Kris S. Amundson's blog

  • Defcon - Day 0

    Aug 01, 2009

    After crossing 4 states by car we arrived Thursday in Las Vegas for Defcon 17. We obtained our temporary badges, purchased some shwag, and headed off to finally get some good sleep.

    Friday:

    Moxie Marlinspike gave an excellent talk on defeating SSL. Using specially crafted certificate requests and flawed SSL implementations (currently most of them), one can mount a MITM attack with no degradation in the authenticity of an SSL site. Interesting and scary at the same time. Firefox 3.5 is patched with more to follow. OCSP is also a joke and easily defeated.

    Next up, Jason Ostrom and Arjun Sambamoorthy gave a presentation on hacking video. They have created a tool that ARP poisons RTP video streams and is able to reconstruct the streams into media files. You can also take an existing AVI file and loop over an existing stream. It was interesting to see new sniffer software attacking a new type of data stream. In the attack against the Cisco phone, they had a cool hack for causing the phone to reboot and push a new config over TFTP in order to disable anti-spoofing settings.

    After my video fix I hung around for Robert Clark's update on the state of Computer and Internet Law. This high-ranking DHS employee had a surprisingly good sense of humor and also provided some tips for handling police and border searches. Remember folks, if cops show up to your house to "talk", they're trying to get you to consent to a search because they don't have enough cause to get a warrant. :)

    Tor was the next talk I attended. The topic was why Tor has been slow and what design changes are being considered. Tor relays wrap all individual data channels into one TCP stream. If one channel trips a TCP window adjustment, all the data channels suffer. BitTorrent was also picked on as a culprit of slowing Tor. It also reminded me that I need to get some of my own Tor relays up again. This talk was given by Roger Dingledine.

    The last session I checked into was Dan Kaminsky's unnamed talk, which ended up being on PKI and SSL. A lot of it was a rehash of the Moxie SSL presentation and how they can be exploited. It provided more back story, and a bit more detail, but the Moxie presentation was better (and first, which gets you more l33t points).

  • Drive Encryption

    Nov 05, 2008

    At OpenSourcery we have a policy that all user workstations, be it laptops or desktops, must be fully encrypted.

    With everything on disk under encryption, users are free to auto-login their desktop session, which allows us to continue to use one passphrase per bootup.

    With this encryption in place, users are free to save passwords in browsers, login credentials for email clients, and cache svn authentication; all this information is stored in the users home directory and part of the encrypted filesystem.

    One major benefit of this system is I don't have to be pushy talking to users about what data is located where, and how confidential information is used locally on a device. Users don't need to know what is cached in /tmp, that ssh passphrases can exist in swap, or that they decrypted a gpg file locally and forgot to clean it up for a few weeks. This is on top of the obvious benefit that stolen equipment contains no useful data.

    Recent versions of Ubuntu have provided an easy installation method for using LUKS (Linux Unified Key Setup). The catch is you need to download and use the Alt install CD. Select "Use LVM and encryption", provide your passphrase twice, and everything on disk will be encrypted (minus a small /boot partition, which stores no sensitive data and is used to get the kernel going to support LUKS).
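
    The policy above only holds if swap, /tmp and home really sit on the encrypted volume. As an added example (not code from the original post), this Python check reads `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT` output and lists anything mounted outside dm-crypt, allowing the /boot exception; the sample output and function names are constructed for illustration.

```python
import re

# Constructed sample of `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT` output for
# an LVM-on-LUKS laptop with an unencrypted USB backup drive (not real data).
SAMPLE = '''\
KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
KNAME="sda5" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda5" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="[SWAP]"
KNAME="sdb" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sdb1" PKNAME="sdb" TYPE="part" MOUNTPOINT="/media/backup"
'''

PAIR = re.compile(r'(\w+)="([^"]*)"')

def parse_lsblk(text):
    """Return (types, parents, mounts), each keyed by kernel device name."""
    types, parents, mounts = {}, {}, {}
    for line in text.splitlines():
        row = dict(PAIR.findall(line))
        if "KNAME" not in row:
            continue
        name = row["KNAME"]
        types[name] = row.get("TYPE", "")
        # A device with several parents (an LV spanning two PVs) is listed
        # once per parent, so collect the parents into a set.
        parents.setdefault(name, set())
        if row.get("PKNAME"):
            parents[name].add(row["PKNAME"])
        if row.get("MOUNTPOINT"):
            mounts[name] = row["MOUNTPOINT"]
    return types, parents, mounts

def is_encrypted(name, types, parents, seen=()):
    """True only if every path from this device to a disk crosses dm-crypt."""
    if types.get(name) == "crypt":
        return True
    ups = parents.get(name, set())
    if not ups or name in seen:
        return False
    return all(is_encrypted(p, types, parents, seen + (name,)) for p in ups)

def unencrypted_mounts(text, allowed=("/boot",)):
    """Mounted filesystems and active swap that are not backed by dm-crypt."""
    types, parents, mounts = parse_lsblk(text)
    return sorted(m for dev, m in mounts.items()
                  if m not in allowed and not is_encrypted(dev, types, parents))
```

    On a real host, pass the text printed by `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT` to `unencrypted_mounts()`; an empty list means every mount and swap area is on an encrypted device.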

    A couple months ago I manually formatted an external USB drive with LUKS. This was to make a backup of my entire laptop prior to going on vacation (yes.. I really need to ditch the laptop during vacations). After the rsync I put the drive under my desk and forgot about it.

    All our important data is stored in svn repositories, so it's rare that I need to make a full backup of my laptop. Kicking the drive a couple times by accident reminded me I was due for another full backup.

    Upon connecting the USB cable I was presented with a Gnome window detecting the LUKS configuration and asking for my passphrase. This was unexpected, and though I'm quite capable of hacking crypttab and using cryptsetup, plug-n-play disk encryption is quick and easy (this was under Ubuntu 8.04).

    Ubuntu 8.10 brings a new encryption feature during the Alt install (which I use 99% of the time over the standard desktop installer). EncFS is a new option during install that asks if you want your home directory to be encrypted. Instead of LUKS block-level encryption, EncFS is an abstraction layer for per-file encryption with views to hide the encrypted files. I will need to do some research on this method before I recommend its use, but it's good to see Ubuntu trying to incorporate security with user-friendliness.

    With data becoming more important, and computing devices becoming smaller, no device should be running in unsecured environments without storage encryption.

    Official LUKS Website
    Useful Ubuntu/Debian HOWTO

  • Hawaiian Adventure

    Aug 17, 2008

    Since 2006 OpenSourcery has enjoyed working with a wonderful client: the Moloka'i Community Service Council, MCSC. I met Karen Holt, the executive director, in 2005 through PSU as we were working with EZ Wireless to help them design and implement a city-wide wireless network in Kaunakakai, Hawaii (island of Moloka'i).

    In addition to helping them with their wifi networking, we also went in and overhauled their IT systems in 2006. Improvements included new Cisco switches replacing hubs, cleaning up DNS off their internal "local.com" Windows domain to djbdns, and a migration off Microsoft Exchange to Zimbra. Their local IT staff were also interested in learning Linux and the number of Ubuntu hosts has only gone up with plans to migrate off the Windows 2003 server for file and print sharing.

    Back on the email front, Zimbra provides tools to migrate Outlook PST files on local storage, and connect directly to an Exchange server to scoop up mail and address books. Given Karen's 10GB mailbox, Outlook had to go and the migration tools worked as advertised.

    Two years later Zimbra has gone through multiple upgrades and added many useful features. It has even survived an acquisition by Yahoo. This week completes a final migration to a dedicated server off VMware (due to increased usage), and an upgrade from 4.5.7 to 5.0.8.

    MCSC helps the local community through programs including: an elementary and high school education program, educational scholarships, a mental illness center, a commercial kitchen, brownfield cleanup, at-risk family assistance, and the latest project: the Moloka'i Ranch Purchase.

    The island of Moloka'i has the highest percentage of foreign land ownership in Hawaii. This ownership has put profits ahead of environmental and cultural sustainability.

    MCSC is leading a new global campaign to purchase the ranch to begin restoration and preservation of Hawaii's last native lands.

    More information can be found on their website:
    http://molokai.org/

    A good article articulating how well Moloka'i fights outside influence, and won against a Molokai Ranch development project:
    http://tinyurl.com/6fauxp [nytimes.com]