Post Diluvian

Current Projects

Posted in Uncategorized by wolfyrabbit on March 16, 2009

I am currently working on 2 mini projects: 1) installing and using VMware VIMA to administer my ESXi server; 2) setting up Splunk-to-Splunk logging over HTTPS (with a certificate obtained from a commercial CA).

I have discovered two things: 1) there is a driver for the iKey 3000 for Vista/32; 2) the GoldKey Hardware Encryption Token (www.goldkeytoken.com).


Mac tidbits

Posted in Mac by wolfyrabbit on March 2, 2009

It is a pity that I run Mac Mail as a standalone RSS reader. I like the fact that the Mail icon notifies you if there is a new unread item (RSS or email). Why not use Mail for your email, you ask?

Google Apps' web front end is better than Mail, IMHO. No contact syncing (without a command-line hack). In my Linux days (not that I have abandoned Linux; it is still my favorite server OS) I would have been happy to dive into the console and edit files in /etc, but since using Ubuntu and OS X I have adopted a “your OS is only as good as the shipped defaults” attitude and generally only like to use a feature if it is properly supported by the vendor.

I have tried other news readers but just don’t trust them with my authenticated RSS feeds. Their built-in browsers also make me nervous, as I believe web browsers are the no. 1 vector for nastyware.

I bought an AirPort Extreme last week. It is nice having a 130 Mbps wireless connection and being able to use a USB HDD connected via the AirPort as a Time Machine backup.

One qualm I have is that if the device is in “Bridge Mode” (in conjunction with another firewall) it does not bridge the Ethernet ports to the wireless interface, and hence the switch is a separate physical network from the WAN port.

I am tired

Posted in thoughts by wolfyrabbit on February 24, 2009

I have been reading up on YubiKeys and security for the last hour and a half. I am now exhausted and my eyes are squinting at the screen. I need to pick Jus up from work in 15 minutes. I also managed to bake a banana loaf (using a premade thingy). I used my watch’s countdown timer to alert me as to when it was ready.

I read this first, which led me to read a review of YubiKey security (highly recommended reading), which got me onto reading this. TheFrog had some good points and made me rest a bit on my effort to use a Rainbow iKey 3000 to secure my stuff. Then I thought about the reality of using a USB smartcard on non-50-hour-customized-software-running-on-hardware-that-I-can-control!!!

Smartcards are still the security high ground, I think. I have also been enjoying “Noble Beast” by Andrew Bird. No other music has entered my mind’s ear since I bought it two weeks ago. I wonder how Nathan’s blog is going. I thought about moving my website and blog from Slicehost to my own server to save cash and make use of the resources that I have. I originally planned to do my assignment but got carried away reading security posts. I did feel quite obliged to do my assignment (I wanted to play on my server) but in retrospect I should have just played on my server and enjoyed it. I am tired. Good night.

What were they thinking!

Posted in humour by wolfyrabbit on February 5, 2009

Go to www.bigpond.com. Their web server redirects you to http://www.bigpond.com/homepage (as if you did not know that you were visiting their homepage after typing it in a few seconds ago). OK, maybe you were spammed by the team of Russian kitsch anarchists who hacked www.bigpond.com.

Wait a minute. Bigpond’s ‘portal’ has always been an abomination and actually hasn’t been hacked! Perhaps a recession-starved cupid charmed Telstra management into making a homepage with red and blue and pink as neighbours.

It is an ugly site and is contemptuous of generation-i (the Internet generation), selling rubbish and using plugins on the landing page (and of all the plugins in the known universe, WHY JAVA!? Who is going to install Java so that we can buy a weight loss product?!)

I can almost feel my retina detaching, trying to slip away down my optic nerve to get away from this horrid vision. Telstra, please remove all the flashing bells and whistles and Java applets and red covering yellow next to blue next to pink. Make the site simple and fresh. We’d like to believe that you value product and service rather than selling us flowers and weight loss products. At the moment your site feels like a fruit market, not a top telecommunications company.

Keyboard layouts and culture

Posted in thoughts by wolfyrabbit on February 3, 2009

I always wondered why operating system / computer manufacturers did not just standardize on a keyboard layout. I recently bought a MacBook, and when I use it at my desk I plug in the Microsoft keyboard which I have grown up with and am familiar with. It feels quite awkward not knowing what the shortcuts are, or even what certain buttons do.

I have used Sun SPARC workstations before and remember feeling quite frustrated at the “silly” keyboard layout that they use. A good friend of mine, Rory, who is a Solaris engineer, was never bothered by the keyboard layout.

I started to ponder why the keyboard layout doesn’t bother people and why people are happy to learn new keyboard layouts. Obviously all keyboard layouts work, and some are better for getting particular tasks done than others, but I think that the layouts also reflect the differences in culture between the respective sets of users.

I think that it helps accentuate the surface tension that exists between any of the said cultural groups. You are likely to feel “outside” when you can’t use a Mac keyboard. The Mac folks are likely to feel “warm(er)” when they see a Windows user feeling uncomfortable using a Mac keyboard.

ebox fun and games

Posted in linux by wolfyrabbit on January 15, 2009

In case anyone else has been trying to use eBox to configure OpenVPN on Ubuntu: don’t! There is no way to configure OpenVPN to use tun devices instead of tap devices (eBox’s default).

eBox does do a nice job of managing the CA part of the solution and also creates nice client config packages (Windows and Linux) for your OpenVPN clients.

Secondly, if you want to use eBox on Ubuntu 8.10 (Intrepid), don’t! There is a broken dependency and it won’t install.

On a positive note, I must say that Slicehost’s management interface rocks! I have been working on these systems all day and the rebuild, backup and restore functions are a great time saver. Another cool find is Viscosity, a great OpenVPN client for Mac OS X.

Grace and its significance with regard to Salvation

Posted in assignments, theology by wolfyrabbit on January 14, 2009

This is an assignment that I have completed toward my “Cert IV in Christian Ministry” course at the Gold Coast Christian Training Institute (GCCTI).

What is grace? Grace, in the context of salvation, is the unmerited favour of God toward mankind. Grace is just one aspect of the nature of God. God is also Holy and Righteous and Just, and hence requires that law breakers be punished. Romans 6:23: “For the wages of sin is death, but the free gift of God is eternal life in Christ Jesus our Lord.”

So who cares? Why should I be interested in grace? We are all lawbreakers, or sinners, as it says in Romans 3:23, “for all have sinned and fall short of the glory of God”, and fall under God’s wrath. See also Romans 6:23: spiritual death is a result of God’s wrath. God’s wrath is terrible, and God commands us to choose life instead of death in Deuteronomy 30:19, “I call heaven and earth to witness against you today, that I have set before you life and death, blessing and curse. Therefore choose life, that you and your offspring may live,” and gives frightening descriptions of God’s wrath in Revelation 6:16, “calling to the mountains and rocks, Fall on us and hide us from the face of him who is seated on the throne, and from the wrath of the Lamb,”.

What is sin? Sin is an indifferent attitude toward, or ignorance of, God. Sin can be wrong attitudes or actions, or a lack of action or attitudes. For example, it is sinful to know what is right and not do it (I need a scripture reference here). We have a sinful nature by default since man’s fall; Romans 5:12 says, “Wherefore, as by one man sin entered into the world, and death by sin; and so death passed upon all men, for that all have sinned:”

Ok so I am a sinner and am in deep trouble. How can I fix it? If the Bible could speak it would say, “I knew you were going to say that, human! And you can’t fix it yourself!” Romans 6:20 says, “When you were slaves of sin, you were free in regard to righteousness.” We were slaves to sin and were enemies of God.

What if I keep the Ten Commandments? That is not enough: you have to keep 100% of the law 100% of the time, as we see in James 2:10, “For whoever keeps the whole law but fails in one point has become accountable for all of it.” So what is the law for? In this context the law is there to point us toward a saviour, as we see in Galatians 3:24, “So then, the law was our guardian until Christ came, in order that we might be justified by faith.” The fact that we can’t save ourselves is the hardest fact to accept. We want to be our own saviours or “gods”. We don’t want God making the rules and being who he actually is. This attitude is caused by our proud hearts.

So then how can I be saved? By grace alone, through faith alone! God’s attitude towards us, even in view of our hostility towards him, is one of abounding love and mercy. So much so that he gave his only son so that mankind could be saved.

This is really, really good news for us! It did not come without a cost, though; because God is righteous and Holy, he requires a penalty for sin, which his son Jesus Christ paid when he lived a perfect life and was crucified on a cross and died. Hebrews 4:15 says, “For we do not have a high priest who is unable to sympathise with our weaknesses, but one who in every respect has been tempted as we are, yet without sin.”

This penalty was very severe and required that Jesus suffer all of God’s wrath for all humankind’s sin in our place. It also shows us that there was no other way, as we read in Galatians 2:21, “I do not nullify the grace of God, for if righteousness comes through the law then Christ died needlessly”. This is an awesome and wondrous fact: that an almighty, all-knowing and omnipotent God died for sinful mankind, especially since he would have known about the sacrifice he would eventually make for us at the time when he created us. Awesome!

Only Jesus could do this for us. Only he is perfect or good, as we see in Matthew 19:17, “And he said to him, Why do you ask me about what is good? There is only one who is good. If you would enter life, keep the commandments.” We can see again from this scripture that God is the only one who can keep his commandments perfectly as he requires. Salvation is dependent on God’s grace through his gift of Jesus’ life and death on the cross.

Unfortunately, far too often people think that human effort or merit (including man-made religions or belief in something other than Jesus) can measure up to God’s standards for mankind. Tragically, modern Christianity often places an emphasis on Christians obeying God’s law at the expense of remembering how they came to believe in the first place. This was also the case with the Galatians in Paul’s time, in Galatians 3:3, “Are you so foolish? Having begun by the Spirit, are you now being perfected by the flesh?”, as they were justified by faith and were trying to remain in the Lord by their own works.

The Bible is very explicit about this. Acts 4:12: “And there is salvation in no one else, for there is no other name under heaven given among men by which we must be saved.” As stated earlier, but nonetheless necessary to re-emphasise here: if salvation could be obtained elsewhere then Christ died needlessly (Galatians 2:21).

We don’t deserve the mercy that God displayed through his son Jesus; we were God’s enemies at the time, as Romans 5:6-8 explains: “For while we were still weak, at the right time Christ died for the ungodly. For one will scarcely die for a righteous person—though perhaps for a good person one would dare even to die, but God shows his love for us in that while we were still sinners, Christ died for us.”

This salvation plan was God’s idea. It is all about him and the glorious riches of his grace, as we read, finally, in Ephesians 2:4-7: “But God, being rich in mercy, because of the great love with which he loved us, even when we were dead in our trespasses, made us alive together with Christ—by grace you have been saved—and raised us up with him and seated us with him in the heavenly places in Christ Jesus, so that in the coming ages he might show the immeasurable riches of his grace in kindness toward us in Christ Jesus.”

Security as a Function of Time & Cost

Posted in security by wolfyrabbit on December 27, 2008

Three weeks ago I finished my 2-factor authentication project, after it began, rather subconsciously, about 4 years ago. First I tried to use a Rainbow iKey 3000 to store my SSH key, but a lack of alpha-quality support for smartcards in OpenSSH bashed that idea up.

I have been wondering lately how secure a network or system is if it takes 4 years to implement, and more importantly how security works as a function of time and cost. I was thinking specifically: what if I simplified my network to reduce the complexity of its configuration and reduced its deployment time, so that I could respond to security incidents quickly if they ever did occur (I seem to spend forever taking precautions for things that may never happen)?

Would I thereby reduce the risk of total compromise by having simpler and hence “shallower” or isolated systems? I stumbled upon this thought while wondering why I seemed to be the only one insistent on requiring 2-factor authentication to access my systems.

I was thinking of all those Linux sysadmins out there with their ssh-agents and their SSH keys. Are they safe? I guess. I guess an SSH key + a passphrase is, strictly speaking, 2-factor authentication. If someone had compromised their desktop they could use a keylogger to steal their passphrase, and if the baddie was able to install a keylogger then they can read the key file on their system, but how often does this really happen?

I bet it is less than 0.001% of all attacks. Okay, so Linux or *nix has a 2-factor-capable secure access mechanism that includes mutual authentication (SSH host keys). What else makes these systems *reasonably* secure? Simplicity. I bet that they have no directory system, no Group Policy, no graphical user interface, a good firewall ruleset and an admin that has a clue and keeps his boxes up to date.

I wonder if our complicated centralized directory systems, centralized logging, intrusion detection systems and public key infrastructures are so complicated and time consuming that they are less secure in practice than our simple non-multi-homed *nix amoebas?
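The “key + passphrase” argument above only holds if the private key on disk is actually passphrase-protected; an unencrypted key is one factor, and the keylogger scenario becomes moot because the file alone is enough. The check below is an added example, not code from this post: it parses the two private key formats OpenSSH writes (legacy PEM, where an encrypted key carries “Proc-Type: 4,ENCRYPTED” and “DEK-Info:” headers, and the newer “openssh-key-v1” blob, whose header names the cipher, with “none” meaning no passphrase) and reports which keys in a directory are unprotected. The sample key texts are constructed filler, not real key material, and the ~/.ssh path is an assumption.

```python
"""Report which SSH private keys in a directory are passphrase-protected.

Added example (not code from the original post). Handles the legacy PEM
format and the openssh-key-v1 format written by modern OpenSSH.
"""
import base64
import os
import re
import struct

MAGIC = b"openssh-key-v1\x00"
PEM_RE = re.compile(
    r"-----BEGIN ((?:[A-Z]+ )?PRIVATE KEY)-----\n(.*?)-----END \1-----", re.S
)


def _ssh_string(buf: bytes, off: int):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n], off + n


def openssh_v1_header(body_b64: str):
    """Return (cipher, kdf) from an openssh-key-v1 blob, e.g. ("aes256-ctr", "bcrypt")."""
    raw = base64.b64decode("".join(body_b64.split()))
    if not raw.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    cipher, off = _ssh_string(raw, len(MAGIC))
    kdf, _ = _ssh_string(raw, off)
    return cipher.decode("ascii"), kdf.decode("ascii")


def key_is_encrypted(text: str) -> bool:
    """True if the private key in `text` cannot be used without a passphrase."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no PEM private key block found")
    label, body = m.group(1), m.group(2)
    if label == "OPENSSH PRIVATE KEY":
        cipher, _kdf = openssh_v1_header(body)
        return cipher != "none"
    # Legacy PEM: RFC 1421 encapsulated headers, a blank line, then the data.
    headers = body.split("\n\n", 1)[0] if "\n\n" in body else ""
    return "Proc-Type: 4,ENCRYPTED" in headers and "DEK-Info:" in headers


def scan_ssh_dir(path: str = "~/.ssh") -> dict:
    """Map each private key file under `path` (assumed location) to True/False."""
    path = os.path.expanduser(path)
    results = {}
    if not os.path.isdir(path):
        return results
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if name.endswith(".pub") or not os.path.isfile(full):
            continue
        with open(full, "r", encoding="utf-8", errors="ignore") as fh:
            try:
                results[full] = key_is_encrypted(fh.read())
            except ValueError:
                pass  # config, known_hosts, authorized_keys, ...
    return results


def _synthetic_v1_blob(cipher: str, kdf: str) -> str:
    """Constructed test data: only the header of an openssh-key-v1 blob (empty
    KDF options, one key, and the key material omitted), so not a real key."""
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    raw = MAGIC + s(cipher.encode()) + s(kdf.encode()) + s(b"") + struct.pack(">I", 1)
    return base64.b64encode(raw).decode("ascii")


# Constructed samples; the base64 payloads are filler, not key material.
SAMPLE_LEGACY_PLAIN = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MIIBOgIBAAJBAK0000000000000000000000000000000000000000000000000000\n"
    "-----END RSA PRIVATE KEY-----\n")
SAMPLE_LEGACY_ENC = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n"
    "\n"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    "-----END RSA PRIVATE KEY-----\n")
SAMPLE_V1_PLAIN = ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
                   + _synthetic_v1_blob("none", "none")
                   + "\n-----END OPENSSH PRIVATE KEY-----\n")
SAMPLE_V1_ENC = ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
                 + _synthetic_v1_blob("aes256-ctr", "bcrypt")
                 + "\n-----END OPENSSH PRIVATE KEY-----\n")

if __name__ == "__main__":
    for label, sample in [("legacy plain", SAMPLE_LEGACY_PLAIN), ("legacy enc", SAMPLE_LEGACY_ENC),
                          ("v1 plain", SAMPLE_V1_PLAIN), ("v1 enc", SAMPLE_V1_ENC)]:
        print(f"{label:13s} encrypted={key_is_encrypted(sample)}")
    for path, enc in scan_ssh_dir().items():
        print(f"{path}: {'encrypted' if enc else 'NO PASSPHRASE'}")
```

An unencrypted key is the finding here; a key that reports “encrypted” with the legacy format is still only as strong as the single MD5-derived CBC key that format uses, so on a modern OpenSSH it is worth re-saving such keys in the openssh-key-v1 format with a bcrypt KDF.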
Using WiKID 2-Factor Authentication with m0n0wall

Posted in Uncategorized by wolfyrabbit on December 23, 2008

I found out about m0n0wall about a year and a half ago and really love it. Some of its best features are:

  • Easy to deploy (via PC, embedded or even as a VM)
  • Easy to manage (web-based management interface second to none)
  • Powerful. It is easy to create a good, strong firewall ruleset. Traffic shaper, captive portal, PPTP and IPsec VPNs, user manager, single config file (easy backup of configs) and the list goes on.
  • Reliable, and good community support is available

In the last month I bought a 2-factor authentication system from Wikidsystems.com and have set it up as the authentication mechanism for my m0n0wall-terminated PPTP VPN. The steps to set this up are:

  • Install the WiKID Auth server via the ISO or use the RPMs (I found the ISO easier and just upgraded the RPMs after install)
  • Enable the RADIUS protocol modules for your WiKID domain (I have the IP address for the RADIUS server set as 127.0.0.1; not sure why that works but it obviously still spawns a RADIUS daemon on the WiKID Auth server’s real interface). I also had the “Multihomed” setting set to ‘on’ (the default).
  • Set up a network client for your m0n0wall using RADIUS and a shared secret (I have the network client pointing to the interface address of my VLAN, not the LAN interface address)
  • Set up a token client and ensure that you can authenticate to the WiKID Auth server.

On the m0n0wall:

  • Set the PPTP VPN settings to use RADIUS authentication. Set the IP address of the RADIUS server to the IP of the WiKID Auth server and set the shared secret that you specified on the WiKID Auth server.
  • **Reboot the m0n0wall** – I spent a day trying to figure out why this was not working. I set up an iptables firewall rule to log all traffic and could not see any traffic coming from the m0n0wall while trying to authenticate to the VPN. Eventually, out of frustration, I rebooted the firewall and voilà, it worked!!
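The shared secret configured in the two RADIUS steps above is what ties the firewall (the NAS) to the WiKID server: the NAS hides the one-time passcode under it, and the server signs its answer with it. The block below is an added example, not code from this post, from m0n0wall or from WiKID; it runs an RFC 2865 Access-Request / Access-Accept exchange in-process with both sides’ packets, and shows what a secret mismatch looks like from each side (the server recovers garbage and rejects; the NAS cannot validate the reply). It assumes PAP-style User-Password attributes (a PPTP NAS would normally send MS-CHAP attributes instead), a constructed user name, passcode, identifier and NAS address, and no reply attributes.

```python
"""RFC 2865 RADIUS exchange between a NAS and an auth server, in-process.

Added example, not m0n0wall or WiKID code. PAP-style attributes assumed.
"""
import hashlib
import hmac
import secrets
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def _attr(attr_type: int, value: bytes) -> bytes:
    """One attribute: Type, Length (including this 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: 16-byte blocks XORed with MD5(secret + previous block),
    seeded with the Request Authenticator."""
    password += b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(password), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ b for p, b in zip(password[i:i + 16], pad))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password; with the wrong secret this yields garbage."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ b for h, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack(">BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(data: bytes):
    """Return (code, identifier, authenticator, {type: value}); strict on lengths."""
    if len(data) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack_from(">BBH", data, 0)
    if length != len(data):
        raise ValueError("length field does not match datagram size")
    attrs, off = {}, 20
    while off < length:
        if off + 2 > length or data[off + 1] < 2 or off + data[off + 1] > length:
            raise ValueError("bad attribute length")
        attrs[data[off]] = data[off + 2:off + data[off + 1]]
        off += data[off + 1]
    return code, ident, data[4:20], attrs


def nas_access_request(ident, username, passcode, secret, nas_ip):
    """NAS side: fresh random Request Authenticator; passcode hidden under secret."""
    req_auth = secrets.token_bytes(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(passcode.encode(), secret, req_auth))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def server_respond(request, secret, valid_passcodes):
    """Server side: unhide the passcode, decide, then sign the reply with
    Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attrs + Secret)."""
    code, ident, req_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST or USER_NAME not in attrs or USER_PASSWORD not in attrs:
        raise ValueError("not a usable Access-Request")
    user = attrs[USER_NAME].decode("utf-8", "replace")
    presented = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    expected = valid_passcodes.get(user, "").encode()
    reply_code = ACCESS_ACCEPT if hmac.compare_digest(presented, expected) else ACCESS_REJECT
    header = struct.pack(">BBH", reply_code, ident, 20)  # no reply attributes
    return header + hashlib.md5(header + req_auth + secret).digest()


def nas_check_reply(reply, req_auth, ident, secret) -> str:
    """NAS side: verify identifier and Response Authenticator before trusting the code."""
    code, rid, resp_auth, _ = parse_packet(reply)
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    if rid != ident or not hmac.compare_digest(expected, resp_auth):
        return "bad-authenticator"
    return "accept" if code == ACCESS_ACCEPT else "reject"


def authenticate(username, passcode, nas_secret, server_secret, valid) -> str:
    """One full round trip; returns "accept", "reject" or "bad-authenticator"."""
    request, req_auth = nas_access_request(7, username, passcode, nas_secret, "192.0.2.1")
    reply = server_respond(request, server_secret, valid)
    return nas_check_reply(reply, req_auth, 7, nas_secret)


if __name__ == "__main__":
    users = {"alice": "123456"}  # constructed; a real server validates the token passcode
    print(authenticate("alice", "123456", b"s3cret", b"s3cret", users))  # accept
    print(authenticate("alice", "000000", b"s3cret", b"s3cret", users))  # reject
    print(authenticate("alice", "123456", b"s3cret", b"other!", users))  # bad-authenticator
```

Two practical consequences follow from the mechanics: the password hiding and the reply signature are both plain MD5 keyed only by the shared secret, so the secret should be long and random and the NAS-to-server path kept on a trusted segment (the VLAN-scoped network client in the steps above does exactly that), and a NAS should also require a Message-Authenticator attribute (RFC 2869) where the server supports it, which this PAP-only example leaves out.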

Since then it has been working pretty well. I have a token on my phone and one on my Mac, although the Mac token and phone tokens are a few versions behind the current version (the current token wants a higher Java version than you can get on a Mac, which is quite frustrating).

One other issue I have is that I have to request a passcode 2-4 times before I get a passcode. On my phone this is not the case, so it could be a network issue or perhaps a Mac / token issue. Frustrating nonetheless.

Other than those two minor issues the solution works well and I like the WiKID Auth system. Another cool feature is that you can have WiKID “domains”, which allow you to have different zones of authentication while using only one token; for example, I can use a domain to authenticate to my VPN and another (same token, protected by a different PIN) to authenticate to my Linux servers!

Zero-Day Internet Explorer Exploit

Posted in Uncategorized by wolfyrabbit on December 17, 2008

Check it out: http://www.microsoft.com/technet/security/advisory/961051.mspx

I hope to catch the exploit in the wild and inspect it. It would be cool to create an inline Snort rule to catch this to protect networks.
