Author: Matt Fahrner

  • More on “tiny” URLs…

I keep getting them from very smart, very security-conscious people. However, to make my point:

    http://goo.gl/1LJ1Wz

    I love what they offer but…

Some shorteners do offer a preview, but users aren’t used to seeing one and unfortunately won’t care (i.e. they are so used to getting short links without a preview that they won’t expect or demand it).

    UPDATE:

As a coworker pointed out, there may be plugins for Firefox etc. (I couldn’t find one that worked), or you can use a site like this:

    http://longurl.org

    It’s already come in handy for me a few times.


  • Python – some truth in this…

    I have to say even as a relative newcomer to Python, I find a fair bit of truth in this:

    https://medium.com/@deliciousrobots/5d2ad703365d/

Working in a heterogeneous OS environment, where you can’t count on Python 2.x versus Python 3.x being present, the lack of backward (or forward) compatibility is problematic. If nothing else it erodes trust in the language: will Python 4.x inflict similar pain? Should I be looking at yet another language that isn’t so willing to shoot itself in the foot?

    Not all environments, even if they should be, are Puppet-perfect and portability is still a major requirement.

    This is to some extent what happens when languages become religion and “purity” to ideological dogma becomes more important than functionality. While I have to praise the desire for perfection, sometimes the perfect really is the enemy of the good.

    All that said, as Python becomes more “native” to my mentality, maybe I’ll change my mind. I’ve found the transition to other languages, OSes, etc. offensive to my sensibilities only to later become “assimilated to the Borg” as it were.


  • Using LDAP Paged Controls with Python

Most LDAP servers can be configured to return an unlimited number of entries on a search; however, depending on the size of the directory, the result set can exhaust the client’s memory. Moreover, if you want to write portable code you should not depend on the server being willing to return unlimited entries. Active Directory, for instance, caps a single result set at 1,000 entries by default (its MaxPageSize policy) and returns a size-limit error beyond that unless the client pages.

Because LDAP paging isn’t difficult to use, there isn’t much reason not to use it. Paging only marginally reduces client performance while putting noticeably less stress on the LDAP server(s). Personally I recommend using it as a general practice, even where it isn’t strictly necessary.

python-ldap supports paging, though it isn’t well documented. I found two examples, this one and this one. Both had their pluses, but neither explained much of what was going on. I melded them together, added comments, and streamlined a bit. Hopefully this will help you get the mojo…

As a final note, one of the documents I found said the paged controls did not work with OpenLDAP. That’s not what I found: pretty much the exact code above worked without issue against OpenLDAP.

    UPDATE:

    A GitHub “Gist” for the above can be found here.

    UPDATE 2:

For users of python-ldap 2.4, check out the comment by Ilya Rumyantsev, which gives a forward/backward compatible set of code snippets since the API has changed a bit. Many thanks to Ilya for the update.

    UPDATE 3:

Below I took Ilya’s updates and merged them in with some minor enhancements to compare the python-ldap version on the fly. My next stop is to convert this to a generator function, which would be more ideal than using a callback. The issue with going to a generator is handling the errors, which means raising exceptions in some sane fashion…

    UPDATE 4:

It turns out that the Python “ldap” module does not follow “StrictVersion” versioning in its “__version__” string. I have updated the “UPDATE 3” code to use “LooseVersion” comparisons.

    UPDATE 5:

I updated the above code to default to “criticality=False” for the paging control. With criticality set, an LDAP service that doesn’t support paging rejects the search outright with a potentially confusing “Critical extension is unavailable” error. The flip side of “criticality=False” is that such a server silently ignores the control and answers with a plain, unpaged (and possibly size-limited) result, so it is worth checking that the paging control actually comes back in the server’s response controls before trusting the result to be complete.

Note I ultimately need to fix the exception handling, as for whatever reason the exception object passed back doesn’t have a reasonable “__str__()” method; the message is left in the “desc” key of the dictionary it carries as its first argument.
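Since the post’s own code didn’t survive the move to this page, here is the generator version UPDATE 3 talks about wanting, written as an added example (mine, not the original post’s code or the Gist). It assumes python-ldap 2.4 or newer, i.e. the “SimplePagedResultsControl(criticality, size, cookie)” API from UPDATE 2; the pre-2.4 constructor is not handled. The “PagingUnsupported” exception and the “require_paging” switch are this example’s own additions: with “criticality=False” they catch the case where the server ignored the control, and with “criticality=True” they turn the “desc”-only error into a readable one.

```python
"""Paged LDAP search as a generator, built on python-ldap.

Added example, not the original post's code: the generator version
UPDATE 3 talks about wanting. Assumes python-ldap >= 2.4 (the
SimplePagedResultsControl(criticality, size, cookie) API from UPDATE 2);
the pre-2.4 constructor is not handled. PagingUnsupported and the
require_paging switch are this example's own additions.
"""
import sys

PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"   # RFC 2696 simple paged results


class PagingUnsupported(RuntimeError):
    """The server either rejected the paging control or silently ignored it."""


def _ldap_error_text(exc):
    """python-ldap puts the useful text in args[0]['desc'] / ['info'], not __str__()."""
    info = exc.args[0] if exc.args and isinstance(exc.args[0], dict) else {}
    return " ".join(s for s in (info.get("desc"), info.get("info")) if s) or repr(exc)


def paged_search(conn, base, scope, filterstr="(objectClass=*)", attrlist=None,
                 page_size=500, criticality=False, require_paging=True):
    """Yield (dn, attrs) for every entry matching the search, fetching one
    page of page_size entries at a time.

    criticality=False (the post's UPDATE 5 default) lets a server without
    RFC 2696 support answer unpaged instead of failing; require_paging=True
    then turns the missing response control into an error rather than
    silently returning a result truncated at the server's size limit.
    """
    import ldap                        # imported here so the module loads without python-ldap
    from ldap.controls import SimplePagedResultsControl

    page_ctrl = SimplePagedResultsControl(criticality, size=page_size, cookie="")
    while True:
        try:
            msgid = conn.search_ext(base, scope, filterstr, attrlist,
                                    serverctrls=[page_ctrl])
            _rtype, rdata, _rmsgid, serverctrls = conn.result3(msgid)
        except ldap.UNAVAILABLE_CRITICAL_EXTENSION as e:
            raise PagingUnsupported("server rejected the paged-results control: "
                                    + _ldap_error_text(e)) from e

        for dn, attrs in rdata:
            if dn is None:             # search references (referrals) arrive with dn=None
                continue
            yield dn, attrs

        response = [c for c in serverctrls if c.controlType == PAGED_RESULTS_OID]
        if not response:
            if require_paging:
                raise PagingUnsupported("no paged-results control in the response; "
                                        "the server ignored paging (criticality=False)")
            return
        cookie = response[0].cookie
        if not cookie:                 # an empty cookie marks the final page
            return
        page_ctrl.cookie = cookie      # ask for the next page


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: %s ldap://host base-dn [filter]" % sys.argv[0])
    import ldap
    uri, base = sys.argv[1], sys.argv[2]
    filt = sys.argv[3] if len(sys.argv) > 3 else "(objectClass=*)"
    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_REFERRALS, 0)   # AD hands out referrals; don't chase them
    conn.simple_bind_s()                      # anonymous; use simple_bind_s(dn, pw) or SASL in practice
    count = 0
    try:
        for dn, _attrs in paged_search(conn, base, ldap.SCOPE_SUBTREE, filt,
                                       attrlist=["1.1"], page_size=500):  # "1.1" = no attributes
            print(dn)
            count += 1
    except PagingUnsupported as e:
        sys.exit("paging failed after %d entries: %s" % (count, e))
    print("%d entries" % count, file=sys.stderr)
```

Errors surface where the generator is consumed, so a caller can wrap the “for” loop in one try/except and still keep whatever entries arrived before the failure. Referral entries come back from “result3()” with a DN of None and are skipped; if you need to follow them, handle them before this generator sees them.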


  • How to probe ethernet capabilities…

    Mostly for my own edification – use “ethtool”, eg:

    You’ll note two important details about this output:

1. This NIC is gigabit capable but is only running at 100 Mb/s.
    2. I claim to be running this as root, but any good sysad should be using “sudo” instead!

    Anyway, simple command, but sometimes you forget them.
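Because the thing worth noticing in that output (gigabit NIC, 100 Mb/s link) is easy to miss by eye across a fleet, here is a small parser for “ethtool” output that flags it, as an added example of mine rather than anything from the original post. The embedded “SAMPLE” text is constructed to match ethtool’s format for exactly that case; the script name and the “assess()” wording are my own.

```python
"""Parse `ethtool <iface>` output and flag a NIC linked below its best speed.

Added example (not from the original post). SAMPLE is a constructed copy of
ethtool's text format for a gigabit NIC that negotiated 100 Mb/s, the
situation the post points out. Run against a real NIC with
`sudo ethtool eth0 | python3 ethtool_check.py` or `sudo python3 ethtool_check.py eth0`.
"""
import re
import subprocess
import sys

SAMPLE = """\
Settings for eth0:
\tSupported ports: [ TP MII ]
\tSupported link modes:   10baseT/Half 10baseT/Full
\t                        100baseT/Half 100baseT/Full
\t                        1000baseT/Full
\tSupports auto-negotiation: Yes
\tAdvertised link modes:  10baseT/Half 10baseT/Full
\t                        100baseT/Half 100baseT/Full
\t                        1000baseT/Full
\tSpeed: 100Mb/s
\tDuplex: Full
\tPort: MII
\tAuto-negotiation: on
\tLink detected: yes
"""

_MODE_SPEED = re.compile(r"(\d+)base")   # e.g. 1000baseT/Full -> 1000
_SPEED = re.compile(r"(\d+)Mb/s")        # "Speed: 100Mb/s"; "Unknown!" when the link is down


def parse_ethtool(text):
    """Return the interesting fields as a dict. Wrapped "link modes" lines
    (which carry no colon) are folded back onto the field they continue."""
    fields, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Settings for"):
            continue
        if ":" in line:
            key, _, value = line.strip().partition(":")
            fields[key] = value.strip()
        elif key:
            fields[key] += " " + line.strip()
    supported = [int(n) for n in _MODE_SPEED.findall(fields.get("Supported link modes", ""))]
    speed = _SPEED.search(fields.get("Speed", ""))
    return {
        "speed_mbps": int(speed.group(1)) if speed else None,
        "max_supported_mbps": max(supported) if supported else None,
        "duplex": fields.get("Duplex"),
        "autoneg": fields.get("Auto-negotiation") == "on",
        "link": fields.get("Link detected") == "yes",
    }


def assess(info):
    """One-line verdict: no link, under-speed, or ok."""
    if not info["link"] or info["speed_mbps"] is None:
        return "no link"
    if info["max_supported_mbps"] and info["speed_mbps"] < info["max_supported_mbps"]:
        return ("underspeed: linked at %d Mb/s but NIC supports %d Mb/s "
                "(check cable, switch port, autoneg)"
                % (info["speed_mbps"], info["max_supported_mbps"]))
    return "ok: %d Mb/s %s duplex" % (info["speed_mbps"], (info["duplex"] or "?").lower())


def run_ethtool(iface):
    """Run ethtool for a real interface (use sudo for the full output)."""
    return subprocess.run(["ethtool", iface], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    if len(sys.argv) > 1:
        text = run_ethtool(sys.argv[1])
    elif not sys.stdin.isatty():
        text = sys.stdin.read()
    else:
        text = SAMPLE
    print(assess(parse_ethtool(text)))
```

Run with no arguments it assesses the built-in sample; fed real “ethtool” output it reports “no link” for an interface that is down (where ethtool prints “Speed: Unknown!”) rather than mis-reading it as slow.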


  • Mmmm… Mmmm…

    A little off topic but, when in Philadelphia… Mmmm… Mmmm…

International Smokeless BBQ Restaurant and Buffet


    UPDATE:

    Mmmmm… Mmmmm… again!

    E MEI Restaurant


  • Nothing new here…

    But everyone should read it:

    Password strength. Longer better than complexity.


  • How to dump the Firefox history (Linux)

    Not pretty, but gets you there:

• Find and go to your Firefox profile (usually “~/.mozilla/firefox/*.default”; newer Firefox versions name the directory “*.default-release”).
    • Run “sqlite3 places.sqlite .dump | grep moz_places”

If Firefox is running you may have to copy “places.sqlite” to a new file and then run “sqlite3” against the copy. You can’t dump it while Firefox is running because Firefox holds a lock on the database. Recent Firefox versions also keep the database in WAL mode, so the most recent visits may still sit in “places.sqlite-wal” next to it; copy that file along with the database or you may miss them.

    Since it’s SQL there are fancier ways of pulling the actual tables, but for a quick script, this will do.

Note if you’re after the time that a URL was accessed (I was), it seems to be the last field in the “VALUES” (the “last_visit_date” column; the time of each individual visit lives in the “moz_historyvisits” table). It is in microseconds since 1970. In that case, this little Perl snippet should get you the actual time:

    where “HISTORYTIME” is replaced by the time printed in the SQL dump (eg: a big arse number like “1373383738987790”).
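The same job in Python, as an added example of mine rather than the post’s own commands: it copies the database (and its “-wal” file, if present) aside so it works while Firefox holds the lock, joins every visit to its URL, and converts the microsecond timestamps exactly. It assumes only the standard columns “moz_places(id, url, title)” and “moz_historyvisits(place_id, visit_date)”; the profile glob and script name are my own choices, and the database used in the self-check is constructed.

```python
"""Dump Firefox history (Linux) from places.sqlite with readable visit times.

Added example, not the original post's commands: copies the database
(plus its -wal file, if present) to a temp dir so it works while Firefox
holds the lock, joins each visit to its URL, and converts PRTime
(microseconds since the Unix epoch) to UTC datetimes. Assumes the standard
columns moz_places(id, url, title) and moz_historyvisits(place_id, visit_date).
"""
import glob
import os
import shutil
import sqlite3
import sys
import tempfile
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def prtime_to_datetime(microseconds):
    """PRTime (e.g. 1373383738987790) -> aware UTC datetime, exact to the
    microsecond; uses timedelta rather than a float to avoid rounding."""
    return EPOCH + timedelta(microseconds=int(microseconds))


def find_places_db():
    """First places.sqlite under ~/.mozilla/firefox (*.default or *.default-release)."""
    hits = sorted(glob.glob(os.path.expanduser("~/.mozilla/firefox/*.default*/places.sqlite")))
    if not hits:
        raise FileNotFoundError("no Firefox profile with places.sqlite found")
    return hits[0]


def dump_history(places_path):
    """Return [(utc_datetime, url, title), ...] for every recorded visit, oldest first."""
    tmp = tempfile.mkdtemp(prefix="ffhist-")
    try:
        copy = os.path.join(tmp, "places.sqlite")
        shutil.copy2(places_path, copy)
        wal = places_path + "-wal"            # recent visits may still be in the write-ahead log
        if os.path.exists(wal):
            shutil.copy2(wal, copy + "-wal")  # SQLite rebuilds the -shm index itself
        conn = sqlite3.connect(copy)          # our private copy, so no lock contention
        try:
            rows = conn.execute(
                "SELECT v.visit_date, p.url, p.title "
                "FROM moz_historyvisits AS v "
                "JOIN moz_places AS p ON p.id = v.place_id "
                "ORDER BY v.visit_date").fetchall()
        finally:
            conn.close()
    finally:
        shutil.rmtree(tmp, ignore_errors=True)
    return [(prtime_to_datetime(us), url, title) for us, url, title in rows]


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else find_places_db()
    for when, url, title in dump_history(path):
        print("%s  %s  %s" % (when.strftime("%Y-%m-%d %H:%M:%S UTC"), url, title or ""))
```

Querying “moz_historyvisits” instead of grepping “moz_places” gives one line per visit rather than only the last visit per URL, which is usually what you want when reconstructing a timeline.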


  • Out of the mouths of Astronauts…

    Applies to IT as well:

    “And it’s worth remembering, too, there’s no problem so bad that you can’t make it worse also.”

    – Commander Chris Hadfield, Canadian Astronaut


  • Testing “sendmail” with immediate delivery

In the old days, when using “sendmail”, if you wanted to watch the SMTP conversation between the local host and the next mail relay all you had to do was run “sendmail -v” or “mail -v” (or “mailx -v”, depending on the OS). It would then print the entire SMTP conversation with the remote host, which is useful for diagnosing why a remote host may be refusing your mail.

In more modern implementations “sendmail” actually uses two separate configurations: “submit.cf”, used by the mail submission program for originating mail, and “sendmail.cf”, used by the MTA for delivery/forwarding. Consequently, when you run “sendmail -v” without any additional options it uses “submit.cf” by default, which hands the message to the local MTA on “localhost” first, so all you see is that local hand-off rather than the conversation with the relay. E.g.:

The solution is to add the “-Am” flag, which tells it to bypass “submit.cf” and use “sendmail.cf” (MTA mode) directly, so the verbose output shows the conversation with the real next hop:

Note that depending on your OS you may have to run “sendmail” with “sudo” to get enough permissions to access the queue directories. You also ideally should provide the “-t” option, which reads the recipients from the message headers, and include “To:”, “From:”, and “Subject:” headers to be a good mail citizen, though for testing it isn’t terribly important.


  • Make Excel text fit row height

    As part of my job I for better or worse have to deal with Excel on a regular basis. One of the issues I have is the sizing of rows (the cell height) not properly expanding, or conversely shrinking, when I add or remove data in the cell.

    It turns out there is a very easy way to clean the row height spacing:

    First, select the rows you want to fix the spacing on. For most spreadsheets without fancy formatting, the simplest bet seems to be to select all cells by clicking the left corner of all the cells (examples here are from Excel 2013):

Then make sure you are on the Home tab:

    Then select “Format / AutoFit Row Height”:

    Voila! Sane cell height spacing again.

    This is particularly useful with “Wrap text” set in cell “Alignment”. Note with wrapping you may have to expand the size of some columns to get Excel not to think there needs to be extra height underneath with text that is very close to the right edge of the cell.


  • And now for something completely different…

    My big sister who I am eminently proud of:

    http://www.lisajensencostumedesign.com/

    Bragging done for today.


  • Dear Secure Companies…

    Dear Secure Companies,

Please stop sending me emails asking me to pick up critical documents or fill in surveys where the URLs I need to follow point into random, unverifiable domains. A link that leads to a URL like:

    http://wl1.peer360.com/b/J9dqJDSALAS87ZWR3Te7/mle.asp?hl=5621312750&r=BBGGHHSF&CID=305151

is not going to inspire confidence and, assuming it isn’t spear-phishing or malware, is teaching end users bad practice. That is, it teaches them to follow random links rather than links into verifiable domains. Encouraging recipients to follow such links is completely at odds with modern security awareness training, which tells users not to follow random links.

    I know that using 3rd party marketing, survey, and even content providers is the norm, but you need to make the effort to ensure the URLs fall under your own verifiable domain, not some random 3rd party domain. Otherwise, unfortunately, you are part of the problem.

    I say this because in my day job I regularly get emails from major security companies or entities handling PII that embed links in their email going to what appear to be random (though undoubtedly valid) sites. This is bad practice and you are not helping the overall picture when doing so.


  • Four keyboard shortcuts you should know…

    I’m writing this because I see so many people who use computers regularly who don’t know these basic keyboard shortcuts. They’re easy – learn them and your computer life will be much better. Most work on pretty much any GUI (Windows, Unix, even Mac substituting the CMD key for the CTRL key).

    So with no further ado (hold down the CTRL key while typing the key that follows it, kind of like the SHIFT key):

    • CTRL-C = copy the selected text
    • CTRL-V = paste the prior copied text
• CTRL-X = cut: copy the selected text and then delete it
    • CTRL-Z = undo the last change

There are quite a few more worth learning, but some aren’t as guaranteed to work (for instance the “redo” of the last “undo”, which is CTRL-SHIFT-Z in some applications and CTRL-Y in others). However, if you simply learn the 4 above your work will be remarkably streamlined.

As a final note, these DO NOT work in Unix command line (shell) windows. In fact you’ll get completely different and potentially ugly behavior: CTRL-C interrupts (kills) the running command and CTRL-Z suspends it. They will however work in the Unix GUI (X Windows and/or browser windows etc.).


  • Why is WLAN “signal quality” in negative decibels?

    If you use “iwconfig” on Linux to get statistics on your wireless LAN you’ll note that the “Signal Level” is expressed in negative decibels. On the surface that would appear confusing – how can decibels be negative?!

Fortunately an anonymous poster explains at Tom’s Hardware:

    Absolute power of a signal is measured in wattage. The bel or decibel system can only describe relative power- a gain of 3 dB means your signal is 2 times as strong as it was before, but the dB scale doesn’t define where you’re starting from or what your ‘zero’ is. So, we specify dBm, indicating that our scale is relative to 1 milliWatt of power. 0 dBm = 1 mW.

    The reason you see negative values is that you’re representing small but positive numbers, on a logarithmic scale. In logarithms, the value indicated represents an exponent… for example, under a log 10 scale, a value of -2 represents 10 to the -2 power, which equals 0.01. Likewise, a negative dBm means that you’re applying a negative exponent in your power calculations; 0 dBm equals 1 mW of power, so -10 dBm equates to 0.1 mW, -20 dBm equates to 0.01 mW, and so forth. It’s a lot easier, and more useful in some calculations, to describe a weak signal as -100 dBm as opposed to 0.0000000001 mW.

    Pretty simple when it’s explained that way!


  • Dumping SSL certificate information

It seems lately I’m regularly having to dump the information from SSL/TLS certificates (for instance to get the “Subject” or the signing CA). Since I keep having to look up the exact syntax, I thought it easier to save it here and figured it might help others.

    So, if in PEM format, use the following:

    openssl x509 -text -in cert.pem

    If in PKCS#12 format, use this:

    openssl pkcs12 -info -in cert.pfx

    To dump a CSR (Certificate Signing Request), use this:

    openssl req -text -in request.csr

To dump an RSA private key (“-noout” suppresses re-printing the PEM itself):

    openssl rsa -text -noout -in key.pem

    More can be found here and here.

    UPDATE:

You can also pull the certificate (the public half) from a live website, which can be handy. The output is in PEM format:

    openssl s_client -showcerts -connect somehost.somedomain.com:443 >cert.pem </dev/null

It prints information about the session and the certificate it just pulled, but you will need the PEM dump above to get things like the serial number. Note that “cert.pem” will also contain the “s_client” session output and, because of “-showcerts”, the whole chain the server sent; “openssl x509” reads only the first PEM block, which is the server’s own certificate, so the dump command works on it as-is. If the host serves several names, add “-servername somehost.somedomain.com” so SNI selects the right certificate.


  • Forcing a Window Media Player library rescan

If you’re using Windows Media Player (WMP) as a Windows Media “server” to share your music library, yet don’t use WMP directly to manage your media (I use the much richer MediaMonkey), then you may want to force a library rescan when you add new tracks to your file store(s).

    This isn’t very hard, but it isn’t entirely intuitive either. However it’s simple enough. Select the WMP window, hit the “ALT” key and a menu will pop up. Select “Tools / Apply media information changes”, eg:

    Windows Media Player menu

    Should do the trick.


  • BankInfo Ramnit Article

    Tracy Kitten at BankInfo has an interesting article about the Ramnit worm which is worthy of a read (even I would say by the general public). Ramnit is particularly pernicious because:

    Ramnit’s man-in-the-middle looks like an actual social-media or bank-account sign-in page that captures a user’s ID and password, and sometimes other personal information en route to the actual log-in page. The difference, however, is that the page in the middle captures authentication data and allows the attacker to gain access to the victim’s accounts at will.

    That said, I’m not sure I agree with the solution espoused:

    “Passwords are not very useful for anything anymore,” [Bill] Wansley says. “They are just too easy to forget, copy or break. Everyone needs to go to multifactor authentication [emphasis added] – like Google has recently – for social-media sign-in, and certainly for anything that is for financial or medical-related accounts.”

Certainly a challenge-response method would be effective if the response were dynamic (like, say, an RSA key fob or equivalent smartphone software); however, if the two factors are two static values, nothing stops the malware from ultimately being designed to capture both. It would be “false security” to believe this is a permanent solution.

    It then goes on to say:

    Passphrases are better than passwords, but multifactor authentication is the new standard. “Nobody should be using their social-media passwords or phrases for their financial accounts,” Wansley says.

While I absolutely agree that users shouldn’t use the same password for financial or other sensitive websites, I’m not absolutely convinced that making stronger passwords is generally the answer. Yes, if you are using straight dictionary words (which the websites should prevent) you are at risk; however a mix of case plus, say, a digit basically makes the password uncrackable from outside, provided the website properly implements delays and lockouts on the login process.

In my opinion too much emphasis in the industry is put on strong passwords because people confuse a compromised hash (the hashed form of the password, which can be attacked offline at enormous guess rates) with an external brute-force attack. If the former happens one should simply assume the password is compromised regardless of how strong it is. However most recent compromises involve either external brute-force attacks or outright compromise of the cleartext password; those are different animals from a hash loss. Again, a marginally strong password with delays and lockout will easily survive a brute-force attack from an external source (i.e. over the web).

That’s not to say a degree of password strength isn’t important, but making passwords too difficult to remember can be counterproductive, as it encourages users to write them down or use other insecure methods. In that regard “passphrases” can be a benefit: they can be easy to remember and strong at the same time.

    I think too often security professionals focus on what works for them and not the reality of the end user community they are servicing. Sure that gawd awful password complexity requirement is the ideal, but if your end users end up writing it on a post-it or in an Excel spreadsheet the game is over.


  • Why I hate tiny-fied URLs…

In theory, if the world were filled with universally good people, “bitly” and “TinyURL.com”, which turn long URLs into short ones, would be a great idea. However, whenever I get one I find that I’m frankly terrified to click on it.

    Why?

    Because while they could be going someplace useful, they could also be going to a giant virus laden web site, or a nasty bug exercising Flash app, or even a porn site that’s going to get me in dutch at the job.

    I mean here’s one:

    http://bit.ly/pSd3GJ

    How do you know where it goes? It happens to go to my resume, but it could go to a virus, a trojan, something completely inappropriate (or even illegal).

    Again, it’s a wonderful idea, and certainly more power to those who can stomach them, but I can’t. Heck I even get them sent to me by security professionals.

    Granted, even when they are URLs that clearly go to well known sites you are always at risk, but the extra obfuscation (as nice as it is) really increases your risk. No offense to the owners of “bitly” or “tinyURL.com”, they certainly are providing a public service, but it’s one that is too nerve-wracking for this security professional.
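Both of the short-URL posts on this page (this one and “More on ‘tiny’ URLs…” above) come down to the same question: how do you know where it goes? Here is the check I actually run before clicking, as an added example of mine rather than anything from the original posts: it issues a HEAD request with redirect-following disabled and walks the “Location” headers hop by hop, so the destination is known before any browser touches it. The “fetch” parameter, the “url-expander” User-Agent string and the hop limit are my own choices; the URLs in the self-check are constructed.

```python
"""Expand a shortened URL without following it in a browser.

Added example (not code from the original posts). Sends HEAD requests with
redirect-following disabled and collects each Location header, so you learn
where a bit.ly / goo.gl / TinyURL link ends up before visiting it.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse every redirect: urllib then surfaces the 3xx as an HTTPError
    whose headers (including Location) we read ourselves."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_head(url, timeout=10):
    """One HEAD request. Returns (status, {header: value}); never follows 3xx."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "url-expander/1.0"})  # assumed UA string
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as e:          # refused 3xx, and any 4xx/5xx, land here
        return e.code, dict(e.headers.items())


def expand_url(url, fetch=http_head, max_hops=10):
    """Return every URL in the redirect chain, starting with `url` and ending
    at the first non-redirect (or a redirect without a Location header).
    Raises RuntimeError on a redirect loop or when max_hops is exceeded."""
    hops = [url]
    for _ in range(max_hops):
        status, headers = fetch(hops[-1])
        location = {k.lower(): v for k, v in headers.items()}.get("location")
        if not (300 <= status < 400) or not location:
            return hops
        nxt = urllib.parse.urljoin(hops[-1], location)   # Location may be relative
        if nxt in hops:
            raise RuntimeError("redirect loop at %s" % nxt)
        hops.append(nxt)
    raise RuntimeError("more than %d redirects starting from %s" % (max_hops, url))


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: %s http://short.url/xyz" % sys.argv[0])
    chain = expand_url(sys.argv[1])
    for i, hop in enumerate(chain):
        print("%s%s" % ("  " * i + ("-> " if i else ""), hop))
    print("final host: %s" % urllib.parse.urlsplit(chain[-1]).hostname)
```

Two caveats: a handful of sites answer HEAD with 405, in which case the chain simply stops there and you still know the host you would have landed on; and the expansion request itself goes out from your machine, so if even that is unacceptable use a third-party expander like the one mentioned above.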


  • Adding ringtones to Android

    To add ringtones (or notifications or alarms) to Android phones, connect the phone to your computer and go to the top level of the drive that is mounted. Under that drive you can create (though they may exist already):

    /alarms or /media/alarms or /media/audio/alarms
    /notifications or /media/notifications or /media/audio/notifications
    /ringtones or /media/ringtones or /media/audio/ringtones

In theory putting them under “/media/audio” (the third form given) should be a little cleaner. It also sounds like you can put a track just about anywhere and tap on it to select “Use as phone ringtone” (I have not tried this though).

    This is under Android OS 2.1. Your mileage may vary with other versions.

    The Android API documentation is here, however it doesn’t look all that useful for the average end user.

    UPDATE:

    Well, that’s interesting. Having just tried my instructions again, I found I had to create a:

    /media/ringtones

    and put them there. “/media/audio” didn’t seem to work.

    Something must have changed in the latest version…

    /sdcard/alarms OR /sdcard/media/alarms
    /sdcard/notifications OR /sdcard/media/notifications
    /sdcard/ringtones OR /sdcard/media/ringtones

  • Useful Intel links…

    Two links from Intel are particularly useful for desktop/laptop users. First, this tool will find out if the Intel drivers you’re using are up-to-date:

    http://www.intel.com/p/en_US/support/detect

Since many if not most desktops/laptops include some Intel-based chipset (even if the main CPU isn’t Intel), this is a pretty useful site.

    If you’re interested to know what Intel chipsets your system uses without checking for updates, this downloadable tool is useful:

    http://www.intel.com/support/chipsets/inf/sb/cs-009266.htm

    When run it lets you know what at a minimum your mainboard chipset is (assuming it’s Intel).

    Of course AMD users mileage will undoubtedly vary. Note that both of these are Windows only apps (sorry).