Solved what’s probably everbodys most neglected problem: backups (or better their absence).

• bought a bluetooth stick to backup the phone (with gammu/wammu)
• bought a 2TB HDD and an USB/eSATA case to backup my systems (with rsnapshot)

It definitly was a very relaxing moment when I finished the first backup. Rsnapshot is certainly the tool to use for such home backup purposes. It allows you to have multiple virtual full snapshots of the system while only needing the space of the first full backup plus all your changes (it uses hardlinks for unchanged files). One thing I noticed: As I’m a bit of a paranoid, I set the disc encryption algorithm to AES256 in contrast to dmcrypts default AES128 setting. Now it seems like that takes up a considerable amount of CPU cycles more then AES128 (no real measurement, just quick observation). The result is that on my Atom 330 board, the encryption process runs at 100% CPU usage, eating up a full core and I only get 15MB/s writing speed (as opposed to 30MB/s on a Core2Duo 1.6GHz — maxing out the USB port). It’s still OK, it’s just that I don’t even have to bother using the eSATA port with the system. The good thing is, that on the next weekly backup, the disk speed will not matter very much as only the diff will get rsynced :)

Now … my nights will be much better, I think :)

And if you don’t have home backups yet, I hope your nights will be very restless!

Gentoo users compile their stuff on their own. This is a fun thing to do and provides you with a lot of flexibility. Every gentoo system is unique. Sadly this sometimes is exposed to the internet. For example Firefox contains the compile-date in it’s useragent string. Goodbye privacy.

Then again, we can easily fix this. Take a common useragent from useragentstring.com and paste it into the “general.useragent.override” option in the about:config settings editor of firefox. (If the setting does not exist, create it.) Done.

You can check your uniqueness on the EFF Panopticlick site. I reach a level of “one in 13,247 browsers have the same fingerprint as yours” (which is pretty good already). This is with a Windows-Firefox 3.6.3 useragent string and javascript disabled.

highly inspiring:

Simon Sinek: How great leaders inspire action

“People don’t buy what you do, they buy why you do it.”

Jonathan Kohl

What’s More Important: Being Agile or Creating Value?

Process isn’t everything, in fact it’s just a part of it.

… hab die letzten 8h damit verbracht herauszufinden warum mein selbstgebauter shellcode POC segfaultet …
Bis ich bemerkt habe, dass kernel+cpu W^X machen. So’n Mist! Im Wohnzimmer auf der alten Kiste und ohne PaX ging’s dann :)
Dear h4cker-g0dz, plz give me a ROP-compiler.

We all have passwords. Lots of passwords. Be it for hosts or websites or disc-encryption. Noone can memorize a thousand different passwords for every account one needs. So we have two possibilities:

1. use a small number of default-passwords or
2. use a password-manager

Most people I know chose a combination of the two. But having shared passwords between different accounts makes you very vulnerable in case of targeted attacks (or even automated attacks, if the attackers tool is smart). So what you really want is different passwords for each and every account.

For that to work for daily use, you want an integrated wallet, like the KDE wallet, the Gnome keyring or the Firefox password manager. But for longtime archival to look up that password you had for that old mail-account somewhere, you want something seperate that can hold all kinds of different passwords and is more or less plattform independent.

For a long time I maintained my list of passwords with gpg: I had an encrypted file with all my accounts. To access one of the passwords, I could do a gpg -d passwords.txt.gpg | grep username. To add or change a password, I had to save the decrypted file on disk, edit the record, encrypt the cleartext again and then shred the remaining cleartext file. This was really cumbersome.

What I really wanted was a simple independant password-manager for the command line.

This is what pwsafe is.

It has a pretty simple cli. Every record has a group.name string as primary key and has username, password and optional notes as properties. The commands to access the records are straight forward:
pwsafe -l [REGEXP] — list passwords matching regexp
pwsafe -a group.name — add a new record
pwsafe -up [REGEXP] — print records matching regexp
pwsafe -e [REGEXP] — edit existing records matching regexp

The grouping system becomes really natural after some time. For every operation you have to enter a passphrase to decrypt the on-disc password database. The on-disc file format is compatible with the windows tool password-manager.

I’ve taken a quick view at the source-code. It tries to mimick the behaviour of Schneiers password-safe. That means it uses (openssl) Blowfish in CBC mode and tries to keep the passphrase in non-swappable memory (needs suid-root for that to work). The passphrase is directly fed into blowfish as the encryption key. That means if you supply an 8-character passphrase you only get like 40^8 bit of randomness. So you better chose a strong passphrase. To get at least a 64bit strong key from about 40 keys on the keyboard you need about 12 or 13 characters.

