Time to take a stand

When I make any political commentary, I usually do it from an assumed ID, that is, anonymously. I do this to protect my family, my employer, and to be perfectly honest, my career.

There comes a time, however, when one can no longer hide behind anonymity.

I am already concerned about the direction we are going with the Syrian refugees. The rhetoric does not reflect our values. I can, though, at least understand the fears that drive it. I disagree, but it is at least arguable.

However, torture and the advocacy of torture are entirely unacceptable – period. Torture is wrong. It is immoral. It is evil. It is patently un-American.

Our fathers and grandfathers fought and died in wars that were justified in part because our enemies used torture. Those same enemies were rightly prosecuted for those crimes.

We fought two world wars and endless conflicts, and survived a Cold War, a war that could literally have ended the world, and not once did we advocate torture. Quite the opposite: we, again rightly, derided our enemies endlessly for their use of torture in Gulags and “reeducation camps”. President Reagan, hardly a liberal, signed the UN Convention on Torture, stating it was “an abhorrent practice” and that “Each State Party is required either to prosecute torturers who are found in its territory or to extradite them to other countries for prosecution”.

There is no way we can claim that ISIS and their ilk are worse or more dangerous than the threats we faced before, particularly having faced the entire might, and nuclear threat, of the Soviet Union.

Now we find not only that we have committed torture, but it is acceptable conversation to advocate for it. It is not. Torture as a topic is not up for debate. Again, it is evil and those who advocate it should look long and hard into their consciences. Those on the political stage who advocate for it should be booed off. That the conversation can be entertained at all reflects very badly on our nation.

We must step back. We must call it what it is and stop it before we lose the very ideals which we claim ISIS aims to end.

Get RPM install date

Sometimes you don’t know when an RPM was installed – maybe it was updated, maybe it came with the system. In any case, it can be handy when debugging or even for auditing purposes. This gives an example of getting the install time for the “filesystem” package:

somehost%  rpm -q filesystem --queryformat '%{name} %{installtime:date}\n'
filesystem Mon 18 May 2015 02:57:16 PM EDT

Really all you need is the “%{installtime:date}\n”, but the name can be handy if you want to use it with “-qa” (query all). It can also be handy to put “%{installtime}” (seconds since the epoch) on the front and run the output through “sort -n” to find the order in which packages were installed.
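As an added example (not from the original post), here is a small POSIX shell script built on the same query format: it lists packages in install order and answers the audit question “what was installed on this box after a given point in time?”. The function names and the epoch cut-off are assumptions; the filter works on saved rpm output too.

```shell
#!/bin/sh
# Added example, not part of the original post. Uses the rpm --queryformat
# tags described above to build an install-order log and filter it by time.

# rpm_install_log: one line per installed package, "EPOCH NAME-VERSION-RELEASE",
# oldest first. %{installtime} is seconds since the epoch, so a plain numeric
# sort gives install order. Append %{installtime:date} if you also want a
# human-readable column.
rpm_install_log() {
    rpm -qa --queryformat '%{installtime} %{name}-%{version}-%{release}\n' | sort -n
}

# installed_since EPOCH: read rpm_install_log-style lines on stdin and keep
# those installed at or after EPOCH (numeric compare on the first field).
# Reading stdin means it can run over output saved from another host.
installed_since() {
    awk -v since="$1" '$1 >= since { print }'
}

# count_installed_since EPOCH: how many packages landed at or after EPOCH.
count_installed_since() {
    installed_since "$1" | wc -l | tr -d ' '
}

# Typical use on a live system (needs rpm); baseline epoch is an assumption:
#   rpm_install_log | installed_since 1440000000
```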

Windows 10 under Fusion sluggish

If you made the mistake of upgrading your virtual copy of Windows under Mac OS X using VMware Fusion (version 8 here), you may find Windows 10 painfully sluggish. The answer? Disable 3D graphics acceleration.

  • Shut down the virtual machine.
  • Bring up the virtual machine settings (⌘E).
  • Select “Display”:

  • Deselect (remove the checkbox for) “Accelerate 3D Graphics”:

  • Close out the settings, and restart the virtual machine.

If you’re like me, you’ll find it far, far more usable.

ASA Firewall Rules of Thumb

Some important Cisco ASA firewall details I and others have learned and shared over the years:

  • Don’t use “security-level” as your method of security. In the long term at best “security-level” will cause you to block traffic you didn’t expect, at worst, it will allow traffic you didn’t want. Why? Well…
  • If you add an ACL on the “in” side of any interface (that is, “into the ASA”), the security level no longer matters for that traffic: whatever the ACL permits is allowed through regardless of the destination interface’s level. It’s very easy to forget this. However you can protect yourself by…
  • Always add “out” rules. Any “in” rules should be matched by “out” rules on the final destination interface. This is insurance in case you missed or were overly broad on your “in” rules.
  • Configure all of the interfaces to the same “security-level”. If you enable “same-security-traffic permit inter-interface” be careful as it allows traffic to flow to other same security levels without ACLs. You don’t want traffic to flow when you haven’t allowed it explicitly. The only exception to using different security levels might be the “outside” interface, which you may want to set to “security-level 0”. However, assuming “outside” is the Internet, ideally you want to be explicit there too. Otherwise you’re potentially setting yourself up for easy, unlogged, data exfiltration (among other things).
  • Remember that the ASA is a stateful firewall. If you establish some sort of connection out of an interface, the firewall should see that the return traffic belongs to the conversation and allow it through regardless. For the most part you don’t need to explicitly create return rules (or use the old IOS “established” trick).
  • If you’re trying to turn up a firewall on a network that already existed but was never firewalled before, and you are having difficulty categorizing the existing traffic, place the rules that you know are correct into the ASA, then add a “permit ip any any log” entry at the end. This sends a log entry for everything that fell through to the wildcard rule to your syslog server, which you can evaluate later. Once you have analyzed the logs and put the missing rules in place, change the wildcard to “deny ip any any” and you’re done. Remember you can also do packet capture on the ASA itself.
  • Never trust a 3rd party. If they are coming into your network and saying they are properly filtering traffic toward you, filter them again anyway. First, their error could be your exploit, second you can’t assume their firewalls aren’t going to get hacked. Protect your network like it was your own child.
  • Beware of mixing ASA “access-list”s and ASA VPNs on the same firewall. Unless you want to enter “filter” hell (VPN filters can generally be applied usefully in only one direction), turn off VPN bypass with “no sysopt connection permit-vpn”. If you don’t, YOUR VPN TRAFFIC BYPASSES ALL “access-list” RULES! Note that once you disable VPN bypass, your VPN traffic will appear to come from the “in” side of the interface it initially arrived on. Since that’s usually “outside” and the Internet, you can end up with a less-than-pretty mix of private and public addressing to deal with on your Internet interface. This can make it cleaner to get a dedicated ASA for VPN and hang it off an arm of your firewall ASA.
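As an added example (not part of the original post), here is a constructed ASA configuration fragment that applies the points above: equal security levels with explicit ACLs on every interface, matching “in” and “out” rules, the turn-up wildcard with logging, and VPN bypass disabled. Interface names and the RFC 5737 / RFC 1918 addresses are assumptions.

```text
! Added example, not from the original post: constructed ASA config
! fragment (RFC 5737 / RFC 1918 addresses) applying the rules above.
!
! Same security-level on all internal interfaces; outside at 0.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 50
 ip address 192.168.10.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.20.1 255.255.255.0
!
! Needed for inside<->dmz (equal levels) to talk at all. Once enabled, an
! interface with no ACL passes traffic freely to its same-level peers, so
! every interface below gets an explicit inbound ACL; nothing flows implicitly.
same-security-traffic permit inter-interface
!
! "in" rules on inside. During turn-up the wildcard permit sits last and
! logs whatever the explicit rules missed; after analysis replace it with
! the explicit deny shown in the comment.
access-list inside_in extended permit tcp 192.168.10.0 255.255.255.0 host 192.168.20.10 eq 443
access-list inside_in extended permit ip any any log
! access-list inside_in extended deny ip any any log    (final state)
!
! Matching "out" rules on the destination interface: insurance against an
! inbound rule that was missed or written too broadly.
access-list dmz_out extended permit tcp 192.168.10.0 255.255.255.0 host 192.168.20.10 eq 443
access-list dmz_out extended deny ip any any log
!
! dmz and outside initiate nothing. Replies to sessions opened from inside
! are allowed by stateful inspection, not by these ACLs.
access-list dmz_in extended deny ip any any log
access-list outside_in extended deny ip any any log
!
access-group inside_in in interface inside
access-group dmz_out out interface dmz
access-group dmz_in in interface dmz
access-group outside_in in interface outside
!
! VPN traffic must hit the interface ACLs like everything else.
no sysopt connection permit-vpn
```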

The most critical thing with firewalls is don’t be lazy. Take the time to do the configuration and rules needed. It takes extra effort up front, but a failure is far more expensive.

Dell Service Tag the easy way under Linux

Sometimes you need the service tag or model off a Dell server that isn’t in your possession. You can either find some feet on the street to do it or, as it turns out, with Linux you can use “dmidecode”:
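As an added example (not from the original post), a small shell script that pulls the manufacturer, model and serial number (the service tag on Dell hardware) out of the SMBIOS “System Information” record that dmidecode prints. dmidecode itself needs root; the parser is split out so it also runs over output saved from a remote box. Function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Reads the DMI/SMBIOS
# "System Information" record that "dmidecode -t system" prints and
# reports manufacturer, model and serial number (Dell's service tag).

# parse_dmi_system: parse "dmidecode -t system" output read on stdin.
# dmidecode indents fields with a tab and separates name and value with
# ": ", so awk splits on that and keeps the three fields we care about.
parse_dmi_system() {
    awk -F': ' '
        /^[[:space:]]*Manufacturer:/  { m = $2 }
        /^[[:space:]]*Product Name:/  { p = $2 }
        /^[[:space:]]*Serial Number:/ { s = $2 }
        END { printf "manufacturer=%s model=%s tag=%s\n", m, p, s }
    '
}

# hw_identity: run dmidecode on the local machine and feed the parser.
# dmidecode reads /sys/firmware/dmi (or /dev/mem), so it must run as root.
hw_identity() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "hw_identity: must run as root" >&2
        return 1
    fi
    dmidecode -t system | parse_dmi_system
}

# On a box you cannot log into interactively, capture once and parse here:
#   ssh host 'sudo dmidecode -t system' > host.dmi && parse_dmi_system < host.dmi
```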

Thanks to Brandon Checketts’ website for this tidbit.

IC3 Alert on Microchip-Enabled (EMV) Credit Cards

Unfortunately quite accurate and what a number of us have been saying all along:

http://www.ic3.gov/media/2015/151008.aspx

The gist can be found in a single paragraph:

Although EMV cards will provide greater security than traditional magnetic strip cards, they are still vulnerable to fraud. EMV cards can be counterfeited using stolen card data obtained from the black market. Additionally, the data on the magnetic strip of an EMV card can still be stolen if the PoS terminal is infected with data-capturing malware. Further, the EMV chip will likely not stop stolen or counterfeit credit cards from being used for online or telephone purchases where the card is not physically seen by the merchant and where the EMV chip is not used to transmit transaction data.

You can look at EMV two ways – a good start, or a lot of effort and money that, in retrospect, was potentially put toward the wrong solution. Yes, it is better than the status quo in the States, but it doesn’t so much solve the issue as shift it. The fact is, memory scrapers will still be able to get the vast majority of the information they need to create counterfeit cards for use at locations or merchants who have yet to embrace EMV, or alternatively, to use the cards online where EMV is inapplicable.

Coupled with lack of PIN (we have “Chip and Signature”, not “Chip and PIN”), what we have is something that tends to protect the banks more than the merchants. In fact some argue that it is particularly punitive to small businesses.

While there is no panacea (the hackers will find a way), perhaps a better investment would be driving merchants to P2PE (point-to-point encryption) and E2EE (end-to-end encryption) solutions, or hybrids. That too would be expensive for merchants to implement, but it at least addresses most of the major concerns in today’s security environment.

UPDATE: The above has hit the media, but seems to have disappeared from the FBI site.

UPDATE 2: While there is nothing official – some outlets have noticed the disappearance. The suspected cause was a concern from the banking industry:

“We saw the PSA yesterday and spoke to the FBI after we saw it and we thought it was not really reflective of the U.S. marketplace and thought there would have been some level of confusion with the use of PIN.”

I would have to agree. While it does not make a ton of sense that the PIN portion wasn’t implemented (which would have stopped physically stolen cards), the real concern is not in the PIN or lack thereof, but rather that the full track data is still transmitted by default in the clear.

UPDATE 3:

It is back with revised language:

http://www.ic3.gov/media/2015/151008.aspx

The above paragraph was altered to read as follows:

Although EMV cards provide greater security than traditional magnetic strip cards, an EMV chip does not stop lost and stolen cards from being used in stores, or for online or telephone purchases when the chip is not physically provided to the merchant, referred to as a card-not-present transaction. Additionally, the data on the magnetic strip of an EMV card can still be stolen if the merchant has not upgraded to an EMV terminal and it becomes infected with data-capturing malware. Consumers are urged to use the EMV feature of their new card wherever merchants accept it to limit the exposure of their sensitive payment data.

The language “upgraded to an EMV terminal” is either confused or confusing. Just because a “terminal” (PIN pad?) is EMV capable does not mean the transaction is encrypted in the terminal prior to transmission to the POS, nor does it mean that the POS does not decrypt the transaction. If the data is not encrypted, or is decrypted at the POS, the POS is still exposed to memory scraping (“data-capturing malware”). Again, the PIN pad and the merchant payment infrastructure need to support P2PE or E2EE solutions for that kind of protection.

Note that even if it is encrypted at “terminal” and not decrypted at the POS, if it is decrypted anywhere within the merchant’s network, that could be a location for “data-capturing malware” to be installed. By using P2PE or E2EE, that risk can essentially be pushed out of the merchant and down to issuers or processors.

As always, the opinions above are my own, and do not necessarily represent my employer’s.

Swift to C++

So having just watched a great webcast from O’Reilly on Swift (and certainly having plenty more to learn):

  • Protocols == Pure Virtuals
  • Generics == Templates
  • Extensions == Class Derivation/Extension/Overloading on steroids
  • Operator Overloading == Operator Overloading, again on steroids.
  • Closures == well, nothing innate, but pretty much same thing as Python Closures

Curiously, and I wonder if it causes problems, there is no “protected” equivalent. Also, at a purely syntactic level it looks remarkably Scala-like, though that impression falls away quickly on analysis.

Interesting language, definitely. Topic reminds me of Jason Bock’s “If Carpenters Were Hired Like Programmers”.

If you needed one reason…

To watch the “IT Crowd”, this alone would be it:

Get rid of annoying “People Pane” in Outlook

I wouldn’t mind the “People Pane”, except that in our organization it shows nothing useful. Moreover, for a reason I cannot fathom, it always gets opened up, taking up enormous reading real estate. So, from this (Outlook 2010 at least):

Click the “View” tab:

Select “People Pane” and set it to “Off”:

Voila!

UPDATE:

Same two steps work on Outlook 2013.

More on “tiny” URLs…

I keep getting them from very smart, very security conscious people. However, to make my point:

http://goo.gl/1LJ1Wz

I love what they offer but…

Some do offer a preview, but users aren’t used to seeing that and unfortunately won’t care (i.e. they are so used to getting them without a preview that they won’t expect it or demand it).

UPDATE:

As a coworker pointed out, there are potentially plugins for Firefox etc. (I couldn’t find one that worked) or you can use a site like this:

http://longurl.org

It’s already come in handy for me a few times.