My talk was titled Network Introspection with Open Source Tools and was an overhaul of the presentation that I did at LinuxWorld earlier this year. I took the feedback of the audience and tuned the talk to a Perl centric audience. I wasn’t heckled badly on IRC, which is the ultimate gauge of success.

I’d like to thank the organizers, CMU, sponsors, and The Perl Foundation for another successful year of the Work Shop. Next year, Pittsburgh is hosting YAPC::NA, and will not be hosting the Pittsburgh Perl Workshop. I look forward to being able to drive to YAPC!

If you saw the talk and want to rant about it, feel free to do so here.

I’ve been working on packaging the code that I have into something that might be useful to the general public. I’ll post another blog entry when I have a rough cut version of the package available for testing/breaking.

Keep in mind, I rarely read books in school. After 5th Grade, I preferred to spend my time playing sports, building Legos, and screwing around. I could “get by” on Cliff’s Notes, classroom dialog, and other 3rd party accounts of books. I’ve finally taken a liking to reading, so this is a good time to share my list of books that changed my life in chronological order of my first reading them.

1. Night by Elie Wiesel
2. The Stranger by Albert Camus
3. The Myth of Sanity by Martha Stout, PhD
4. The God Delusion by Richard Dawkins
5. The Demon Haunted World by Carl Sagan
6. 1984 by George Orwell

Night by Elie Wiesel

Elie Wiesel has been criticized for this book and his continued vocalization of his experiences in the Holocaust. Personally, I don’t agree with the criticism. Open, honest, and constant discussions of humanities failures are necessary to prevent them from recurring. Regardless of your stance on his speaking out, Night is a book that you must read remembering that it is not a work of fiction, but a true story. This book is Elie’s account of his time in Auschwitz. It is very hard to digest.

I read this book as a high school senior. At that time, the only struggles in my life were with girls or with my parents. At times, those problems would have me a little down. After reading Night I began to see the glass half full quite a bit more.

The Stranger by Albert Camus

Albert Camus was an atheist, arguably a nihilist. This was my in depth run-in with the philosophy of Nihilism. For me, the story boiled down to a man being sentenced to death for not crying at his mother’s funeral. Sure, there’s a lot more in the book, so go read it. There’s certainly a part of me that connects with the main character. The inability of society to cope with a person who experienced emotions differently than them was especially striking. The character Camus presents exhibits patterns of someone classified as a “sociopath.” This was also my first experience with abnormal psychology, which is something that I even to this day, completely enthralled by.

The Myth of Sanity by Martha Stout, PhD

I finally began studying psychology via bn.com/borders.com/amazon.com in late 1999. Prior to that, I was too busy not doing anything productive. The Myth of Sanity is almost a scientific paper, except it gets way too personal. No doubt, papers have been published by the author on the subject, but this book is a look into the experiences of a psychologist working with patients suffering from Disassociative Identity Disorder (previously classified as Multiple Personality Disorder). The storytelling in the book gives a very human and simplistic look into the amazing defensive capabilities of the human mind. If this book taught me anything, it’s that we know so very little about the potential of our most valued possession, our mind.

The God Delusion by Richard Dawkins

Having been a good Catholic High School student, I contemplated the existence of God and often questioned the logical implications or reality distorting mechanisms of the dogma. I never received any answers beyond “have faith.” As a child, I had faith. As I grew up, I learned that meant “have faith in what these people are telling you.” I also discovered that people are dirty, rotten, liars. So I began to wonder how a book (the Bible) that was written so long ago could be verified to be accurate. I also began to learn about how even the Justice System no longer trusts eye-witnesses are credible evidence. People lie, or people’s senses lie to them. Even in large groups, people are unreliable as evidence.

I decided to buy a copy of this book while in Texas (oh, I got a dirty look). All the questions I asked were answered with references to peer reviewed papers and ongoing research with plausible hypotheses. The experience of understanding the world as a purely natural environment devoid of any and all mysticism is akin to experiencing the world where any and all things are mysticism. It is fantastic. Seeing everything as a process of unrelated, complex interactions over exhaustively long periods of time makes every second that much more amazing.

Does anyone have all the answers? Of course not. This doesn’t mean that you should stop looking or discount science because the only alternative it to make shit up. Admitting you don’t know the answer is one of the most important qualities I look for when interviewing new candidates for jobs. Science doesn’t know all the answers, but at least it provides the methods to derive them, and the motivation to keep looking.

If you have questions and you’ve read the Bible attempting to figure it out, you’re doing yourself an injustice if you don’t look to science as well. Check out The God Delusion.

The Demon Haunted World by Carl Sagan

Carl Sagan should be required reading for all school children. At the very least, you should read the short story “The Dragon in My Garage.” The rest of The Demon Haunted World is equally as alluring and wonderful. Since reading this book, I’ve latched onto Carl Sagan’s works. He was what we needed, and still need today. His primary objective was to bring the joy and wonder back to science. He was a brilliant proponent of science education, and an adamant dissenter of the Regan Star Wars program that he felt would ultimately lead to the destruction of life on our planet.

