Posts Tagged ‘paranoia’

bup quick reference

Thursday, April 25th, 2013

Git is nice and flexible. I wish my backups were that flexible. Thankfully, my wishes have been answered, as bup was created.
I used to look up the 28c3 bup slides for a quick reference, until I realized I was always looking for just one page of the slides. Best docs are short docs.

# Install
sudo apt-get install python2.6-dev python-fuse python-pyxattr python-pylibacl
git clone
cd bup && make && make test && sudo make install
# index zz's home directory
bup index -ux /home/zz
# backup to default BUP_DIR and label the backup 'laptop'
bup save -n laptop /home/zz
# backup to remote myserver, naming the backup 'laptop'
bup save -r myserver -n laptop /home/zz
# index /home/zz on myserver
bup on myserver index -ux /home/zz
# backup myserver:/home/zz, naming the backup 'server'
bup on myserver save -n server /home/zz
# check the latest laptop backup
bup ls laptop/latest/home/zz

It’s hard to migrate from tivoli, rsnapshot, tarsnap and friends when you don’t know how. So here we go, without further ado, all you needed to know about bup but never dared to ask, i.e.

Some reasons to use bup:

  • global deduplication
    • rsnapshot: 4.97G = 2.18G with bup
    • rsnapshot: 12.6G = 4.6G with bup
  • save transmission time
  • backups are oneliners
  • anytime snapshots
  • uid,gid,permissions,acl,selinux
  • par2 anti-bitrot and corruption resistance
  • runs on dd-wrt

This is awesome, but there are two caveats. One is that I am unaware of Enterprise™ shops using bup yet; the other is a common question: no, bup doesn’t encrypt data.

You can either encrypt or deduplicate. Choose. If you want the other, you probably want duplicity or tarsnap.

the paranoid console viewer

Tuesday, June 19th, 2012

Hi all,
I know it’s been a while since my last post.
There is lots to talk about, but let’s start afresh with something short and sweet.

Let me paint a picture for you:
There is something broken in the most holy and secure part of your network. You need to call support to have them look at it. The support rep wants console access, but you can’t give them axx to your holiest cream pie.
They offer to take over your desktop with a java rootkit app like TeamViewer, GoToMeeting or WebEx.
You decline. You need to stay in control, but show them what they need to see, that and only that.

Let me be clear on the problem statement:
Read-only shell access to the most secure host, which is not available over the wire, viewed by multiple parties at the same time.

Here’s how to do that with SSH, screen(1) and some foo,
with ssh->chroot->rbash->readonly multiuser screen->reverse ssh->openvpn:

You will need a linux server in an “unsafe” zone which is exposed to your support rep on the internet or thru VPN.

  1. Create the user to be contained on your unsafe box, with the restricted bash shell:
    unsafe# export user=rep; adduser $user; chsh -s /usr/bin/rbash $user
  2. (Bonus:) chroot/contain the user within sshd_config
  3. Set up multiuser screen on the unsafe box. There are lots of guides for it, but the short and sweet of it is:
    unsafe# chmod +s `which screen`; chmod 755 /var/run/screen
    Indeed, this increases the attack surface, and therefore we call this box the unsafe one.
  4. ssh from the secure zone to the unsafe server, forwarding a port back to the secure host, and start screen there:
    secure# ssh -R 2222:localhost:22 unsafe screen
  5. Run screen from YOUR account and restrict $user (replace $user with whatever from step 1):
    :addacl $user
    :chacl $user -w "#"
    :chacl $user -x "?"
    Then, still in your screen:
    :multiuser on
  6. Win! Now you can reverse ssh back to the secure zone and let $user on the unsafe box read the terminal without being able to access anything but what you show her.
  7. Bonus: Add `screen -x $youraccount/` to $user’s .profile and $user will drop straight into the locked screen (-x rather than -r, since your own session is attached at the same time). Remember that multiuser screen is read-write-execute for all accounts that are addacl’d, so you might want to chacl before enabling the $user account login.

And there you have it, a superparanoid reverse secure-unsecure remote shell viewer.
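As an added example (not from the original post), here is a small shell helper that writes the screenrc for steps 5 and 7 and audits an existing screenrc for accounts that were addacl’d but never stripped of write and execute rights, which is the trap step 7 warns about. The account names rep and admin are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the screenrc for the
# read-only multiuser viewer (steps 5 and 7) and audits a screenrc for
# accounts that were addacl'd without being restricted afterwards.
# Assumptions: the contained account is called "rep" and the owner account
# "admin"; both names are placeholders.

# Emit a screenrc that grants $1 read-only access to every window.
# acladd alone grants read, write AND execute, so the two aclchg lines
# that take write ("#" = all windows) and execute ("?" = all commands) away
# are what make the session read-only.
readonly_screenrc() {
    rep="$1"
    cat <<EOF
acladd $rep
aclchg $rep -w "#"
aclchg $rep -x "?"
multiuser on
EOF
}

# Emit the .profile for the contained account: it attaches to the owner's
# session (-x, since the owner is attached too) and logs out when that ends,
# so the rep never gets a prompt of her own. rbash forbids the exec builtin,
# hence the explicit exit afterwards.
rep_profile() {
    owner="$1"
    printf 'screen -x %s/\nexit\n' "$owner"
}

# Audit a screenrc ($1): print every account that was acladd'ed/addacl'ed
# without both a -w and a -x restriction. Returns 0 when none exists.
# (Comma-separated user lists are handled for acladd only.)
screenrc_unrestricted_users() {
    awk '
        $1 == "acladd" || $1 == "addacl" {
            n = split($2, us, ",")
            for (i = 1; i <= n; i++) added[us[i]] = 1
        }
        ($1 == "aclchg" || $1 == "chacl") && $3 == "-w" { now[$2] = 1 }
        ($1 == "aclchg" || $1 == "chacl") && $3 == "-x" { nox[$2] = 1 }
        END {
            bad = 0
            for (u in added)
                if (!(u in now) || !(u in nox)) { print u; bad = 1 }
            exit bad
        }
    ' "$1"
}
```

Run `readonly_screenrc rep > ~/.screenrc-viewer` on the unsafe box and start your session with `screen -c ~/.screenrc-viewer`; `screenrc_unrestricted_users` is the check to run on any screenrc before the contained account is allowed to log in.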


pixie dust

Thursday, February 2nd, 2012

we’ve booted backtrack off usb before, now that’s kinda
boring and installing backtrack onto the usb with unetbootin
is painfully slow and not the same as booting straight off the
usb which is what we want in this case; not an install
but a fresh copy every boot

there is someone disagreeing in the back of the room, now
wouldn’t this be a lot more complicated? No sir. On the contrary,
booting fresh every time makes work a lot simpler; you gain a
direct relationship to what you store where, and where you
access your data from

but there is another one in the front; you sir, you feel that
one would have to sacrifice many of the comforts such as all
and any tools of the trade at hand and permanent local storage -
but at best this is a lazy roadblock to salvation; by booting
off of local storage we have local storage at hand in a more
practical format, be it even a microscopic carrier that can be
removed and replaced with sufficient storage for everything
and then some

the medium can be embedded, destroyed or ingested, so
the impermeability of accidentally recorded data and the
robustness, accessibility and portability of removable storage
come very much in hand in situations that either require
inconspicuousness, anonymity, covertness, plausible deniability
or a high degree of reliability in day-to-day computing

the totality of the system being given to remaining only in memory
causes it to be independent of other storage for operations, and when
operations cease from loss of any exterior preconditions, the
system simply ceases. when preconditions reoccur – by powering on
and executing the first block – the system can be relied upon to
simply start afresh, completely unperturbed by any previous history

should the need arise to patch the system; say some new app or
capability is called for where there is no time to rebuild,
a patch should always be scripted when there is certainty that
the capability will require a repeat performance. It is advised
to devise a patch which includes all dependencies.

thus the fresh system becomes more capable and more accessible
over time, just like an install. patches can then easily be
rolled into the system should they prove useful to others.

But how does one do it? Well, it’s easy but unfortunately
not as easy as overwriting the boot device; it’s just not
practical because partitioning is always an individual consideration

  • there are often other files on the block device
  • choice of filesystem and memory technology has much bearing
  • the block device is larger or smaller than expected

instead, we allow any bootable partition scheme and any
filesystem and memory technology, as long as the storage
requirements of the system are met;

here’s how to clone:

    cp -a boot/ apt/ casper/ gone/ preseed/ syslinux/ 
    syslinux /dev/partition
    mbr /dev/device

but that’s fine, it’s been done and all, but even the ability to
boot the system with precisely zilch local storage comes in
handy, and for that we have pixie dust.

pixie daemon and tiny ftp should be pointing at a path
exactly matching the dhcp-provided path.. otherwise
you will have worries!

    service=X86PC,0,0,local,Local boot

“high speed” tftp daemons and multicast can be found but it is
advised to stick to tftpd-hpa and dnsmasq with no esoterics due
to the sheer amount of variables introduced.


    # not strictly necessary but makes the menu pretty
    menu hshift 13
    menu width 49
    menu margin 8
    menu title BackTrackBoot
    default vesamenu.c32
    display f.txt
    timeout 600
    label local
    menu label Local Harddisk
    localboot 0
    menu begin bt
    menu title BackTrack 5
    # ok here comes the real shit
    label backtrack5
    menu label BackTrack R1
    kernel bt5/vmlinuz
    append boot=casper netboot=nfs nfsroot=vulcano:/mnt/bt5 initrd=bt5/initrd.gz text splash vga=791 file=/cdrom/preseed/custom.seed --
    menu end

you’ll need to copy the initrd.gz and vmlinuz from the backtrack ISO’s /casper folder into tftpboot/bt5 (you can mount the ISO with mount -o loop -t iso9660 bt5.iso /mnt/bt5)

the rest of the files you provide to the bootee over NFS


    mount -t iso9660 -o loop BT5R1-GNOME-32.iso /mnt/bt5

add an http server with kickstart / preseed files for an ever more powerful setup,
in which case you replace the file= stanza in the append line with

more on preseeds… maybe later.

Now restart all dependent services:

    /etc/init.d/nfs-kernel-server restart
    /etc/init.d/tftpd-hpa restart
    /etc/init.d/apache2 restart
    /etc/init.d/pxe restart

debugging this setup usually requires tracing the process that is failing, so:
  - dhcp options tracing (dnsmasq verbose and tcpdump / wireshark)
  - verbose pxe
  - verbose foreground tftpd-hpa: in.tftpd -v -v -L /var/lib/tftpboot
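An added example, not from the original post, for the tracing step: a shell check that reads a pxelinux config like the BackTrackBoot menu above and lists every kernel or initrd path that is not present below the tftp root, catching the path mismatch warned about earlier before tftpd has to. The tftp root and config file locations are passed in as arguments, and the sample config in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. The stage of a PXE boot that
# fails most often is tftp fetching a kernel or initrd at a path that does
# not exist under the tftp root. This reads a pxelinux config and reports
# every kernel/initrd path it names that is missing below that root.
# Assumptions: paths in the config are relative to the tftp root, as in the
# BackTrackBoot menu above; the tftp root location is passed by the caller.

# Print the kernel and initrd paths referenced by a pxelinux config ($1),
# one per line. Handles both the INITRD keyword and initrd= on APPEND lines.
pxelinux_boot_files() {
    awk '
        tolower($1) == "kernel" { print $2 }
        tolower($1) == "initrd" { print $2 }
        tolower($1) == "append" {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^initrd=/) {
                    # initrd= may carry a comma-separated list of images
                    n = split(substr($i, 8), imgs, ",")
                    for (j = 1; j <= n; j++) print imgs[j]
                }
        }
    ' "$1"
}

# Check that each file referenced by config $2 exists under tftp root $1.
# Prints the missing paths; returns 0 when everything is in place.
pxelinux_missing_files() {
    root="$1"
    cfg="$2"
    missing=0
    for f in $(pxelinux_boot_files "$cfg"); do
        if [ ! -f "$root/$f" ]; then
            echo "$f"
            missing=1
        fi
    done
    return $missing
}
```

Typical use is `pxelinux_missing_files /var/lib/tftpboot /var/lib/tftpboot/pxelinux.cfg/default` right after copying the casper files, before restarting the daemons.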

CPM 0.26 the Console Password Manager

Monday, December 5th, 2011

Some of you might have noticed that I’ve adopted this little program while its original author is MIA, and that my efforts have resulted in its inclusion in debian wheezy earlier this year.

This is great news and makes it a breeze to get up and running with CPM with a simple apt-get install cpm

However, it seems that most people are interested in running CPM on older distributions; realistically, the stable distribution codenamed squeeze is a favorite, as well as the Ubuntu LTS release 10.4 codenamed lucid lynx.

So I have built some updated packages of CPM for these oldies but goodies:
* CPM for squeeze i386
* CPM for squeeze amd64
* CPM for lucid i386
* CPM for lucid amd64

Remember to install the dependencies though. On squeeze, they are:

    me@mine:~# apt-get install \
        libcdk5 libcrack2 libdotconf1.0 libgpg-error0 \
        libgpgme11 libxml2 libxml2-utils libpth20

File us a ticket if you run into trouble with these packages or need cpm working on some other distribution.

CPM is a simple, paranoid password manager for the console with some cool features that make it stand out:

* data files can be encrypted for more than one person
* data files are signed by the last person who saved them, so forging data files is not possible
* data files are en- and decryptable directly by gpg and gzip
* the application memory is protected from paging, core dumps, ptrace attacks and the runtime environment
* data is validated using an internal DTD
* several passwords per account can be stored
* it’s possible to handle several data files, each encrypted for different people
* cracklib checks of password strength and warnings about weak passwords
* user definable hierarchy with unlimited depth
* long comments for any node in the hierarchy
* password generator
* only one password visible at a time
* searchable database from the command line
* user definable search patterns (e.g. user@hostname)
* several hits can be displayed at once (e.g. several accounts per host)
* conversion scripts for Password Management System (pms), Password Safe and CSV files

oh noes, o cert my *sniff* cert

Monday, September 26th, 2011

I’m not going to tell you about DigiNotar, whose filing for bankruptcy this month held shock for no one after they recently lost the keys to the grand vault, in which the government held much stock. Though I have many comments upon the sophistication of the player that so thoroughly owned the most trusted agencies of the digital age….

The cracker hardly needed them skillz, considering it has been a challenge to keep that whole corrupt industry accountable. The trouble with the central authority system is that even if only one of the keys is compromised, the system is broken and gives no assurances whatsoever. No warning bells either. Just a sweet silent man in the middle, passing along all the best parts to his lover.

It’s not a joke for the 300,000+ people who documentedly had their emails and facepalms compromised. We thought he was kind to give an interview and we wait in awe for his next move.

I’m not going to mention the fatal flaws in certificate revocation that became embarrassingly apparent when the damage was done.
Which is hardly the matter, since this kind of thing is bound to crop up: that hole in TLS was deemed unexploitable – now there’s a Titanic if I ever saw one. Unsinkable. Too fat to die.

SSL is an open book for those who dare to look, and it’s got more than a couple of old bugs. It’s okay though, we can patch it, they will say. Dare to look the other way!
Not that you need those anyway, since there are some really nice sslsnarfing techniques out there that entirely forgo attacks on SSL as “too inefficient”.

But I say nay! Unacceptable. There is another way.. and we’re already doing it! We sign our own signatures and we back each other’s signatures.
Now that’s business, something that the companies on your CA trusted list were painfully aware of when they laid down the law of the code and put themselves on the trust list. Yet still ca-cert is not on your trust list, and warning bells fly off on some of the most trustworthy sites – self-signed ones.

Just don’t ask them why or how, or anything that isn’t directly relevant. Do you even know what is on your trust list? You might just be surprised at what you can find.

    # ls -al /etc/ssl/certs | wc -l

How many of these do you trust? How many of these should you trust? I’ll tell you: *none*.

We should not be adding static lists of central signing authorities to our systems. This is a brittle and dangerous system. We knew this, but hackers have now thankfully demonstrated it.
A better way is for every person (and by extension every browser) to keep their own list of signing certs, and to exchange these certs with their friends (automagically, if you like). Your friends lists can come out of a social network, any social network, and it will mean that any site that has been vetted by one or more of your friends will likely be safe for you to use as well. It’s even better than that: you can check certs from multiple friends and detect discrepancies.

That, my friends, is called the Web of Trust, and is a design that is heading in the right direction. Something similar is already being done for a Firefox near you, while GPG has worked like this for three decades!

It has to be simple. It has to be very simple. And it has to be chemically free of one word: ‘central’.

One real easy way to do this on linux would be using git and signed manifests. I already do this in gone to assure that only files on a manifest signed by a trusted key get installed.

firefox + geolocation = m0ar paranoia

Friday, August 26th, 2011

Just a quick note pertaining to a previous post, namely the new evil that is firefox geolocation. This is new in firefox 3.5. Yes, it is opt-in, and yes, firefox does not track you, but yes, the servers you opt in to will track you, and that, my friends, is one of the most serious misfeatures of our times, repeated again and again in stuff like Google Latitude, Android and Apple photo geo-tagging.
If you care about your personal security at all you do not want the internet tracking where you are, which is essentially what this amounts to.
Disable it now by going to the about:config location in your firefox, typing geo. in the search field and double clicking the geo.enabled line so that it says

    geo.enabled    user set  boolean   false

That’s it for now.

data retention in practice: the police raid on autistici

Tuesday, January 18th, 2011

The story of the police raid on the Italian volunteer organisation Autistici is a practical example of why the Data Retention Directive should not be adopted. Autistici is a non-profit organisation offering free e-mail and blogging services built to be resistant to censorship.

Here is a short summary of the case:

  • As part of its anti-censorship measures, Autistici’s services are spread across servers all over the world, and the data is stored encrypted on disk.
  • Autistici does not log connections and retains no personal information about its users.
  • One of Autistici’s servers is hosted in the server farm of a Norwegian organisation for the promotion of free software.
  • 5 November 2010: the police seize a hard disk from the server farm on the basis of a request from the Italian police.
  • The request from Italy names one e-mail account and asks for the contents of, logins to and changes to that account.
  • The stated grounds for the seizure is a threats case.
  • The Italian request describes the offence as insults to the reputation of two leaders of the neo-fascist organisation Casa Pound.
  • Norwegian police go beyond the request and take mirror copies of two hard disks, containing the e-mail of 1500 users and the account information of 7000 users.
  • The seized disks do not contain the e-mail account named in the foreign request.
  • Similar requests are believed to have been sent to Autistici’s server farms in the Netherlands and Switzerland.

Uncle already takes too many liberties with other people’s data. In this case the private e-mail of 1500 innocent people has been hit by a search carried out on behalf of a request from a foreign nation’s interests, entangled in a matter of doubtful legality, where the accused is an unknown person.

The case is rolling on, to examine the legality of the seizure and to ensure that the copies are not handed over in their entirety to the Italian authorities.

The case is also covered in:

Amusing examples of future abuse of the DRD can be found on #DLDloggen.

Your security and data retention

Monday, December 27th, 2010

It’s been a while since I took a taxi – I think – and that is perhaps why I was very surprised when I got into a taxi the other day and discovered that it was under video surveillance! The change must have happened more or less overnight here in Oslo, and now you can hardly find an unmonitored car, even though the video surveillance scheme is optional for the drivers. Well, I say, it is probably not entirely optional: it is the car owner who chooses to monitor the car – the driver does not choose whether it is monitored, and the passenger least of all. Video surveillance is good, the driver replies; those who do nothing wrong have nothing to fear.

I think it is precisely those who have done nothing wrong who have the most to fear. Taxi drivers already live in a world where their entire working day is monitored. How would you feel about your own workplace being under video surveillance? At the office, the hospital, in the shop? What about in your car, at school or in the kindergarten? (This is, by the way, already happening.) When will we come to “voluntarily” put cameras in our homes, and connect them to video centres where men are paid to sit all day and all night staring at screens?

Where is all the documentation showing that all these cameras make us safer? Is it only surveys sponsored by security companies that profit handsomely from the increased distrust, or have any independent security experts spoken out?

The answer, of course, is that security experts have spoken out, experts with military backgrounds as well as police authorities and prosecutors, and so have lawyers and investigators of violence and paedophilia cases, and it turns out that the experts agree that increased surveillance will not lead to more solved cases, and that on the contrary it will lead to those of us under surveillance giving up our private lives; ergo our personal security is wiped out at a stroke by everything we do being logged and tracked.

Criminals do not need to care about privacy, about surveillance or about what is right and wrong – they can steal identities, hide behind false addresses, account numbers and proxy servers. Criminals can steal mobile phones and throw them away after use, or they can, like everyone else, use encrypted connections and anonymisation services. It takes a little extra competence, but criminals have extra incentive. That is why the Data Retention Directive will not catch criminals: not only is the directive technically off target, but the basic idea behind it, that increased surveillance reduces crime and increases the clear-up rate, is wrong!

I should mention that I have followed the development of the Data Retention Directive with great interest since I heard about the proposal a couple of years ago. That is why I made the trip to Rosenkrantzgate for the DRD seminar in November. Here I freely draw parallels to video surveillance even though it is about much more: it is about geographical tracking of you and me via the position sensor in our mobiles, and it is about mapping every person you have ever been in contact with by e-mail, telephone, SMS and social media.

It has been especially interesting to hear about the implementation of the corresponding EU directive in different European countries, and how providers of communication services here at home relate to the directive. At the seminar the head of security at Tele2 stood up and said that today they store some information for 3 to 5 months for billing purposes, and that the question has always been how quickly they can delete the information to limit resource use. Data retention will lead to a regime change, he says, where they must set up and operate a separate data retention database in case the authorities should need the information.

Already there have been cases where authorities without a mandate for such information have tried to obtain telephone logs and invoices, and succeeded in several cases because the people responsible for the information were not sure how to handle the requests.

Do you think NAV should get access to your invoices when processing an application from you? What about a complete map of where you have been over the last 5 years? If yes, who else should get access when you yourself have no right of access?

The press will protect its sources even when pressured to hand them over. Human rights courts require confidence in source protection. The tool (data retention) is quickly abused, and limits must be set or it will be abused! It might be a matter of unintentionally revealing the identity of sources.

A prosecutor who had worked on drug cases took part in the DRD seminar and explained that she had used retained data in investigations. Her conclusion was that we must tolerate some crime, otherwise we live in a police state! It is politically difficult to say no because of the EU/EEA, but this is a paradigm shift that turns testimony upside down. Save a child from Helga Pedersen! The problem is when we have no suspects. Shall we sit and search for suspects?

As we step into Orwell’s ugliest fantasy, shall we then grant individual access to the data? Shall we allow any anonymous conversations to exist, for instance journalists’ sources or helplines for rape victims? How shall we sort and analyse the data, and for how long? As soon as we start retaining, it becomes hard to get rid of the data, and hard to keep track of changes in the law and in access; those who manage the data, i.e. the telephone and data providers, have neither the capacity nor the competence to store the data responsibly.

The EU directive says that each member state can withdraw from data retention if it can justify why – and Romania and Germany have said no because it violates their constitutions!

If you happen to be 100 metres from the Storting while a violent demonstration is taking place, and that information is retained, how long do you think you will have to explain yourself to avoid being implicated in the violence? Norwegian police have already used location data to summon 100 people who were near a criminal incident for questioning. Excellent police work, I’d say!

If a known criminal calls a well-known and well-liked politician such as Storberget and hangs up as the other party answers, and the call is logged, Storberget can then be associated with criminals and summoned for questioning on suspicion. If the story of the summons leaks, the politician’s career is over regardless of whether he was guilty of anything or not.

I was told a sweet but true story from the USA, where the authorities in a small rural state won a large sum of money that they were to spend on increasing security in the state. They spent the money on securing the state’s dams, and when security people came to visit and asked why the state office was open and unsecured, the state’s senator explained that if anyone wanted him dead, they could just come and shoot him any time. He was more concerned with the security of his people, and that was best served by securing against floods and other natural disasters.

It turns out, incidentally, with the help of the very helpful cablegates, that in at least one country data retention legislation has been put on the political agenda under strong pressure from an external superpower. Who needs to talk about conspiracy theories and paranoia when we have real conspiracies?

Since one of my jobs is precisely network security and monitoring, I thought it worthwhile to share with you my experience with data retention and how your private life will be directly affected by a bill that is constructed to give big boys more toys and nothing else. This on top of existing legislation that already permits surveillance of criminals.

… and you know what? The taxi driver didn’t know where the camera in the car was either. 1984 called and wants its big brother who always sees you back! Perhaps the government should get on Facebook and “friend” everyone so they can keep up with what is happening?

consolekit is evil

Wednesday, December 1st, 2010

… and hates me

I should really tell you about the DLD seminar three weeks ago, or the PARANOIA security conference, or even just that Adobe should be considered harmful, but things have been crazy and between this and electromagnetism I haven’t had the mind space. After the 6th of December, I promise I’ll come back with pictures and relations and maybe even sounds (I have notes, don’t worry, I’ll remember).

On the other hand, here’s a nasty hack to kill console-kit-daemon, which has a really nasty way of polluting the PID-space… and annoys me enough to warrant a public humiliation as well. What does it do, and why? Who cares what it does, it’s doing it poorly enough to call attention to itself! So here’s how to kill it:

    root@wasp:/usr/sbin# dpkg -S console-kit-daemon
    consolekit: /usr/sbin/console-kit-daemon

DON’T try to purge the package because that’s just one end of a really big ugly yarn of unnecessary dependency pain that I’d like to spare you…

DON’T try to replace /usr/sbin/console-kit-daemon with your own stub… turns out dbus autostarts this “service”, and that approach will make dbus block your (ssh) session when you log in… not forever, but that’s even more annoying than the pid pollution.

Instead, debian bugs #544147 and #544483 clued me in to the following hack:

    cp /usr/share/dbus-1/system-services/org.freedesktop.ConsoleKit.service \
        /usr/local/share/dbus-1/system-services/
    echo Exec=/bin/false >> /usr/local/share/dbus-1/system-services/org.freedesktop.ConsoleKit.service

which is a two-liner, and would have been less ugly and easier to debug if it hadn’t been for the fine hubris of the freedesktop dudes…
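An added example (not from the original post): the same override done by replacing the Exec= line rather than appending a second one, so the activation file keeps exactly one Exec= key, plus a check that the override came out as intended. The directories are parameters so it can be rehearsed on a scratch tree; the real destination is the /usr/local/share/dbus-1/system-services path from the two-liner above, which the hack relies on D-Bus consulting ahead of /usr/share.

```shell
#!/bin/sh
# Added example, not from the original post. Same idea as the two-liner above
# (a local copy of the D-Bus activation file pointing Exec= at /bin/false),
# but the Exec= line is rewritten in place instead of appended, so the file
# carries a single Exec= key, and the result is verified before use.
# Assumptions: source and destination directories are passed by the caller;
# on the real system they are /usr/share/dbus-1/system-services and
# /usr/local/share/dbus-1/system-services as in the post.

# Copy <src_dir>/<service> to <dst_dir>/ with every Exec= line set to /bin/false.
neuter_dbus_service() {
    src_dir="$1"; dst_dir="$2"; svc="$3"
    mkdir -p "$dst_dir"
    sed 's|^Exec=.*$|Exec=/bin/false|' "$src_dir/$svc" > "$dst_dir/$svc"
}

# Verify an activation file ($1): exactly one Exec= key, and it is /bin/false.
# Returns 0 when the override is in effect.
dbus_service_is_neutered() {
    [ "$(grep -c '^Exec=' "$1")" -eq 1 ] && grep -q '^Exec=/bin/false$' "$1"
}
```

On a live box: `neuter_dbus_service /usr/share/dbus-1/system-services /usr/local/share/dbus-1/system-services org.freedesktop.ConsoleKit.service`, then run the check on the copy before reloading dbus.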

OSSEC to the rescue

Wednesday, October 20th, 2010

I’m not going to brag about being online for 16 years without being hacked. It simply wouldn’t be truthful and, more to the point, even if I convinced myself, there is little you or I can do to verify the claim. Rather, I’d like to think that by being a little paranoid I’ve managed to avoid some badness. Actually, even if you like to think so, it’s rather optimistic to believe in one’s own infallibility. The infallibility of computer systems? Don’t even get me started.

Computer security is about turning that trend around, about saying OK, where and how did the bad guy get in, let’s kick him out and make sure it doesn’t happen again. It’s about fixing the problems before they become really bad. Security is also about not putting all your balls in one basket, not trusting your single point of failure, and being very picky about the things you trust. Because automated systems fail automatically, security is about putting yourself in the loop too.

If you haven’t read this year’s Verizon data breach report [1], the gist is basically that 2/3 of hacks are from 3rd parties, that leakage usually occurs 3 minutes into the breach and that most attacks are still discovered by a third party. What’s more, almost all attacks were made on servers, most of the attacks aren’t even that difficult to do, they leave traces in the log files and the security holes are even easier to fix!

Now if you’ve been paying attention to the Stuxnet infestation [2], the Microsoft hack [3] or the recent Depnet failure [4], there is no guarantee that your skilled and educated IT staff is on top of that stuff… because they’re too busy delivering the features you demand.

The problem here is one of control. If you are an admin, you may know what you’ve done on any particular server and you might be on top of what your team has been doing, but the second someone gets in and starts changing things they shouldn’t have, all bets are off. Files get changed: logs get nuked, commands get replaced, databases get UPDATE’d.

Let me tell it to you straight: a virus, worm, piece of malware is basically a really cool software update.

What you need is an eventuality: something that leaves a central, verifiable audit log, checks a number of different sources, stores who logged in where and how, and monitors system integrity. You need something flexible, with 90% of the job already done for you, something that can deal with a bunch of computers on a bunch of different platforms at the same time, and while leaving you in the loop does this in a manageable way, so you don’t get overblown by a zillion messages.

You need something that can respond to its environment, something that sits on every host, something that can take action on its own.

OSSEC [5] has a three-pronged approach that fits the bill: rootkit checks, file integrity and logfile watching.

It does these things according to a configurable ruleset. The rules can run on all your computers (yup, windows boxes too) and report to a central OSSEC server securely. OSSEC is also able to respond to alerts, for example by blocking an attacker that is trying to guess the password repeatedly (an everyday occurrence).
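An added example, not from the original post and not OSSEC’s own rule engine: the log-watching half of the approach, as an awk pass over sshd auth log lines that counts authentication failures per source address and names the addresses above a threshold, which is the condition an active response would block on. The log lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post and not OSSEC's rule engine.
# Shows the kind of logfile-watching rule OSSEC applies for the "repeated
# password guessing" case: count sshd authentication failures per source
# address and name every address over a threshold, i.e. the decision an
# active response (block) acts on. Assumptions: classic sshd syslog lines;
# the sample log below is constructed, and the threshold is a parameter.

# Constructed sample auth log (not real traffic): two noisy addresses and
# one legitimate user who mistyped once before logging in.
sample_auth_log() {
    cat <<'EOF'
Oct 20 10:00:01 wasp sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Oct 20 10:00:02 wasp sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Oct 20 10:00:03 wasp sshd[2103]: Failed password for root from 203.0.113.7 port 51124 ssh2
Oct 20 10:00:04 wasp sshd[2105]: Invalid user oracle from 203.0.113.7
Oct 20 10:00:05 wasp sshd[2107]: Failed password for zz from 192.0.2.20 port 40001 ssh2
Oct 20 10:00:06 wasp sshd[2107]: Accepted password for zz from 192.0.2.20 port 40001 ssh2
Oct 20 10:00:07 wasp sshd[2109]: Failed password for invalid user test from 198.51.100.9 port 30011 ssh2
Oct 20 10:00:08 wasp sshd[2110]: Failed password for invalid user test from 198.51.100.9 port 30012 ssh2
Oct 20 10:00:09 wasp sshd[2111]: Failed password for invalid user guest from 198.51.100.9 port 30013 ssh2
Oct 20 10:00:10 wasp sshd[2112]: Failed password for invalid user guest from 198.51.100.9 port 30014 ssh2
EOF
}

# Print "<count> <ip>" for every source address with more than $2 failures
# in log file $1. Returns 0 when at least one address crossed the threshold
# (an alert fired), 1 when nothing did.
ssh_bruteforce_sources() {
    awk -v limit="$2" '
        /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
            # the address is the token after "from"
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i+1)]++; break }
        }
        END {
            fired = 0
            for (ip in fails)
                if (fails[ip] > limit) { print fails[ip], ip; fired = 1 }
            exit !fired
        }
    ' "$1"
}
```

`sample_auth_log > /tmp/auth.log; ssh_bruteforce_sources /tmp/auth.log 3` flags the two noisy addresses and leaves the single typo from 192.0.2.20 alone; OSSEC’s equivalent rule fires the same way and hands the address to its active response.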

What’s more, GPL open source makes it possible to audit and patch the code of OSSEC, and gracefully sidesteps the problem of vendor lock-in.

Now that I’ve played with it and tuned it for sufficiently long, it’s started to complement my IDS nicely and beats old approaches like tripwire, fail2ban [6]/sshguard [7] and logwatch [8]. Don’t get me wrong, OSSEC is not the silver bullet [9], then again nothing is and thus we must stay vigilant.

So, with the advent of Week of OSSEC year 2 I took the opportunity to tell you about this fine piece of software, and to show you the real nugget: my debian install and update script for ossec, which you can use standalone, or together with my budding and passably simple configuration system gone, which I will introduce another day in another post.

0K out.

References in all their undistractingly subscripted glory:
[1] Verizon data breach report
[2] Talk on stuxnet the SCADA worm by kwy
[3] Microsoft confirms Russian pill-pusher attack on its network
[4] Regjeringen utsatt for dataspionasje
[5] OSSEC
[6] Fail2ban
[7] SSHguard
[8] Logwatch
[9] Abusing OSSEC