Bypassing the I.T. security fortress

On the back of my mind for the past few years, I’ve been thinking about how I.T. security becomes less meaningful as time goes on. The use of digital cameras isn’t usually allowed, yet a company isn’t (usually) going to boot out an employee for having a cell phone with a digital camera — or even using it to take a snapshot of a diagram that will be placed on a corporate wiki. The use of USB thumb drives for transferring and storing corporate data is perceived as a risk, but often, it’s a practical way of getting one’s job done. Remember network firewalls? They’re still in place, but they’re increasingly meaningless. They certainly don’t keep out viruses and trojan horses. And with the increasing prevalence of wireless networking, there’s even less incentive for people to play by the I.T. security rules. Dan Kaminsky [expresses these thoughts better than I have](http://www.doxpara.com/?p=1245)
:

> … every restriction, every alteration [I.T. makes] in people’s day to day business, carries with it a risk that users will abandon the corporate network entirely, going “off-grid” in search of a more open and more useful operating environment. You might scoff, and think people would get fired for this stuff, but you know what people really get fired for? Missing their numbers.

> Its never been easier to get away with going off-grid. Widespread availability of WiMax and 3G networks mean there’s an alternate, unmonitored high speed network available at every desk.

Kaminsky [goes on](http://www.doxpara.com/?p=1245) to discuss some of the ramifications of these ongoing changes, including “the Cloud” (e.g. Google docs) and the security of corporate data.

jvisualvm: A free Java memory and CPU profiler

I needed to profile a Java application, and since we had a JProfiler floating license, I used it. JProfiler works well, although it’s pricey. I was googling for other Java profiling tools, and [stackoverflow.com](http://stackoverflow.com/search?q=visualvm) made mention of [jvisualvm](https://visualvm.dev.java.net/), which comes bundled with JDK 6 release 7. I noticed that on my Fedora 10 box, the java-1.6.0-openjdk package includes jvisualvm. None of my coworkers had heard of it.

JProfiler introduces a significant performance penalty into the code it profiles, whereas other tools including jvisualvm and YourKit have a much lower impact. I’m going to give jvisualvm a try, once I get the target environment set up properly with the new JDK.

UPDATE: jvisualvm won’t profile remote applications like JProfiler can. jvisualvm is not quite as easy to use, and I haven’t figured out how to get stack traces on the CPU and memory hot spots. Overall, I like the tool.

UPDATE 2: jvisualvm can be configured to give a stack trace of memory hot spots. I’ve learned that performance between the Java 1.5 and 1.6 jvms can be very different. I’ve learned that I can run ‘kill -3 ‘ to print a stack trace of my running java processes. It’s helped me to narrow down bottlenecks in an application when the profiler wasn’t granular enough.

The future of Gnome Apps: JavaScript?

There’s an interesting article called “[Building desktop Linux
applications with JavaScript](http://arstechnica.com/articles/paedia/javascript-gtk-bindings.ars?bub)” By Ryan Paul, January 19, 2009.

I didn’t immediately understand the vision. Don’t we already have
Python, Ruby, Java, C++ and Perl bindings for Gnome? Yes, we do. So why
would we add JavaScript to the mix? Or any other scripting language?

The best way to think about it is Firefox plugins, like Greasemonkey,
that actually modify the web browser to give you a new experience.
Firefox extensions are written in JavaScript. JavaScript has hooks into
the application (Firefox) to manipulate it.

Gnome hackers want to do the same thing for Gnome. Not only could you
write Gnome application in JavaScript, you could extend a Gnome
application using JavaScript, no matter what language it was written in.

Another way to think about it is this: When most people think of Java,
they don’t think of the language. They think of the platform — the
libraries that are shipped with the language (networking, database
connectivity, etc.). The same is true for Python, Perl, and Ruby.

The goal is to us an embeddable language to tweak the Gnome platform,
not to use a platform (like Java, Python or Perl) to tweak Gnome. When
they embed a language into Gnome, application developers will use the
Gnome platform way of doing networking, instead of doing it the Java
library way. They will use the Gnome way of opening file picker, not the
Java library way. They will use the Gnome way of doing HTTP, not the
Python or the Java or the Perl way.

Fedora 10 lacks “wow” appeal; OpenSolaris 11

I upgraded one of my machines to Fedora 10 last month, and for me, this release lacks the “wow” appeal that other releases have had. A minor annoyance is that the keyboard repeat delay [is broken](https://bugzilla.redhat.com/show_bug.cgi?id=475747) for me and so far, there is no fix other than disabling keyboard repeat. On the plus side, Fedora 10 includes OpenOffice.org 3 and other [new](http://fedoraproject.org/wiki/Releases/10/ReleaseSummary) [features](http://www.heise-online.co.uk/open/features/print/112093). Be sure to check out the [Common Issues](http://fedoraproject.org/wiki/Bugs/F10Common) people have experienced with Fedora 10.