I didn’t look for any parser vulnerabilities, but so far it seems the author knows what he did and I can only suggest pwsafe :)

Für alle, die nicht Fefe lesen:

Großartig :)

The Lazy Programmer’s Guide to Secure Computing

small summary writeup:

• how to write secure code in an imperfect world
• code patterns for “principle of least authority” (POLA)a sharp razor (to much authority: you get abuse, to few authority: you don’t get your job done)
• security and POLA in the mail envelope, every security principle serves another purpose as well
• the OO paradigm could serve as a good security paradigm, too
• most languages break the security properties of OO (e.g. by allowing stack access)
• for various languages there are tools which fix these language problems and filter your code, thus enforcing OO security properties (e.g. Caja by Google and Yahoo for javascript, Joe-E for java, Emily for Ocaml)
• how could these patterns be transported into distributed systems, the web? implementations: waterken server / web-key
• with these patterns in action, a web-money protocol can be implemented in about 30LOC Java
• if POLA is used in larger OO software systems, you achive ultra-deep security in depth
• with POLA, the attack-tree risk-combining operation changes from OR to AND, thus the economics of security change
  • when extending code, you mostly add unpriviledged code
  • meanwhile you fix problems in the priviledged code
  • thus, over time code becomes more secure instead of less secure
• we should use memory-safe OO languages and POLA principles

One of the main advantages of Gentoo Linux is the availability of the hardened profile and kernel. The hardened profile enables a number of switches and features which, together with the hardened kernel (PaX and grsecurity patchset), provide a system with full address space layout randomization (ASLR) and stack-smashing protection (SSP). ASLR requires a kernel patch, called PaX, and all binaries to be built as position independent executables/code (PIE/PIC). SSP, also known as cannaries, is a pure compiler-feature.

Now the old GCC 3.4.6 series had this feature (coming from an old IBM patch called ProPolice). But the current stable compiler on Gentoo, GCC 4.3.4 doesn’t have it anymore. This means, current stable Gentoo-hardened systems are built without SSP.

How could we fix that? Using gcc 3.4.6 will most likely break a number of things, so it’s not really an option. But GCC 4.4.2 has a new SSP feature. It’s a totally new implementation of the same idea. But 4.4.2 is not on by default.

To use GCC 4.4.2 and with it SSP on Gentoo-hardened, you have to import the hardened-dev overlay (layman -a hardened-development). Then you have to unmask =sys-devel/gcc-4.4.2-r2 in /etc/portage/package.unmask and install it. It will be put into a new slot (4.4), so it doesn’t overwrite the old gcc by default. When it’s compiled, you can enable it with gcc-config.

After there were mostly positive reports on the gentoo-hardened mailinglist, I just did that on my home-box. The complete re-build of the system with the new gcc is currently running. I’m confident that nothing breaks.

So if you have a server-box with hardened, I’d suggest you do the same and switch over to the new GCC in the hardened-dev overlay. It seems to work well for most people and packages. If you have a server-box without an ASLR kernel/system, aka not Gentoo-hardened, I’d suggest you do something about it anyway. I mean even Windows has it (since XP SP2).

As you might know, my blog/cms solution is a heavily outdated Joomla/Wordpress combo. I already found an XSS attack by myself. But I guess there are at least a hundred remote code executions in the wordpress components (although not directly exposed), not to speak of the ancient Joomla software. And all that is f*cking PHP code!!!11 ;)

Now, how do you run outdated and insecure PHP code?
Put simply: You don’t!

And that’s exactly what I inteded to do. But at the same time I also was not to keen to migrate all the content to a new cms/blog platform. So what could I do? Well, I just took it offline — and moved the PHP code and the database to a local box. What you see here, is a httrack-mirror of the dynamic page, together with a tiny hack for the RSS/Atom feed. I have a small script that ftps the locally generated httrack image on my website. Ahhh, no more unprotected credentials and login forms, no more sessions, no more cookies, just plain static http.

Now I’m back in the good old 90s. But at least I don’t have to worry anymore :)

(The comment-function was used rarely anyway and I got a lot of spam to filter every day. Getting rid of the dynamic functions is not to huge a loss for me, I think.)

Now that I have this rolled out, I also think, that this is a solution for a lot of other old websites. So if you’ve got one lying around with code you don’t really want to run anymore but with content you might still want, just put it through httrack. It feels a bit like rendering a vector image into a bitmap. Having as few code on the servers as possible, definitely helps reducing your attack vectors.