Paladin Security
A collection of things I've learned or tinkered with.
Thursday, February 21, 2008
So today researchers at Princeton released their findings that hard disk encryption isn't a silver bullet to protect data on stolen laptops. I'm still working my way through the paper, but my initial thoughts go something along the lines of "woah..." This is some really nice work. You can read the paper at http://citp.princeton.edu/memory/.
They also have a nice video presentation of the weakness. My hat is off to these folks. Great work.
Wednesday, February 13, 2008
Southern California Linux Exposition - SCALE 6X
Last week I was down in the Los Angeles area doing some work and decided at the last second to attend SCALE 6X with some friends. I'm glad I did, since I had a great time, met some cool people and got a ton of new T-shirts.
We started out the day with a presentation on PostgreSQL 8.3 by Josh Berkus. Josh is a developer for Sun Microsystems and is a member of the core PostgreSQL team. He gave a great presentation on the features of the 8.3 release and really got me thinking about a system I maintain. There may be an upgrade project coming to this machine soon.
Next we wandered around the vendor hall for a bit. Mostly I collected T-shirts and stickers, but things got really interesting when we stopped to chat with the people at the Zenoss, Hyperic and OpenNMS booths. We are looking at revamping our monitoring quite a bit at work, so this was a good chance to throw out questions. First we talked to the Zenoss guys. I've used Zenoss in the past and I like how much information it is able to pull from devices and servers. It's all done over SNMP, which has its own issues, so I don't have to install an agent on the target systems. It handles network equipment and Windows servers with the same ease. I can also use Nagios plugins to extend its capabilities. Really, it's a nice app all around.
Things got really interesting at the OpenNMS booth though. I still don't know a ton about OpenNMS, but what caught my attention was how I could manage workflow with it. They have been working with Hyperic on integration with each other. One scenario that I liked was that a Hyperic check could cause an event in OpenNMS. Normal pager notifications, emails, etc. go out. But to take it a step further, I can also define a handler in OpenNMS so that when a specific event occurs the application automatically opens up a ticket in Jira for tracking and remediation! Now this I thought was cool. How many times have you had a repetitive issue with an application and struggled to communicate the impact of the issue to management? With this, I can track the work done to resolve each incident and the time taken, and create a report for management to summarize the issue. Ok, it's boring, but still pretty cool. Who knows, with this kind of information maybe the root cause of the issue could get fixed.
Last we headed over to a presentation on Puppet by Luke Kanies of Reductive Labs. Puppet provides you with tools to keep your system configurations consistent and ease the difficulty of manually maintaining configurations and packages. It looks really cool and I'm going to play with it some. I still have a question about how secure the communications are between the clients and master server, but I heard something about client SSL certificates so maybe that will do the trick. Anyhow, some testing is definitely in order.
Other than that, not much else exciting at the show. I had a good time and got some things to play with. If you're in the LA area next year when SCALE 7X is on, I'd recommend checking it out. For $70, it's hard to beat.
Sunday, February 03, 2008
Weekend Reading
I'm out of town this week, but I've been doing some reading on MySQL performance, load balancing, high availability, etc. Some issues at work are at the root of this list, plus some consulting work that I have coming up soon.
First off, some reading directly from dev.mysql.com
High Performance MySQL
Next, a presentation by Jay Pipes and Bjorn Hansen. This one has stuff over my head and is written for developers. Still, very good stuff.
Real World MySQL Performance Tuning
Download the PDF for it here
This isn't MySQL-centric, but I ran across it in Jay and Bjorn's presentation.
The High Availability Linux Project
MMM (MySQL Master-Master Replication Manager) - I need to do some testing on this one. Seems like it has some really wild applications.
http://code.google.com/p/mysql-master-master/
http://groups.google.com/group/mmm-devel/
MySQL on FreeBSD
http://wiki.freebsd.org/MySQL
MySQL Performance Blog
http://www.mysqlperformanceblog.com/
Optimizing MySQL on FreeBSD
Link Here
More to come later.
Thursday, January 31, 2008
Setting up a serial console on FreeBSD 6.3
I resurrected my old FreeBSD server with a new hard drive and power supply the other day. Because I only have a 2-port KVM, I decided to set up a serial console connection to my primary desktop. I've used systems over a serial connection several times, but I've never actually set up a BSD server to use one before. It turns out this was a very simple setup.
Track down a null modem cable with female connections at either end. Hook it up to your terminal server and your target machine at the available serial ports. Then do the following.
- To see all boot messages on the serial console, issue the following command while logged in as the superuser: # echo 'console="comconsole"' >> /boot/loader.conf
- Edit /etc/ttys and change off to on and dialup to vt100 for the ttyd0 entry. Otherwise a password will not be required to connect via the serial console, resulting in a potential security hole.
- Reboot and check your results.
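The three steps above, as an added example that is not part of the original post and not the FreeBSD Handbook's own text: a POSIX shell script that makes the two file edits against paths you hand it, so you can rehearse on copies before touching /boot/loader.conf and /etc/ttys, and then checks the result. It assumes the FreeBSD 6.x layout (first serial port is ttyd0; /etc/ttys fields are name, getty command, terminal type, on/off, secure/insecure). The function names and the SERIAL_CONSOLE_APPLY switch are my own. It also handles the caveat the steps skip: the last field of an /etc/ttys line (ttys(5)) decides whether root may log in directly on that terminal, and on the console entry whether single-user mode asks for the root password, which matters once the serial port is the console.

```shell
#!/bin/sh
# Added example (not from the original post or the FreeBSD Handbook).
# Applies the serial-console steps to the files given as arguments so the
# change can be rehearsed on copies first. Assumes the FreeBSD 6.x layout:
# ttyd0 is the first serial port and /etc/ttys fields are
#   name  getty-command  terminal-type  on|off  secure|insecure
set -eu

# Step 1: console="comconsole" in loader.conf. A bare "echo >> loader.conf"
# adds a second line every time it is rerun, so replace an existing
# console= line instead of blindly appending.
enable_comconsole() {
    loader_conf=$1
    if grep -q '^console=' "$loader_conf" 2>/dev/null; then
        sed -i.bak 's/^console=.*/console="comconsole"/' "$loader_conf"
    else
        printf 'console="comconsole"\n' >> "$loader_conf"
    fi
}

# Step 2: turn the ttyd0 getty on and set its terminal type to vt100.
# The getty command field is quoted and contains a space, so it is matched
# as a quoted string rather than split on whitespace.
configure_ttyd0() {
    sed -i.bak -E \
        's/^(ttyd0[[:space:]]+"[^"]*"[[:space:]]+)dialup([[:space:]]+)off/\1vt100\2on/' "$1"
}

# Hardening caveat (ttys(5)): the last field decides whether root may log in
# directly on that line. The stock ttyd0 entry is "secure"; on a line that
# leaves the rack, "insecure" forces an ordinary login followed by su. The
# same flag on the "console" entry controls whether single-user mode asks
# for the root password once the serial port is the console.
mark_insecure() {
    tty_name=$1
    sed -i.bak -E "s/^(${tty_name}[[:space:]].*[[:space:]])secure[[:space:]]*\$/\1insecure/" "$2"
}

# Verify the result; returns non-zero if either setting is missing and
# notes (on stderr) when ttyd0 still permits direct root logins.
check_serial_console() {
    loader_conf=$1
    ttys=$2
    grep -q '^console="comconsole"' "$loader_conf" || return 1
    grep -Eq '^ttyd0[[:space:]]+"[^"]*"[[:space:]]+vt100[[:space:]]+on([[:space:]]|$)' "$ttys" || return 1
    if grep -Eq '^ttyd0[[:space:]].*[[:space:]]secure[[:space:]]*$' "$ttys"; then
        echo "note: ttyd0 is marked secure; root may log in directly on the serial line" >&2
    fi
    return 0
}

# Usage (as root, after a dry run on copies):
#   SERIAL_CONSOLE_APPLY=1 sh serial-console.sh /boot/loader.conf /etc/ttys
# then reboot and attach the terminal at 9600 8N1 over the null modem cable.
if [ "${SERIAL_CONSOLE_APPLY:-}" = "1" ]; then
    enable_comconsole "${1:-/boot/loader.conf}"
    configure_ttyd0 "${2:-/etc/ttys}"
    check_serial_console "${1:-/boot/loader.conf}" "${2:-/etc/ttys}"
fi
```

Rehearse with `cp /etc/ttys /tmp/ttys; cp /boot/loader.conf /tmp/loader.conf; SERIAL_CONSOLE_APPLY=1 sh serial-console.sh /tmp/loader.conf /tmp/ttys` and diff the copies against the originals before repeating it on the live files. Whether to call mark_insecure on ttyd0 and console depends on who can reach the cable; in a locked rack the stock secure setting is the convenient choice, on a port that is patched through to a desk it is not.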
I followed them as written and had console through HyperTerminal. Now I just need to get a different terminal app, since I hate HyperTerminal so bad.
Python Based Cross Site Scripting Scanner
Recently I was attempting to verify some web application security issues reported by one of our vendors. Their report was fairly useless, since it complained about a couple of pages but gave no information about how to duplicate the results. After manually trying to reproduce the flaw for a while, I threw in the towel and started hunting around for a free XSS scanner.
I ran into a tool called SpringenWerk and decided to play around with it. It only took a couple of minutes to set up. I did some quick reading on how to use the tool and fired it off at the suspect page. The script ran for a little while and then exited. Final score? Two XSS vulnerabilities, neither of which were found by the previously mentioned vendor. So I got curious and fired the script off at an HTTPS URL to see how it handled SSL. No problems at all. It negotiated the connection and did its testing from there. A very nice tool, and it was useful for me when I was stuck. You can take a look at it at http://springenwerk.org/.
I never did find the issues the vendor reported and they said it was probably a false positive. Maybe, maybe not. I asked for the actual attack strings that they used, but so far they have not been able to produce them. Suspect...