The other day, a co-worker handed me an OpenSolaris 11 Live CD. I booted it, expecting to be underwhelmed like I was with the Solaris 10 JavaDesktop. I was pleasantly surprised, however. Sun’s “Nimbus” GNOME theme knocks the socks off of the boring Fedora window manager themes. The experience felt like I was running Linux. It was responsive, supported my newer hardware, and the system was built with GNU utilities on the command line so I get my favourite options to ‘ls’, ‘grep’, etc. It supported my NVidia card out-of-the box, and had Compiz eye-candy as an option. The only thing I missed (in my superficial test) was the familiar ‘yum’ and ‘rpm’ for package management. I suspect that if I used it from day to day, I’d find other things I miss. Does OpenSolaris support encrypted file systems? Does it have as much optional software as I can get with Fedora Extras?

I’ll keep my eye on [OpenSolaris](http://www.opensolaris.com/) a little more closely in the future.

Backup: Immediate, Full and Long-term

Preserving the availability of digital artifacts is a goal worthy of pursuit. First, I’ve got thousands of digital family photos, and I don’t want to lose them to hard drive failure or lock them up so that they’re hard to get to. Second, I’ve got my email stored on my computer for the past several years. The recent email is what’s most valuable to me, but every once in a while, I need to search through email archives to find things, like a license key for [Date Book 5](http://www.pimlicosoftware.com/datebk5.htm). Third, it took weeks to install software and configure our laptop. I don’t want to have to repeat that work if the hard drive happens to stop working — especially if a project I’m working on needs to be done soon.

There are three main types of backup that are important to me: Immediate backup, full backup and long-term archival.

__Immediate Backup__
—————–

What I’m currently working on with the computer is usually more important than what I was doing on the computer a few weeks ago. The auto-save and even the “undo” feature of most word processing programs can help me when one of my children touches the keyboard and accidentally deletes most of the text. Auto-save and undo won’t help if my laptop is stolen or the hard drive fails. That’s why I use [mozy.com](http://mozy.com) for automated, off-site backups of my Windows laptop. It’s well worth $5.00 per month for this service, and it’s easy to pay for: skip eating out for lunch once per month.

For backup to happen regularly, automation is key — especially for immediate backup. I would make full backups more frequently if it were an automated process. I use a monthly repeating reminder so I remember to backup the things that aren’t automated.

__Full Backup__
———–

Admittedly, hard drives don’t fail often, and laptops that usually stay at home aren’t often stolen (at least, not in my neighborhood). But when it does happen, it’s a pain to reinstall the myriad of applications we use on a semi-regular basis. This is why a periodic, full backup is valuable. Doing a full backup with optical media takes too much time. External hard drives are much faster, have more capacity, and are inexpensive. They plug in using standard connectors such as USB, FireWire or eSATA. I store my external USB hard drive in a fireproof box.

__Long Term Archival__
——————

I want the best of my digital memories (e.g. photos) to be preserved for decades or centuries. A CDROM may be readable in ten or twenty years, but not fifty or a hundred. There probably won’t be hardware to read it in fifty years. Will computers in fifty years recognize JPEG format? No idea!

To preserve digital artifacts for that long requires refreshing it periodically into newer formats and storage media. It’s a good idea to use open, standardized formats rather than proprietary formats. For photos, this means to use JPEG and PNG in preference to Photoshop format.

Rather than refresh constantly, there’s the option of _printing_ photos and documents. It’s going to be easier to view a physical photo or a printed document in a hundred years than to unlock the secrets of an old hard drive.

__Trust, but verify__
—————-

I tend to trust my backup solutions, but it’s necessary to verify that they’re working. My brother’s computer periodically downloads my digital photos. I trusted that this was, at least in part, a good off-site backup. I learned recently, however, that his computer deletes old photos when space gets low, which is often.

__Resources__
———-
[Preserving Your Digital Memories: What you can do](http://www.digitalpreservation.gov/you/digitalmemories.html)

A few backup solutions: Mozy, Carbonite, SyncBackSE, and JungleDisk.

Interesting projects to backup using P2P protocols (including featurs such as encryption and
fault tolerance): [Tahoe](http://allmydata.org/trac/tahoe)
with a [writeup from LWN](http://lwn.net/Articles/280483/) and [Flud](http://www.flud.org).

Using the 2.6.26 Linux Kernel Debugger (KGDB) with VMware

Reading the linux kernel documentation on KGDB wasn’t enough for me to be able
to use the newly built-in KGDB kernel debugger with version 2.6.26 or 2.6.27.
The breakthrough for me was reading [part of Jason Wessel’s
guide](http://www.kernel.org/pub/linux/kernel/people/jwessel/kgdb/ch03s03.html).

