Universal Encrypted Data In Transit – RHEL

Most companies today use Virtual Private Networks for remote users to connect with the enterprise, but few companies encrypt network traffic internally.   So why would universal encryption be a good idea?   Because perimeter defenses have become so good that most security breaches these days have happened when the instigator is already inside the system, as with phishing, SQL injection, or buffer overflow incursions.   Once inside, and with privilege escalation or a vulnerable switch, they can then monitor all traffic.

But let’s back up for a minute and consider VPNs.   A VPN is a ‘tunnel’ within the datastream which carries its data, isolated from the rest of the datastream by encryption.   It is only a ‘virtual’ tunnel since all the data is there with the rest of the crowd, but it is logically isolated from other packets as it is not cleartext.   The headers for its packets describe where it’s coming from, where it’s going, which packet it is in its stream, and information on the encryption, but the payload of each packet is encrypted using the cipher, hash and handshake which were agreed to by both ends at the beginning of the session.   IPSec is not traditional encapsulation, where a packet is wrapped in an encryption protocol, which may be wrapped in yet another protocol.   IPSec flows in transport mode as normal packets, only encrypted.


Saving An Echo

My Echo SRM-2100 line-trimmer has given very good service in the ten+ years I’ve owned it, from fully mowing my half-acre yard when I lived in the cabin on 123rd St, to the limited lawn I have now.   Commercial-grade (straight-shaft) Echos have a very good reputation for durability, and a low exhaust note which is less annoying.

But lately it’s been hard to start, and simply would not idle;   I have to hold the trigger all the time.   These symptoms are usually related to fuel delivery, maybe a clogged idle circuit.   Well, it’s been faithful for a long time, so maybe it’s time to give it some love.


HowTo: Monitor the Network – Plasmoid

I always like to know what’s going on with my individual systems (especially air-gapped LANs), so if it hangs I have a good idea why.   And I especially like to know when lots of data is going out of my systems.   So we are going to make a handy little plasmoid which does this very effectively, and will run on KDE, XFCE, LXDE, etc, and given its cmake origin will probably build and run on OS-X and Windows as well.

Here’s what it looks like.   It sits in your System Tray, and monitors the outward network interface.   Green traffic (bottom) is incoming, and red traffic (top) is outgoing.   You can set the scale to just about anything, but I’ll give a reasonable default below.


Router Security

Awareness of router security is finally beginning to grow.   All of us have routers, large or small;   it’s the bridge between ‘The Internets’ and our LAN, and smaller ones have a built-in firewall which many rely on as their only protection.

All routers come with a well-known default username and password, which most people have enough sense to change.   This helps prevent not only unauthorized access over the airwaves, but also through the internet itself, although WPA2 should also be turned on for airwaves protection.

Recently there’s been more black hat exploitation of certain brands of small router, specifically Asus and the sorry Linksys and DLink routers.   Users often opt for convenience and so turn on Remote Admin…   and black hats have automatic worms running around (check at :23 seconds) out there specifically looking for vulns to exploit for fun and profit.   NEVER turn on Remote Admin, and it’s not a good idea to turn on router disk sharing as it uses the terrible Windows Server Message Block (SMB) protocol.


Home Theater – Build a Mega-Screen

I’ve been watching TV on front projector since 2006, and it came to the point where, um, a 10′ screen just wasn’t big enough anymore.   You know how it is…



Home Theater – Folding Light

When I moved to this house around 4 years ago, I found that the den is too small (15′ x 11′) to accommodate my very good Planar home theater projector, even though it is fitted with a short-throw lens.

Swapping from a long-throw lens to a short-throw lens on my expensive new projector.  (eeek!)

Well this is a problem because the image will be way too small for my 12′ diagonal screen.   There was nothing more I could do to the projector but I still needed some way to lengthen the throw.   But how, when the walls are in the way?


HowTo: Xen, for the Everyday Microkernel

~~   Forward   ~~

Most people think of Xen as only being applicable to large organizations like Amazon’s AWS, RackSpace and other clouds, and various clustering applications.   Why is Xen such a good model of virtualization, clustering and security?   Because it’s the closest we have for now, to a production microkernel architecture.

