
Category Archives: maniacal paranoia

  • The impairing lack of light pollution

    When we lived in the city, ambient light pollution was such that I could set my CCTV cams to a certain brightness/contrast and the limited auto adjustments they did were enough to cope with day & night. In the middle of the forest, the night gets full on #000000 dark. The poor cams can’t adjust and I need to pick whether I want to record at night and get white frames during the day, or at daytime and get black frames during the night.

    I wrote the following script which computes the average brightness of a cam’s current frame and issues more drastic adjustments if needed. It is obviously tailored for my FI8918Ws but the same idea can be used for others.

    #!/usr/bin/php
    <?php
    
    // Camera base URL and credentials. The FI8918W takes user/pwd as query-string
    // parameters, so they travel in plain text and end up in any proxy or access log:
    // keep the camera on an isolated network segment.
    $cam  = 'http://192.168.1.203:8003' ;
    $auth = 'user=<username>&pwd=<password>' ;
    
    function cam_set( $cam, $auth, $param, $value ) {
        // camera_control.cgi: param 1 = brightness, 2 = contrast, 3 = mode
        return file_get_contents( "$cam/camera_control.cgi?param=$param&value=$value&$auth" ) ;
    }
    
    $img = @imagecreatefromjpeg( "$cam/snapshot.cgi?$auth" ) ;
    if( $img===false ) {
        die( "Unable to open image\n" ) ;
    }
    
    $w = imagesx( $img ) ;
    $h = imagesy( $img ) ;
    
    // Sum each channel over every pixel of the frame
    $total_r = 0 ;
    $total_g = 0 ;
    $total_b = 0 ;
    for( $i=0 ; $i<$w ; $i++ ) {
        for( $j=0 ; $j<$h ; $j++ ) {
            $rgb = imagecolorat( $img, $i, $j ) ;
            $total_r += ($rgb >> 16) & 0xFF ;
            $total_g += ($rgb >> 8) & 0xFF ;
            $total_b += $rgb & 0xFF ;
        }
    }
    
    // Mean of the three channel averages: 0 (black) .. 255 (white)
    $pixels = $w * $h ;
    $average_brightness = round( ( $total_r + $total_g + $total_b ) / ( 3 * $pixels ) ) ;
    echo $average_brightness, "\n" ;
    
    // Two thresholds with a dead band in between so the cam doesn't flip-flop at dusk
    if( $average_brightness<30 ) {
        echo "night time!\n" ;
        echo "mode\n" ;
        cam_set( $cam, $auth, 3, 0 ) ;
        sleep( 10 ) ;
        echo "contrast\n" ;
        cam_set( $cam, $auth, 2, 6 ) ;
        sleep( 10 ) ;
        echo "brightness\n" ;
        cam_set( $cam, $auth, 1, 240 ) ;
    } else if( $average_brightness>170 ) {
        echo "day time!\n" ;
        echo "mode\n" ;
        cam_set( $cam, $auth, 3, 2 ) ;
        sleep( 10 ) ;
        echo "contrast\n" ;
        cam_set( $cam, $auth, 2, 4 ) ;
        sleep( 10 ) ;
        echo "brightness\n" ;
        cam_set( $cam, $auth, 1, 64 ) ;
    }
    
    ?>
  • Loopback & crypt: a filesystem, within an encrypted partition, within a file

    So here we are, 2012 and physical media are going away really fast. We won’t even talk about CDs, which have been relegated to the role of plastic dust collectors; even hard drives are being abstracted by a myriad of cloud based solutions. Their purpose is shifting towards a container for the OS and nothing else. Filesystems & their hierarchies become hidden in a bid to remove any need to organize files; rather, you are supposed to throw it all up in the cloud and search on metadata.

    While moving away from physical media is convenient and inevitable, I like the hierarchical organization that directories provide. What’s more intuitive than a labeled container with stuff in it?

    How can we detach our hard drives from their physical shells, move them around in an omnipresent cloud and keep them secure?

    By creating a file, attaching it to loopback & creating an encrypted partition in it!

    Here’s how to do it
    • Create a file that will be your soft hard drive with:
    dd if=/dev/zero of=/tmp/ffs bs=1024 count=524288

    This will create a 512MB file (524288 blocks of 1024 bytes). Filling from /dev/zero is fast, but blocks that are never written through the LUKS layer stay zero, so the container reveals how much of it is actually in use; fill from /dev/urandom instead if that matters to you.

    • Make sure that the loopback device #0 is free:
    losetup /dev/loop0

    You should see something telling you that there is “No such device or address”.

    • Attach the soft hard drive to the loopback device:
    sudo losetup /dev/loop0 /tmp/ffs
    • And then make sure it was indeed attached by re-running:
    losetup /dev/loop0
    • Create an encrypted partition on your attached soft hard drive:
    sudo cryptsetup --verify-passphrase luksFormat /dev/loop0 -c aes -s 256 -h sha256
    • Open your encrypted partition:
    sudo cryptsetup luksOpen /dev/loop0 ffs
    • Create a filesystem in it:
    sudo mkfs.ext3 -m 1 /dev/mapper/ffs
    • And mount it like a regular disk:
    sudo mount /dev/mapper/ffs /mnt
    • When you are done using your encrypted soft hard drive you will want to umount it:
    sudo umount /mnt
    • Close it:
    sudo cryptsetup luksClose ffs
    • Detach it from loopback:
    sudo losetup -d /dev/loop0

    These steps can be automated of course. As a quick reminder, using the drive goes “loopback attach -> crypt open -> mount” and when you’re done it’s “umount -> crypt close -> loopback detach”.
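The “loopback attach -> crypt open -> mount” reminder is a good candidate for a script, with one wrinkle: if the middle step fails you are left with a loop device (or an open LUKS mapping) that the next run trips over. The following is an added Python example, not a script from the post, that plans both sequences and rolls back the completed steps when one fails; the DryRun executor only records commands so the plan can be inspected before running it for real as root. Image path, loop device and mapping name follow the post; the function names are mine.

```python
#!/usr/bin/env python3
"""Attach -> luksOpen -> mount, and the exact reverse to tear down.

Hypothetical helper (not from the original post): it plans the command sequence,
runs it, and if a step fails undoes the steps that already succeeded so a
half-attached container is never left behind. Run the real thing as root.
"""
import subprocess


def plan_up(image, loopdev, name, mountpoint):
    """Commands, in order, that make the container usable."""
    return [
        ["losetup", loopdev, image],
        ["cryptsetup", "luksOpen", loopdev, name],
        ["mount", f"/dev/mapper/{name}", mountpoint],
    ]


def plan_down(loopdev, name, mountpoint):
    """Commands, in order, that tear it down: step i here undoes step (2 - i) of plan_up."""
    return [
        ["umount", mountpoint],
        ["cryptsetup", "luksClose", name],
        ["losetup", "-d", loopdev],
    ]


class DryRun:
    """Stand-in executor: records every command, optionally failing on one program name."""

    def __init__(self, fail_on=None):
        self.fail_on = fail_on
        self.calls = []

    def __call__(self, cmd):
        self.calls.append(cmd)
        if cmd[0] == self.fail_on:
            raise subprocess.CalledProcessError(1, cmd)


def bring_up(image, loopdev, name, mountpoint, execute=subprocess.check_call):
    """Run plan_up; on failure roll back the completed steps in reverse and re-raise.
    Returns the number of steps that succeeded (3 on success)."""
    up = plan_up(image, loopdev, name, mountpoint)
    down = plan_down(loopdev, name, mountpoint)
    done = 0
    try:
        for cmd in up:
            execute(cmd)
            done += 1
    except subprocess.CalledProcessError:
        # only the completed steps have something to undo
        for cmd in down[len(down) - done:]:
            try:
                execute(cmd)
            except subprocess.CalledProcessError:
                pass  # best effort; the original error is what the caller needs to see
        raise
    return done


def tear_down(loopdev, name, mountpoint, execute=subprocess.check_call):
    """umount -> luksClose -> losetup -d; stops at the first failure so nothing is
    detached while it is still mounted."""
    for cmd in plan_down(loopdev, name, mountpoint):
        execute(cmd)


if __name__ == "__main__":
    dry = DryRun()
    bring_up("/tmp/ffs", "/dev/loop0", "ffs", "/mnt", execute=dry)
    tear_down("/dev/loop0", "ffs", "/mnt", execute=dry)
    for c in dry.calls:
        print("sudo", " ".join(c))
```

Swap `execute` for a wrapper that prefixes `sudo` (or run the script as root) to do it for real; the rollback is what makes the script safe to re-run after a failed mount.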

    That’s it! media-less & secure storage.

    Tested on: Ubuntu 12.04 64b

  • OpenMPI distributed password cracker: crackzor

    Download

    crackzor_1.1.c.gz

    Previous versions:

    crackzor_1.0.c.gz

    Quick start
    1. Download & extract, then make sure the source is named crackzor.c: “gunzip crackzor_1.1.c.gz && mv crackzor_1.1.c crackzor.c”
    2. Make sure you have the right packages in place
      sudo apt-get install build-essential libopenmpi-dev openmpi-bin libssl-dev
    3. Compile with
      mpicc -O3 crackzor.c -o crackzor -lm -lssl -lcrypto
    4. Create a file called “machines” containing a newline separated list of every machine in your cluster, for example:
      machine00.domain.com
      machine01.domain.com
      machine02.domain.com
      machine03.domain.com
      machine04.domain.com
    5. Open MPI uses SSH for communication between nodes. As such, you need to make sure that the node you will be launching crackzor from is able to do SSH key based authentication to all the other nodes in the cluster. For my example above, if machine00 is where you will be working from, you will want to
      ssh-copy-id machine0X.domain.com

      where X ∈ {0,…,4} (yes, machine00 needs to be able to SSH to itself).

    6. You now need to disseminate your executable across all the machines that will be running it:
      for machine in `cat machines`; do scp crackzor $machine:~; done

      Pro-tip: having network storage attached to all the machines makes this step unnecessary.

    7. Run with:
      mpirun -npernode Y -machinefile machines crackzor fbade9e36a3f36d3d676c1b808451dd7 abcdefghijklmnopqrstuvwxyz 1 1

      where Y is the number of cores each machine in your cluster has. If you are running this on machines with 2 CPUs with 8 cores each, Y = 8 * 2 = 16.

    Tested on Ubuntu 10.04 64b / Ubuntu 12.04 64b / Ubuntu 14.04 64b

    Screenshots
    mpirun -npernode 16 -machinefile machines ./crackzor 7ca4793dcdff46ecda38e48d65b6c913 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ 1 7

    This is what “htop” looks like with a bunch of processes spawned & hammering every core:

    Statistics

    For the purpose of testing crackzor, we give it the md5 hash of an 8 character word and tell it to bruteforce up to 7 characters. This ensures that we compute every candidate up to 7 characters long without ever finding a match. The characters I asked it to permute are “abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ”, our sample space size is thus 52^7 + 52^6 + 52^5 + 52^4 + 52^3 + 52^2 + 52^1 = 1,048,229,971,204.

    Here is the raw data, and here it is graphed:

    I wish it would show the linear progression more but 3 things got in the way:

    1. approaching the machine’s actual number of cores on the Dell blades leaves little room for linear expansion
    2. which is emphasized in a multiuser environment where other users run other computation
    3. the EC2 bar flattens the graph a bit but I still wanted to show how it compares

    Ideally I would run through a few iterations of EC2 to observe its progression but hey, it’s expensive :).
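The sample-space arithmetic above and the “throw cores at it” model are easy to get wrong at the edges: how do 1,048,229,971,204 candidates map onto N ranks without overlap or gaps? The following added Python example, which is not crackzor’s code, shows one way: a length-then-base-|charset| indexing of the keyspace, a contiguous slice per MPI rank, and a single-process simulation of the ranks on a toy charset. How crackzor actually carves the space is not on the page; the contiguous split is an assumption.

```python
#!/usr/bin/env python3
"""How a distributed brute-forcer in the style of crackzor carves its keyspace.

Hypothetical example: candidates of length min_len..max_len over a charset are
numbered 0..size-1 (shorter words first, then base-|charset| order), each rank
owns one contiguous slice, and hashes only that slice.
"""
import hashlib


def md5_hex(word):
    return hashlib.md5(word.encode()).hexdigest()


def keyspace_size(charset_len, min_len, max_len):
    """Number of candidates of length min_len..max_len over charset_len symbols."""
    return sum(charset_len ** n for n in range(min_len, max_len + 1))


def candidate(index, charset, min_len, max_len):
    """Map a global index in [0, keyspace_size) to its candidate string."""
    k = len(charset)
    for n in range(min_len, max_len + 1):
        block = k ** n                     # all words of exactly this length
        if index < block:
            chars = []
            for _ in range(n):             # index as an n-digit base-k number
                index, digit = divmod(index, k)
                chars.append(charset[digit])
            return "".join(reversed(chars))
        index -= block
    raise IndexError("index outside keyspace")


def rank_slice(rank, nranks, total):
    """Contiguous [start, stop) owned by one rank. The remainder is spread over the
    first ranks so no rank carries more than one extra candidate."""
    base, extra = divmod(total, nranks)
    start = rank * base + min(rank, extra)
    stop = start + base + (1 if rank < extra else 0)
    return start, stop


def crack_slice(target_md5, charset, min_len, max_len, rank, nranks):
    """What one rank does: walk its slice, hash, compare. Plaintext or None."""
    total = keyspace_size(len(charset), min_len, max_len)
    start, stop = rank_slice(rank, nranks, total)
    for i in range(start, stop):
        word = candidate(i, charset, min_len, max_len)
        if md5_hex(word) == target_md5:
            return word
    return None


def crack(target_md5, charset, min_len, max_len, nranks=4):
    """Simulate the cluster in-process: every rank searches its own slice.
    Returns (rank, plaintext) or None when the keyspace is exhausted."""
    for rank in range(nranks):
        found = crack_slice(target_md5, charset, min_len, max_len, rank, nranks)
        if found is not None:
            return rank, found
    return None


if __name__ == "__main__":
    print(keyspace_size(52, 1, 7))                 # the figure quoted in the Statistics section
    print(crack(md5_hex("dbc"), "abcd", 1, 4, nranks=3))   # constructed target
```

Adding ranks shrinks each slice by 1/N while the keyspace grows by a factor of |charset| per extra character, which is the “linear resources against an exponential problem” point from the limitations below in numbers: one more character on the 52-symbol set costs 52 times more cores for the same wall-clock time.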

    Limitations
    • Right now, the only hashing algorithm supported by crackzor is MD5. It can very easily be expanded upon.
    • I also may not be using the fastest MD5 method with the fastest call, distribution is what I’m interested in.
    • Distributing password cracking among multiple machines is throwing linear resources to an exponential problem!
  • IPv6 link-local surface analyzer

    Download

    ipv6_surface_analyzer_1.0.tar.gz

    Quick Start

      1. make sure that nmap, ifconfig & arping are installed and in your path
      2. run as root

      tested on Ubuntu 11.10 64b

      Screenshot

      (actual ips obfuscated)

      Purpose

      With more devices coming IPv6 ready out of the box, a shadow network is emerging that nobody is paying attention to.

      There’s Joe sysadmin, configuring a tight firewall for this new server, default deny, very restrictive & all. This is great but did he realize that there is nothing in front of IPv6? We are used to setting up iptables, ipfw, et cetera. Unfortunately ip6tables & ip6fw too often get forgotten.

      With IPv4, a device was either manually configured or had no address until it got one from DHCP. With IPv6 a device that is not manually configured will hop on the network with a link-local address and try to further discover its settings. IPv6 reserves a range of addresses (fe80::/10) for this, and these link-local addresses are traditionally derived from the device’s mac address (modified EUI-64), which makes them predictable.

      Here is what ipv6_surface_analyzer.py does:

      • iterate through a given IPv4 range
      • for each address in the range, discover if a host sits behind it
      • port scan any host found that way over IPv4
      • infer IPv6 link-local address of host based on its mac address
      • port scan inferred IPv6 address

      The purpose of which is to establish by how much your attack surface is augmented by link-local IPv6.
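The step “infer IPv6 link-local address of host based on its mac address” is the modified EUI-64 construction of RFC 4291: flip the universal/local bit of the first octet and insert ff:fe between the two halves of the MAC. As an added Python example (not the analyzer’s own code), here it is in both directions, plus the nmap invocation the IPv6 scan step would use; the %iface scope syntax and the constructed MAC are assumptions for the demo.

```python
#!/usr/bin/env python3
"""MAC <-> modified-EUI-64 link-local address (RFC 4291, appendix A). Hypothetical helper."""
import ipaddress
import re


def mac_to_link_local(mac):
    """fe80::/64 address a host with this MAC derives for itself when it uses EUI-64."""
    octets = [int(x, 16) for x in re.split(r"[:\-]", mac.strip())]
    if len(octets) != 6 or not all(0 <= o <= 0xFF for o in octets):
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    octets[0] ^= 0x02                                   # flip the universal/local bit
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return str(ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid))


def link_local_to_mac(addr):
    """Inverse of mac_to_link_local; None if the address is not EUI-64 shaped,
    i.e. the host picked a random/stable-privacy interface identifier instead."""
    packed = ipaddress.IPv6Address(addr.split("%", 1)[0]).packed   # drop any %scope
    if packed[:2] != b"\xfe\x80" or packed[11:13] != b"\xff\xfe":
        return None
    o = bytearray(packed[8:11] + packed[13:16])
    o[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in o)


def nmap6_argv(addr, iface):
    """Link-local targets need the outgoing interface as scope; assumption: nmap's
    -6 flag with the addr%iface form is what the scan step would run."""
    return ["nmap", "-6", f"{addr}%{iface}"]


if __name__ == "__main__":
    ll = mac_to_link_local("00:11:22:33:44:55")        # constructed MAC
    print(ll, link_local_to_mac(ll), " ".join(nmap6_argv(ll, "eth0")))
```

Only hosts that still derive their interface identifier from the MAC are predictable this way; stacks that use RFC 4941 temporary or RFC 7217 stable-privacy identifiers (Windows has done this by default since Vista) are invisible to the inference and have to be found on the segment with a multicast probe such as ping6 ff02::1%iface instead.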

      This threat is somewhat mitigated by its local nature, for 2 reasons:

      1. link-local isn’t routed and thus your visibility is bound to networks you have a presence on.
      2. Getting a host’s mac address is only possible while being on the same network.

      Local as it may be, having a shadow network providing a way to circumvent firewalls is quite risky.

    • Poor man’s 2FA: a simpler 2-factor authentication mechanism for SSH

      The problem with PAM based 2FA:
      • PAM’s auth stack does not get called when the SSH daemon does key based authentication (only the account and session steps run). So your 2FA there only works with password authentication. This might be something you want but maybe not.
      • A PAM module based solution to 2FA is harder to implement
      The solution: Poor man’s 2FA!

      It is possible to add the ForceCommand directive to your sshd_config. Like the name suggests, it runs a command of your choosing after authentication (key or password, which is the point) in place of the user’s shell or of whatever command the client asked for; the client’s original request is left in $SSH_ORIGINAL_COMMAND. This is a good spot to add an extra check, say another factor for authentication.

      The code:
      #!/bin/bash
      # Runs as the user's ForceCommand: after sshd has authenticated (key or password)
      # and instead of the shell. Ctrl-C / Ctrl-Z at the prompt kill the session.
      deny() { echo "I'm sorry Dave. I'm afraid I can't do that."; sleep 1; kill -9 "$PPID"; exit 1; }
      trap deny INT TSTP
      # 5 alphanumeric characters straight from the kernel CSPRNG
      code=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 5)
      printf 'Subject: %s\nFrom: root@server <root@server.com>\n\n2FA code in subject\n' "$code" | sendmail phone_number@carrier.com
      read -r input
      if [ "$code" = "$input" ]; then
          # Hand over to what the client actually asked for (scp, sftp, a remote command),
          # otherwise to the login shell from /etc/passwd
          shell=$(getent passwd "$LOGNAME" | cut -d: -f7)
          if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
              exec "$shell" -c "$SSH_ORIGINAL_COMMAND"
          else
              exec "$shell" -l
          fi
      else
          deny
      fi

      That’s it really, save this to an executable file, replace the obvious variables and ForceCommand its ass.

    • Avoid getting tracked in a datamining society

      Welcome to the information age! Memory is cheap, millions of records are copied in the snap of a finger and everybody wants your information. This is called data-mining and everybody is doing it essentially to better advertise to you. These databases of your facts & habits are often sold and even hacked. It is time to ponder how little control you have over your own information. And when you do so, think not only about the information you give but above all about the information that can be inferred from it.

      Compiled below is a list of tips for avoiding getting tracked in modern society. They range from simple good practice to paranoia. Obviously you could go live as a hermit in the woods and be untraceable. Feel free to comment on anything I missed and I’ll add to the post.

      Day to day life

      • Broadcast the least information possible. Does your state require license plates in the front & rear? 19 states don’t, google them. Police cameras automatically scan all the license plates they see, why double your chances? Your license plates are also often recorded when you drive through tolls.
      • Pay everything in cash, credit/debit card transactions can easily place you in space and time. Moreover, encoded in the magnetic stripe is your name, stores know everything you buy and when you buy it. This is pant creaming data for the marketing geniuses trying to figure out ways to make you consume more.
      • Avoid customer rewards programs. They are an even better way to tie information back to a customer that might use multiple methods of payment. Still want the sweet deals? Don’t use your real info when signing up, or just don’t sign up, the cashiers often have default cards to scan.
      • Avoid mail-in rebates. They are nothing more than a way for you to sell your information.

      I.T. life

      This is a dense section, no surprise this is where most data mining occurs.

      • Don’t let email load remote content

      This is commonly used as a way to know if you’ve opened the email, at what time you opened it, where you opened it from (IP geolocation) and what your email client was. The technical explanation is that some emails have HTML formatting with images included. These images can be embedded in the email itself or referenced from a remote server. In the latter case, the remote server can for example enable PHP parsing for JPEG files, execute code to record the request and then feed the image to the email client, which never had a clue it was loading a “special” image. This is all transparent to the user and the email client.

      • No smartphone GPS tracking

      Let’s take an example: you enable Google Latitude on your cell phone to share your location with friends and get to know fun facts about how much you travel. The information you give Google is geographic coordinates; the information inferred from it is where you live, where you work and whether or not you pull your 40 hours a week there.

      • Let’s go further: no smartphones at all!

      Apple’s iPhones and Google’s Android phones gather location information WHETHER YOU WANT IT OR NOT. That’s right, you can turn off GPS all you want, your phone still periodically reports back to Apple & Google telling them not only where it is but also which other wireless devices it sees around.

      More info here from the most excellent Samy Kamkar.

      The tech giants are involved in a major data gathering process where they use you to create a comprehensive map of the wireless spectrum. This is both an awesome project using crowdsourcing to accomplish a daunting task & a scary invasion of privacy. Scary because it doesn’t ask you, because you take the phone home where it reports your wireless router, and so every time you use a regular computer connected to said router, they know exactly where you are. And even if you could turn it off, others around you are passively reporting your location.

      • Even further? no cell phones! your location can be triangulated from cell towers.
      • Forget social networks, even if you use fake information. Sooner or later, your contacts, something you said, someone that said something about, will be traced back to your real self.
      • Remove EXIF data from the pictures you distribute online, especially if they were taken with smartphones.
      • SSL encryption, SSL everywhere. In fact any time you configure a connection (IMAP, FTP, HTTP) make sure that it uses an encrypted mechanism. The number of network taps are growing and you don’t want to make the job easier on them.
      • Review pictures you distribute online for license plate numbers, bills laying on tables and other identifiers.
      • A strong firewall, not just for incoming traffic. Nowadays devices are very noisy: from Bonjour to checking for updates, the packets leaving your network interfaces without your knowledge are plentiful and growing. And every time you send a packet out, your presence is known. A firewall with rules on outgoing traffic is a good idea to keep unwanted traffic to a minimum.
      • Don’t give your email address to anyone that asks for it, use services like mytrashmail.com or, even better, get a new email account every time. This way if they sell your information you will know right away since you only have 1 email account per company. You can then check their EULA and see if maybe they boast of not selling your information. Make them accountable! On a side note, Gmail offers the capability of adding a plus (“+”) followed by a string of your choosing to your regular email address. For example if your email address is address@gmail.com, Gmail will also accept mail to address+sillysite@gmail.com. This way you can segregate mail by company with the convenience of having it all go to the same account. The caveat is that “+” is often rejected as an invalid character in an email address by sign-up forms even though it is a valid character.
      • Adblock is one of the best plugins for your web browser (Firefox or Chrome). It removes ads, thus significantly enhancing your browsing experience, and by blocking traffic to advertisement servers you deny them their chance to data mine the crap out of you. Browser fingerprinting is one of many techniques they use: the argument is that the combinations of browser related software are so plentiful that your browser can be uniquely identified. Permanent cookies are also used to keep an eye on your web whereabouts.

      And even if you follow all these steps, you are not 100% untraceable online.

      The path of maximum sheep

      Finally, for when you have to give information, try to be as generic and blend in as much as possible.

      • Your name is needed to sign up for something? John Smith.
      • Need a new car? White Honda Civic, no bumper stickers, no vanity plates.
      • Gotta find a new name for a PC? Linksys.
      • Need a username for that shitty forum? User2656, don’t use the one you use everywhere else or one thing leading to another, it can most likely be tied to your real identity.
    • Adding an Endace card to Symantec’s DLP

      I decided to publish this hack as I could not find an iota of information about getting an Endace card working with Symantec’s DLP (previously Vontu) on RedHat.

      After you’ve installed the module for your Endace card, you recycle your sensor and are confronted with the following error message:

      Endace DAG driver is not available
      Packet Capture was unable to activate Endace device support. Please see PacketCapture.log for more information.

      A look at /var/log/Vontu/debug/PacketCapture.log yields:

      ERROR PacketDriverFactory - Driver Dag is unavailable: libdag.so.3: cannot open shared object file: No such file or directory [PacketDriverFactory.cpp(423)]

      do an

      updatedb
      locate libdag.so

      You will notice you just compiled a version more recent than libdag.so.3. As it turns out, Symantec DLP v11.0 does NOT know how to use the generic libdag.so nor the latest libdag.so.4.0.2 you just compiled. I’ve tried many tricks mostly with symlinks and I just couldn’t get it to use libdag.so.4.

      Hold on to your pants as I explain the unholy hack that made it work:

      edit /opt/Vontu/Protect/lib/native/libPacketDriverDag.so.11.0.0. This is a binary file so using a hex editor is a good idea, although vi works fine. Respect placement very carefully: you will be changing exactly 1 character, because the new name has to be the same length as the old one or every offset after it in the file shifts and the library is ruined.

      search for libdag.so.3 and replace its 3 by a 4.

      Recycle your server again and it should be happy about life :)
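The one-character edit works because the library name lives in the ELF string table, where every entry is referenced by offset: change its length and nothing after it resolves. As an added Python example (not from the post), here is the same patch with the guards a hex editor does not give you; the function names are assumptions and the byte blob in the test is constructed.

```python
#!/usr/bin/env python3
"""Rename a DT_NEEDED library inside a binary by overwriting its string in place.

Hypothetical helper, not from the original post. The string table in an ELF file is
a run of NUL-terminated names referenced by offset, so the replacement has to keep
the exact length: a same-length change like libdag.so.3 -> libdag.so.4 is the only
safe kind of edit here.
"""


def replace_needed(blob, old, new):
    """Return a copy of `blob` with the library name `old` replaced by `new`.
    Refuses non-ELF input, a length change, and an ambiguous (zero/multiple) match."""
    if blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    # include the terminator so 'libdag.so.3' cannot match inside 'libdag.so.30'
    old_b, new_b = old.encode() + b"\0", new.encode() + b"\0"
    if len(old_b) != len(new_b):
        raise ValueError(f"{new!r} is not the same length as {old!r}; offsets would shift")
    hits = blob.count(old_b)
    if hits != 1:
        raise ValueError(f"expected exactly one occurrence of {old!r}, found {hits}")
    return blob.replace(old_b, new_b)


def patch_file(src, dst, old, new):
    """Read src, patch, write dst; keep the original around, the vendor updater
    knows nothing about this change. Returns the size written."""
    with open(src, "rb") as f:
        patched = replace_needed(f.read(), old, new)
    with open(dst, "wb") as f:
        f.write(patched)
    return len(patched)


if __name__ == "__main__":
    import sys
    patch_file(sys.argv[1], sys.argv[2], "libdag.so.3", "libdag.so.4")
```

patchelf --replace-needed libdag.so.3 libdag.so.4 libPacketDriverDag.so.11.0.0 does the same job properly, rewriting the dynamic section so the length restriction goes away. Either way the plugin now links against a libdag major version it was not built for, so after the recycle check PacketCapture.log for unresolved symbols and confirm packets are actually being captured, not just that the old error is gone.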

    • 2-factor authentication & writing PAM modules for Ubuntu

      Download

      2ndfactor.c

      The problem

      Passwords are often seen as a weak link in the security of today’s I.T. infrastructures. And justifiably so:

      • re-usability, which we’re all guilty of, guarantees that credentials compromised on a system can be leveraged on many others. And given the world we live in, password re-use is inevitable, we just have too many accounts in too many places.
      • plain text protocols are still used to transmit credentials, and the result is that they are exposed to network sniffing. This is worsened by the increase in wireless usage which broadcasts information. Telnet, FTP, HTTP come to mind but they aren’t the only ones.
      • lack of encryption on storage is a flaw that too often makes it way into architecture design. How many databases have we heard about getting hacked & dumped? How many have we not heard about?
      • password simplicity & patterns are also factors weakening us against bruteforce attacks.

      So far, the main countermeasure we’ve seen out there is complexity enforcement. Sometimes IP restriction, or triggering warnings on geographic inconsistencies (Gmail, Facebook). But these barely help alleviate the problem.

      A solution

      One hot solution that is making its way into critical systems (banks, sensitive servers) is multi-factor authentication, and by “multi” we’ll stick to 2-factor authentication (2FA) because, well, 3 factor authentication might be getting a little cumbersome :). The goal is to have more than one means of establishing identity. And as much as possible, the means have to be distinct in order to reduce the chances of having both mechanisms compromised.

      Let’s see how to implement 2FA on an Ubuntu server for SSH. Ubuntu uses PAM (Pluggable Authentication Modules) for SSH authentication among other things. PAM’s name speaks for itself, it’s comprised of many modules that can be added or removed as necessary. And it is pretty easy to write your own module and add it to SSH authentication. After PAM is done with the regular password authentication it already does for SSH, we’ll get it to send an email/SMS with a randomly generated code valid only for this authentication. The user will need access to email/cell phone on top of valid credentials to get in.

      Implementation

      Let’s do an ls on /lib/security, this is where the pam modules reside in Ubuntu.

      Let’s go ahead and create our custom module. First, be very careful, we’re messing with authentication and you risk locking yourself out. A good idea is to keep a couple of sessions open just in case. Go ahead and download the source for our new module.

      Take a look at the code, you’ll see that PAM expect things to be laid out in a certain way. That’s fine, all we care about is where to write our custom code. In our case it starts at line 35. As you can see, the module takes 2 parameters, a URL and the size of the code to generate. The URL will be called and passed a code & username. It is this web service that will be in charge of dispatching the code to the user. This step could be done in the module itself but here we have in mind a centrally managed service in charge of dispatching codes to multiple users.

      Deploying the code is done as follows:

      gcc -fPIC -c 2ndfactor.c
      ld -x --shared -o /lib/security/2ndfactor.so 2ndfactor.o -lcurl

      If you got errors, you probably need to first:

      apt-get update
      apt-get install build-essential libpam0g-dev libcurl4-openssl-dev

      Do an ls on /lib/security again and you should see our new module, yay!

      Now let’s edit /etc/pam.d/sshd, this is the file that describes which PAM modules take care of ssh authentication, account & session handling. But we only care about authentication here. The top of the file looks like:

      # PAM configuration for the Secure Shell service
      
      # Read environment variables from /etc/environment and
      # /etc/security/pam_env.conf.
      auth       required     pam_env.so # [1]
      # In Debian 4.0 (etch), locale-related environment variables were moved to
      # /etc/default/locale, so read that as well.
      auth       required     pam_env.so envfile=/etc/default/locale
      
      # Standard Un*x authentication.
      @include common-auth

      The common-auth is probably what takes care of the regular password prompt so we’ll add our module call after this line as such:

      auth       required     2ndfactor.so base_url=https://my.server.com/send_code.php code_size=5

      The line is pretty self descriptive: this is an authentication module that is required (not optional), here’s its name and the parameters to give it. Use an https URL for base_url: the request carries the username and the fresh code, and over plain http anyone on the path can read the second factor.

      send_code.php can be as simple as (the pattern checks keep a crafted username or code from injecting extra mail headers):

      <?php if( preg_match( '/^[a-z0-9._-]+$/i', $_GET['username'] ) && preg_match( '/^[a-z0-9]+$/i', $_GET['code'] ) )
          mail( "{$_GET['username']}@mail_server.com", "2FA code", $_GET['code'] ) ; ?>

      Or a complex as you can make it for a managed, multi-user, multi-server environment.

      Lastly, edit /etc/ssh/sshd_config and change ChallengeResponseAuthentication to yes. Do a quick

      /etc/init.d/ssh restart

      for the change to take effect.

      That’s it! try and ssh in, the code will be dispatched and you will be prompted for it after the usual password. This was tested on Ubuntu 10.04 32b / Ubuntu 10.04.2 64b / Ubuntu 11.04 64b / Ubuntu 12.04 64b.

      A few disadvantages of this 2FA implementation worth mentioning
      • more steps required to get in
      • doesn’t support non TTY based applications
      • relying on external services (web service, message delivery), thus adding points of failure. Implementing a fail-safe is to be considered.
      • SSH handles key authentication on its own, meaning a successful key auth does not go through PAM’s auth stack and thus does not get a chance to do the 2nd factor. You might want to disable key authentication in sshd’s config (or, on OpenSSH 6.2 and later, require both with AuthenticationMethods publickey,keyboard-interactive).
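Both 2FA posts above hand the code to a delivery channel and compare what comes back: the ForceCommand script does a plain string comparison of a code it generated itself, and send_code.php mails whatever it is given. The following is an added example (not code from either post, and not the downloadable 2ndfactor.c) of what the central code service behind base_url could look like once it has to serve many users and servers: it keeps only an HMAC of each code, binds it to the username, expires it, allows a single use and a small number of wrong guesses, and compares in constant time. The class name, the 120 second lifetime and the 3-attempt budget are my assumptions.

```python
#!/usr/bin/env python3
"""One-time code service behind a 2FA hook (hypothetical, not from either post).

Issues a short code per user, keeps only an HMAC of it, and verifies with expiry,
single use, a small attempt budget and a constant-time comparison.
"""
import hashlib
import hmac
import secrets
import string
import time

ALPHABET = string.ascii_letters + string.digits
TTL_SECONDS = 120
MAX_ATTEMPTS = 3


class CodeService:
    def __init__(self, server_key, clock=time.time):
        self._key = server_key      # per-service secret; rotate it like any other key
        self._clock = clock         # injectable so expiry can be tested
        self._pending = {}          # username -> [tag, expires_at, attempts_left]

    def _tag(self, username, code):
        # binding the username stops a code issued to one user being replayed for another
        msg = f"{username}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, username, code_size=5):
        """Create and register a fresh code. The caller delivers it (mail, SMS) and
        must not log it; a new issue replaces any code still pending for the user."""
        code = "".join(secrets.choice(ALPHABET) for _ in range(code_size))
        self._pending[username] = [self._tag(username, code),
                                   self._clock() + TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def verify(self, username, submitted):
        """True exactly once for the right code within its lifetime; False otherwise."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        tag, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[username]
            return False
        ok = hmac.compare_digest(tag, self._tag(username, str(submitted)))
        if ok:
            del self._pending[username]          # single use
            return True
        entry[2] = attempts_left - 1
        if entry[2] <= 0:
            del self._pending[username]          # budget spent: request a new code
        return False


if __name__ == "__main__":
    svc = CodeService(b"replace-with-a-real-random-key")
    code = svc.issue("dave")
    print("deliver to dave:", code)
    print("wrong guess:", svc.verify("dave", "aaaaa"), "right code:", svc.verify("dave", code))
```

In the PAM setup above, send_code.php would call issue() and the module would verify the typed code against the same service rather than against a copy it holds itself, so no server ever stores a usable code; the ForceCommand script can be pointed at it the same way.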
    • Tripwiring your linux box

      Privilege escalation, trojan’ed SSH daemons, key loggers… While the focus is still mostly on MS platforms, Unix boxes aren’t free of exploits. As they are made popular by Macs and ever more approachable distributions like Ubuntu, they become more of a focus. The large share of the server market they represent is a considerable source of information that is mouth-watering to hackers.

      A good tool in the fight against ever evolving malware is Tripwire (the open source version cause we’re cheap). It takes the signature of key files on your system (configuration, binaries) and checks them regularly for changes. Its major strength is that no matter what exploit was used to compromise a binary, if the binary changed, tripwire will go off. Modern antivirus software looks for specific signatures of known infections, and there are so many of them that it only looks for the ones thought to be in the wild at any given time. It is also purely reactive against 0days and usually takes a few days to adjust. Its behavioral analysis methods are based on heuristics and generate too many false positives to be worthwhile.

      Tripwire doesn’t care what the infection is, it just goes off if something changed. This is simple and efficient. Now it should only be one piece of a comprehensive security policy.

      In this article we’ll look at getting it installed and going on Ubuntu in a matter of minutes. You’ll want to be root for all this.

      ——————————————

      First, get the package:

      aptitude install tripwire

      It’ll ask you for the passphrases used to secure itself.

      You’ll end up with these config files in /etc/tripwire:

      ——————————————

      Edit /etc/tripwire/twpol.txt to define which areas to keep an eye on, a pretty ok default is provided but needs some tweaking for Ubuntu and personal preference. I’d publish mine but hey, that’d be pretty stupid. Just keep in mind that you can use an exclamation mark “!” to exclude a path. Let’s say you want it to look at /etc but not /etc/shadow (users changing their passwords rewrites that file), you’ll have a rule that looks like this:

      {
      /etc          -> $(SEC_BIN) ;
      ! /etc/shadow ;
      }

      ——————————————

      When you’re done, run:

      twadmin --create-polfile -S /etc/tripwire/site.key /etc/tripwire/twpol.txt

      This will create the secured policy file based on the text file you just edited.

      ——————————————

      The config file (/etc/tripwire/twcfg.txt) can be edited too but the defaults are nice too. When done run:

      twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt

      Again, this creates its secured equivalent.

      ——————————————

      Make sure that the created files are only readable/writable by root

      chmod 600 /etc/tripwire/tw.cfg /etc/tripwire/tw.pol

      Good practice dictates that you also should be removing plain text configuration files but you’ll want to keep them around for a little while, as you tweak your original config.

      ——————————————

      Finally, you can initialize the database with:

      tripwire --init

      What this does is take a snapshot of everything you’ve specified in the policy file. If any of it changes, you’ll be notified.

      ——————————————

      The following will run the check for changes manually.

      tripwire --check

      When you installed the package with aptitude, /etc/cron.daily/tripwire was automatically created to run this every day; root will receive a mail report daily.

      ——————————————

      If you want to make a change to the base config:

      edit /etc/tripwire/twpol.txt
      twadmin --create-polfile -S /etc/tripwire/site.key /etc/tripwire/twpol.txt
      tripwire --init

      If you want to update the database, for example to acknowledge changes that happened on the box:

      tripwire --update --twrfile /var/lib/tripwire/report/<hostname>-<date>-<hour>.twr
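The init / check / update cycle above, reduced to its essentials as an added Python example (not tripwire’s code or database format): snapshot digests and metadata of every file under the watched roots, skip “!”-excluded paths, diff against the baseline, and sign the stored baseline so that an intruder who edits the database to hide his changes is caught the way twadmin’s site key protects tw.pol and tw.cfg. The directory tree and the key in demo() are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""A tiny tripwire: snapshot file digests and metadata, sign the snapshot, diff later.

Hypothetical example mirroring the workflow above: init (snapshot + save_signed),
check (snapshot + compare), '!'-style exclusions, and an HMAC over the baseline so a
tampered database is refused. Not tripwire's code or its file format.
"""
import hashlib
import hmac
import json
import os


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(roots, excludes=()):
    """path -> [sha256, mode, uid, gid, size] for every regular file under roots,
    skipping paths equal to or under an excluded path (the '!' rule)."""
    ex = tuple(os.path.abspath(e) for e in excludes)
    db = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = os.path.abspath(os.path.join(dirpath, name))
                if any(p == e or p.startswith(e + os.sep) for e in ex):
                    continue
                if os.path.islink(p) or not os.path.isfile(p):
                    continue                        # symlinks, devices, sockets: left out here
                st = os.lstat(p)
                db[p] = [_sha256(p), st.st_mode, st.st_uid, st.st_gid, st.st_size]
    return db


def compare(baseline, current):
    """What changed since the baseline: added, removed and modified paths."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in both if baseline[p] != current[p]),
    }


def save_signed(db, path, key):
    """Write the baseline plus an HMAC over it; keep the key off the box or typed in."""
    body = json.dumps(db, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    with open(path, "wb") as f:
        f.write(tag + b"\n" + body)


def load_signed(path, key):
    """Read the baseline back, refusing it if the HMAC does not verify."""
    with open(path, "rb") as f:
        tag, body = f.read().split(b"\n", 1)
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.decode(), expected):
        raise ValueError("baseline signature mismatch: database tampered with or wrong key")
    return json.loads(body)


def demo():
    """Constructed scenario: baseline a tree, change it, check, then tamper with the baseline.
    Returns (report with paths relative to the tree, whether tampering was detected)."""
    import tempfile
    key = b"site-key-for-the-demo"
    with tempfile.TemporaryDirectory() as d:
        etc = os.path.join(d, "etc")
        os.makedirs(etc)
        for name, data in (("hosts", b"127.0.0.1 localhost\n"), ("shadow", b"root:x\n"),
                           ("ssh_config", b"Port 22\n")):
            with open(os.path.join(etc, name), "wb") as f:
                f.write(data)
        shadow, dbfile = os.path.join(etc, "shadow"), os.path.join(d, "tw.db")
        save_signed(snapshot([etc], excludes=[shadow]), dbfile, key)     # tripwire --init
        with open(os.path.join(etc, "ssh_config"), "ab") as f:
            f.write(b"PermitRootLogin yes\n")                            # must be reported
        with open(shadow, "ab") as f:
            f.write(b"dave:x\n")                                         # excluded, must stay quiet
        with open(os.path.join(etc, "rc.local"), "wb") as f:
            f.write(b"#!/bin/sh\n")                                      # new file, must be reported
        report = compare(load_signed(dbfile, key), snapshot([etc], excludes=[shadow]))  # --check
        report = {k: [os.path.relpath(p, etc) for p in v] for k, v in report.items()}
        with open(dbfile, "r+b") as f:                                   # intruder edits the baseline
            f.seek(-1, os.SEEK_END)
            f.write(b"X")
        try:
            load_signed(dbfile, key)
            tampered_detected = False
        except ValueError:
            tampered_detected = True
    return report, tampered_detected


if __name__ == "__main__":
    print(demo())
```

The baseline has to be re-taken (the --update step above) after every legitimate change, and it is only worth anything if it lives somewhere the attacker cannot rewrite: signing it, as here and as tripwire does with the site key, turns a silent edit into a loud failure.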
    • The death of the internet

      Let me throw out a few concepts we’ve been hearing about more & more lately:

      • metered bandwidth
      • end of net neutrality
      • content censorship
      • protocol restrictions
      • geographic restrictions
      • wiretapping
      • deep packet inspection
      • malware becoming crimeware
      • dataleaks
      • DDoS
      • internet kill switch

      The way that we used to see the internet as an unrestricted web of information is changing rapidly. And it looks like the free ride is coming to an end.

      Corporations want to dictate our internet usage, politicians don’t understand the issues of a technology from the next generation; and if they do, lobbyist money has a strong convincing power. And quite frankly your average user has no clue either. What was once a free and unrestricted flow of information is quickly becoming a metered and port/site/protocol restricted happy network.

      references:

      Traffic discrimination & Net Neutrality

      Comcast’s P2P throttling suit

      What was revolutionary about the internet was its lack of boundaries, the world was connected. Since then the marketing & licensing geniuses have caught on to the fact that it is possible to restrict content by geographic location. Like regions on DVDs you now cannot consume certain media in certain regions. It is a travesty to the human accomplishment that is the internet and inevitably leads to the absurdity that it is easier to consume pirated content than legal one.

      Organized crime also has caught on, the obnoxious malware & viruses that were once spreading for fame or installing dumb toolbars are now becoming very targeted at committing crimes. From harvesting financial information to generating DDOS attacks. A black market of stolen information and network hitmen is emerging on an internet that many companies handling your data do not understand. Viruses much like biologic organisms are becoming polymorphic with self defense mechanisms. Their technological advancement clearly shows funded work as opposed to the classic image of the basement hacker we all have ingrained in our heads.

      references:

      Zeus botnets specialized in harvesting financial data

      Researchers hijack control of the Torpig botnet for 10 days and recover 70 GB of stolen data from 180,000 infections

      Governments are starting to play their silly international politics game on this new field, releasing cyber attacks against one another. The amount of information & critical infrastructure facing the great network is making it a strategic field of military and intelligence importance. It is clear that the network in its current state of international openness is an issue to government interests, and we can fully expect to find cyber borders erected in the near future, not unlike the great firewall of China, even though this last example has other applications. Applications that pertain to opinion control via censoring; China isn’t the only country doing that, Australia is pretty good at it. And the U.S. is working on creating a presidential “internet kill switch”, you know, just in case people here get sick enough of 2 everlasting wars and 4th amendment tramplings to take the streets. Egypt has just done it, they shut down internet and cell phone communications during their 2011 protests.

      references:

      Stuxnet’s specific targeting of Iran’s SCADA controlled systems

      The Great Firewall of China

      Australia’s internet censorship

      Obama’s internet kill switch

      How Egypt shut down the internet

      At a time when Wikileaks is putting to shame governments and corporations, more controls are inevitable.

      So what’s next?

      Computers and network devices have become increasingly powerful. So much so that this blog you’re reading is instantiated on an 8-year-old server sitting on a fridge behind a home DSL. Besides computing & networking power, something else has been growing that you might have heard about: social networks.

      I think that one day, a couple of geeks will be tired of the state of the internet and will throw a home-made link between their houses to share what they want when they want without getting advertised, wiretapped, datamined or attacked. This can currently be done with long range wireless devices (WiMAX) or even by adding a layer to the current infrastructure (think VPN).  Soon a third geek friend will want in, and provided that he is trusted by the founders, he’ll get in. After a while, adding friends of friends will become too far out of reach for the founders to decide and they will implement a social reputation based system for dealing with users.

      And that’s it, you have a social network (in the strictest sense of the term) that is growing & correcting itself based on reputation. This will of course be completely decentralized (unlike the internet), which means you will be relaying information for individuals you don’t know, hence the criticality of its reputation element.

      This network will eventually be overrun by corporate, mafia & government interests finding ways to abuse the reputation systems, it will slowly die and be replaced by another couple of geeks down the road.

      The end.