I started setting up the advanced projects lab. Pictures and descriptions available at http://picasaweb.google.com/brokenlcd/
This is a joint effort by the Hackers of the Sacred Code and Epic Secure Data Systems.
March 26, 2009, 3:02am
They say a chain is only as strong as its weakest link, and there’s a problem when your security software is your weakest link.
I’m a huge fan of netcat for its sheer usefulness in doing network stuff (for a fun night of crossing your fingers, try dd | nc … ). Recently, I was going through the security folder of the OpenBSD ports tree, seeing what was available, and I came across cryptcat. I built it and was warned:
c++ -O2 -pipe -DGAPING_SECURITY_HOLE -DNETBSD -static -o cryptcat netcat.o farm9crypt.o twofish2.o -lstdc++
netcat.o(.text+0x33e): In function `gethostpoop':
: warning: strcpy() is almost always misused, please use strlcpy()
netcat.o(.text+0x5e3): In function `getportpoop':
: warning: sprintf() is often misused, please use snprintf()
netcat.o(.text+0xdd1): In function `dolisten':
: warning: strcat() is almost always misused, please use strlcat()
(-DGAPING_SECURITY_HOLE allows you to bind a shell to cryptcat, useful when exploiting a system…)
I went through and audited the cryptcat source for these insecure functions, and came up with the following:
straylight% grep -n strcpy *.c > audit_report.txt
straylight% grep -n strcat *.c >> audit_report.txt
straylight% grep -n sprintf *.c >> audit_report.txt
straylight% wc audit_report.txt
12 99 702 audit_report.txt
straylight%
12 function calls where software (which can potentially be bound to a shell!) uses a *known* insecure function. Go figure.
I think it’ll be an interesting exercise to attempt to overhaul the code. This will give me some experience securing existing code and opening my eyes to current security issues.
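A slightly stricter version of the grep pass above, added here as an example and not the post’s own audit. Plain grep counts every mention of strcpy, including comments and wrappers named something like my_strcpy(); this one matches only call sites (the name followed by an opening parenthesis, with a word boundary in front), adds the bounded-but-routinely-misused strncpy/strncat and the unbounded gets/vsprintf that the OpenBSD linker does not warn about, and reports a per-function tally so the count can be compared before and after the overhaul. The sample sources in the usage are constructed, not cryptcat’s.

```shell
#!/bin/sh
# Added example (not the post's audit): count call sites of unsafe string
# functions under a source tree. Constructed for illustration; the function
# list and the file globs are assumptions, extend them for your tree.

# Functions the OpenBSD linker warns about, plus strncpy/strncat (often
# misused: no NUL termination on truncation) and gets/vsprintf (unbounded).
UNSAFE='strcpy|strcat|sprintf|vsprintf|gets|strncpy|strncat'

# Leading boundary so strlcpy, my_strcpy or safe_strcat are not counted;
# trailing "(" so a mention in a comment is not counted either.
CALL_RE="(^|[^[:alnum:]_])($UNSAFE)[[:space:]]*\("

# file:line:code for every call site under directory $1.
# Exits non-zero (grep's status) when nothing matches.
audit_calls() {
    grep -rnE --include='*.c' --include='*.cc' --include='*.h' "$CALL_RE" "$1"
}

# Call sites per function name, most frequent first.
audit_summary() {
    audit_calls "$1" \
      | grep -oE "$CALL_RE" \
      | sed -E 's/^[^[:alnum:]_]//; s/[[:space:]]*\($//' \
      | sort | uniq -c | sort -rn
}

# Total number of call sites, the figure the post reads off wc.
audit_total() {
    audit_calls "$1" | wc -l | tr -d ' '
}

# Usage: ./audit.sh /path/to/cryptcat
if [ $# -gt 0 ]; then
    audit_summary "$1"
    echo "total call sites: $(audit_total "$1")"
fi
```

The per-function tally is the useful part: after replacing the calls, re-running the script over the tree should report zero for every name, and any survivor is a line to look at by hand.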
March 24, 2009, 11:40pm
I could not get the hardened kernel to boot, and even the genkernel panicked on me. I ended up going with CentOS, where I may not have a working hardened kernel, but I do have a strong firewall, basic UNIX security, and an enforcing strict SELinux policy. (And yes, I am working on getting the kernel working, so it will work. Eventually.)
I managed to get dmcrypt working with aes-cbc-essiv:sha256, although I want to move (eventually) to serpent-ctr-essiv:sha256, which I feel provides stronger protection. Once I get truecrypt working, I may try a dual-layer or even triple-layer disk encryption, so if one ciphersystem is broken, the system will have another. Paranoia? Yes. But that’s the target audience of this machine anyhow.
After this is all done I think I’m going to roll it up into a custom Epic Secure Data Systems - Hardened CentOS distro to make life easier, as I’ve already had to pull stuff from other repos (tor, tsocks, apg, etc…) and custom compile other software (i.e. TrueCrypt and S/Key authentication, not to mention the kernel).
March 17, 2009, 8:35pm
One of my latest projects has been setting up a secure data haven, which is basically a system to satisfy the following goals:
The first step was determining network hardware to be used. In this case, I’m using a gigabit switch with a fiber run to the storage machine (eventually the machines will be moved from an Asante 7-port copper / 1-port GBIC interface simple switch to an 8-port GBIC Cisco 3505). The machine will however have a pair of twisted pair copper interfaces as an alternative and providing a secondary connection to a (future) backup switch.
The next step is determining hard drive requirements. For this particular machine, I went with the following:
The gentoo installation proceeds fairly normally, except that I haven’t set up the home partition as I will do that when I hit the encryption phase. I emerged the hardened-sources, pciutils, and then configured the kernel. Then I rebuilt the toolchain. I am currently in the process of working the kinks out of the kernel and once I get that working I will post more details.
March 12, 2009, 5:04am
I’ve been working on a file server for a data haven project, which happens to have three encrypted hard drives and a fourth encrypted partition. Since a lot of time goes between when I encrypt hard drives (and I tend to write scripts to automate opening and closing encrypted filesystems), I always forget how to do it. So here’s the quick and dirty guide to encrypting filesystems / partitions in linux using dmcrypt / luks / cryptsetup (a nice descriptive sentence for the search engines).
This of course assumes you have cryptsetup with LUKS support installed.
My preference for a cipher happens to be serpent-ctr-essiv:sha256 but you can use whatever ciphers you have compiled into the kernel. By not including -s the key defaults to a size of 128 bits; my preference is 256.
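The cryptsetup workflow the post is describing, written out as an added example (this is not the post’s own script, which is not on the page). The device path /dev/sdb1, the mapper name “data”, the mount point /mnt/data and the ext3 filesystem are placeholders; it assumes a kernel with serpent and ctr compiled in and that you run it as root. -c selects the cipher spec and -s the key size in bits, the two options the paragraph above talks about; the open step checks for an existing mapping first, so an automation script can be re-run without failing, and the close step unmounts before removing the mapping, since cryptsetup will not close a mapped device that is still mounted.

```shell
#!/bin/sh
# Added example (not the post's script): LUKS format / open / close with the
# cipher and key size recommended above. Placeholders: /dev/sdb1, "data",
# /mnt/data, ext3. Run as root. DRY_RUN=1 prints each command instead.

CIPHER="${CIPHER:-serpent-ctr-essiv:sha256}"
KEYSIZE="${KEYSIZE:-256}"    # bits; without -s, cryptsetup of this era defaults to 128
FSTYPE="${FSTYPE:-ext3}"
DRY_RUN="${DRY_RUN:-0}"

# Run a command, or echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One-time setup: format the device as a LUKS container with the chosen
# cipher and key size, open it, and create a filesystem on the mapping.
# This destroys whatever is on the device.
luks_init() {
    dev="$1" name="$2"
    run cryptsetup -c "$CIPHER" -s "$KEYSIZE" luksFormat "$dev" || return 1
    run cryptsetup luksOpen "$dev" "$name" || return 1
    run "mkfs.$FSTYPE" "/dev/mapper/$name"
}

# Day-to-day open: refuse devices that are not LUKS and mappings that already
# exist, so a re-run is harmless; then open and mount.
luks_open() {
    dev="$1" name="$2" mnt="$3"
    if [ "$DRY_RUN" != 1 ]; then
        cryptsetup isLuks "$dev" || { echo "$dev: not a LUKS device" >&2; return 1; }
        if [ -e "/dev/mapper/$name" ]; then
            echo "$name: mapping already open" >&2
            return 1
        fi
    fi
    run cryptsetup luksOpen "$dev" "$name" || return 1
    run mount "/dev/mapper/$name" "$mnt"
}

# Close in reverse order: the mapping cannot be removed while it is mounted.
luks_close() {
    name="$1" mnt="$2"
    run umount "$mnt" || return 1
    run cryptsetup luksClose "$name"
}

# Usage: ./luks.sh init DEV NAME | open DEV NAME MNT | close NAME MNT
case "${1:-}" in
    init)  luks_init  "$2" "$3" ;;
    open)  luks_open  "$2" "$3" "$4" ;;
    close) luks_close "$2" "$3" ;;
esac
```

Try it first with DRY_RUN=1 to see the exact cryptsetup invocations before pointing it at a real disk; luksFormat is irreversible.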
Another option is to use truecrypt.
March 11, 2009, 8:52pm
Courtesy of Wally (http://imwally.tumblr.com) I have a new theme called Nigredo (http://nigredotheme.tumblr.com/).
February 24, 2009, 10:00pm
I’ve been running OpenSolaris on my Lenovo T61 ThinkPad for about a week now, so I figured I’d write about my first impressions. The first thing to mention is that I installed mainly for the development tools and ZFS performance, so my needs will not be the same as everyone else’s. In a nutshell, however, I will note the following points:
* mp3 support, which requires the Fluendo codec to be downloaded and installed (and most likely you will need to read the README that comes with the download in order to pull this off), is very easy to pull off. Rhythmbox and Songbird both work fine with mp3 files now. AAC support, however, is not something I have gotten working.
* I have video support through an installation of mplayer and vlc via the blastwave repository (http://www.blastwave.com) which requires some work to get running, namely in setting up the blastwave repo and in modifying the path to look for binaries in the csw directory. I do not have DVD support yet, however.
* CD burning works perfectly.
* I am quite comfortable using the installation for school - I don’t have any issues with firefox or openoffice not being able to do things.
* I have 2G of RAM in my laptop, and yet my RAM usage is generally > 65 - 80%, quite often nearly maxed out. I plan on upgrading to 4G (mostly due to the fact that I run windows in a VM to have access to VisualStudio for some school projects).
* Speaking of VMs, VirtualBox is amazing, especially with the addons CD installed and seamless mode engaged.
* Power management required editing a file and rebooting the laptop, but once I got it working it works perfectly.
* The default print manager was a headache; I had to install CUPS (which I did a quick writeup on, it should be the previous post) but once I got CUPS installed I have no problems with printing both to my school’s network printers or to my USB Brother laserjet printer.
* The development environment is beautiful. I am now hooked on netbeans, although I still use jEdit for Perl and FORTRAN (for my FORTRAN class). Netbeans is a very rich development environment, and I even started using sun[cC][cC] over gcc/g++ (mostly because I’m not a huge fan of GNU - only because I don’t particularly care for the GPL or some of its leaders). I spent a while trying to find a decent IDE with profiling and memory allocation debugging support in Linux and found everything else lacking. I never really got into Eclipse, kdevelop is decent, geany had a few quirks I didn’t like, anjuta was a pain, so I was sticking to jEdit and a terminal window. Now not only have I found an IDE I like, it’s also cross-platform. Looks like I win.
* I’ve had a hard time using my external 40G USB hard drive on the machine.
* Generally wireless works well, however I sometimes have difficulty getting it to reacquire a connection after waking up from sleep and occasionally it will lose the connection.
All in all, I really enjoy OpenSolaris and find it to be my laptop operating system replacement for ubuntu. I have ubuntu installed on the second partition on the laptop but I hardly ever use it. In fact, I think the last time I used it was to install netbeans. It definitely could use some work to make it more usable and approachable to new users, but I’m hooked.
February 01, 2009, 7:31am
The source documentation I used for these are:
http://opensolaris.org/os/community/printing/Documentation/cupsprint/ (CUPS printing)
http://blogs.sun.com/randyf/entry/solaris_suspend_and_resume_how (power management)
First let me say that both are now working perfectly, and that I’ve had issues doing both in Linux and BSD. I’d say it took me 15 minutes apiece at most to get both working well.
Second, as a reference, I am using a Thinkpad T61 (7658-01U) so obviously, YMMV.
Power management:
Very straightforward: as root, edit /etc/power.conf and add the line
S3-support enable
(I added it right below the auto S3 line). Then run “pmconfig” and reboot. Once I rebooted, the system worked just fine. Every now and then, my wireless card acts a little funny or takes a little longer to reacquire the AP, but that was a problem I had in both gentoo and Ubuntu, so it’s not surprising. The system takes at most 10-15 seconds to go into standby, and that’s with NetBeans, firefox, IRC, pidgin, evince with several PDFs, and Songbird open. As a quirk, I do have to hit the power button to resume again; it doesn’t autoresume on opening the laptop. C’est la vie. It comes up quickly and with xscreensaver installed, session locking works fine.
CUPS printing:
The source document will get you running with CUPS right away. Basically, make sure you install both CUPS packages via the package manager, add yourself to both “sys” and “adm” groups (my default group was sysadmin), and run the following:
print-service -s cups
svcadm enable svc:/application/cups/scheduler
svcadm enable svc:/application/cups/in-lpd
Then pull open firefox to http://localhost:631. For my printer (an HP LaserJet 9050) I had to download the PPD file from openprinting (http://www.linuxfoundation.org/en/OpenPrinting - for once the Linux Foundation was useful for something…) in order to get my print options working properly. The whole reason I switched to CUPS is that this printer requires you to print to tray 4 and the default GNOME print manager wouldn’t let me select a print tray. (Another side note, I use LPD printing for this printer…)
After filling in the add printer settings and selecting the custom PPD I had saved to a tmp folder, I entered my username and password in the authorization dialog and everything worked.
I hope this helps someone else…
January 27, 2009, 7:12pm

This is the first time I installed OpenSolaris, during which I managed to botch my grub install so badly (I was dual-booting Ubuntu and OpenSolaris) that I had to re-install. Fortunately I didn’t lose any data in the process (that I know of, at least…)
January 27, 2009, 12:28am