WireGuard – A Next-Gen VPN

~~   Forward   ~~

Why would we need another VPN when we already have IPSEC, PPTP, L2TP, OpenVPN, and an array of proprietary SSL VPNs?  After all these are tried and true and exhaustively tested.  But are they really, exhaustively tested?

WireGuard has around 4,000 lines of code  —  compare this with 600,000 lines of code for OpenVPN plus OpenSSL, or 400,000 lines of code for XFRM plus StrongSwan for an IPSEC VPN.  How can such huge code have all aspects fully tested, honestly?  WireGuard’s two orders of magnitude fewer lines of code means a lot smaller attack surface to have flaws in.  Reducing attack surface is the same principle used by micro-kernels, and is a cardinal principle of information security.


The Immutable Filesystem — Vastly Reducing Attack Surface

I am working on a novel approach to security by generalizing read-only filesystems in Linux, to prevent malware from modifying files or establishing a foothold in systems.  As far as I know this is a first in InfoSec.  When the whole operating system is set to read-only no changes can be made where it matters, even if the malefactor manages to get root.  This will greatly reduce the attack surface of any system without interfering with its ability to function.

bigdataIn almost all OS installs, system-critical directories and files are set to read-write, at least by root.  Why?  There’s no need.  I say this is unnecessary and leaves open many avenues of attack which are exploited time after time.  An immutable filesystem will eliminate almost all attacks by most of the hacker community, and even makes things difficult for nation-state malefactors.  Oh sure, it’s still possible to inject malware into memory, but that exists anyway and is a different problem.  An old axiom is ‘Good Security is Layering‘.  The Perfect, should not be made the enemy of the Good — and those who make it so end up with nothing.


Securing eMail With D.A.N.E.

Some day I’ll get time to do an article on setting up a complete email server with the most advanced security and spam protection, but for now we’ll focus on DNS-based Authentication of Named Entities (DANE).  Of all the methods of securing email, DANE is the most comprehensive and advanced to date.

In a nutshell, DANE is a way of to authenticate TLS client and server sessions (for both web and email) without the need of a Certificate Authority.  DANE has become more popular in recent years due to security breaches of some Certificate Authorities, which allowed encryption certificates to be issued to non-domain owners for malevolent purposes.  DANE provides an independent means of checking certs to make sure of their provenance, and therefore that the session is secure.


Universal Encrypted Data In Transit – RHEL

Most companies today use Virtual Private Networks for remote users to connect with the enterprise, but few companies encrypt network traffic internally.   So why would universal encryption be a good idea?   Because perimeter defenses have become so good that most security breaches these days have happened when the instigator is already inside the system, as with phishing, SQL injection, or buffer overflow incursions.   Once inside, and with privilege escalation or a vulnerable switch, they can then monitor all traffic.

But let’s back up for a minute and consider VPNs.   A VPN is a ‘tunnel’ within the datastream which carries its data, isolated from the rest of the datastream by encryption.   It is only a ‘virtual’ tunnel since all the data is there with the rest of the crowd, but it is logically isolated from other packets as it is not cleartext.   The headers for its packets describe where it’s coming from, where it’s going, which packet it is in its stream, and information on the encryption, but the payload of each packet is encrypted using the cipher, hash, handshakes which were agreed to by both ends at the beginning of the session.   IPSec is not traditional encapsulation, where a packet is wrapped in an encryption protocol, which may be wrapped in yet another protocol.   IPSec flows in transport mode as normal packets, only encrypted.


Saving An Echo

My Echo SRM-2100 line-trimmer has given very good service in the ten+ years I’ve owned it, from fully mowing my half-acre yard when I lived in the cabin on 123rd St, to the limited lawn I have now.   Commercial-grade (straight-shaft) Echos have a very good reputation for durability, and a low exhaust note which is less annoying.

But lately it’s been hard to start, and simply would not idle;   I have to hold the trigger all the time.   These symptoms are usually related to fuel delivery, maybe a clogged idle circuit.   Well it’s been faithful for a long time, so maybe it’s time for it some love.


HowTo: Monitor the Network – Plasmoid

I always like to know what’s going on with my individual systems (especially air-gapped LANs), so if it hangs I have a good idea why.   And I especially like to know when lots of data is going out of my systems.   So we are going to make a handy little plasmoid which does this very effectively, and will run on KDE, XFCE, LXDE, etc, and given its cmake origin will probably build and run on OS-X and Windows as well.

knet1Here’s what it looks like. (click to enlarge)   It sits in your System Tray, and monitors the outward network interface.   Green traffic (bottom) is incoming, and red traffic (top) is outgoing.   You can set the scale to just about anything, but I’ll give a reasonable default below.


