Author: Matt Fahrner

  • Ubuntu Jammy ate my homework

    This site needs a lot of updates and a ton of spring (multiple springs’) cleaning. However, it’s a particular mess right now because I updated my Ubuntu server to Jammy and its newer PHP destroyed my (dated) WordPress theme.

    So… Lot to come there along with updating pages et al.

    Please forgive the ensuing mess.


  • Signing the “Pause Giant AI Experiments: An Open Letter”

    I have joined the other signatories of the “Pause Giant AI Experiments: An Open Letter“.

    Like any declaration of its breadth, I have varying opinions about points within the statement, but in broad strokes it captures my concerns.

    Note that I do not in any way limit this to OpenAI’s efforts only, but all machine learning efforts (“ML” or what is typically called “AI”, artificial intelligence, these days). There are numerous ethical concerns, not the least of which are biases caused by the data trained on, the potential for abuse, the unlikely but not entirely implausible risk of runaway sentience, the risk of unknowingly creating a feeling/suffering entity, and perhaps most importantly to me, the risk of greatly furthering social inequality through technology capture and the mass destruction of jobs with no sharing of gains. A mass destruction with no planning for UBI or other new reasonable social welfare structures (and, to note, not just only risk to the statement’s “fulfilling” jobs – income is needed by all regardless).

    I grew up with science fiction authors the likes of Asimov, where while AI had its own set of problems, at least there was some hope of having the benefits of AI communally shared in terms of financial gain and quality of life. Our current societal deference to “rugged individualism” and “winner takes all” is not compatible with a future where jobs are broadly lost to AI. AI, in that case, will not be rescuing humanity, but potentially enslaving the majority left to eek out what remaining livable wage jobs that exist.

    Before we jump headlong into this technology, as a society we need to not only understand the ethical and moral considerations, but also ensure we have the societal checks and balances already in place prior to avoid unnecessary damage and suffering.

    Finally, as multiple friends have noted, the greatest risk from AI is not AI itself, but the humans who use and control AI. That is where we most need to step back, pause, and reevaluate.


  • Resurrection

    Been quite some time since I’ve posted to this site, in part because I had to debug a plugin issue, but also because I’ve spent too much time on Twitter, and (no small deal, and by far the best part) had a son to shepherd to adulthood.

    Some updates since:

    • Can be found on GitHub here.
    • Can be found on Twitter here.
    • Can be found on Mastodon here.
    • Can be found on Instagram here.

    Look forward updating this site and creating more content moving forward.


  • Equifax

    Being in the industry, I understand how difficult it is to secure an organization, so I have some sympathy for Equifax. As an ex-NSA colleague noted (paraphrasing), “A defender has to protect everything, an attacker only has to find one hole.” That said, their business is PII, so there is a higher standard there.

    In the end my concern is less that the hack happened, than the difficulty in navigating their site and ultimately receiving the credit protection. First of all, the initial page they are telling “customers” isn’t intuitive:

    https://www.equifaxsecurity2017.com

    It is mostly PR material. You ultimately need to go to the “POTENTIAL IMPACT” button on the bottom:

    https://www.equifaxsecurity2017.com/potential-impact

    Then when you do sign up, they tell you you’ll have to wait for roughly a week then sign up at a different URL. You had better write down the URL because they say, “you will not receive additional reminders”. The URL, if you made the mistake of not writing it down is:

    https://faq.trustedidpremier.com

    Then “click through the link to continue through the enrollment process”. What link that is, god knows.

    In fact if you click the above “faq.trustedidpremier.com” today, it goes back to, well, “www.equifaxsecurity2017.com”, which I assume then you are supposed to click the “ENROLL” button on the bottom???:

    https://www.equifaxsecurity2017.com/enroll

    Just mildly confusing.


  • VMware virtual or not?

    Depending on naming, in a VMware environment you may not actually be sure if a Linux system is VMware or not. Here’s a quick command to find out:

    which will generally output “VMware, Inc.” if VMware.

    On older systems you may find “-s” doesn’t work, in which case just pipe “dmidecode” through grep looking for “VMware”.

    UPDATE:

    If “dmidecode” oddly isn’t available, you can also run:

    If you see “VMware” in the output, it’s a safe bet that it’s a VMware virtual.