~~   The Microkernel Model   ~~

The microkernel operating system model is one which rethinks the very core of the way operating systems work.   With a microkernel, very few functions are actually handled by the core kernel in privileged mode, and the kernel itself is simple, compact, and fast.   The minimal functions handled by the microkernel are low-level address space management, thread management, and inter-process communication.   All other OS functions, including device drivers, protocol stacks, file systems, etc., are handled in user space.   If there is a buffer overflow or other vuln in a driver of the microkernel system, the best a cracker could do is get to the non-privileged user that driver is running as, inside the virtual machine it’s running in.


HowTo: Prevent Tracking via the Browser Cache

Practically speaking, all of today’s browsers use an internal cache, which stores web objects temporarily so that if they are called for repeatedly, they are brought from local cache much faster than if there were a full web access.   Well, there are some tricks to use your cache to track your movements around The Internets, even if you disable or clear cookies and LSO-cookies.


HowTo: ID and Avoid a TBird Bug, and Rake Your Email Client for Other Vulns

~~   Forward   ~~

All of us use a desktop email client to fetch our email, to respond, and to screen out spam.   When you click a link in an email, it will normally come up in your main web browser and take you to that site.   But there’s a way of crafting a link such that when you’re using Mozilla Thunderbird and click on a link, it opens the website in a Thunderbird tab instead of your default web browser.

Why is this a problem?   Because if you have hardened your browser to any reasonable level of security, all those protections are bypassed when the link is opened in a tab of TBird.   I use Iceweasel/Firefox with modifications from the TorBrowser, which include various configuration changes and addons to enhance security and privacy.   For example, addons I use are TorButton, NoScript, RefControl, HTTPS-Everywhere, RequestPolicy, AdBlock Edge, and Element Hiding Helper.   And I browse almost exclusively through TOR.   None of these security mechanisms is emplaced when links are opened in a TBird tab.


Re-Roofing With Torch-Down Modified Bitumen

Putting on a new roof is way out of my normal line, but I decided to learn it because I love to learn, and eh, because I wanted to save $4,000.   And anyway, I need the exercise.   I will explain this without shyness of my mistakes and in unvarnished words, so you can learn from my good and bad and do it right yourself the first time.

I own a property in unincorporated Everett, WA with a half-acre of developable land, and a house that was built in 1964.   The roof on the house is the original, and is thus in terrible condition after 50 years;   the tenants recently complained about a leak, so as a temporary measure I covered the area with a tarp.
21 Aug 2016


HowTo: Build an Encrypted ZFS Array ~ Part 2 ~ The Array

This is a continuation of Build an Encrypted ZFS Array – Part 1 – Encryption, although if you do not choose to encrypt, you could pick up here.   This HowTo is Debian-centric.   Caution:   Sometimes command-lines wrap below, because of the width of the page.

~~   Building the Array   ~~

We now have 4 disk drives set up encrypted, and their raw devices reside at /dev/mapper/sdb ~ sde.   We want to assemble these into a ZFS array so they’ll appear as one volume to the system, and with RAID-Z for data integrity.   First a few rules:


HowTo: Build an Encrypted ZFS Array ~ Part 1 ~ Encryption

~~   Forward   ~~


The Zettabyte File System is an advanced filesystem which was developed by Sun Microsystems and is now owned by Oracle, and although it has always been open-source, its CDDL license is incompatible with GPL and so it will not be included in the Linux kernel.   Now that ZFSonLinux is stable though, it is available as a DKMS package.

With this article, we are going to set up a ZFS array of multiple disks, which will be assembled to appear as one volume, for use as /home, or /media/backups, or other functions where massive data storage is required.   In addition each of the disks comprising our array will be encrypted, and the data will be compressed for better storage efficiency and throughput.   Now this may look long, but I am documenting everything and I’ve made every effort to make it easy.


HowTo: Convert Debian From SysV to Systemd

~~   Forward   ~~

For many years, Debian has used the SysV init.d system to start needed daemons and set things up.   But SysV cannot work multi-threaded, and does not have controllable dependency resolution.   Upstart was invented to address some of these shortcomings, and RedHat and Ubongo tried it, but Upstart is just not extensible enough for future needs.   And so we turn to Systemd.

Systemd was developed for Linux to replace the init.d system inherited from UNIX System V and Berkeley Software Distribution (BSD) operating systems.   Unlike init.d, which is scripted, Systemd is a daemon that manages other daemons, and all daemons (including systemd) are background processes.   Systemd is the first daemon to start (during boot) and the last daemon to terminate (during shutdown).   Systemd starts each daemon, monitors it, and stops it in an orderly way.   And Debian will be moving to systemd when revision Jessie is released as Stable around Nov, 2014.