Those Darned Clever Crows

Crows using traffic to crack a walnut


Router Security

There is finally beginning to be more awareness of router security.   All of us have routers, large or small;   it’s the bridge between ‘The Internets’ and our LAN, and smaller ones have a built-in firewall which many rely on as their only protection.

All routers come with a well-known default username and password, which most people have enough sense to change.   This helps prevent not only unauthorized access over the airwaves, but also through the internet itself, although WPA2 should also be turned on for airwaves protection.

Recently there’s been more black hat exploitation of certain brands of small router, specifically Asus and the sorry Linksys and DLink routers.   Users often opt for convenience and so turn on Remote Admin…   and black hats have automatic worms running around (check at :23 seconds) out there specifically looking for vulns to exploit for fun and profit.   NEVER turn on Remote Admin, and it’s not a good idea to turn on router disk sharing as it uses the terrible Windows Server Message Block (SMB) protocol.


Our Microbiome

Phones carry bacterial ‘fingerprint’
(This is why I read the BBC)

You know, we hominids carry around 2-3 pounds of bacteria all the time!   1/3 of feces is bacteria and fungal flora.   In cows, bacteria and fungi consume the plant matter cows eat, and then the cows actually digest those bacteria and fungi for nourishment!

Furthermore, they’re beginning to find that a strong possible cause of Cron’s Disease, Inflammatory Bowel Syndrome, some obesities, constipations, et al, are likely caused by an imbalance of the good and bad flora in our digestive tracts.   This can easily be caused by a regimen of strong antibiotics, not enough water, and so on.


Home Theater – Build a Mega-Screen

I’ve been watching TV on front projector since 2006, and it came to the point where, um, a 10′ screen just wasn’t big enough anymore.   You know how it is…

screen(click to enlarge)


Home Theater – Folding Light

When I moved to this house around 4 years ago, I found that the den is too small (15′ x 11′) to accommodate my very good Planar home theater projector, even though it is fitted with a short-throw lens.

Swapping from a long-throw lens to a short-throw lens on my expensive new projector.  (eeek!)

Swapping from a long-throw lens to a short-throw lens on my expensive new projector. (eeek!)

Well this is a problem because the image will be way too small for my 12′ diagonal screen.   There was nothing more I could do to the projector but I still needed some way to lengthen the throw.   But how, when the walls are in the way?   (click to enlarge)
SU - full shot


Animals Only a Mother Could Love

Consider being born as a platypus. (actually, ‘hatched’ as a platypus)   And as you come to awareness, it’s oh no, I am a platypus…   There are lots of unfortunate animals that need love too, and here is a small collection for your consideration.

Say hello to the Aye-Aye,  a type of lemur, primates only found on the isle of Madagascar.   It taps on tree-trunks looking for hidden insect grubs.   When it finds one, it chews through the bark and uses its unusually long middle finger to pull out the bug.   Aye-ayes are endangered because of the current burning of their habitat for farmland.

Say hello to the Aye-Aye, a type of lemur, primates only found on the isle of Madagascar.   It taps on tree-trunks looking for hidden insect grubs.   When it finds one, it chews through the bark and uses its unusually long middle finger to pull out the bug.   Aye-ayes are an endangered because of the current burning of their habitat for farmland.


HowTo: Xen, for the Everyday Microkernel

~~   Forward   ~~

xen-logoMost people think of Xen as only being applicable to large organizations like Amazon’s AWS, RackSpace and other clouds, and various clustering applications.   Why is Xen such a good model of virtualization, clustering and security?   Because it’s the closest we have for now, to a production microkernel architecture.

~~   The Microkernel Model   ~~

The microkernel operating system model is one which rethinks the very core of the way operating systems work.   With microkernel, very few functions are actually handled by the core kernel in privileged mode, and the kernel itself is simple, compact, and fast.   The minimal functions handled by the microkernel are low-level address space management, thread management, and inter-process communication.   All other OS functions, including device drivers, protocol stacks, file systems, etc, are handled in user space.   If there is a buffer overflow or other vuln in a driver of the microkernel system, the best a cracker could do is get to the non-privileged user that driver is running as, inside the virtual machine it’s running in.


About This Bash Bypass Bug

There’s been alot of news in the past couple of days about this Bash bug, some of it hysterically saying that 500 million sites could be impacted.   Well maybe that’s how many sites are running the Bash command-line utility susceptible to the bug, but only a small fraction of those are actually exploitable.   And exploitable is what matters.   This has been an issue with Bash for 20 years, since inception.