I have two machines:

* developer – where I run gdb
* target – where the kernel is being debugged, running in VMware

Configure VMware on the developer machine

* Power down the guest (target)
* Edit the VM guest settings
* Add a serial port
* Use named pipe `/tmp/com_1` (it’s really a UNIX domain socket)
* Configure it to “Yield CPU on poll” (under Advanced)
* Install ‘socat’, if not already installed

Configure and Compile the kernel on the developer or the target machine

– Get kernel 2.6.26 or newer
– `make menuconfig` # or make gconfig
– Under Kernel Hacking:
– enable KGDB
– enable the Magic SysRq key
– enable “Compile the kernel with debug info”
– Build kernel: `make`

Configure target

– Enable Magic SysRq key on target:
– Edit /etc/sysctl.conf and set `kernel.sysrq = 1`
– or run `sysctl -w kernel.sysrq=1` # this doesn’t survive a reboot
– Install developer kernel
– On the developer machine:
`rsync -av –exclude .git ./ root@target.host.name:/mnt/work/linux-2.6.26`
– On the target, a RedHat based system:
`make install`
`make modules_install`
– Edit /boot/grub/grub.conf and set `timeout=15`
– Boot into the newly installed kernel

Start debugging

– On target:
`echo ttyS0 > /sys/module/kgdboc/parameters/kgdboc`
– On developer:
`socat -d -d /tmp/com_1 PTY:` # notice what pty is allocated — /dev/pts/1 in my case
`gdb vmlinux`
`set remotebaud 115200`
`target remote /dev/pts/1`
– On target, do one of the following:
– `echo “g” > /proc/sysrq-trigger`
– Type ALT-SysRq-G
– Ready, get set, go! Go back to developer machine and use gdb to set
breakpoints, continue, etc.

I set up debugging because I wanted to understand the behavior of the kernel
when loading a module. It turns out that loading of the module failed because
sitting in a debugger delayed the execution, causing a timeout in module load
by the time I stepped through the code. Use of printk turned out to work
better.

HP xw4600: HOWTO enable hardware virtualization

How to enable Intel hardware virtualization on an HP xw4600:

* Boot into the hardware BIOS setup
* Got to Security -> System Security
* Enable both types of virtualization (VTx and VTd)
* Save settings, and power-cycle the machine.

I’m running Linux, Fedora 9, and using KVM, so I run the following:

modprobe kvm-intel

Loading that module will fail if hardware virtualization isn’t enabled.

DjangoCon videos on YouTube

I’m not a Django programmer, but for those who are, this may be useful. YouTube has videos of the inagural DjangoCon conference:
[http://www.youtube.com/results?search_query=djangocon&search=tag](http://www.youtube.com/results?search_query=djangocon&search=tag)

Transferring a linux hard drive to a new machine

For over a year, I’ve endured a development machine that would lock up under heavy disk I/O. Yesterday, I apparently complained loudly enough that I was given a new machine to replace it. I didn’t want to reinstall Fedora 9, so I transferred my old hard drive to the new machine, as the primary drive. To get it to boot and function properly, here’s what I did:

* Booted with the Fedora 9 install CD into “rescue mode”
* Ran the following commands once I had a shell:

mount –bind /dev /mnt/sysimage/dev
mount –bind /sys /mnt/sysimage/sys
chroot /mnt/sysimage
mv /boot/initrd-2.6.25…i686.img /boot/initrd-2.6.25…i686.img.orig
mkinitrd /boot/initrd-2.6.25…i686.img 2.6.25…i686

* Then I ran ‘grub’, and typed the following:

root (hd0,0)
setup (hd0)
quit

* Ejected the install CD, and rebooted. Once booted, I noticed that my network cards weren’t set up quite right. My new network card was listed as “eth2” in system-config-network, and I didn’t actually have cards for the listed “eth0” and “eth1” interfaces anymore. I didn’t know what file to change to get my new card listed as “eth0”, so I ran the following command to find out what files I might need to edit:

find /etc -type f -print0 | xargs -0 grep “eth[01]”

That command listed the following files, among others:

* /etc/udev/rules.d/70-persistent-net.rules
* /etc/vmware/locations

I edited /etc/udev/rules.d/70-persistent-net.rules and ripped out the assignments for my old NIC interfaces, and set the new one to be “eth0”, then rebooted and used `system-config-network` to set up my network.

When I ran my VMware guest, VMware Server gave me an error message about not being able to use bridged mode for the selected interface. With my old computer, VMware had used eth1 for bridged networking, and I didn’t have an “eth1” interface anymore. I edited /etc/vmware/locations and changed “eth1” to “eth0”, and restarted vmware. This time, bridged mode worked correctly.

Web App Security Statistics

Perhaps this is a bit old, but it’s the first time I’ve seen it, and I thought it was interesting enough to share.

[http://www.webappsec.org/projects/statistics/](http://www.webappsec.org/projects/statistics/)

* more than 7% of analyzed sites can be compromised automatically
* Detailed manual and automated assessment using white and black box methods shows that probability to detect high severity vulnerability reaches 96.85%.
* The most prevalent vulnerabilities are Cross-Site Scripting, Information Leakage, SQL Injection and Predictable Resource Location