  • Installing Plixer’s “Scrutinizer” NPMD

    Plixer makes a good “Network Performance Monitoring and Diagnostics” (NPMD) application called “Scrutinizer“. NPMD, as Gartner calls it, mostly omeans, collecting, aggregating, and reporting on Netflow data.

    Plixer provides a VMware OVF for installation of a virtual appliance. I, however, ran into a few issues with the installation:

    • I couldn’t get the install to work OVF through vCenter successfully, or at least vCenter 6.5. It would install, but when I booted it would come up to a PXE boot, rather than CentOS which the appliance runs on. The answer was to install it through the Windows vSphere ESXi client or through the web vSphere ESXi client.
    • Setting up SSL (HTTPS) during the initial install prompts wouldn’t work. Everything seemed fine, but on final boot of the Scrutinizer appliance, the HTTP/HTTPS wouldn’t come up at all. It turned out it hadn’t actually generated the certificates and files were missing. The answer is to select “no” to SSL in the initial dialog, then when fully up, log in using the “plixer” login and use the “set ssl on” option after the fact. SSL then works correctly afterwards.
    • By default it will bind to IPv6 ports and not to IPv4 ports (!) to listen for Netflow data. The solution is to log into the Scrutinizer server/guest as root and disable IPv6 per this document. Specifically, I recommend the “/etc/sysctl.conf” change as it is relatively simple to execute.
    • When logged in as “root”, doing a “yum update” is useful, though I would do the following bullet after.
    • When logged in as “plixer”, it’s useful to run the “set tuning” as well as “update packages”, though oddly it seems to run back one of the kernel updates from the last bullet.

    Now I just need to figure why I’m still not seeing the packets from the ASA…


  • Ubuntu package commands

    Because Ubuntu has a mix of utilities to manage packages I constantly seem to be forgetting the options I need when I go to do basic package management. Mostly for my sake are the ones I use most regularly:

    List installed packages:

    List names of available packages (including those not installed):

    Tell what package owns what file:

    List files in a given package:

    Force a package reinstall:

    Show general package information:

    Show package dependency information:


  • Good basic email advice

    Professor Alan Woodward from the Department of Computer Science at the University of Surrey via The Register:

    Educate users not to open files that they are not expecting. Practice your ABCs “Assume nothing, Believe no one, and Check everything should be drummed into users” personally I preach ABCD – if in any doubt Delete.

    Incidentally internal simulated phishing is extremely effective in my experience.


  • Fix Apple Bonjour with Cisco autonomous APs

    I purchased some used Cisco C1140 autonomous access points for my home network (autonomous meaning not lightweight or requiring a WLC). While everything seemed to be fine at first, later we noticed that printouts to our Canon laser printer were no longer working from our Macs. After some research I realized that the Macs were failing to locate the printer due to Apple Bonjour protocol issues. Google searches led to partial solutions, but most required a downgrade of the AP IOS – a no, no as a security professional.

    I kept looking and it turns out my savior was actually a Chromecast user with the same issue. Two configuration changes on the APs to disable IGMP snooping had to be executed, not one:

    All the prior advice was just to disable the former, which didn’t work (at least without an AP downgrade!). Adding the second line did the full trick.

    You may need to disconnect and reconnect to the wireless for full effect. Since multicast IGMP has other uses, I can’t guarantee the impact in a larger environment.

    UPDATE:

    Well, this may or may not work. In the end it seemed not to for me, but it’s still worth a try in your network.


  • Dell PERC 5i/R or H200 VMware Performance Fix

    I had an old Dell PERC 5i/R RAID card laying around and wanted to use it for a home lab ESXi box (note: also works on Dell PERC H200). The card isn’t amazingly high performance, but it it’s good enough for simple RAID. Well, that is, it’s good enough performance if you change the settings. By default “write caching” is disabled – that unfortunately includes even “write caching” on the drives themselves (5i/R doesn’t have cache so it’s always “Write Through”, the H200 has cache, but is disabled by default). Therefore by default write performance is downright painful.

    Fortunately it’s not too difficult to fix if you can pull together the right tools. I was lucky enough to find a post by “tonyd88” on this Dell support forum which explains the process. Below, I attempt to summarize the steps for posterity.