First of all, if you’re a Debian user you can relax.   Almost all scripts call /bin/sh, symlinked to /bin/dash, which does not have the vulns.


DefCon corollary — Seeking Employment

Back in 1999, DefCon attendees were viewed with great suspicion by employers.   When a manager of the NSA or a big company became known at the conference, he was overrun by attendees trying to give him their resume, but were mostly denied.   Whenever I described any knowledge of hacking methods, the response was always fear.   So I stopped going into detail, even when the job is computer security.   These days though, people (without a record) who know how hacking is done and how to defend against it, are actively recruited.



DefCon: The good, the bad and ‘the Feds’

defconAh, DefCon, my favorite convention.   I should have gone this year.   It’s a celebration of determination, independence, intellectual accomplishment, and constant learning.

My brother and I went to DefCon in 1999.   I managed to talk my way into the Press Room and got full press credentials with access to special areas   —   I’d hacked the hacker’s conference.   I did have to wait 20 minutes for my brother to get through the regular line though.   I later sold my DefCon press credentials on eBay for $14.   Shoulda kept them.


HowTo: Prevent Tracking via the Browser Cache     

Practically speaking, all of today’s browsers use an internal cache, which stores web objects temporarily so that if they are called for repeatedly, they are brought from local cache much faster than if there were a full web access.   Well, there are some tricks to use your cache to track your movements around The Internets, even if you disable or clear cookies and LSO-cookies.


An Idea for Solving the Certificate Authority Vuln Problem

~~   Forward   ~~

A while back, Comodo and DigiNotar were compromised, opening any SSL using those certificates to attackers.   Maybe it’s time to acknowledge that the traditional SSL trust model is outmoded.   Every web browser trusts the word of scores of Certificate Authorities, and if any one of those CA’s is compromised by a cracker, government agency, or internal hire, then there is no way to know that your HTTPS connection isn’t being intercepted.   Further, if a CA (GeoTrust for example) has a large market share of SSL certs, browsers can’t then just “un-trust” them, as millions of non-tech users will start getting https errors and won’t know what it means nor what to do.   My ideas cover both the questions of forgery, and of CAs which are effectively too large to fail.

Rather than requiring that a root certificate be signed by a single trusted authority, require multiple and independent trusted signatories.


HowTo: ID and Avoid a TBird Bug, and Rake Your Email Client for Other Vulns

~~   Forward   ~~

All of us use a desktop email client to fetch our email, to respond, and to screen out spam.   When you click a link in an email, it will normally come up in your main web browser and take you to that site.   But there’s a way of crafting a link such that when you’re using Mozilla Thunderbird and click on a link, it opens the website in a Thunderbird tab instead of your default web browser.

Why is this a problem?   Because if you have hardened your browser to any reasonable level of security, all those protections are bypassed when the link is opened in a tab of TBird.   I use Iceweasel/Firefox with modifications from the TorBrowser, which include various configuration changes and addons to enhance security and privacy.   For example, addons I use are TorButton, NoScript, RefControl, HTTPS-Everywhere, RequestPolicy, AdBlock Edge, and Element Hiding Helper.   And I browse almost exclusively through TOR.   None of these security mechanisms is emplaced when links are opened in a TBird tab.


What Is Going On With eBay?

I’ve been a member and seller on eBay with the same user ID since 1998, and regularly turn to the site when I want to buy or sell just about anything you can mail.   But recently there have been attacks by criminal gangs on user accounts which eBay seems to be unable or unwilling to inhibit.   These gangs take over an innocent user’s account, possibly by tricking them out of their username and password (or possibly through an internal eBay vuln, which I think is more likely), and then use that account to sell non-existent items (and collect the money) and to seek and find more victims.

Many of the compromised accounts have 100% positive feedback, and had prior sold hundreds of items.   One victim who had his account hijacked says he was locked out of his account, and then later billed “around $50” by eBay for seller’s fees on items he had never heard of.   When customers click on a scammer’s listing, they are redirected to a professional, official-looking page which asks them to log in and ‘confirm’ their credit card and bank account details!   The items ostensibly for sale in these compromised listings range from smartphones and TVs to laptops and bicycles.

Users are taken to a fake page like this by XSS.   But notice the URL is not eBay and has the country-code of Ukraine, the worst for scams next to Nigeria!   Usually  though customers will only see the right-hand side of a long string of gibberish and won't notice.

Users are taken to a fake page like this by XSS.   But notice the URL is not eBay and has the country-code of Ukraine, the worst for scams next to Nigeria!   Usually though customers will only see the right-hand side of a long string of gibberish and won’t notice.