12 June, 2009

Cable inference and mapping

Long time, no post. I just don't have the free time I used to.

Anyway... I sort-of caught up on my feeds and after reading this article about finding 'secret' government fiber lines, I started thinking. If the ground is very saturated with multiple crisscrossed cables, utilities, etc., is it reasonable to think that by looking at a map of those utilities and cables you can infer, with varying degrees of probability, the locations of these 'black' lines?

I would assume that in areas like DC there are all sorts of classified communications lines going all over the place, so the logical place to start would be in the vicinity of a government building that has a high likelihood of having a classified or sensitive (non-commercial or public) line. Based on the locations of existing lines, one could extrapolate the rough areas where a line might leave the building and the path it takes (around the existing lines and utilities).

Maybe I'm thinking too two-dimensionally, but all this seems somewhat plausible. Let's say a 'black' line runs through an alley between buildings (unlikely but possible). Could someone dig through the basement to the line and tap it? I vaguely remember reading something about being able to tap a fiber line for around $100. The cost required to protect those lines from tampering would be too enormous, right?

There's my thought for the day.

22 February, 2009

Decision reached, let the migration begin

I finally decided to go with Arch Linux as my Gentoo replacement. I tried Sabayon (very) briefly, and it seemed that it would not give me the modularity that I need. Anyway, I already installed Arch and am up and running, albeit somewhat crippled, with disk encryption via dm-crypt and LUKS. Since this is the first time I've done disk encryption, I didn't want to mess with loop-aes; I'll leave that for some later date. So far, I've noticed no slowdown with LUKS.

Overall, the setup for FDE has been the easiest part of the whole migration thus far. I had a really difficult time getting X working. Surprisingly, when you install X as a dependency it doesn't install the necessary drivers (read: keyboard and mouse) as well. That took a few minutes to figure out. But overall, I think I have 80% of the apps I need installed now, and I'm really happy with how quickly that went. I am a little shocked that firefox is out of date in the repos, but from what I have read, it's because of some branding issues and I'm trying to see if I have a repo workaround (already installed latest firefox, trying to see if there's an 'Arch' way to do it).

I'm pretty pleased so far. Really, everything has been very smooth aside from the usual distro transition issues. I miss openrc right now (never thought I'd say that), but I think ultimately this setup will be more stable. Didn't realize that vmware-player was not in the repos beforehand, and unfortunately vmware's download server is down right now (go figure). I think vmware-player is the last app I need, or at least would like, before work tomorrow morning.

I really can't stress enough, I am very happy so far with Arch. Moving to FDE was *REALLY* easy; the hardest part was waiting for my /dev/urandom hdd overwrite (which took approx. 14 hours for 80GB). The pacman package manager is pretty easy to use, but I'm still getting to know the options. For those who want to know, no, I did not tweak my kernel manually (which I DO miss), but I plan to work on that as I go. Unfortunately I do have 74 modules loaded now, but really I haven't noticed any slowdown. My boot time is a bit higher than I'd like, but it's hard to accurately measure (b/c of the FDE password and the ethernet card timeout), which I hope to fix soon.

Here's hoping that tomorrow fixes a lot of issues. For now, hopefully, there is hfsplus support in my kernel (for my backup disk lol).

Oh, and I passed my CISSP exam. w00t!!!

02 February, 2009

Palm - I hate you

I began writing this on my Treo, but it became too difficult after the second reboot.

Dear Palm,

I tried to send this directly to your company, but I couldn't find
your contact info while using blazer, so I'll just leave this here.

Fuck you Palm.

That's pretty harsh, but I want you to know that I mean it. I own a
treo 700p and I have to say it is the worst 'phone' I have ever had
the displeasure to own, use, carry, or otherwise be close to. Now I
hear you're releasing the pre, but for Sprint only. That just makes me
hate you more. Prior to using this 'phone' (I use the term very
loosely) I refused to use any phone with a windows os. Being a *nix
guy, I assumed that palm os would run circles around any win based
phone. I was gravely mistaken.

The browser 'blazer' is the most sorry excuse for a browser ever. Ever.
It crashed the whole phone while surfing your site. Read that again.
Yes, my treo rebooted while surfing palm.com. Oh, and that's after
your site told me there were multiple browser-related errors. I can't
use opera mini bec--



I had to switch to my laptop because it's impossible to write an email on my Treo 700p. Anyway... Opera Mini, which works well on just about all mobile devices, crashes almost instantly on the 700p. I don't know why I'm pigeonholed into using blazer, but seriously, who at Palm was like "Wow, this is an awesome mobile browser. We should totally force this upon our customers." Whoever made that decision does not use blazer. And what the hell is up with the lag times?? It takes at least 10 seconds to CLOSE THE BROWSER?!?!?!?!?! WHAT THE FUCK!!!

This is a total rant post, which I try to avoid, but seriously, fuck you palm. You have totally ruined my outlook on mobile technology. At this point, I would rather own a Windows-based phone than anything developed, even 3rd party developed, by palm. Never again. NEVER again. To anyone who reads this, I implore you, I beg you, DO NOT, ever, EVER, EVER buy/use palm devices (especially do not buy). You no longer can compete in the smart phone market (more like inept phone market, but I don't think that your marketing guys brought that one up). I hope the Pre saves you, and maybe that will show that Palm has evolved past the same shit over and over and over again, but I doubt anyone will switch to Sprint for the Pre (good fucking decision there guys, hope you made enough bank for that bad decision).

I'm pissed, I don't care, I'm getting a new phone. I hate you palm. That is all.

28 January, 2009

Unlinked files

A colleague and I have been discussing forensics on Linux recently, which has led to me exploring the contents of my /proc directory. Wow, what a wealth of information there is in there. He just shot me a link to a post about unlinked files, something I'd heard of (and experienced) before, but had never looked into with any kind of depth. Very interesting stuff. I have a lot to learn about /proc.

http://sansforensics.wordpress.com/2009/01/27/recovering-open-but-unlinked-file-data/
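The trick the linked post is about, as an added example (mine, not code from the linked post or from this blog): on Linux, `unlink()` removes only the directory entry, and the inode stays alive as long as some process holds the file open. The kernel exposes each open descriptor as a symlink under `/proc/<pid>/fd/` and tags the ones whose target is gone with a trailing " (deleted)", so the data can be copied out by opening that link. The script below constructs its own sample file, unlinks it while still holding it open, and recovers the bytes through `/proc/self/fd/<n>`. It assumes Linux procfs; the file name and contents are constructed for the demonstration.

```python
import os
import tempfile


def unlinked_open_files(pid="self"):
    """Map fd number -> link target for descriptors in /proc/<pid>/fd whose
    target file has been unlinked. The kernel marks these by appending
    " (deleted)" to the symlink text. Requires Linux procfs."""
    fd_dir = f"/proc/{pid}/fd"
    found = {}
    for name in os.listdir(fd_dir):
        try:
            target = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            # the fd used by listdir itself, or one that closed meanwhile
            continue
        if target.endswith(" (deleted)"):
            found[int(name)] = target
    return found


def recover_fd(pid, fd):
    """Copy the data of an open-but-unlinked file by opening the
    /proc/<pid>/fd/<n> link. This creates a fresh descriptor on the same
    inode, so the read starts at offset 0 regardless of where the owning
    process's file position currently is."""
    with open(f"/proc/{pid}/fd/{fd}", "rb") as src:
        return src.read()


def demo():
    """Constructed scenario: this process writes a file, unlinks it while
    keeping it open, then recovers its contents through /proc.
    Returns (fd_was_listed_as_deleted, recovered_bytes)."""
    payload = b"constructed sample: evidence written then unlinked\n"
    tmp = tempfile.NamedTemporaryFile(mode="wb", delete=False)
    fd = tmp.fileno()
    tmp.write(payload)
    tmp.flush()
    os.unlink(tmp.name)          # directory entry gone; inode lives on
    assert not os.path.exists(tmp.name)
    listed = fd in unlinked_open_files("self")
    data = recover_fd("self", fd)
    tmp.close()                  # now the inode is really freed
    return listed, data


if __name__ == "__main__":
    listed, data = demo()
    print("fd listed as deleted:", listed)
    print("recovered:", data.decode())
```

On a live box you would point `unlinked_open_files()` at a suspect pid (root is needed to read another user's `/proc/<pid>/fd`), or use `lsof +L1` to list every open file whose link count has dropped to zero. The window closes the moment the holding process exits or closes the descriptor, so copy first and analyze later.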

08 January, 2009

Google + Police = Case closed?

An interesting story was on digg today about how cops located a child and her kidnapper using cell phone GPS coordinates and Google.

26 December, 2008

Finding a new distro... part 1?

I've been looking pretty seriously at Arch to replace Gentoo, so this post will describe my experiences and impressions thus far. I set up a VM to try the install and get a feel for the distro, and so far it seems OK. The install was easy and pretty fast, although I would have liked the ability to configure my kernel at install -- a step that, at least after years of Gentoo, was conspicuously missing. As expected there are a bunch of modules loaded on boot (61 total iirc), and boot time was actually painfully slow -- about 50 seconds! I'm not sure if it's the VM or all the extra garbage at this point. On the flip side, getting a working X configuration up and running with Openbox took all of 10 minutes, a process that would've taken significantly longer on Gentoo. At the same time, I wasn't able to try out the nvidia prop. drivers since it's in a VM -- who knows how well that will work, but if my experience so far is any indication, it should be fairly flawless. Another plus is that the latest (beta) nvidia drivers are in the repository (180.16-1) which is nice. Now that I look at my sync dir, I only see 177.82-1 in my local sync, so I guess my repositories aren't configured correctly.

The package management program pacman will take some getting used to. It certainly is much faster than emerge/portage, and not having to compile everything from source is a big plus. I do like the ports tree structure of portage though, maybe just because I'm so used to it, and I like being able to see everything that's in my current repositories without having to go online. I can see all the packages, but I already miss seeing general categories (e.g. net-irc, www-servers) to give me alternatives to apps I already use.

Something that would be nice for me is an option to configure disk encryption at install. There's a guide on the wiki on how to do it, but iirc Debian gives you an option at install which I think is awesome. Also suspiciously missing on install was the ability to add a regular user. Maybe I just went through it too fast and missed the option, but it was very surprising to have to log in as root immediately after install. I do like the idea of different projects within Gentoo (e.g. gentoo-hardened) and at this point I do not know whether Arch has anything comparable.

So here I am, now questioning whether Arch is the right distro for me. I wish I had a more concrete idea of what I'm looking for or where to look outside of distrowatch. Someone recommended Slackware to me recently, and maybe I should give it another shot. I'll keep working with Arch to see where I end up and we'll see what happens over the next few weeks. Happy Holidays and have a happy New Year!

16 December, 2008

Decision finally reached

I've decided to abandon Gentoo due to continued frustrations caused by portage and the project/community in general. I hope this change is temporary because I have a lot of love for Gentoo. It breaks my spirit to say I'm calling it quits.

Now I have to decide what to migrate to. I've narrowed it down to three choices: Arch, Debian, and Sabayon. I'm leaning toward Arch since it seems to be similar to Gentoo in some ways: highly configurable, optimized, but it also gives you the option of installing from binary instead of source, a big plus for sweeping update days that include firefox, gtk+, and kdelibs.

Debian I have always wanted to try out for an extended period, although I'm not sure it's bleeding edge enough -- the repositories, to my (limited) knowledge, lag a little further behind than I'm used to. But Debian is stable and configurable.

Sabayon is only on the board because the idea intrigues me; to build a Gentoo-based distro that uses a new package management system and introduces binaries, the idea sounds like the best of all worlds. Almost too good to be true. I hesitate since I'm not sure how mature the project is.

If anyone has an opinion, please tell me. I'm waiting for a lull to format and reinstall. I have no experience with Arch, Debian, or Sabayon, so all input is welcome.

24 November, 2008

Technology IRC rap

Awesome.

20 November, 2008

Secret German IP Ranges Leaked!

Not good for T-Systems/Deutsche Telekom. Government should be safeguarding citizens, not spying on them.

17 November, 2008

Promising new VISA card

VISA's new idea to combat identity theft. Sounds promising...

Am I too resistant to change?

For a while now I've had a little beef with Gentoo, but nothing I couldn't just shrug off. Now, I think I'm at the point where the frustration of portage just doesn't make sense to me anymore. Not once, but twice in the last two days have I wrestled with portage only to experience a much more hassle free install after cutting OUT portage. I won't go into detail, but the nvidia-drivers and vmware-player were the two culprit packages that, in both instances, emerged and installed perfectly, but utterly failed to run.

So now I'm asking myself why the FUCK I deal with long compile times when portage is, in my mind, broken?!? I'm giving it till the end of this month to see how stable my system remains before making the decision to stay or switch. November 30th is the day. I have a lot of love for Gentoo, that's why I've stayed for this long. But now, I just don't get it. I hope things change and I decide to stay, but for now I'm thinking that's unlikely.

23 October, 2008

This is not a drill Windows admins...

Microsoft is releasing an out-of-band critical patch today to fix an 0day that's being actively exploited in the wild. Yowza.

21 October, 2008

Sniffing your WIRED keystrokes (from the next room)

Saw this story, pretty cool stuff. Some Swiss researchers have developed a few different ways to sniff your electromagnetic keystrokes from up to 20 meters away. Vid.

17 October, 2008

NVIDIA 177.80 driver breaks OpenGL

At least it breaks OpenGL for me and a bunch of other people according to a google search. The issue seems to be in the actual libGL.so library. It seems like this is a persistent issue in the 2.6.27 kernel as well, so I'm not sure why this is in Gentoo's portage. Maybe my system is just broken? If anyone reads this and has had success w/ the 177.80 driver with gtk+ working and using nvidia's opengl implementation... please let me know. For now, I'm putting this driver on the backburner.

Ghetto Fabulous

For the truly paranoid and the utterly cheap, how to make a faraday cage wallet.

16 October, 2008

Stopping SQL Injection and Building Secure WebApps

Here's a paper (PDF) from Oracle on writing "injection-proof PL/SQL."

Also a guide shown to me by a friend on building secure webapps (from OWASP).

It's all about risk and consequences

I just read Paperghost's post on trying to contact someone at eBay about 5000+ of their users' logins posted online. His post highlights a few things that are 'broken.' One that he calls out is the problem a 'normal guy' would have trying to get this through to someone. There's nobody helpful you can talk to, no point of contact that can provide any kind of clarity... just black holes. But why does eBay make it so hard to contact someone who can actually help? The truth is they don't care. Let me explain.

From the 'About eBay' page:

eBay is The World's Online Marketplace®, enabling trade on a local, national and international basis. With a diverse and passionate community of individuals and small businesses, eBay offers an online platform where millions of items are traded each day.

Their business is one of the most widely recognized and successful online marketplaces ever. Wow! eBay rocks! And yes, eBay does rock, but they also don't care. A lot of people use eBay for free -- they sign in and bid on items. eBay gets a small percentage of each sale as well as advertising revenue and additional features sellers can pay for (that's how I understand it, correct me if I'm wrong, pretty simplified). They work really hard to protect people's accounts since that ultimately hurts their bottom line (profit).

The reason they don't care is because they can't. If I have an online eBay business and my account credentials get stolen, whose fault is that? Probably not eBay's, nor is it their responsibility to really do anything at all in the event something does happen to my account. Their only real motivation is based on dings to their reputation as a business, and since eBay is _huge_ there's not a whole lot of difference the loss of my (or a few thousand) account will make. Of course eBay wants to keep accounts safe to uphold their reputation, but ultimately, if accounts get compromised, it's not their fault and there's very little they can do to stop it from happening right now.

I, of course, blame the user for this (stop clicking on pop-ups please!). I read an article recently on how you're pretty screwed if your GMail or Yahoo! Mail account credentials get jacked (can't find the article, ah well). Google can only do so much if your account gets compromised, just like eBay, and ultimately, you're just a drop in the bucket. While the information in your GMail account or your flawless seller's reputation on eBay may be important to you, it's not very important to those companies. So getting back to the original question 'Why do these companies make it so hard to contact someone useful if shit hits the fan?' the answer is 'Well, there's not a whole lot we can do, so you're pretty much on your own.' It's not really that they don't care, it's that they can't care. And of course there's the volume of these types of requests -- I'm guessing far too many to keep up with. There's also the issue of alternatives -- eBay and GMail are so big and so successful, and this problem is shared among ALL businesses in these industries, there's not a whole lot to lose.

The real problem is nothing new: authentication and identification. It's not even an online problem, just a problem in general. Ensuring authentication and identification is tough... REALLY tough. Much harder than I once thought. But the problem with authentication and identification (shortened to AuthI) is complicated with sites like eBay and GMail, where there is no real consequence to the companies if your account is compromised. That's why it's all about risk and consequences. The risk of compromise is high, the consequence of compromise is low, so that equals 'no sale.' For banks, this issue is taken a little less lightly. Account compromise is actually a liability since the bank is responsible to offer some kind of reimbursement or protection or credit monitoring, whatever, in the event your 'identity' (account) is stolen.

So what's the deal with AuthI? Two-factor auth is a good solution (here's a post that breaks it all down), but again, it all comes down to risk and consequence. For eBay, that's a big investment of capital to only (maybe) bring down your risk to medium. How do you fix something that's really hard, but a lot of people think is easy? Just because I have a Canadian passport doesn't mean I'm Canadian, but you can't expect a database of DNA samples for everyone to be feasible or very practical for most applications. How do you fix bad behavior? How do you stop illegal behavior?

Now I'm ranting and just got derailed so I'll end this post here.

01 October, 2008

Bypass Win 98 login prompt?

Not new, but still awesome. Via Digg.

Why ePassports are bad

From a convenience and 'coolness' perspective, ePassports are great. But when THC decides to break the security and create a fake one, that's a really bad thing. I'm sure there are ways of making a secure ePassport, and governments in support of using them need to review their methods and revise as needed.

29 September, 2008

Wireless FU from TSSCI

Another great post.