    WARNING: If you enable write caching on the 5i/R or H200, because of the lack of battery backup (BBU) there is a risk that if you lose power mid-write, you will corrupt your disk, OS, etc. Not only use at your own risk, but ideally at least have a UPS on your system.

    Steps:

    • Locate a copy of “LSIUtil.exe”. The Dell RAID 5i/R was made by LSI. LSI was sold to Avago Technologies and a copy of it appears to be here, but you may need to look around in Avago’s legacy driver downloads. The latest version I have found is 1.62.
    • You’ll need to create a DOS boot disk or thumb drive with the LSIUtil.exe on it. Unfortunately explaining how to do that is a bit beyond the scope of this article. Google is your friend.
    • It is likely you will need “DOS4GW.EXE” also on the boot disk. You’ll have to find a reputable download or buy it here. This may be a potential alternative.
    • Install the Dell 5i/R RAID card in the system and boot to your newly created DOS boot disk/drive.
    • Run the LSIUtil.exe binary.
    • Select your controller. Hopefully there will only be one, but otherwise you’ll have to figure it out. Choose the number that matches and hit <enter>.
    • Select option “21”, “RAID actions” (type 21 and <enter>).
    • Select option “32”, “Change Volume Setting” (type 32 and <enter>). This submenu’s first item is the critical change:
      • On the first prompt for “write caching” type “yes” and <enter>.
      • For “Offline on SMART Data” just hit <enter> for default or change to whatever you want.
      • For “Auto configuration” just hit <enter> for default or change to whatever you want.
      • For “Priority resynch” just hit <enter> for default or change to whatever you want.
      • For “Hot Spare Pools” just hit <enter> for default or change to whatever you want.
    • At the next prompt type 0 <enter> to quit. Just continue to hit <enter> until it drops all the way out to DOS.

    You’re done. Pull the boot drive and reboot to whatever OS you’re going to use on it. VMware happily uses the cards.


  • Fix VMware Web Client Integration Plugin for Chrome on Mac OS X El Capitan (10.11)

    The latest vCenter Server 6.0 VMware Web Client Integration Plugin does not work on OS X El Capitan. The installer finishes, but silently fails due to missing libraries, libraries that probably existed in earlier OS X versions.

    Because the libraries don’t exist, necessary certificates don’t get generated, and even re-running the installer from the application directory won’t solve it (including with the below hack). What you need to do is ensure the libraries will be there when the installer gets to the “Running package scripts…” section on initial install.

    There are a number of possible solutions, but the below seems the cleanest and doesn’t require multiple installs.

    Before installing the application, do the following:

    Then run the full installer.

    This will create a hack to allow the packaged libraries to be used when the package scripts get run. If it’s working correctly the “Running package scripts…” will take many minutes to run as it executes “openssl” to generate the following:

    /Applications/VMware Client Integration Plug-in.app/Contents/Library/data/ssl/dh512.pem

    If it instead installs very quickly, you can be fairly certain it didn’t install correctly and probably VMware has changed something yet again. If it works, you can both upload files and deploy OVF files.

    Hopefully VMware will create a permanent fix. More on why this plugin is required can be found here. How to install/upgrade the plugin itself can be found here.

    UPDATE:

    Jonathon McTaggart (thank you Jonathon!) gave the following update for the latest plugin:

    UPDATE 2:

    It appears VMware has essentially documented the same fix here, rather than fixing the installer:

    https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2144550

    The problem is, they are also suggesting you disable a fundamental OS protection temporarily as well. That is a major PIA and sadly doesn’t seem to work on macOS Sierra. I can use OVFs, but I can’t do file uploads. Apparently there is a integrated ESXi HTTP client that some are working on here (via here) that seems to offer some options. This has been a problem for over a year now…


  • Get RPM install date

    Sometimes you don’t know when an RPM was installed – maybe it was updated, maybe it came with the system. In any case, it can be handy when debugging or even for auditing purposes. This gives an example of getting the install time for the “filesystem” package:

    somehost%  rpm -q filesystem --queryformat '%{name} %{installtime:date}\n'
    filesystem Mon 18 May 2015 02:57:16 PM EDT

    Really all you need is the “%{installtime:date}\n”, but the name can be handy if you want to use it with “-qa” (query all). Also can be handy to put “%{installtime}” (gives seconds since epoch) on the front and run it through “sort -n” to find out order of install.


