June 2005 Archives

Chris Josephes

Related link: http://www.startribune.com/stories/462/5481317.html

If you’re not from my area, you may not know too much about this hacking incident. Here’s a brief summary.

Medica, a Minnesota-based health plan provider, has experienced a publicized security breach: it was disclosed that hackers stole confidential data from their servers. In this case, the perpetrators of the breach are believed to be a pair of former employees, who downloaded internal company documents and went through executive emails. According to Medica statements, it is unlikely that personal information of Medica’s customers has been downloaded or compromised.

The Star Tribune article gives the rundown of the security issues from a former employee. By reading the article you can make guesses as to what Medica had (or did not have) as far as a security infrastructure, but it’s still very light on details. We’ll probably learn more during the lawsuit against the employee hackers.

But I have to question the motivations of the former security engineer in bringing up these details to the press. Was it a sense of civic duty, a simple discussion with a reporter, or was it grandstanding? That’s not my place to say. But I’m probably not the only person out there who has the same question.

To put things in another way, what’s going to happen when I try to Google some search terms like: ‘“employee name” security’. This probably isn’t a good thing in the long run.

I will offer some advice. If you’re a systems administrator, just be careful when it comes to disclosures to the media. If you’re a current employee, there are proper internal channels that need to be followed before you should even speak to a reporter. If you’re an ex-employee, take a few minutes and think about what you want to say, whether or not it’s really worth saying, and whether or not your name should be associated with it.

Dru Lavigne

Related link: http://2005.meetbsd.org/

I was invited to give a talk and a workshop at this year’s meetBSD, a conference for the Polish BSD community. This was the second meetBSD. The first proved so popular that the conference was increased from one day to a three day weekend.

While I can’t comment on the technical talks (besides mine and Scott Long’s, all the presentations were in Polish), I can give you an idea about the Polish BSD community.

After an unanticipated and hellish stay at the Paris airport, I arrived a few hours late at Warsaw wondering if the person who was supposed to pick me up was still there and if I’d be able to find him. And if not, if I’d be able to figure out the Polish telephone system. (One thing I’ve discovered about travelling to Europe is that every telephone and every toilet seems to operate differently.)

I was very pleased that the first face I saw belonged to none other than Pawel Dawidek. I had met Pawel at BSDCan and had had several good conversations and emails regarding his work on gmirror(8) and GEOM.

Having already missed the train to Krakow, Pawel invited me to spend the afternoon with him and his girlfriend. He made sure we had a chance to freshen up, check email, eat and have a quick tour of Warsaw. This was my first introduction to Polish hospitality.

That evening on the train to Krakow, we had a chance to meet many of the other attendees and their girlfriends. This was the first BSD conference I’ve attended that had a higher ratio of female to male attendees who weren’t just someone’s wife or girlfriend (5 out of 75 vs. the usual 1 out of 175). It was also the first country I’ve visited where everyone had a girlfriend. When I remarked on it, they were amazed that geeks in other countries were often the butt of can’t-get-girlfriend jokes. As one person simply stated, “how could you live without one?” Indeed.

The first day of the conference, I was slated as the third speaker. I found myself an outlet and settled down to catch up on email and some work. I was typing along when someone made an announcement in Polish. The last 2 words of the announcement were “Dru Lavigne” whereupon the entire audience turned their heads to look at me. Thus I found out that there had been a scheduling change and it was my turn to speak about BSD Certification.

The PDF of the talk should appear on the meetBSD website shortly. If anyone is interested in hosting the slides, drop me an email. Also, the PDF for the workshop is being hosted at the NYCBUG library and should show up sometime next week.

After the talk, I was interviewed by Aleksander Fafula who runs Poland’s largest BSD portal. The URL to the English version of the interview will appear in the June version of the BSD Certification Newsletter.

At lunch I discovered that Poles are very big meat eaters. I also learned the meaning of the word “hearty”. If you ever go to Poland, rest assured that you will eat very well for very little zloty (the Polish currency).

As with any conference, the talks are interesting and informative but the real heart of the conference occurs in the after-hours social networking. In this respect, meetBSD was by far the best BSD conference I have attended. I had a chance to talk with nearly every one of the 75 attendees and had a very good opportunity to see the who’s who in the Polish BSD community. Not surprisingly, BSD is quite popular with ISPs and servers; I was surprised that it was almost exclusively FreeBSD. The Polish community is well educated (due to the free post-secondary education) and the average age seemed to be about 25. In the attendees, there was a good mix of students, consultants and trainers. Everyone seemed very enthusiastic about BSD certification and I made many good contacts in that regard. Everyone was very happy to talk about how things are in Poland and equally curious about North America.

For those wondering about the beer, Poles are very proud of theirs. I found it a bit too light for my taste as I like very dark bitter beer. However, I highly recommend Zubrowka, a very smooth vodka containing, of all things, bison grass. However, make sure you have a group of friends with you if you’re thinking of ordering a “kamakaze”. It was in the menu under cocktails so I was expecting a glass with an umbrella. Instead I got a platter containing 18 shot glasses of vodka diluted with a bit of Curacao and lemon juice.

Krakow itself is a beautiful city, rich with history, culture and architecture. It has its own castle, complete with dragon bones and an interesting story. In Poland, everything has an interesting story. I had a chance to visit many of the interesting sites with some of the attendees: the famous Market area, the castle, the former Jewish district. I also had a chance on my last day in Poland to visit Oswiecim (Auschwitz).

I’ll let you know if I come across any pictures of the conference; they should be posted on the Net shortly.

Dru Lavigne

The other day, my upgrade script informed me that Perl was out of date. I let out a slight groan as I could only imagine how many applications depended upon Perl and envisioned many hours of port rebuilding ahead.

Not surprisingly, /usr/ports/UPDATING had this to say:

20050624:
AFFECTS: users of lang/perl5.8
AUTHOR: tobez@FreeBSD.org

lang/perl5.8 has been updated to 5.8.7. You should update everything depending on perl. The easiest way to do that is to use perl-after-upgrade script supplied with lang/perl5.8. Please see its manual page for details.

I’m happy to report that the upgrade was not painful at all. I simply did this:

# portupgrade -rR perl
# man perl-after-upgrade

This manpage clearly defined the steps and how to resolve any errors. As advised, I started with the dry run:

# rehash
# perl-after-upgrade

This is where I learned that 81 of my 220 installed applications depended upon Perl! The output also cautioned me that I should check that snmp still worked okay after the upgrade. I then ran the script in work mode:

# perl-after-upgrade -f

On my system, the script worked flawlessly without any errors and took less than 15 minutes to do its thing. The manpage describes what the script actually does:

“The standard procedure after a perl port (either lang/perl5 or lang/perl5.8) upgrade is to basically reinstall all other packages that depend on perl. This is always a painful exercise. The perl-after-upgrade utility makes this process mostly unnecessary.

The tool goes through the list of installed packages, looks for those that depend on perl, moves files around, modifies shebang lines in those scripts in which it is necessary to do so, tries its best to adjust dynamically linked binaries that link with libperl.so in the old path, and updates the package database.”
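To make that description concrete, here is an added example (my own, not the post’s and not the perl-after-upgrade tool): a small stand-in for one of the steps the manpage lists, finding scripts whose “#!” line still names the old perl binary and rewriting it. Like the real tool it only reports by default and changes files only when asked. OLD_PERL and NEW_PERL are assumed paths chosen for illustration, and the sample scripts in the demo are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post or of perl-after-upgrade:
# find scripts whose "#!" line still points at the old perl and rewrite it.
# Paths are assumptions for illustration (5.8.7 is the version from the post).
OLD_PERL=/usr/local/bin/perl5.8.6   # assumed old interpreter path
NEW_PERL=/usr/local/bin/perl5.8.7   # assumed new interpreter path

# List every regular file under $1 whose first line is "#!<OLD_PERL>", with
# or without interpreter flags. Backup copies (*.bak) left by fix_shebang are
# skipped so a fixed tree counts as clean.
find_stale_shebangs() {
    find "$1" -type f ! -name '*.bak' | while read -r f; do
        first=$(head -n 1 "$f" 2>/dev/null)
        case $first in
            "#!$OLD_PERL"|"#!$OLD_PERL "*) printf '%s\n' "$f" ;;
        esac
    done
}

# Number of files under $1 still pointing at the old perl; 0 means clean.
count_stale() {
    find_stale_shebangs "$1" | wc -l | tr -d ' '
}

# Rewrite only the first line of $1, keeping flags such as -w, and leave a
# .bak copy so the change can be reverted.
fix_shebang() {
    cp "$1" "$1.bak"
    sed "1s|^#!$OLD_PERL|#!$NEW_PERL|" "$1.bak" > "$1"
}

# One pass over tree $1: dry run unless $2 is "fix", mirroring the tool's
# "report first, then -f" workflow. Prints what it did plus the remaining count.
perl_shebang_pass() {
    find_stale_shebangs "$1" | while read -r f; do
        if [ "${2:-}" = fix ]; then
            fix_shebang "$f"
            echo "fixed: $f"
        else
            echo "would fix: $f"
        fi
    done
    echo "remaining: $(count_stale "$1")"
}

# Stand-alone demo on a constructed tree of three small scripts.
if [ "${1:-}" = "--demo" ]; then
    root=$(mktemp -d)
    printf '#!%s -w\nprint "a\\n";\n' "$OLD_PERL" > "$root/a.pl"
    printf '#!%s\nprint "b\\n";\n' "$OLD_PERL" > "$root/b.pl"
    printf '#!/usr/bin/env perl\nprint "c\\n";\n' > "$root/c.pl"
    perl_shebang_pass "$root"        # dry run: two "would fix" lines, remaining: 2
    perl_shebang_pass "$root" fix    # rewrites a.pl and b.pl, remaining: 0
    rm -rf "$root"
fi
```

Run it with --demo to see the dry run followed by the fix. The real tool does considerably more (moving files, patching binaries linked against the old libperl.so, updating the package database), which is exactly why it is worth a beer.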

It also indicates that this script is under a BEER-WARE license:

COPYRIGHT AND LICENSE
Copyright 2005 by Anton Berezin

“THE BEER-WARE LICENSE” (Revision 42)
wrote this module. As long as you retain this notice you can do whatever you want with this stuff. If we meet some day, and you think this stuff is worth it, you can buy me a beer in return.

Anton Berezin

NO WARRANTY OF ANY KIND, USE AT YOUR OWN RISK.

All I can say is that Anton definitely deserves a beer for making a potentially time-consuming process effortless. No spending days rebuilding 81 applications. And certainly no dependency hell to deal with here.

Being curious, I asked Google a bit about Anton and found his website. His FreeBSD blog contains some interesting Perl scripts. If you play with jails and ports and like Perl, check them out.

Kyle Rankin

Related link: http://www.knopper.net/knoppix/index-en.html

A totally new release of Knoppix was unveiled at LinuxTag 2005, Knoppix 4.0. This is the release that introduces the split between “maxi” DVD and “mini” CD releases. I’ve tried out the 4.0 DVD and let me tell you, I’m like a kid in a candy store.

Note: This DVD is not yet available for download. Klaus often creates a special version of Knoppix for LinuxTag that then gets released to the general public (often with some updates) a few weeks afterward. In the case of Knoppix 4.0 I imagine the DVD being handed out at LinuxTag will be pretty similar in features and software to what gets released to the general public. Still, think of this review as more of a preview of what the download release likely will be.

Klaus Knopper has always been able to fit tons of useful software on his CD releases. With each release it was amazing just how much functionality he squeezed into a 700Mb CD image. However some time around the beginning of the 3.x series you could tell that it wouldn’t last forever. With each release it seemed like some software had to go–the Koffice suite for example–as major packages such as KDE and OpenOffice just kept getting bigger. It seemed from the outside like the largest efforts going into Knoppix were just figuring out what to keep and what to leave behind, and how to squeeze everything on the CD.

With the 4.0 DVD, these problems are a thing of the past. As I was browsing through the software so I could write this blog entry, I felt like a kid in a candy store. There are simply tons of packages on this DVD. For one, Klaus has included the Gnome desktop environment so you can choose between KDE, Gnome, Window Maker, Ice WM, XFCE, fluxbox, openbox, and others. To change the desktop from the default KDE desktop, just click K->Knoppix->Utilities->Choose/Restart KNOPPIX Desktop, or at boot type the cheat code desktop=name_of_desktop. Even the default desktop has a fresh look–KDE itself has updated packages and uses the PlastiK theme by default.

There are hordes of other tools included on the DVD as well. It’s difficult to know where to begin (and I’ve only scratched the surface of this DVD so far), but some packages of note are a suite of KDE-based bluetooth management tools, the Epiphany browser, the complete KOffice suite, loads of games, the Blender 3d modeller, tons of development tools, and many other programs. In addition to the new packages, every package has received an update including the kernel (2.6.11), KDE (3.4.1), Firefox (1.0.4) and Thunderbird (1.0.2).

Knoppix 4.0 includes UnionFS as well, so if Knoppix somehow doesn’t have the software you need included on the DVD, you can use either the KPackage or Synaptic graphical packaging tools, or apt-get from the command line, to install directly to the ramdisk just like with an installed Linux distribution. To save any changes you have made, click “K->Knoppix->Configure->Create a persistent KNOPPIX disk image” and follow the directions in the wizard to save the changes to writeable media like a USB drive.

For Windows users, Knoppix even includes the ClamAV virus scanner by default so you can scan a system for viruses even if you don’t have network access. Just boot Knoppix, click on the hard drive icon that represents your Windows partition (probably /dev/hda), and then, if you have Internet access, run sudo freshclam with no arguments from a console to update your definitions, otherwise go to the next step. The next step is to run the actual scan, so type:

$ clamscan -r --bell /mnt/hda1 > ~/clamscan.txt

Replace /mnt/hda1 with the path to your mounted Windows partition (or even a subdirectory on that partition). The scan will take some time depending on the size of the partition, so put on a pot of coffee. When the scan finishes, you can tail the file to see the results:

knoppix@0[knoppix]$ tail ~/clamscan.txt
/mnt/hda1/WINDOWS/AGRSMMSG.exe:OK

----------- SCAN SUMMARY -----------
Known viruses: 35469
Engine version: 0.85.1
Scanned directories: 1516
Scanned files: 21658
Infected files: 0
Data scanned: 4597.77 MB
Time: 2898.263 sec (48 m 18 s)
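Since the scan writes a plain text report, it is easy to have a script read the result instead of eyeballing the tail. The following is an added example (mine, not from the post or from ClamAV): it pulls the “Infected files” count out of a saved report, lists the paths the scanner flagged, and turns the whole thing into an exit status you can branch on. The sample report it builds is constructed; only its layout follows the real output above, and the one hit is the harmless EICAR test file, which ClamAV reports as Eicar-Test-Signature.

```shell
#!/bin/sh
# Added example, not from the post or from ClamAV: read a saved clamscan
# report and act on it. The sample report below is constructed.

# Value of the "Infected files:" summary line in report $1, or "unknown" when
# the summary is missing (for example because the scan was interrupted).
clamscan_infected_count() {
    awk -F': ' '/^Infected files:/ { print $2; found = 1 }
                END { if (!found) print "unknown" }' "$1"
}

# Paths of files the scanner flagged. Per-file lines look like
# "/path/to/file: <signature name> FOUND"; clean files end in ":OK".
clamscan_found_paths() {
    awk '/ FOUND$/ { sub(/: [^:]* FOUND$/, ""); print }' "$1"
}

# Triage a report: exit 0 = clean, 1 = something was flagged, 2 = no usable
# summary. Flagged paths are printed so they can be examined or quarantined.
clamscan_triage() {
    n=$(clamscan_infected_count "$1")
    case $n in
        unknown) echo "no scan summary in $1" >&2; return 2 ;;
        0)       echo "clean: $1"; return 0 ;;
        *)       echo "$n file(s) flagged in $1:"; clamscan_found_paths "$1"; return 1 ;;
    esac
}

# Constructed sample report: one clean file and one EICAR test-file hit.
write_sample_report() {
    cat > "$1" <<'EOF'
/mnt/hda1/WINDOWS/AGRSMMSG.exe:OK
/mnt/hda1/Documents/eicar.com: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 35469
Engine version: 0.85.1
Scanned directories: 2
Scanned files: 2
Infected files: 1
Data scanned: 0.01 MB
Time: 0.5 sec (0 m 0 s)
EOF
}

# Stand-alone demo: writes the sample report and triages it (exit status 1).
if [ "${1:-}" = "--demo" ]; then
    r=$(mktemp)
    write_sample_report "$r"
    clamscan_triage "$r"
    rm -f "$r"
fi
```

Point clamscan_triage at ~/clamscan.txt after a real scan; the “unknown” branch matters because a scan that died half-way leaves a report full of :OK lines and no summary, which is not the same thing as a clean result.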

I’ve really only scratched the surface of the Knoppix 4.0 DVD. There are many other new tools that I still need to explore, but suffice to say that having a DVD’s worth of Knoppix greatly increases the flexibility of the tool. I look forward to seeing the “Download version” of the DVD be released to the general public.

Anton Chuvakin

Related link: http://www.securityfocus.com/print/columnists/334

While everybody and their dog already blogged about it, here it is: a fun interview with Marcus Ranum on security.

You know, I always had trouble understanding what the word “curmudgeon” means (no matter how many times I type “define: curmudgeon” in Google :-)), but this piece really explains it. Plentiful examples include: “whole RFC process is obsolete”, “I see very little that’s new and even less that’s interesting [in security]”, “I believe we’re making zero progress in computer security, and have been making zero progress for quite some time”, “If the CTOs of 10 FORTUNE 500 firms announced that they were deferring further purchases…”

So, is “everything good” in security already invented? No! I think nowadays it is not about “inventing 100% protection” (which is indeed already invented - by Ranum), which Ranum talks about, but rather about “how do I get exactly the right amount of protection while sacrificing a minimum acceptable amount of usability/efficiency”…

Anton Chuvakin

Related link: http://taosecurity.blogspot.com/2005/06/cissp-any-value-few-of-you-wrote-me.html

In his ever-insightful piece “CISSP: Any Value?” (referenced above), Richard Bejtlich says “I think the root of the problem is the concept that the CISSP somehow measures technical competence. The CISSP in no way measures technical skills. Rather, it should measure knowledge of security principles. It does not meet that goal, either.” Read the whole article and the discussion that follows it on his blog!

Anton Chuvakin

Related link: http://www.computerworld.com/printthis/2005/0,4814,102653,00.html

I am usually fascinated with people pointing out mistakes in something :-) Here is a cool list of seven security mistakes, quoted from the paper.

“1. Failure to realize that perimeter security is dead

2. Failure to protect laptop computers

3. Failure to institute effective change management

4. Failure to realize the importance of security awareness

5. Failure to implement a defense-in-depth strategy

6. Failure to take the spam and spyware threat seriously

7. Failure to implement a vulnerability management strategy”

I like them since they are more modern than some other similar resources. About the #1, I wouldn’t say it is “dead”, but it certainly is not the whole story nowadays.

Anton Chuvakin

Related link: http://businessweek.com/technology/content/jun2005/tc20050617_1613_tc024.htm

That is an amusing report on the security of security software (!). A new report “shows the number of vulnerabilities found in security products increasing sharply for the third straight year — and for the first time surpassing those found in all Microsoft products.” Wow!

Kyle Rankin

Related link: http://mplayerhq.hu/DOCS/HTML/en/edl.html

Ahh family movie night… If you have ever had a family movie night with children of mixed ages, it can be rather interesting finding a movie that is suitable and enjoyable for everyone. It seems no matter what movie you choose (unless it’s rated G) there’s always that one scene that you wish weren’t there. Chances are you end up pressing the Mute button or Fast Forward button at least once to skip past some questionable content. Chances are also good that when you do this, you will edit out dialogue only to unmute right as a character curses or blows something (or someone) up.

I’ve used mplayer as a media player under Linux for a long time, and while browsing through their steadily growing documentation, I came across the Edit Decision List (or EDL) feature. An EDL is basically a text file with each line containing a start time and end time in seconds, and an action. If the action is 0 mplayer will skip the scene, if it is 1 mplayer will mute it. Here’s a sample file from the mplayer documentation:

5.3   7.1    0
15    16.7   1
420   422    0

This EDL would tell mplayer to skip between 5.3 and 7.1 seconds in a video, mute between 15 and 16.7 seconds, and skip between 420 and 422 seconds. It might seem a bit cumbersome to create this file, but mplayer provides a shortcut. Start mplayer with the -edlout option:

$ mplayer -edlout test.edl file.avi

As mplayer goes through the video, when you see a scene you want to edit or skip, hit ‘i’ and mplayer will write down the start time in the file and set it to skip for 2 seconds. When you finish the movie you just go back to the file and tweak the timings to suit you. Once the file is complete run mplayer with the -edl option to use your file:

$ mplayer -edl test.edl file.avi
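Because the EDL is hand-edited after the -edlout pass, it is easy to end up with a reversed time pair, an entry that overlaps the one before it, or a stray action code. Here is an added example (my own, not from the post or from the MPlayer project) that checks a file against the format described above, totals how much of the film is skipped or muted, and can shift every entry by a fixed offset, which is handy when the same film shows up with a different lead-in. The sample EDL in the demo is the one from the post.

```shell
#!/bin/sh
# Added example, not from the post or from MPlayer: sanity-check an EDL file
# ("start end action", times in seconds, action 0 = skip, 1 = mute).

# Validate EDL file $1. Each problem is printed with its line number; the last
# output line is a summary. Exit status is 0 only if every entry is valid.
edl_check() {
    awk '
    BEGIN { last_end = 0; bad = 0; skip = 0; mute = 0 }
    NF == 0 { next }                                   # blank lines are fine
    NF != 3 { printf "line %d: expected start end action, got %d fields\n", NR, NF; bad++; next }
    $1 !~ /^[0-9]+(\.[0-9]+)?$/ || $2 !~ /^[0-9]+(\.[0-9]+)?$/ {
        printf "line %d: times must be numbers of seconds\n", NR; bad++; next }
    $3 != "0" && $3 != "1" { printf "line %d: action must be 0 (skip) or 1 (mute)\n", NR; bad++; next }
    $1 + 0 >= $2 + 0 { printf "line %d: start %s is not before end %s\n", NR, $1, $2; bad++; next }
    $1 + 0 < last_end { printf "line %d: overlaps the previous entry (ends at %s)\n", NR, last_end; bad++; next }
    { last_end = $2 + 0; if ($3 == "0") skip += $2 - $1; else mute += $2 - $1 }
    END { printf "skipped %.1f s, muted %.1f s\n", skip, mute; exit (bad > 0) }
    ' "$1"
}

# Print EDL $1 with every time moved by $2 seconds (negative allowed). Refuses
# to produce an entry that would start before 0.
edl_shift() {
    awk -v off="$2" '
    NF == 3 {
        s = $1 + off; e = $2 + off
        if (s < 0) { print "entry on line " NR " would start before 0" > "/dev/stderr"; exit 1 }
        printf "%g %g %d\n", s, e, $3
    }' "$1"
}

# Stand-alone demo on the sample EDL from the post.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    printf '5.3   7.1    0\n15    16.7   1\n420   422    0\n' > "$f"
    edl_check "$f"          # skipped 3.8 s, muted 1.7 s
    edl_shift "$f" 2.5      # same cuts, 2.5 seconds later
    rm -f "$f"
fi
```

Run edl_check before handing the file to mplayer -edl; a cut that mplayer silently ignores because the times are backwards is exactly the scene you did not want the kids to see.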

What’s nice about this type of feature is that it gives the consumer control over what censoring occurs in their movies. You can have the R movie you watch with adults, and the PG-13 edit you watch with your children.

Now this feature isn’t just limited to families with children. You could use this to edit out content that isn’t necessarily offensive, but just plain annoying. For instance, you could create your own custom “Phantom Edit” of a movie where instead of cutting out Jar Jar, you cut out whatever other character or scene annoys you. Or, you could use it to cut out commercials from a TV broadcast without firing up the video editor.

What’s even better about EDLs is that since this is a simple text file, it would be rather easy to create your own EDL and then share it with your friends or even the rest of the Internet. I can foresee some sort of web service that would collect and host EDLs for everyone’s mutual benefit.

Kudos to the mplayer team for adding this feature. I look forward to seeing what some creative people are able to do with it.

So, what movie would you use EDLs for?

Justin Clarke

The little things in Macs and OSX are the ones which end up being the most powerful. In this case, my trusty old G3 iBook has bitten the dust with the dreaded Logic Board failure - leading me to discover the firewire target disk mode…. allowing me to back up my internal hard drive over firewire to my Linux box. I love those little things that Apple puts in! Here’s my mini howto.

My first favorite Apple-ism was the “I don’t need a cross over cable anymore” NIC. I mean, how convenient is it having an auto sensing NIC so you never need to have both a normal cable and a cross over cable anymore? Firewire target mode is my next favorite.

For those of you who haven’t come across it yet, firewire target disk mode allows you to mount your firewire-capable Mac’s (list of supported systems here) internal drive as a firewire drive on another Mac. You do this by holding down the “T” key after turning on the Mac. Technically, it allows you to mount the internal drive (with some limitations) as an SBP-2 (serial bus protocol) drive on a different machine. Naturally, this works fine on another Mac, but what if you don’t have two Macs? I don’t, so I got it working on Linux.

Firstly, your Linux setup is going to have to have a few funny settings, so you may have to recompile your kernel. Also, I’m using Gentoo on a 2.6 kernel, so if you don’t have all the options I have, you may have to patch your kernel for some option. In any case, you (I’m guessing here) probably need at least the following options enabled:

File Systems->Miscellaneous file systems->Apple Extended HFS file system
File Systems->Partition Types->Macintosh partition map support
Device drivers->IEEE 1394 (Firewire) support->SBP-2 support
Device drivers->SCSI device support->SCSI disk support

Assuming everything is working properly you should now be able to connect the two computers together using a firewire cable, boot the Mac in target disk mode (holding down the “T” key), and mount the Mac as a firewire disk like follows (note the parameters are for my Mac):

sudo mount -t hfsplus /dev/sdb5 /mnt/mac/

One last note - your normal fdisk won’t read a mac partition table, so look at your dmesg output to see which partitions are on your Mac :-)

Anton Chuvakin

Related link: http://www.sockpuppet.org/tqbf/log/2005/06/how-about-dont-be-evil.html

If you are thinking of getting a CISSP security certification, read this essay by Thomas Ptacek (you know who that is, don’t you?). Here is a quote: “a certificate that is held by less than 10% of the most respected practitioners in the industry, but that is held by more than 90% of third-string consultants and entry level IT secops, lacks some credibility.”

He might be a bit harsh, since his judgement seems biased by his personal perspective, but - you know what? - he has a point. So far, I am pretty happy that I avoided this cert.

Dru Lavigne

Related link: http://2005.meetbsd.org/

On Saturday, I’ll be giving a tutorial on “Installing, Securing and Maintaining FreeBSD Servers” at meetBSD 2005 in Krakow, Poland. The gist of the talk is how to install the minimum possible required to keep a server operational and fully patched.

Since this is a hands-on tutorial and we weren’t sure how reliable the Internet access would be in the lab, I promised to mirror the necessary files on my laptop. My personal goal was to mimic Internet availability within the classroom environment. For example, pkg_add -r should just work; so should cvsup.

I’m providing my working notes as they may be of use to others who find themselves with multiple FreeBSD systems behind a slow or intermittent Internet connection.

On the system hosting the files:

I initially experimented with /usr/ports/net/cvsup-mirror, but it seemed overkill for my purposes. (Michael Lucas wrote a how-to on this utility in his Big Scary Daemons column.)

My laptop already uses cvsup to keep the entire ports collection and all src up-to-date. Meaning, I already had all the tools I needed to create a mirror without installing additional software.

In addition, the other FreeBSD systems in the lab will only require the minimal ports tools but will need full src in order to rebuild world and compile a custom kernel. I wanted to be able to easily control which files students could receive via my mirror.

I started by creating a directory structure to hold the 2 required mirror config files:

# mkdir -p /usr/meetbsd/sup/test
# cd /usr/meetbsd/sup/test

# vi releases
cvs list=list.cvs prefix=/usr

# vi list.cvs
upgrade ports/Mk
upgrade ports/Templates
upgrade ports/Tools
upgrade ports/Makefile
upgrade src

Note that releases should be appropriate for any site wishing to mirror files contained somewhere within /usr. list.cvs should be customized to indicate exactly which subdirectories you wish to be available via cvsup.

To make the mirror available, simply refer to your base like so:

# cvsupd -b /usr/meetbsd

On each system to receive the files:

Prepare the cvsup client. Note that the supfile is similar to the examples found in the handbook except for the sections I’ve bolded. You’ll want to replace IP_address with the IP of the system hosting the mirror:

# pkg_add -r cvsup-without-gui
# mkdir /usr/local/etc/cvsup

# vi supfile
*default host=IP_address
*default base=/usr/local/etc/cvsup
*default prefix=/usr
*default release=cvs delete use-rel-suffix
test

You’ll also want to prepare the missing directories:

# mkdir /usr/ports /usr/src
# chmod 755 /usr/ports /usr/src

Then, run cvsup:

# rehash
# cvsup -L 2 supfile

There you go. You now have your own customized cvsup mirror. If you ever feel like adding or removing available files, simply edit your list.cvs.

Hosting Packages

Next, I wanted to prepare my laptop to host the packages students would need in the class.

On the system hosting packages, create the packages directory:

# mkdir /usr/ports/packages

Then, make the desired packages:

# cd /usr/ports/misc/cvsup-without-gui
# make package-recursive

Note, you’ll have to make deinstall first if this application is already installed on the system on which you’re building the packages.

Once you’ve installed the necessary packages, you’ll want to configure anonymous FTP since pkg_add connects to FTP servers. This can be easily done using sysinstall:

#sysinstall
Configure
Networking
Anon FTP
Yes
ftp (group)
/usr/ports/packages (FTP root directory)
remove upload subdirectory
21 (for group ID)
No (to welcome message)

When you’re finished, start the FTP server in daemon mode, for anonymous access over IPv4:

# /usr/libexec/ftpd -D -A -4

Note: I haven’t demonstrated how to create a secure FTP server. These directions are suited for internal LAN use where FTP is not allowed through a firewall. If this isn’t your scenario, read up on how to secure your anonymous FTP server.

Accessing the package repository

On the systems on which you wish to install packages, change the default environment. Again, substitute IP_address with the IP address of the system hosting the packages:

# setenv PACKAGESITE ftp://IP_address/Latest/
# pkg_add -r cvsup-without-gui

Instead of going on the Internet, your packages will install flawlessly from your own package server. Since you created those packages using the make package-recursive command, all dependencies are taken care of for you.
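Because the mirror is only as good as the two small config files behind it, here is an added example (my own working script, not part of the original notes or of CVSup) that generates the server-side collection described above, checks it before cvsupd is started, and writes the client supfile while refusing the IP_address placeholder that is so easy to leave in. Directory names and the collection name “test” follow the notes; the temporary tree built in the demo is constructed.

```shell
#!/bin/sh
# Added example, not from the original notes or from CVSup: build and verify
# the cvsupd collection layout ($base/sup/<collection>/releases + list.cvs)
# and generate the matching client supfile.

# Create collection $2 under base $1, exporting the remaining arguments as
# "upgrade" entries relative to prefix $3.
mk_mirror_collection() {
    base=$1; collection=$2; prefix=$3; shift 3
    dir="$base/sup/$collection"
    mkdir -p "$dir"
    printf 'cvs list=list.cvs prefix=%s\n' "$prefix" > "$dir/releases"
    : > "$dir/list.cvs"
    for sub in "$@"; do
        printf 'upgrade %s\n' "$sub" >> "$dir/list.cvs"
    done
}

# Verify collection $2 under base $1 before running "cvsupd -b $1": releases
# must name an existing list file, every line must use the upgrade keyword,
# and every exported path must exist under the prefix. Problems are printed;
# exit status 0 only when the collection is consistent.
check_mirror_collection() {
    dir="$1/sup/$2"; bad=0
    [ -f "$dir/releases" ] || { echo "missing $dir/releases"; return 1; }
    list=$(sed -n 's/.*list=\([^ ]*\).*/\1/p' "$dir/releases")
    prefix=$(sed -n 's/.*prefix=\([^ ]*\).*/\1/p' "$dir/releases")
    [ -f "$dir/$list" ] || { echo "missing $dir/$list"; return 1; }
    while read -r kw path; do
        [ "$kw" = upgrade ] || { echo "unexpected keyword in $list: $kw"; bad=1; continue; }
        [ -e "$prefix/$path" ] || { echo "not present under $prefix: $path"; bad=1; }
    done < "$dir/$list"
    return $bad
}

# Write the client supfile for mirror host $1 and collection $2 to file $3.
# The host must be a dotted IPv4 address, so a leftover "IP_address" is caught.
mk_supfile() {
    host=$1; collection=$2; out=$3
    case $host in
        ""|*[!0-9.]*) echo "host must be a dotted IPv4 address, got '$host'" >&2; return 1 ;;
    esac
    {
        printf '*default host=%s\n' "$host"
        printf '*default base=/usr/local/etc/cvsup\n'
        printf '*default prefix=/usr\n'
        printf '*default release=cvs delete use-rel-suffix\n'
        printf '%s\n' "$collection"
    } > "$out"
}

# Stand-alone demo on a constructed tree (a throwaway stand-in for /usr).
if [ "${1:-}" = "--demo" ]; then
    t=$(mktemp -d)
    mkdir -p "$t/usr/ports/Mk" "$t/usr/ports/Tools" "$t/usr/src"
    mk_mirror_collection "$t/meetbsd" test "$t/usr" ports/Mk ports/Tools src
    check_mirror_collection "$t/meetbsd" test && echo "collection ok"
    echo 'upgrade ports/Templates' >> "$t/meetbsd/sup/test/list.cvs"
    check_mirror_collection "$t/meetbsd" test || echo "collection needs fixing"
    mk_supfile 192.168.1.10 test "$t/supfile" && cat "$t/supfile"
    rm -rf "$t"
fi
```

On the real laptop the calls would be mk_mirror_collection /usr/meetbsd test /usr ports/Mk ports/Templates ports/Tools ports/Makefile src, followed by check_mirror_collection /usr/meetbsd test before cvsupd -b /usr/meetbsd; the check is what tells you about a subdirectory you listed but never cvsup’d down, instead of the students finding out in the lab.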

Well, I need to finish packing for the trip. I’ll be blogging about meetBSD as I get a chance. I’ll also let you know when the PDF for the tutorial is available, as well as the slides and PDF for the talk I’m giving on BSD Certification on Friday.

Anton Chuvakin

Related link: http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1084856,0…

Here is a fun, but somewhat confused piece on logs and audit trails. The key item in the paper is that if you are using a homegrown log collection and analysis solution, you’d need to consider a commercial one, i.e. a SIM product. You’d be better off! The paper also contains a disturbing quote from Stephen Northcutt of SANS: “For the smaller guys, it can be cheaper to pay the fine than pay for everything needed for full compliance.” It is pretty bad if the cost of compliance is higher than the cost of non-compliance…

Anton Chuvakin

Related link: http://blogs.ittoolbox.com/security/investigator/archives/004288.asp?rss=1

“Your security investigation that you’re conducting right now is going to fail for a number of reasons”, claims the author of this fun blog entry. What follows is an enlightening list of things that can and will go wrong during a forensics investigation. Some of them are “documentation is an afterthought”, “you’re over your head, but can’t admit it to your management” and of course “you don’t care” - the mother of all reasons to fail…