Sagan is unique in his enthusiasm and childish wonder for science and all things science. He admits that he desperately wants to believe in UFO’s and alien visitations, but the evidence for those occurrences is horribly lacking. Extraordinary claims require extraordinary evidence. Nothing can be taken as fact without evidence, regardless of how bad you want it to be true. I highly recommend all of Sagan’s works. If you haven’t seen it, The Science Channel reruns Cosmos fairly regularly and it’s definitely DVR quality material.

1984 by George Orwell

At the time Orwell wrote 1984, it was a far fetched warning to future societies on the dangers of totalitarianism. Unfortunately, most of the warnings have been ignored. The UK has long since crossed the threshold of this disturbing proposed future. The United States is on their way, if not through mechanisms described in Huxley’s Brave New World (on the list to read). I read this book while traveling through the US’s airport system from Maryland to Boston, MA and back. The sheer irony was haunting.

Anyone in the field of Information Security, Politics, or Public Service should have to reread this book every year. There are a number of elements in 1984 that struck me. On several occasions Orwell describes the perfect citizen of his distopian reality to be a balding, fat man who sweats profusely. This was striking considering the obesity epidemic in the US. Additionally, the invention of New Speak as a language that attempts to flush out the means to form rebellious thought by making it impossible to vocalize it. This is censorship at it’s extreme. Another striking feature was the how often the Party referenced the War as a reason to sacrifice minuscule personal liberties. I’ve heard this exact logic from the White House.

I really liked 1984 and regret not reading it when it was assigned in High School. I could write a term paper on the relevance to Information Security, Public Policy, and the “Democracy” of the United States. Probably several papers.

el fin.

So that’s my most influential list, I’ll have to add a few more to the bottom later tonight when I sort through my book shelf. Let me know if you like/dislike them.

Then this weekend, the data center that hosts this server exploded. The site is back up and running now, but there should be a few more hours of downtime on the horizon as they install and integrate a permanent electrical infrastructure to the data center.

Also, I’ve been selected to speak at the Linux World Expo in San Fransisco this year! My talk is “Network Introspection with Open Source Tools.” If you’re going, please stop by and heckle me!

I may start updating this blog at some point.

I originally wanted to present a bunch of code, but I couldn’t really find a way to make the code very interesting.  I wanted to teach people that security is part of all of their jobs.  I made it a point to reveal some of the idiocy of the Federal Government Mandates in relation to IT Security.  I also gave an overview of the security system I’m building with Perl at work.

There were laughs, smiles, and a lot of people woke up.  All in all, I’d say it went very well.  I’d like to refine the presentation and possibly resubmit for YAPC::NA this year.  Bigger audience, and an opportunity for me to conquer a large slice of my stage fright.

If anyone out there reading this saw the presentation and has feedback, please comment on this post!

UPDATE: If you enjoyed the content of my talk on security, please check out these articles I’ve written:

• Trust - Paradoxical Structure of Trust in Employers
• Eating Your Own Dog Food - Hypocritical IT Security Policies In the Real World
• Full Disk Encryption - In Theory and Practice
• Is Security Theatre Good Enough? Frustrating observations into poor Risk Analysis in the general populace.

OpenSSH is a glorious implementation of a critical network protocol. Most networks have disabled and banned the use of telnet, rsh, and ftp in favor of the more “secure” SSH protocol. OpenSSH runs on every platform I’ve encountered (using CygWin on Windows). SSH provides an encrypted channel for data transfer. Usually that’s Keyboard Interactive Sessions or Files (using SCP), however SSH is capable of setting up multiple channels and acting as a SOCKS4 or SOCKS5 Proxy.

From the manual:

-D [bind_address:]port

Specifies a local ``dynamic'' application-level port forwarding.
This works by allocating a socket to listen to port on the local
side, optionally bound to the specified bind_address.  Whenever a
connection is made to this port, the connection is forwarded over
the secure channel, and the application protocol is then used to
determine where to connect to from the remote machine.  Currently
the SOCKS4 and SOCKS5 protocols are supported, and ssh will act
as a SOCKS server.  Only root can forward privileged ports.  Dy-
namic port forwardings can also be specified in the configuration
file.

That’s a lot of technical mumbo jumbo, so what does it mean?! Well it means that if you have ssh and an ssh server outside of your work network that you can connect to, you can SOCKS5 Proxy all your Interesting Traffic elsewhere by issuing this command:

ssh -D3128 server

Then pointing your applications to SOCKS5 Proxy localhost port 3128 will encrypt all the traffic between you and the server that you’re connecting to. This only provides privacy from the LOCAL or CORPORATE network, and does not encrypt your traffic on it’s way to it’s external destinations!!!!