  • Windows 10 under Fusion sluggish

    If you made the mistake of upgrading your virtual copy of Windows under Mac OS X using VMware Fusion (version 8 here), you may find Windows 10 runs painfully sluggish. The answer? Disable 3D graphics acceleration.

    • Shut down the virtual machine.
    • Bring up the virtual machine settings (⌘E).
    • Select “Display”:

    • Deselect (remove the checkbox for) “Accelerate 3D Graphics”:

    • Close out the settings, and restart the virtual machine.

    If you’re like me, you’ll find it far, far more usable.

    UPDATE:

    Having purchased a more modern i7 based Mac I can thankfully say this is no longer necessary.


  • ASA Firewall Rules of Thumb

    Some important Cisco ASA firewall details I and others have learned and shared over the years:

    • Don’t use “security-level” as your method of security. In the long term at best “security-level” will cause you to block traffic you didn’t expect, at worst, it will allow traffic you didn’t want. Why? Well…
    • If you add an ACL on the “in” side of any interface (that is “into the ASA”), once it’s in the ASA, the security level doesn’t matter anymore. It’s very easy to forget this. However you can protect yourself by…
    • Always add “out” rules. Any “in” rules should be matched by “out” rules on the final destination interface. This is insurance in case you missed or were overly broad on your “in” rules.
    • Configure all of the interfaces to the same “security-level”. If you enable “same-security-traffic permit inter-interface” be careful as it allows traffic to flow to other same security levels without ACLs. You don’t want traffic to flow when you haven’t allowed it explicitly. The only exception to using different security levels might be the “outside” interface, which you may want to set to “security-level 0”. However, assuming “outside” is the Internet, ideally you want to be explicit there too. Otherwise you’re potentially setting yourself up for easy, unlogged, data exfiltration (among other things).
    • Remember that the ASA is a stateful firewall. If you establish some sort of connection out of an interface, the firewall should see that the return traffic belongs to the conversation and allow it through regardless. For the most part you don’t need to explicitly create return rules (or use the old IOS “established” trick).
    • If you’re trying to turn up a firewall on a network that existed, but was never firewalled before and you are having difficult categorizing the existing traffic, place the rules that you know are correct into the ASA, then add a “permit ip any any log” entry at the end. This will send logging of what fell to the wildcard rule to your syslog server, which you can then evaluate later. Once analyzed and missing rules in place, turn it to a “deny ip any any” and you’re done. Remember you can also do packet capture on the ASA as well.
    • Never trust a 3rd party. If they are coming into your network and saying they are properly filtering traffic toward you, filter them again anyway. First, their error could be your exploit, second you can’t assume their firewalls aren’t going to get hacked. Protect your network like it was your own child.
    • Beware of mixing ASA “access-list”s and ASA VPNs on the same firewall. Unless you want to enter “filter” hell, which generally you can only apply usefully in one direction, turn off VPN bypass with “no sysopt connection permit-vpn”. If you don’t do this YOUR VPN TRAFFIC BYPASSES ALL “access-list” RULES! Note that once you disable “VPN bypass”, your VPN traffic will appear to come from the “in” of the interface it initially arrived at. Since that’s usually “outside” and the Internet, you can have a seemingly less-than pretty mix of private addressing and public addressing to deal with on your Internet interface. This can make it cleaner to get a dedicated ASA for VPN and hang it off an arm of your firewall ASA.

    The most critical thing with firewalls is don’t be lazy. Take the time to do the configuration and rules needed. It takes extra effort up front, but a failure is far more expensive.


  • Dell Service Tag the easy way under Linux

    Sometimes you need the service tag or model off a Dell server that isn’t in your possession. You can either find some feet on the street to do it or as it turns out, with Linux, you can use “dmidecode”:

    Thanks to Brandon Checketts’ website for this tidbit.


  • IC3 Alert on Microchip-Enabled (EMV) Credit Cards

    Unfortunately quite accurate and what a number of us have been saying all along:

    http://www.ic3.gov/media/2015/151008.aspx

    The gist can be found in a single paragraph:

    Although EMV cards will provide greater security than traditional magnetic strip cards, they are still vulnerable to fraud. EMV cards can be counterfeited using stolen card data obtained from the black market. Additionally, the data on the magnetic strip of an EMV card can still be stolen if the PoS terminal is infected with data-capturing malware. Further, the EMV chip will likely not stop stolen or counterfeit credit cards from being used for online or telephone purchases where the card is not physically seen by the merchant and where the EMV chip is not used to transmit transaction data.

