jepson gives us some more humor as he is outsmarted by a chatterbot - this for fans of Monty Python.

It seems bloggers really like Ubuntu.

Two good articles on Pre-seeding Debian installations: Part I and Part II.

A former NSA cryptologist gives us a fascinating look at breaking a 137 year-old Confederate code.

Linux.com tells us how to suspend and hibernate a laptop under Linux.

Hewlett-Packard has registered Debian Sarge as a Carrier-Grade Linux. Here is the list of other registered Linux distributions.

Vitavonni.de tells us how to easily and quickly optimize Linux ext2/ext3 filesystems.

Tuesday, June 06, 2006

Safe, Remote Firewall Management

One of the hazards of remote firewall administration is the possibility of locking yourself out after an erroneous rulebase change. It can happen with any firewall. There are various ways around this; I'm going to go over a few of them.

Traditionally what I've used when making major (or first-time) firewall policy changes via a remote SSH session or remote GUI (e.g., fwbuilder or Check Point's "Smart" Dashboard) is a rather ugly hack where I enter a cron job that unloads or clears the firewall policy every five minutes. If I retain remote access after a policy update, I just disable the cron entry. If I accidentally lock myself out, I can just wait a few minutes and establish an SSH session again. This is insecure, but presumably the "open" firewall policy would be corrected after a few minutes anyway. The cron entry (in root's crontab, of course) looks like this:

*/5 * * * * /usr/local/bin/fw-unload.sh

If we are using iptables, fw-unload.sh is something like this:


#!/bin/sh
#
# fw-unload.sh
# Clears an iptables firewall and allows all traffic
#
IPT="/sbin/iptables"

# You may want to disable forwarding until the firewall
# policy is fixed
# /bin/echo "0" > /proc/sys/net/ipv4/ip_forward

# Clear the builtin chains and
# delete any user-defined chains
$IPT -F
$IPT -X

# Flush the nat and mangle tables
for table in nat mangle
do
  $IPT -t $table -F
  $IPT -t $table -X
done

# Default ACCEPT policies
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT

It can also strictly allow SSH from a single host to the firewall, which is obviously a much more secure fallback policy:


#!/bin/sh
#
# fw-unload.sh
# Clears an iptables firewall and allows only SSH
# from a single host to the firewall itself
#
IPT="/sbin/iptables"
MGMT_IP="10.1.1.1"

# Clear the builtin chains and
# delete any user-defined chains
$IPT -F
$IPT -X

# Flush the nat and mangle tables
for table in nat mangle
do
  $IPT -t $table -F
  $IPT -t $table -X
done

# Default drop policies
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# Allow SSH to the firewall
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp --dport 22 -s $MGMT_IP -m state --state NEW -j ACCEPT

# With the OUTPUT policy set to DROP, the firewall's own replies to
# the SSH session must be allowed out explicitly, or the session hangs
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

You could also modify it slightly to be a known-good policy that allows not only SSH inbound to the firewall, but also allows outbound traffic and NAT from a protected network, just to keep your users happy. In fact, it would be ideal if the fallback policy was our previous one...read on to see how we can do that. In any case, given that fw-unload.sh enables a firewall ruleset in itself, you should test it to make sure you can rely on it in an emergency.

For a Check Point firewall on Linux or Nokia IPSO, this would work as a cron entry by itself:

*/5 * * * * $FWDIR/bin/fw unloadlocal

If you use fwbuilder, it has a very nice feature where you can choose to always allow SSH access from a single host, regardless of the rulebase that has been applied. From the fwbuilder GUI, highlight the firewall object in question, right-click and choose Edit from the context menu, then click on Firewall Settings... (setting highlighted below):

[Screenshot: Ensuring Firewall SSH access]

Finally, here is what I think is the best solution for those using iptables-save/restore. Martin Krafft (author of the excellent book The Debian System) has posted a script that solves this problem quite nicely. I like it because it is so simple - you take a firewall ruleset in iptables-save(8) format, and feed it to the iptables-apply.sh script. It prompts you after applying the new ruleset - if you cannot reply at the prompt (within 10 seconds by default), it reverts to your old ruleset:


root@stealth:~# ./iptables-apply.sh firewall-rules.txt
Applying new ruleset... done.
Ruleset applied; are you seeing this message?
apparently not...
Timeout. Something happened (or did not). Better play it safe...
Reverting to old ruleset... done.
root@stealth:~#

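The confirm-or-revert idea in the session above, written out as an added example (my own code, not Martin Krafft's iptables-apply.sh and not part of the original post). It assumes root, iptables-save and iptables-restore on the PATH, and a ruleset file in iptables-save(8) format; the SAVE_CMD and RESTORE_CMD variables are hypothetical knobs so the rollback logic can be exercised without a live firewall.

```bash
#!/bin/bash
# Added example, not the page's or Martin Krafft's script: apply a ruleset in
# iptables-save(8) format and fall back to the previous ruleset unless the
# operator confirms within TIMEOUT seconds. Assumes root and iptables-save /
# iptables-restore on PATH; SAVE_CMD and RESTORE_CMD are hypothetical knobs
# that let the confirm-or-revert logic run without touching a real firewall.

SAVE_CMD=${SAVE_CMD:-iptables-save}
RESTORE_CMD=${RESTORE_CMD:-iptables-restore}
TIMEOUT=${TIMEOUT:-10}

# apply_with_rollback NEWRULES [BACKUPFILE]
# Exit status: 0 = new ruleset confirmed and kept, 1 = reverted to the old
# ruleset, 2 = error (bad input, or save/restore failed).
apply_with_rollback() {
    local new=$1 backup=${2:-/tmp/iptables.rollback.$$} answer

    [ -r "$new" ] || { echo "cannot read $new" >&2; return 2; }

    # Snapshot the running ruleset so there is something to revert to.
    if ! "$SAVE_CMD" > "$backup"; then
        echo "could not save the current ruleset; aborting" >&2
        return 2
    fi

    # iptables-restore commits table by table, so a file rejected halfway
    # may already have changed something: put the snapshot back, don't assume.
    if ! "$RESTORE_CMD" < "$new"; then
        echo "new ruleset rejected; restoring previous ruleset" >&2
        "$RESTORE_CMD" < "$backup"
        return 2
    fi

    echo "Ruleset applied; press Enter within ${TIMEOUT}s to keep it."
    # If the new policy cut our own session, no answer ever arrives: read
    # times out (status > 128) or hits EOF, and either way we revert.
    if read -t "$TIMEOUT" -r answer; then
        echo "Confirmed; keeping new ruleset (snapshot left in $backup)."
        return 0
    fi

    echo "No confirmation. Reverting to old ruleset..."
    if ! "$RESTORE_CMD" < "$backup"; then
        echo "REVERT FAILED: restore $backup by hand" >&2
        return 2
    fi
    echo "Reverted."
    return 1
}

# Usage: apply_with_rollback firewall-rules.txt
```

Run it from the SSH session you want to protect: if the new rules drop that session, the prompt is never answered and the snapshot is restored after the timeout.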

Sunday, June 04, 2006

Article Roundup

GNU grep may have been around a while, but the developers are still adding some new features. Some of the most notable are a '-P' switch that allows the use of Perl regexps, and a '-o' option that causes grep to return only matched patterns (as opposed to entire lines).

Debian/Ubuntu Tips & Tricks tells us how to use debootstrap to Install Debian Etch From a Running Debian-based System. This is nothing new (debootstrap has been around since 2001) - but still quite useful for installing or testing multiple Debian releases. Here are more generic instructions on using debootstrap from any RPM-based Linux distribution.

There's an interesting discussion at Martin Brown's blog on whether GNU/Linux distribution choices are based on fads or favoritism. In some ways this is a chicken-and-egg type question - popular distros like Ubuntu get that way because they are easy to install and use on many different hardware platforms. It's also probably less of an issue when you're choosing a server OS. The preponderance of laptops with proprietary and fast-changing hardware tends to guide (desktop) distro choices.

Nine live mini GNU/Linux distributions on one CD. You can choose which one to use at boot time.

Bruce Schneier talks about Aligning Interest with Capability, and opens up the can of worms (again) that is software liability (further down in the first post). Marcus Ranum has some interesting comments on software liability in another of Bruce's posts last year.