Monday, February 28, 2011

holy ipv6, batman

i just realized my server is passing ipv6 traffic through ssh for my clients. i enabled ipv6 on a windows laptop (netsh interface ipv6 install, not ipv6 install) and told putty to connect to an ipv4 address, tunneling a dynamic socks proxy on both ipv4 and ipv6 to my remote server (which has an average ipv4 and ipv6 network with 6to4 set up for whatever my isp's 6to4 gateway is). then set up my browser to use the dynamic forward port as its proxy, and hit 'ipv6.google.com'.

BOOM. page comes up. ipv6.google.com<->my6to4box<->putty<->windows<->browser. it just friggin works! http://test-ipv6.com/ says it is indeed the ipv6 addy of my6to4box that it's seeing, so ipv4 and ipv6 really are being tunneled automatically. this is pretty cool.

NOW WHY ISN'T EVERYONE DOING THIS YET?!

(what's funny is i only tested this today because xkcd kindly informed its readership that they finally fucking set up an AAAA record which i'd been complaining about for over a year)
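why it works, as an added example (not code from the original post): the SSH dynamic forward is a SOCKS5 proxy, and a browser configured for remote DNS hands the proxy a hostname (ATYP 0x03) instead of an address. the SSH server then resolves ipv6.google.com itself, gets the AAAA record, and connects over whatever it has, so the client side never needs IPv6 of its own. the sample reply below is constructed (documentation prefix 2001:db8::/32, not a real address) to exercise the IPv6 branch of the parser.

```python
# Added example: build/parse the SOCKS5 messages that ssh -D / PuTTY speak.
import ipaddress
import struct

SOCKS_VERSION = 0x05
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def greeting() -> bytes:
    """Client hello: version 5, one auth method offered, 0x00 = no auth."""
    return bytes([SOCKS_VERSION, 1, 0x00])


def connect_request(host: str, port: int) -> bytes:
    """Build a CONNECT request. Literal IPs go as ATYP 1/4; anything else is
    sent as a domain name so the far end (the SSH server) resolves it, which
    is what lets an IPv4-only client reach an IPv6-only name."""
    try:
        addr = ipaddress.ip_address(host)
        atyp = ATYP_IPV4 if addr.version == 4 else ATYP_IPV6
        dst = addr.packed
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        atyp, dst = ATYP_DOMAIN, bytes([len(name)]) + name
    return bytes([SOCKS_VERSION, 0x01, 0x00, atyp]) + dst + struct.pack("!H", port)


def parse_reply(reply: bytes) -> tuple:
    """Parse the server reply into (REP code, bound address, bound port).
    REP 0x00 means the tunnel is up. The bound address may come back in any
    of the three address types, so a client must handle all of them."""
    if len(reply) < 4 or reply[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = reply[1], reply[3]
    if atyp == ATYP_IPV4:
        addr, rest = str(ipaddress.IPv4Address(reply[4:8])), reply[8:]
    elif atyp == ATYP_IPV6:
        addr, rest = str(ipaddress.IPv6Address(reply[4:20])), reply[20:]
    elif atyp == ATYP_DOMAIN:
        n = reply[4]
        addr, rest = reply[5:5 + n].decode("idna"), reply[5 + n:]
    else:
        raise ValueError(f"unknown ATYP {atyp:#x}")
    if len(rest) < 2:
        raise ValueError("truncated reply")
    return rep, addr, struct.unpack("!H", rest[:2])[0]


# Constructed sample reply (not captured from a real server): success, with an
# IPv6 bound address from the documentation range.
SAMPLE_REPLY = (bytes([SOCKS_VERSION, 0x00, 0x00, ATYP_IPV6])
                + ipaddress.IPv6Address("2001:db8::1").packed
                + struct.pack("!H", 443))

if __name__ == "__main__":
    print(greeting().hex(), connect_request("ipv6.google.com", 443).hex())
    print(parse_reply(SAMPLE_REPLY))
```

if the browser is set to resolve names locally instead (socks5 rather than socks5h in curl terms), the client-side resolver does the lookup and an IPv4-only client never sees the AAAA record.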

it had to happen sometime

i predicted this years ago when my last company first thought of migrating to a 3rd party to host their mail cheaper. i don't remember if they ever implemented a strategy to back up the mail remotely, though i do remember for a while the "beta testers" had their mail sent both to exchange and gmail.

point is: don't tell me just because a company is large or reputable that the basic procedures of any IT department should be ignored. if you have data and it's important you need to keep a backup, and you need to be able to verify the backup. if you can't put your hands to a redundant offsite copy of your data it's going to vanish eventually.

to all the people that lost their mail: i feel for you. i've lost data before too because i didn't back it up. however, we do learn that most of our correspondence's history is unnecessary. nice to have "in case of emergencies", but unnecessary. do i really need those mailing list threads from 3 years ago? will that website confirmation really be necessary down the road? nah. the personal messages passed between family and friends may be missed, but i've never really "gone down memory lane" before and doubt i would in the future.

this is also the risk you take when you rely on web-only email. luckily i believe gmail allows any user to make an offline copy of their mail, but some services like yahoo and hotmail do not (unless you pay). i'd like to see a push for competing providers to mirror other providers' datasets for redundancy but that might just make them less important in the end.

Thursday, February 17, 2011

why your company needs to use 2-factor security now

so this story points out one of the pink elephants in corporate security: accounts are often left open after employees leave the company. the other pink elephant they won't talk about is shared accounts.

i can't tell you how many people's passwords have been told to me by users while i was an admin. if i wasn't creating them an account i'd just be troubleshooting something and they'd just give me their password, like it was a free coupon. aside from this there's co-workers who often share passwords to get access to files locked away by strong permissions or to work on the same project for brief periods, or just for the hell of it. they don't really care about security and they don't think anyone's going to abuse the trust. but there's very little trust in real security.

so here you have ex-employees who potentially know several other employees' passwords. if all you use is a password for, say, VPN and e-mail, your company has been owned. there are case studies in how you will get hacked just by pilfering an e-mail account. so clearly, this shit needs to be locked down. you can't just rely on a password - you need another authentication factor.

don't want to pay for expensive RSA SecurID? that's fine; use VeriSign's free OpenID provider and a $5 hardware authenticator from PayPal (or a $30 version from VeriSign) and you have effective, open 2-factor authentication.

is it possible to steal someone's authenticator and get away with a similar hack? of course. but it's a lot easier for someone just to log in using someone else's credentials and escalate to wherever they want to be.

Wednesday, February 16, 2011

most tech stays the same

Sometimes I get a little scared of the future. I'm not exactly a luddite but I'm pretty close to it considering I'm supposed to be some computer-whiz hacker guy. Most of my hardware is years old by the time I buy it and I keep it around until it falls apart. My software... well, I'm a Slackware user, let's leave it at that. I still don't use any programming languages other than Perl and C. And apparently I can still make a very good living like this.

That's the funny thing I'm realizing... While we always have to adapt to some newfangled apparatus, in general everything is the same. We're still using computers based on a friggin' 26-year-old processor. We're still using the operating systems designed for them. We're still programming in and using the products of languages just as old and older. While the fashion may change, at the end of the day we're still wearing pants, and still writing code that doesn't sanitize input.

Security isn't any better than it used to be. Firewalls are still relatively dumb beasts (do you know any large company that does layer 7 filtering that isn't just proxies?). Anti-virus software is about as accurate against modern obscure trojans as they used to be. It's possible that web application writers are even less intelligent than they used to be, seeing as their output is the rife fodder for a new generation of penetration testers. Hell, we're still using passwords for root accounts. (We still HAVE root accounts!?)

Probably the one thing that is quickly changing is the barrier to entry. It used to be you'd pay a hundred bucks or more for a menial dedicated server. Now four dollars US will get you 15 gigs of space, a gig of ram and 200 gigs of bandwidth on a 100mbit shared pipe. PER MONTH! You spread that hundred bucks out and you've got an impressive server farm by 1999's standards. And computers in general keep getting cheaper, meaning more kids can get their hands on a netbook and start hacking away. Pretty soon you'll see a new start-up sector dedicated to youth and college kids, who join forces and collaborate - not to write free software like Linux, but free apps for Android and web development farms.

And still, the tech remains mostly the same. Web apps (we used to call them 'cgi scripts') and their backend counterparts interfacing with relational and non-relational databases (we used to call them 'BerkeleyDB') just become the modern fashion of development, with mobile platforms being the meatiest new market to squeeze some bucks out of. But all the old standards will still be there. Some guy will still be assembling a C library for some high-speed low-latency backend app to interface with his Clojure mobile app. The devs will write some Python or Perl script to get their app staged on their workstations and hand it off to the sysadmins to run in production (with minor edits, of course). Security goons will continue to scan their networks and sites for unexplored chasms of potential vulnerability.

We'll never really reach a utopia where modern technology becomes re-invented and everything is magically better. Everything pretty much stays the same.

Friday, February 11, 2011

encrypted message passing with plausible deniability

so, RedPhone is encrypted VoIP with an intermediary to pass the connection off. with this it's possible for a foreign power to force you to reveal the nature of the call. their other product, TextSecure, offers little in the way of "encrypted SMS" because they use OTR which is effectively pointless with a man in the middle. however, if you wanted to transmit a message with plausible deniability, you could do it like this.

create a store-and-forward service for anonymous message pushing and pulling. make all messages encrypted and have a set size. something decent enough for a small compressed media file. every time you connect you push an encrypted message of this size and you pull one of the same size. every single time. time between each successful communication should be something like every half hour or every hour.

the result should be that nobody can tell if you were actually sending or receiving anything because it always sends and receives something, all the time, regardless of whether you needed to do anything. you could also have it encrypt like a matroska file so you can encode multiple files, and possibly even an encryption package which only decrypts parts of the payload as determined by the encryption term used, so if you used one decryption term it decrypts an MP3 file, and another decryption term reveals secret documents. plausible deniability!
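the fixed-size, multi-key envelope described above, as an added toy implementation (not code from the original post, and not RedPhone/TextSecure code): every message on the wire is exactly ENVELOPE_SIZE bytes whether it carries two payloads or pure noise, each slot is sealed under its own key, and the key you hand over decides which file comes out. the cipher is a demo keystream built from HMAC-SHA256 so it runs on the stdlib; it is an illustration of the layout, not a vetted construction.

```python
# Added example: fixed-size deniable envelope with per-slot keys.
import hashlib
import hmac
import os
import secrets
import struct
from typing import Dict, Optional

SLOTS = 3                  # fixed number of slots per envelope
SLOT_DATA = 4096           # padded payload bytes per slot
NONCE, TAG = 16, 32
SLOT_SIZE = NONCE + SLOT_DATA + TAG
ENVELOPE_SIZE = SLOTS * SLOT_SIZE


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Demo keystream: HMAC-SHA256(key, nonce || counter) blocks."""
    out = b""
    for i in range((n + 31) // 32):
        out += hmac.new(key, nonce + struct.pack("!I", i), hashlib.sha256).digest()
    return out[:n]


def _seal(key: bytes, data: bytes) -> bytes:
    """One slot: nonce | ct(len-prefixed data + random pad) | HMAC tag."""
    if len(data) > SLOT_DATA - 2:
        raise ValueError("payload exceeds slot")
    plain = struct.pack("!H", len(data)) + data + os.urandom(SLOT_DATA - 2 - len(data))
    nonce = os.urandom(NONCE)
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, SLOT_DATA)))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def build_envelope(payloads: Dict[bytes, bytes]) -> bytes:
    """Seal each key -> data pair into a randomly chosen slot; unused slots are noise."""
    if len(payloads) > SLOTS:
        raise ValueError("too many payloads")
    slots = [os.urandom(SLOT_SIZE) for _ in range(SLOTS)]
    order = list(range(SLOTS))
    secrets.SystemRandom().shuffle(order)
    for idx, (key, data) in zip(order, payloads.items()):
        slots[idx] = _seal(key, data)
    return b"".join(slots)


def cover_message() -> bytes:
    """What you push or pull when there is nothing to say: noise of the same size."""
    return os.urandom(ENVELOPE_SIZE)


def open_envelope(env: bytes, key: bytes) -> Optional[bytes]:
    """Try every slot under `key`; only a slot sealed with that key verifies."""
    if len(env) != ENVELOPE_SIZE:
        raise ValueError("wrong envelope size")
    for i in range(SLOTS):
        slot = env[i * SLOT_SIZE:(i + 1) * SLOT_SIZE]
        nonce, ct, tag = slot[:NONCE], slot[NONCE:NONCE + SLOT_DATA], slot[-TAG:]
        if hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
            plain = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, SLOT_DATA)))
            return plain[2:2 + struct.unpack("!H", plain[:2])[0]]
    return None   # wrong key, or a pure cover message: the reader cannot tell which


# Constructed sample: a decoy "mp3" under one key, documents under another.
DECOY_KEY, REAL_KEY = b"key-for-the-music", b"key-for-the-documents"
SAMPLE = build_envelope({DECOY_KEY: b"ID3...fake mp3 bytes", REAL_KEY: b"the secret memo"})
```

the thing the layout does not hide is the schedule itself, which is why the post insists on pushing and pulling on a fixed timer regardless of need.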

a week with a robot

sometime last week i bought my first Android phone. i've never owned an iPhone so i can't compare it to that, but i have owned S60 and Windows Mobile phones, so we can start there. this is the LG Optimus V from Virgin Mobile.

pretty much every carrier except AT&T has a version of this phone now, and i personally think this one looks the nicest. you can probably get it for free on another carrier by getting a contract, but the phone only costs $150 without a contract, making it (afaik) the cheapest android phone on the market. with month to month plans with unlimited data and texting starting at $25, this is the cheapest smartphone and plan in the united states. but since the price is so low, there have been some problems.

the battery sucks. the damn thing could hardly stay on for 8 hours after the first charge. after killing the battery 3 times the battery slowly started to gain some extra life (after about 4 or 5 days). some forum browsing had me try a few tricks like turning on airplane mode or turning off data, and this has something to do with the "cell standby" battery-sucking thing in the phone's battery use screen. i haven't measured the battery life since the last charge, but if the phone is alive when i wake up in the morning it will have lasted just past 12 hours on standby. this is HORRIBLE standby battery life for any modern smartphone, but to be honest if i can just make it stay alive for 3/4 of a day i will live with the crappy battery life. (this is all with gps, bluetooth, wifi and google syncing turned off and brightness set to the lowest setting)

the keyboard (both the android keyboard and Swype) locks up randomly in some apps like the browser. like 4 times in a day. i installed the "gingerbread" keyboard from android 3.0. it doesn't do swype (which is kind of annoying) but at least it isn't freezing up all day now. it seems like portrait typing is a lot more accurate than landscape which is kind of the opposite of how i thought typing accuracy would go.

google navigation is *amazing*. it's like i finally have a real car gps. even if you're not looking at it, you can listen to it and follow the directions just fine. kind of hard to hear it over music in the car but i'll figure out a way around that eventually.

the phone as a whole is very fast and i never see anything lag or skip really. considering this is a "slow" 600mhz processor i'm kind of impressed, and it's definitely worth the money speed-wise.

what the hell is with Android that you can't close apps? there's a way to "force stop" applications in android, but it's just dumb to me to clutter up your OS with applications you aren't using. some of the apps when you "background" them don't do anything, but some definitely do, robbing you of battery life and using data. just let me close the damn apps android. it makes me feel better.

the "market" feels just like s60 app downloading: a bunch of shoddy, not-quite-trustworthy developers making useless apps for free and requiring you to fork over access to practically the entire phone to do something like download news updates.

it's difficult to do something trivial like just set a black background or select an MP3 as a ringtone. they were nice to provide a tutorial for things like Swype but everything else is a clunky learning process. i think at least once there was some simple action i wanted to do but i had no idea how to do it in android and had to go digging around in google and knowledge bases to no avail.

the camera and video are pretty decent. there's no flash of course, but beggars can't be choosers with a cheap thing like this. it's nice to have 30fps video again.

it's also nice to have a standard 3.5" headphone jack and mini-usb connector for once. i've settled for proprietary connectors most of my life and now i can actually go get a giant microsd card and listen to music with a normal headset. of course there's no media buttons anywhere on the device, but there's a headset with media controls that i might be able to get for it, or make for it.

oh yeah, and i was right about touchscreens: they're shit for texting while driving. you have to look down all the time for what you're typing and correct it, unlike a real keypad. with swype i'd have a pretty good chance of just getting words out a few letters at a time, but since i have to use the gingerbread keyboard there's a high likelihood i'll screw up and it'll take a lot longer to finish just one word.

they tell you some crap in the reviews about "it doesn't have tethering or flash." you can use a browser that transcodes flash to html 5 (skyfire or something), and the tethering is just hidden; a free app download will "push the button" for you and enable it. you can also root the phone but so far i have no need to do anything that requires rooting.

in general i think the Android OS is immature and not as useful as something like s60 or sony ericsson. they're still behind the curve, trying to provide the same user experience that has sat there for years in other more "common" devices. hell, just the "main menu" is awful: 100 different apps crammed into one screen and if you want to separate them you have to do it yourself on one of the 4 or 5 panes of the main workspace screen.

i'm going to terminate my AT&T account and go with just this phone and virgin mobile. the price can't be beat. and now that i have an android phone, all of my texts and calls both come from and to my google voice number, so it appears to everyone that it's "my real number." no more of this 2-phone-numbers crap people had to figure out with me before. it's beautiful.

Wednesday, February 9, 2011

caching the internets

say you wanted a project to provide a small amount of internet bandwidth to a large number of users (say, an african town via a satellite link, or a few blocks in egypt with a t1 line). you'd need some serious caching, access control and traffic shaping to ensure it kept working.

first of all you have to determine capacity and limit use. you can't just allow a thousand retards to start torrenting every season of House from a fucking satlink. total outbound and inbound traffic must be regulated to allow a usable number of connections at a usable bandwidth (so for the sake of argument, slightly slower than a 56k modem). no more than $BANDWIDTH/$MODEM_SPEED streams at a time with a timeout (tcp keepalives disabled). big syn backlog buffer to wait for an available slot while trying to connect.

also you need to shape a couple protocols for less latency. ssh gets higher priority, but only up to a certain amount of bandwidth... if an ssh session uses more than 5 megabytes of traffic, somebody is fucking scp'ing so kill that connection (not that they can't get around that with an rsync loop). SIP and some other protocols also need low latency.

squid or some other more efficient proxy with HUGE cache store at the uplink point. dns proxy as well. also if it's not too much trouble, a pop3/imap caching server, and definitely an (authenticated) smtp relay to pass messages when the link is available again. run an ad-blocking thing in the proxy to strip out all unnecessary garbage content which would just suck up bandwidth otherwise. if you want to get retarded, block all streaming content. if you want to get SUPER retarded, limit allowed content to only a few MIME types (text/html, image/jpeg, text/plain, etc). allow for whitelists of commonly-hit, cacheable content among the stuff that's blocked.

it could be that additional routes are added to this one tiny uplink as the network grows. add a new caching server with the same tweaks at each router so that cache is kept at each subnet and also the main uplink point. this helps reduce bandwidth used getting to the uplink point itself, allowing your intermediary routes to also be weak/small.

what may also help is an additional proxy at the other side of the satlink which compresses content before being sent to the client pipe; kind of like Opera, this would (for example) compress images on a network which had fast internet access and then send across the slow satlink to the caching stuff, further decreasing delivery time and bandwidth.

SSL makes all this caching obviously more hairy and bandwidth demands more intense. perhaps shape down the connection speed of SSL connections since we know they're going to suck more bandwidth and reduce total possible client connections. or, if people would consider this, provide an encrypted VPN solution that people could connect to on the cache box and then do all their traffic via plain-text. another option: run an sslstrip-like app on any site that will work without ssl, and basically just circumvent security and tell the users not to expect privacy. more bandwidth or more security, you decide.

it should go without saying, but nazi-esque firewall policies implemented on the borders. block everything unless explicitly requested and with a good reason. use layer 7 filtering wherever possible to ensure they're really using those ports for what they say they are. if it's to use some common public service like AIM, only allow the servers that AIM uses.
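the cache-box rules above in squid's own directives, as an added example (not from the original post): a huge disk cache, per-client shaping to just under 56k, streaming blocked, a few allowed MIME types, and a whitelist of cacheable sites that bypasses the MIME filter. paths, sizes, the subnet and the whitelist file are assumptions; delay pools need squid built with --enable-delay-pools.

```conf
# Added example squid.conf fragment; paths/sizes/subnet are assumptions.

# HUGE cache store at the uplink point; keep big objects, be generous with RAM
cache_dir ufs /var/spool/squid 200000 16 256     # 200 GB on disk
cache_mem 2048 MB
maximum_object_size 256 MB
maximum_object_size_in_memory 1 MB

# Cache static content aggressively even when origin headers say not to
refresh_pattern -i \.(jpg|jpeg|png|gif|css|js|ico)$ 10080 90% 43200 override-expire
refresh_pattern . 0 20% 4320

# Per-client shaping: class 2 = aggregate/individual, -1 = unlimited,
# 6000 bytes/s per client is "slightly slower than a 56k modem"
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 6000/6000
delay_access 1 allow all

# Block streaming outright; allow only a few MIME types, except for a
# whitelist of commonly-hit cacheable sites that bypass the MIME filter
acl streaming rep_mime_type -i ^video/ ^audio/ ^application/x-shockwave-flash
acl ok_mime rep_mime_type -i ^text/html ^text/plain ^text/css ^image/jpeg ^image/png ^image/gif
acl whitelist dstdomain "/etc/squid/whitelist.txt"
http_reply_access deny streaming
http_reply_access allow whitelist
http_reply_access deny !ok_mime
http_reply_access allow all

# A reply denied above has already cost the header fetch; drop the body
# immediately instead of finishing the download into the cache
quick_abort_min 0 KB

# Only the local subnets may use the cache at all
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access deny all
```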

yet more shitty vendor software

Oracle's Client installer is shitty. I think we all know that. There's some arcane mystical process in which you're supposed to figure out how to record an interactive install's options, then repeat the install later with a "silent install" using the pre-recorded steps. That usually doesn't work, either because the documentation is ages old or the syntax has changed or depends on some other shit they haven't told you about and provide no debugging information to figure it out. So pretty much the same as doing a Solaris JumpStart.

RSA is the new vendor hell i'm involved in. These morons couldn't create a software installer to save their lives. They have this huge installer just for their Access Manager product which provides all these dependencies that your OS already has (because it's impossible to just specify requirements for software anymore; they should really ship me a copy of Bash to run the install script). You run the installer bash script, which usually requires root and has about a billion hard-coded paths in it, so even if you pick a new install path it's only going to work in the pre-recorded path. There's also a bunch more scripts which get executed that modify system-level root-owned files, and there's no way to get around these hard-coded paths unless you 1. edit the install script, then 2. create a new RPM database in your user's home directory/modify your rpmmacros file, 3. unpack the RPM that the software comes in (which is for some reason packaged separately from the rest of the install software) and modify all the scripts and paths and re-pack into an rpm. That's for Linux; for Solaris it's near god-damn impossible without root, or just lots and lots more editing and unpacking by hand.

The end result is that you have to fucking re-engineer their whole installer just to get the god damn thing to install in more than one place and without root. What kind of morons are these people? Do they really expect someone with root credentials to sit there and babysit someone installing a shitty instance of their shitty product? I understand that creating user accounts just for the software is up to the root-owning sysadmins, but everything else probably needs to be done by somebody else and in multiple times and multiple paths. Having a "response file" to read and re-install with is nice, but only if you can fucking USE it for something, like actually installing to a non-standard path as a normal user.

Get with the fucking program, shitty 3rd party software vendors. Even Oracle has a "run-as-root.pl" file so the majority of the install can be performed by a not-root terminal monkey. And for fuck's sake, provide some simple documentation and explanation IN YOUR INSTALL FILES. I don't want to dig through 20 PDFs on your shitty knowledge base site or call tech support just to figure out how the hell to create this god damn response file to install your crap. I have better things to be doing than figuring out your lame installer.