    You can look at EMV two ways – a good start, or a lot of effort and money, in retrospect, potentially put toward the wrong solution. Yes, it is better than the status quo in the states, but it doesn’t so much as solve the issue as shift it. The fact is, memory scrapers will still be able to get the vast majority of information they need to create counterfeit cards for use in locations or merchants who have yet to embrace EMV, or alternatively, use the cards online where EMV is inapplicable.

    Coupled with lack of PIN (we have “Chip and Signature”, not “Chip and PIN”), what we have is something that tends to protect the banks more than the merchants. In fact some argue that it is particularly punitive to small businesses.

    While there is no panacea – the hackers will find a way, perhaps a better investment would be driving merchants to P2PE and E2EE solutions (or hybrids). That too would be expensive for merchants to implement, but at least addresses most of the major concerns in today’s security environment.

    UPDATE: The above has hit the media, but seems to have disappeared from the FBI site.

    UPDATE 2: While there is nothing official – some outlets have noticed the disappearance. The suspected cause was a concern from the banking industry:

    “We saw the PSA yesterday and spoke to the FBI after we saw it and we thought it was not really reflective of the U.S. marketplace and thought there would have been some level of confusion with the use of PIN.”

    I would have to agree, while it does not make a ton of sense that the PIN portion wasn’t implemented (which would have stopped physically stolen cards), the real concern is not in the PIN or lack thereof, but rather that the full track data is still transmitted by default in the clear.

    UPDATE 3:

    It is back with revised language:

    http://www.ic3.gov/media/2015/151008.aspx

    The above paragraph was altered to read as follows:

    Although EMV cards provide greater security than traditional magnetic strip cards, an EMV chip does not stop lost and stolen cards from being used in stores, or for online or telephone purchases when the chip is not physically provided to the merchant, referred to as a card-not-present transaction. Additionally, the data on the magnetic strip of an EMV card can still be stolen if the merchant has not upgraded to an EMV terminal and it becomes infected with data-capturing malware. Consumers are urged to use the EMV feature of their new card wherever merchants accept it to limit the exposure of their sensitive payment data.

    The language “upgraded to an EMV terminal” either is confused or confusing. Just because a “terminal” (PIN Pad?) is EMV capable, does not mean the transaction is encrypted in the terminal prior to transmission to the POS, nor does it mean that the POS does not decrypt the transaction. If it is not encrypted or it is decrypted at the POS, the POS can be used or possible memory scraping (“data-capturing malware”). Again, the PIN Pad and merchant payment infrastructure needs to support P2PE or E2EE solutions for that kind of protection.

    Note that even if it is encrypted at “terminal” and not decrypted at the POS, if it is decrypted anywhere within the merchant’s network, that could be a location for “data-capturing malware” to be installed. By using P2PE or E2EE, that risk can essentially be pushed out of the merchant and down to issuers or processors.

    As always, the opinions above are my own, and do not necessarily represent my employer’s.


  • Swift to C++

    So having just watched a great webcast from O’Reilly on Swift (and certainly having plenty more to learn):

    • Protocols == Pure Virtuals
    • Generics == Templates
    • Extensions == Class Derivation/Extension/Overloading on steroids
    • Operator Overloading == Operator Overloading, again on steroids.
    • Closures == well, nothing innate, but pretty much same thing as Python Closures

    Curiously, and I wonder if it causes problems, that there is no “protected” equivalent. Also from a purely base syntactic level it looks remarkably Scala-like though it falls away quickly on analysis.

    Interesting language, definitely. Topic reminds me of Jason Bock’s “If Carpenters Were Hired Like Programmers”.


  • If you needed one reason…

    To watch the IT Crowd, this is it:


  • Get rid of annoying “People Pane” in Outlook

    I wouldn’t mind the “People Pane”, except that in our organization is shows nothing useful. Moreover for a reason I cannot fathom, it always gets opened up, taking enormous reading real estate. So from this (Outlook 2010 at least):

    Click the “View” tab:

    Select “People Pane” and set it to “Off”:

    Voila!

    UPDATE:

    Same two steps work on Outlook 2013.