Why wait?   Works great.   Let’s learn and use it now as it’s a better paradigm, and brings Debian into the 21st century.


The Depressed Jeep

My 2007 Jeep Grand Cherokee has been ill ever since I bought it three years ago.   The Check Engine light was on and it throws a code of P013C, “O2 SENSOR 2/2 SLOW RESPONSE – RICH TO LEAN”.   This is an unfixable plague for Jeep owners, and has become known as “the AIDS of Jeeps”.   So I bought a cheap OBD2 bluetooth dongle and an excellent Android phone app called Torque.   Checking my car’s oxygen sensors on engine bank 1 (driver’s side), I had what I should have:



HowTo: Set Up Reverse SSH Tunnels to Forward Ports

~~   Forward   ~~

Sometimes, we have a powerful machine on our LAN, where we would like to run -all- our services like Squid, CUPS, MythTV, TOR, and so on.   In my case this is my Home Theater PeeCee.   I have all the appropriate daemons running on that machine and their listening ports are only on, and not on any outside interfaces (which would be a security problem).

But I also want these services on the other machines of my LAN, like the laptop and so on.   With reverse SSH tunnels, on the laptop I instigate a tunnel to the HTPC, and the HTPC’s daemon port is then forwarded through the encrypted tunnel to the laptop.   That port now appears on the laptop at as if it’s local.   When I use that service, the laptop reaches into its bellybutton, goes through the encrypted tunnel to the remote server, and accesses the service running on the remote HTPC.   All of this is done through SSH with military-grade encryption, so you can do this no matter where you are, securely.   No matter what daemon, only port 22 is ever open to the outside.   And, it’s fast.


HowTo: Render SSL on your Hosted Websites


~~   Forward   ~~

With all the websites that still do not use SSL, and the clear benefits that SSL provides, the only reason I can see that people are still not using it is that it’s not straightforward for the time-challenged and the uninitiated.   So let’s do this.

Secure Sockets Layer is currently the most common method of encrypting access to websites.   It’s used by all manner of e-commerce, banking, security and other websites, and is highly advisable for all sites as it provides protection for your visitors and you.   SSL is a streaming cipher (as opposed to a block-cipher, i.e. for disks) which offers perfect forward secrecy as it uses a long-term public/private keypair, to exchange short-term symmetric keys for streaming.

This HowTo assumes that you have one or more websites residing with a hosting firm, and that you control them with cPanel.   It also assumes that you’d like to have your SSL certificates, eh, without cost.


HowTo: Set Up TOR for a Single User, or as a LAN Gateway

~~   Forward   ~~

The TOR Project (“The Onion Router”) is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet.   It provides the foundation for a range of applications which allow organizations and individuals to share information over public networks without compromising their privacy.

  • Individuals use Tor to keep websites from tracking them and their family members, or to connect to news sites, email, instant messaging services, IRC, or the like when these are blocked by their local Internet providers.   Tor’s ‘hidden services’ let users publish web sites and other services without needing to reveal the location of the site.   Individuals also use Tor for socially sensitive communication:   chat rooms and web forums for rape and abuse survivors, or people with illnesses.
  • Journalists use Tor to communicate more safely with whistleblowers and dissidents.

HowTo: Cache Web Objects with Squid


~~   Forward   ~~

Be kind to the Internet.   Practice good web hygiene and help yourself at the same time.   Squid is a venerable web object caching server, which optimizes the data flow between your browser and that distant webserver to improve performance and cache frequently-used content to save bandwidth.


HowTo: Prevent DNS Cache Poisoning

~~   Forward   ~~

There has been a long history of attacks on the domain name system, ranging from brute-force DoS attacks to targeted attacks requiring specialized software.   A ne’er-do-well could send a few packets, which result in many packets to the target, an effect called ‘amplification’.   In July 2008 a new DNS cache-poisoning attack was unveiled that is especially dangerous because it doesn’t require substantial bandwidth or CPU nor does it require complex techniques.

With ‘cache poisoning’ an attacker inserts a fake address record into a Domain Name Server.   If the DNS accepts the false record, the cache is poisoned and further requests for that domain are sent to the attacker’s server.   The fake entry is cached by the DNS for as long as the ‘time to live’ (TTL), usually a couple of hours.   So you might think you’re going to your bank or to pay a bill, but you’re handing over your login info to the attacker.