In the next installment, we’ll cover PuTTY.exe and how to evade proxies on Windows platforms.

Configuring the cfengine master server, with cfegine!

The easiest way to do secure file transfer without passwords would be ssh + public key authentication. This will grant us a reasonable level of security, which we can fine tune with products like scponly. For now, we’ll just play around with basics.

The first thing to do is to setup a user on your cfengine server to accept the file transfers. Make this user unprivileged and make sure they are allowed to login with ssh. I restrict ssh connectivity using groups. I have a special group for utility accounts on my servers called ‘localssh’. I’m going to create a user named ‘util’ to handle this setup.

cfmaster# adduser -n -g localssh -h /home/util util

We need passwordless authentication, so we’re using ssh-keys. However, we don’t want to generate those keys as they will be too much work. We also want to make sure we keep that key under lock and barrel to ensure it’s safety. I’ll use cfengine to configure the master server, and regenerate a utility key everyday. This will ensure limited exposure of the key on the network.

Here’s the master section of our cfengine copyback.cf:

groups:
  hg_cfmaster     = ( cfmaster.domain.com )

control:
  any::
    util_keydir     = ( /usr/local/cfkeys )
    util_privkey   = ( /usr/local/cfkeys/util.dsa )
    util_pubkey   = ( /usr/local/cfkeys/util.dsa.pub )
    util_updir       = ( /home/util/cfin )
    actionsequence = ( directories tidy shellcommands )

directories:
  any::
    $(util_keydir)        mode=700 owner=root group=root fix=all

  hg_cfmaster::
    /home/util              mode=700 owner=util group=localssh fix=all
    $(util_updir)           mode=700 owner=util group=localssh fix=all

tidy:
  hg_cfmaster::
     $(util_keydir)   pattern=util.dsa age=1 r=0 define=dc_util_genkey

shellcommands:
  dc_util_genkey::
     "/usr/bin/ssh-keygen -t dsa -b 1024 -N '' -C 'util@domain.com' -f $(util_privkey)"

copy:
  hg_cfmaster::
    $(util_pubkey)      dest=/home/util/.ssh/authorized_keys mode=600 owner=util group=localssh type=sum

What have we done!?@?!@?

Well, the control and groups sections setup our variables. The ‘directories’ section creates the directories and makes sure the permissions are nice and tight. This ensures that cfengine keeps it that way.

The neat trick is my use of “dynamic classes” to take care of key regeneration. The tidy section looks in the $(util_keydir) for anything matching “util.dsa” and removes it if it’s older than 1 day old. The “define” section defines a dynamic class for the tidy statement if and only if files were deleted.

Then in shellcommands, if our dynamic class “dc_util_genkey” is active, we issue the ssh-keygen command to create our new key.

Last, the copy section moves the generated public_key into the ~/.ssh/authorized_keys file for our util user. This enables the key for logging in without a password. We can get fancier, but like I said, for now, its simple.

Distributing the private key to the clients

The cfengine clients are going to need the private key to be able to authenticate to our cfmaster server. This is a quick addition in the aforementioned ‘copy’ block so it looks like this:

copy:
  hg_cfmaster::
    $(util_pubkey)      dest=/home/util/.ssh/authorized_keys mode=600 owner=util group=localssh type=sum

  !hg_cfmaster::
     $(util_privkey)     dest=$(util_keydir) mode=0600 owner=root group=root type=sum server=$(policyhost)

That’s it. Now all the clients will decide if they need the key based on the checksum and replace it as a newer copy becomes available. So, now we have an account that we can use to send files back to our cfengine master server.

Sending a file to our cfengine master server

What do we do now? Well, I used this technique to issue a certificate request to my cfengine master server for a security tool called OSSEC-HIDS. This meant cfengine could manage the configurations and keys from my clients, making deployment completely automated. Here’s an example using the key to scp a file back:

shellcommands:
  !hg_cfmaster::
    "/usr/bin/scp -i $(util_privkey) /tmp/somefilewithinformation.txt util@$(policyhost):~/$(host).txt"

There ya go! I’ll be putting up a page on the OSSEC-HIDS Wiki on how I used this technique to manage all my clients configurations relatively soon.

This needs to happen. Justice must be swift and unrelenting. Back when the RIAA conned Metallica to lead the charge against Napster, they killed a significant portion of the internet. I’d go as far as to blame them for being the catalyst of the dotCom Bust.

Both the RIAA and MPAA need to shut the hell up and embrace new technologies.

(I promise I’ll post the Proxy Evasion Article as soon as I can get my Virtual Machine running!)

I’ll be continuing my Proxy Evasion series as soon as I get a chance to put together some screen shots for the tutorial part of the article.

Hopefully that article will be completed relatively soon.

Hope everyone had a great holiday season.

Pick up a copy of this book: