Monday, December 05, 2005
Saturday, December 03, 2005
Note: As is common knowledge, no discussion of the exam or contents can occur after taking the exam by participants. Please refer to the website at http://redhat.com/training for any questions you may have. There is a detailed exam prep page that will outline all of the requirements.
Sunday, November 27, 2005
Here is an excerpt:
Creating an Array
mdadm --create) mode is used to create a new array. In this example I use
mdadm to create a RAID-0 at /dev/md0 made up of /dev/sdb1 and /dev/sdc1:
# mdadm --create --verbose /dev/md0 --level=0
--raid-devices=2 /dev/sdb1 /dev/sdc1
mdadm: chunk size defaults to 64K
mdadm: array /dev/md0 started.
--level option specifies which type of RAID to create in the same way that raidtools uses the
raid-level configuration line. Valid choices are 0,1,4 and 5 for RAID-0, RAID-1, RAID-4, RAID-5 respectively. Linear (
--level=linear) is also a valid choice for linear mode. The
--raid-devices option works the same as the
nr-raid-disks option when using /etc/raidtab and
mdadm commands take the format:
mdadm's options also has a short form that is less descriptive but shorter to type. For example, the following command uses the short form of each option but is identical to the example I showed above.
# mdadm -Cv /dev/md0 -l0 -n2 -c128 /dev/sdb1 /dev/sdc1
Saturday, November 12, 2005
1. Verify that the NFS share is available and mount on the local filesystem, if not already mounted.
mount -t nfs /local/install/point /nfs/server
2. If using the command line, simple use the RPM command to install the application:
rpm -Uvh /path/to/share/application.rpm
3. If using the package manager, use the following command from the command line:
system-config-packages --tree=/path/to/nfs/share &
You will now be able to select the applications that you would like to add or remove.
When using LVM, it may be difficult to remember all of the commands that are possible and necessary to create a Logical Volume. An easy way to get a list of all of the related commands is to enter the lvm console by typing 'lvm' on the command line. Once in the LVM console, type 'help' and all of the available commands will be listed with a short description.
CAUTION: using the logical volume manager can and probably will destroy data. Verify that you have created backups of all of your data before trying the samples below.
Using the Logical Volume Manager
1. Partition the physical hard disks that will be used as part of the Logical Volume(s)
Use 'fdisk' as appropriate. Remember to set the system type as 'Linux LVM', which is type '8e'.
2. Create physical volume(s)
From within the lvm console, use pvcreate on each partition that will participate in the logical volume group.
pvcreate 'physical partition'
lvm> pvcreate /dev/hdd1
Incorrect metadata area header checksum
Physical volume "/dev/hdd1" successfully created
3. Create a volume group
Using the vgcreate command, create a volume group which consists of the physical volumes created previously.
vgcreate 'volume group name' 'physical volume' ['physical volume'] ...
lvm> vgcreate test1 /dev/hdd1 /dev/hdd2
Incorrect metadata area header checksum
Volume group "test1" successfully created
Verification of the volume group creation can be done with the vgdisplay command:
--- Volume group ---
VG Name test1
Metadata Areas 2
Metadata Sequence No 1
VG Access read/write
VG Status resizable
MAX LV 0
Cur LV 0
Open LV 0
Max PV 0
Cur PV 2
Act PV 2
VG Size 93.15 GB
PE Size 4.00 MB
Total PE 23846
Alloc PE / Size 0 / 0
Free PE / Size 23846 / 93.15 GB
VG UUID znEYOy-n4oJ-zmXq-QARI-cRvD-YmY5-Gq6qpd
4. Create a logical volume in an existing Logical Volume Group
Using the lvcreate command, create a logical volume:
lvcreate [-L 'size'] [-n 'logical volume name'] 'logical volume group'
lvcreate -L 200M -n vol1 test1
Incorrect metadata area header checksum
Logical volume "vol1" created
Verify that the logical volume is as desired with the lvdisplay command:
Incorrect metadata area header checksum
--- Logical volume ---
LV Name /dev/test1/vol1
VG Name test1
LV UUID HPqCiY-58NT-X1ae-5vk3-1hLw-f2no-AYe52O
LV Write Access read/write
LV Status available
# open 0
LV Size 200.00 MB
Current LE 50
Read ahead sectors 0
Block device 253:0
5. Format the logical volume with the filesystem desired (ext3 shown)
[root@primary ~]# mke2fs -j /dev/test1/vol1
mke2fs 1.35 (28-Feb-2004)
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
51200 inodes, 204800 blocks
10240 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=67371008
25 block groups
8192 blocks per group, 8192 fragments per group
2048 inodes per group
Superblock backups stored on blocks:
8193, 24577, 40961, 57345, 73729
Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 37 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
6. In good Red Hat form, create a label for the filesystem with the e2label command
[root@primary ~]# e2label /dev/test1/vol1 test1
7. Create an entry in the /etc/fstab file for this logical volume so that it will be mounted on subsequent boots. Use a meaningful mount point:
LABEL=test1 /test1 ext3 defaults 0 0
These steps have covered how to create a logical volume and use it. You can also expand an existing logical volume and perform other maintenance tasks. The only other task covered here will be expanding an existing logical volume.
Expand a logical volume
1. Add desired disk space to your volume group, if necessary
a. use fdisk to create a new partition of type '8e'
b. use pvcreate to initialize the new partition as a physical volume
[root@primary ~]# pvcreate /dev/hdd3
Physical volume "/dev/hdd3" successfully created
c. use vgextend to add the physical volume to the volume group
[root@primary ~]# vgextend test1 /dev/hdd3
Incorrect metadata area header checksum
Incorrect metadata area header checksum
Volume group "test1" successfully extended
CAUTION: The next step will remove all data from the partitions in question. Verify that you have backups.
d. use lvextend to expand the logical volume to the desired size
[root@primary ~]# lvextend -L 300M /dev/test1/vol1
Incorrect metadata area header checksum
Extending logical volume vol1 to 300.00 MB
Logical volume vol1 successfully resized
e. re-format your logical volume, relabel it, and remount it
umount 'logical volume'
mke2fs -j 'logical volume'
e2label 'path to volume' 'label'
mount 'path to volume in /etc/fstab'
1. 'physical partition' not identified as an existing physical volume
lvm> vgcreate 'volume group' 'physical partition' 'physical partition'
Incorrect metadata area header checksum
Incorrect metadata area header checksum
No physical volume label read from 'physical partition'
Unable to add physical volume 'physical partition' to volume group 'volume group'.
To correct this problem, use lvm to create a physical volume on each partition with the pvcreate command:
lvm> pvcreate 'physical partition'
Incorrect metadata area header checksum
Physical volume "physical partition" successfully created
Create the volume group with the vgcreate command.
Sunday, October 23, 2005
The first requirement is that your machine must have a means of communicating with other machines through hardware. This requirement is typically met through a network interface card (NIC) at the host level and a switch or router at the local area network (LAN) level. These devices are connected through ethernet cables or another suitable medium (which may also include wireless devices). This requirement is also referred to as the Physical Layer in the OSI Reference Model.
The next requirement is that each network interface must be configured properly. Each interface must be configured with an IP address, netmask, and gateway. These simple parameters allow the interface to communicate with other interfaces on the network. Each interface may be configured through the GUI tools which are provided by Red Hat, by editing configuration files with a text editor, or they can be manually configured from the command line. I will review the command line and text file configurations only. This requirement covers layers 2 and 3 of the OSI Reference Model.
Another requirement that must be met if communication with the network outside of the immediate network is desired is proper configuration of the /etc/resolv.conf file with the IP address of a valid DNS server:
The /etc/resolv.conf file, when configured properly, will allow the machine to obtain IP addresses for hosts which are known only by host name. It is critical that you do not allow any spaces before the nameserver directive in this file or it will not function. This file is configured automatically when using DHCP and manually when using a static IP.
There is a configuration file for each interface in the following directory:
/etc/sysconfig/network-scriptsThese files serve as parameter files for the network startup script which is:
/etc/rc.d/rc5.d/S10networkWhen the network service is started, either manually or on system boot, the network startup script reads the configuration file to determine whether or not the interface should be configured to start and how to configure the interface. If the interface is configured to obtain an IP address via DHCP then it will broadcast for a DHCP server and set the IP address, netmask, default gateway, /etc/resolv.conf file, and possibly the hostname for the machine, depending on how the system is configured. If the interface is configured to use a static IP address then most of the above settings will be configured through the configuration file in:
/etc/sysconfig/network-scriptsThe hostname and /etc/resolv.conf file must be configured manually. An example of this file properly configured with a static IP address is as follows:
Most of the file is self-explanatory and fulfills the requirements listed above with regard to the interface configuration. If the interface is configured to use DHCP, the file will resemble the following:
[root@primary network-scripts]# cat ifcfg-eth0
This simple file will cause the interface to obtain an IP address, netmask, and gateway on startup and configure the /etc/resolv.conf file with the nameserver used by the DHCP server. This is a very common configuration and makes network management very robust.
[root@primary ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
The last part of this article illustrate how to configure an interface manually on the command line. I will merely list the steps required to configure the same interface that is listed in the configuration file above with the same parameters:
You can now verify your settings with:
ifconfig eth0 192.168.1.10
route add default gw 192.168.1.1
ifconfig eth0 up
To manually obtain an IP address via DHCP, use the dhclient utility. If no interface is specified then the utility will attempt to obtain a DHCP address for each non-multicast address on the system. An example of using this utility is as follows:
This command will configure the eth0 interface with an IP address, netmask, default gateway, and setup /etc/resolv.conf with the proper nameserver directives.
Through this article I explained what is required to network a Red Hat Enterprise Linux system. I also explained how to configure an interface so that the machine it is on will be able to communicate with other machines and devices on a network. The configuration can be done manually on the command line, through editting text files, and with the GUI tools provided by Red Hat with the operating system. The ability to configure Linux to interact with other systems is an essential skill, as a computer without the ability to network is useless.
Saturday, October 22, 2005
root@primary ~]# hdparm -tT /dev/md1It's not often that you can get this kind of performance out of an IDE drive, so I'm pretty happy with my purchases. I did test them with Knoppix in a non-RAID configuration and was able to get 62 MB/sec, so this is nearly 30 MB/sec better!
Timing cached reads: 956 MB in 2.00 seconds = 477.36 MB/sec
Timing buffered disk reads: 264 MB in 3.01 seconds = 87.72 MB/sec
[root@primary ~]# hdparm -tT /dev/md3
Timing cached reads: 948 MB in 2.00 seconds = 473.60 MB/sec
Timing buffered disk reads: 270 MB in 3.01 seconds = 89.68 MB/sec
Wednesday, October 19, 2005
Tonight I'll be reviewing the RHCE exam prep guide.
Tuesday, September 06, 2005
I am taking a short break from my studies for the RHCE because I received an un-solicited request for an interview from a large company in Seattle. I will keep you all updated.
Wednesday, August 24, 2005
Sunday, August 14, 2005
For anyone who has used VNC for remote GUI control of their systems, NX is far superior!
Wednesday, August 10, 2005
Tuesday, August 02, 2005
Other reasons to not use Internet Explorer:
4. Competition is better for innovation (not patents -- contrary to popular belief)
Sunday, July 31, 2005
Friday, July 29, 2005
Saturday, July 16, 2005
tcpdump -s 1515 -C 20 -w content.lpc
I next created a Ruby script that would open the pcap file and write the data that I wanted to store to a CSV file that I would then bulk load into the MySQL database. This part worked very well and very quickly. I found that when I inserted the data into an InnoDB table, while only storing the source IP, destination IP and port, and the time of the packet, that 20 capture files would take up 1GB of space. Not only that, but it turned out to be over 1.3 million packets. This amount of data is really testing my SQL skills, as I try to create intelligent queries that will allow me to aggregate the data on specific parameters.
Anyone have any better solutions?
My mother-in-law is running Microsoft Windows 98 and has been using it for nearly 7 years. She knows how to get around and sees no reason to upgrade to Windows XP or Linux. As security people, I believe that we need to advise people to use systems that are as secure as possible...especially since Microsoft does not, and cannot, maintain the security of it's Operating Systems. The real answer here is to use an Operating System that is more secure so that the users do not have to understand so much about how the technology works to be secure on-line.
Sunday, June 19, 2005
Some things that are just smart to do with a Windows machine to maintain it -- in order of importance:
1. Do not use an Administrator account unless you are installing software or configuring your machine (this will save most people)
2. Use a firewall of some sorts
3. Enable automatic updates for Windows
4. Use anti-virus software
Wednesday, June 15, 2005
(Announcement is on the front page of Gentoo site.)
The main point behind the VMWare conference was for developers and testers, but I found it useful to go along and get the free $200 license for VMWare 5.0.
Wednesday, May 11, 2005
Monday, May 09, 2005
find - search for files in a directory hierarchy
find [path...] [expression]
Some basics to find are as follows:
A simple find command will list all files and folders recursively in your current working directory (CWD):
secondary ~ # find
The second argument to find is the path, which, if blank, is assumed to be your CWD, as shown previously. You can also explicitly give the path:
secondary ~ # find .
From the man page, we can see that after the path, we can give find an expression. This is where most people have trouble when starting out. The tendancy of most people is to limit themselves to a regular expression-type of expression when the bigger picture is that the expression possibilities are immense. Take the following, for example:
secondary ~ # find / -type d -name sbin
As you can see, this command listed all of the directories in the filesystem by the name of sbin. The -type command was used to specify the type of file to find, in this case it was a directory. The options available are:
File is of type c:
b block (buffered) special
c character (unbuffered) special
p named pipe (FIFO)
f regular file
l symbolic link (never true if the -L option or the -follow option is in effect, unless the
symbolic link is broken).
D door (Solaris)
The two most used are going to be the file and directory options. The next option used was the -name option, which can be used to specify the name or a part of a name to search for. You can use a wildcard to find variations, since the '-name bin' option will not find 'sbin' or 'bind', but '-name *bin*' will find all of them. Note that using the -regex option can be very complicated, so it is easier to use the '-name' option and possibly a wildcard or two.
While these few options are enough to get you started, they are nowhere near tapping the resources of this powerful command. I recommend exploring and using this command frequently, as it will make your CLI experience much more rewarding!
Thursday, May 05, 2005
Please do not use Bebo.com.
This is an auto-generated response designed to answer your question as quickly as possible. Please note that you will not receive a reply if you respond directly to this message.
Unfortunately, we cannot take action on the mail you sent us because it does not reference a Hotmail account. Please send us another message that contains the full Hotmail e-mail address and the full e-mail message to:
>>>>>> To forward mail with full headers
1. Click "Options" to the right of the "Contacts" tab. The "Options" page appears.
2. Under "Additional Options", click "Mail Display Settings". The "Mail Display Settings" page appears.
3. Under "Message Headers", select "Full" and click "OK".
4. Forward the resulting mail to:
Using MSN Explorer:
1. Open the message, and then click "More" in the upper right corner.
2. Click "Message Source". The message opens in a new window with all the header information visible.
3. Copy all the text and paste it into a new message. Send this message to:
Using Outlook Express or Outlook:
1. On the unopened mail, place your cursor over the mail, right-click, and click "Options".
2. Under "Internet headers", copy the contents of the full header.
3. Open the e-mail in question and forward a complete copy of the message, including the full message header you copied at the beginning of your message, to:
If you're not a Hotmail member, consult the Help associated with your e-mail program to determine how to view complete header information. Then forward the message to:
If the unsolicited junk e-mail or "spam" comes from a non-Hotmail account, you can send a complaint to the service provider that sent the mail. Make sure that you include full headers when you send your complaint.
In the full header, look at the last "Received" notation to locate what .com domain it came from. It looks something like:
[service provider domain name].com
Forward a complete copy of the message, including the full message header, to:
abuse@[service provider domain name].com
If the domain does not have an abuse service, forward your complaint to:
webmaster@[service provider domain name].com
Thank you for helping us enforce our TOU.
Tuesday, May 03, 2005
HiAt this point I'm very worried that my sister may have fallen for a scam of some sort, so I tell her that I am concerned that she may be using Bebo.com for my personal data...and she replied that she would not. She also was under the impression that Bebo.com is part of hotmail. Now I was getting worried that Microsoft was pulling a fast one on people and trying to take over the world by combining Bebo.com with their webmail service -- but I hadn't seen it on the all knowing Slashdot yet.
I am updating my address book and it would be very helpful if you could click on the link below and enter your contact details for me:
I am using a new service that helps people stay in touch. It is only for direct friends and allows
you to privately exchange contact details and view one another's photos. You choose what to share.
Thank you for helping.
I did a little research on the Bebo.com website and was not able to find anything that would link them to Microsoft. I did some more googling and found that many people were receiving spam and were unhappy with how Bebo.com hijacked their hotmail password/account so I thought I would investigate this. The first step would be to create a throw-away email address with hotmail.
I created an account with hotmail called 'email@example.com'. This took a very short time, filling out each form with bogus information.
First name: bebo1
Last name: bebo2
The next step is to sign up with Bebo.com and try to find out where they link with hotmail. I then signed up with the username, 'isthisbebo'. The following information is requested about the person signing up:
|My Contact Details|
|Date Of Birth|
The very next page shows a couple of text boxes which allow you to enter your hotmail email account and password so that Bebo.com can show you who IN YOUR ADDRESS BOOK is already in Bebo.com. Is that scary or what? This service is using people's email accounts to access address books. Why write a virus to do this, just create a website and ask people, they will give you their passwords!! I wonder if Microsoft condones this practice? The next step was to enter my hotmail email address and password and watch it go over the wire in the clear...which it did:
Request contact details from your own friends and populate your free address book.
~ OR ~
|Copy and Paste the wording below into an email.|
Send the email to friends to request their contact details. You can send from either your Hotmail account and/or ANY other email account you may have.
POST /WhosHere.jsp?Ran=289260571 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
Cookie: bdaysession=251377972379689953; Emailfirstname.lastname@example.org; Username=isthisbebo; A=-1; G=0
ScraperTypeCd=H&Email=isthisbebo%40hotmail.com&Password=testing&OK=++OK++HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Wed, 04 May 2005 02:04:24 GMT
In conclusion, Bebo.com is NOT integrated with hotmail.com. The practice that Bebo.com has started of trying to fool people into giving them their hotmail username/password is very disconcerting. I am going to warn my family and friends to be very careful when using this service and not give out other email addresses or passwords. If a hacker were to compromise this system, there is no requirement for them to disclose it to the users, as far as I know -- and they would have a valid email address with password for some users. Bebo.com also reserves the right to send spam to those on their lists.
Monday, May 02, 2005
Friday, April 29, 2005
While installing Enigmail for Mozilla Thunderbird, I had some difficulty getting the extension installed. I would open the extensions dialogue and select the xpi file from my desktop and nothing would happen. I have not had to install the windows version for such a long time that I forgot that I had to perform the install as an Administrator account before I install it as a Limited-Access User Account. I don't agree with the way that this system works, as it means that the application is too closely coupled with the system registry and affects more than my single user when I install this extension. If this extension requires Administrator privileges to install, why doesn't it install for every user on the system when I do perform the Admin install?
Wednesday, April 27, 2005
It is always easier to run as root until you lose some data. This can be compared to the person who doesn't believe they need to backup their data -- they will quickly change their mind after they lose critical data (although some people never do learn and that idea must be applied here). If Linspire has to go through the same maturity lesson that Microsoft has gone through then it will be a stain on the reputation of Linux as part of the operating system.
Tuesday, April 26, 2005
nmap -sS -sV -O -v -T5 'ip address'
After discovering that the IP had a tempting number of services available, in addition to several IRC servers running, I attempted to view the web page that the server was serving by viewing it in Firefox. I was suprised to discover that the web site was an e-commerce site that belonged to a religious organization. Armed with this new information, I was convinced that the site had been compromised and that they needed to be informed. By looking up the whois data, I discovered that the server was hosted in the US and that there was a technical contact listed. I emailed the technical contact, as well as the root/abuse/info at the domain in question and informed them of the problem. I received a response a couple of hours later and the site was taken down for maintenance.
A couple of things I take away from this is that I can make a difference by being aware of what is happening to me and doing some minor investigating when an intrusion attempt occurs. Also, the whois data being public is essential for people like me who care about the safety of others to be able to inform server admins that they may have a problem with the integrity of their systems. Sorry about the lack of detail on the site, but I don't want to make them a target or give them any undue publicity.
Saturday, April 23, 2005
Throughout The Art of Intrusion, Mitnick relates unfounded but convincing stories of cracking performed by others. With each event, Mitnick related how to prevent the attack and how to fix the problem before it begins. Mitnick does not reveal any new information in this book that any security professional worth their salt does not already know. Mitnick's style of story-telling almost feels like he wants to be writing a technical document but doesn't make it there which results in a book which is awkward to read and not very interesting until the last two chapters. I had to convince myself to keep reading in hopes of finding out something new.
The biggest complaint that I have about this book is that Mitnick is continually trying to convince the reader that crackers are doing society a favor by exploiting vulnerable systems and that all of the really good security consultants were once [or still are] black-hat crackers. Mitnick and others who commit cyber crimes evidently believe that they should not be punished if they report the crime to the party who their crime effects -- even though malicious activity has occurred. If the crime is committed, the consequences should be faced.
I do not recommend this book.
Wednesday, April 20, 2005
To be continued...
Sunday, April 17, 2005
Friday, April 15, 2005
Microsoft has made some big strides in improving this model of operation recently with the 'Run-As' command but it has also been difficult to use. With the next release of Windows coming up, code-named Longhorn, Microsoft is embracing the principle of Least-privilege User Account (LUA). The principle of LUA has long been enforced in the Unix/Linux worlds with all users being able to control their own profile and nothing else or an account having access to control one daemon or service except the root user who is used to perform administrative functions. I am anxious to see how Microsoft does in this implementation, although I do expect it will take a few tries to get it right. This may turn into another version of the same thing we have now -- with there being 15 different levels of administrator and the Limited Account that still cannot function.
Wednesday, April 13, 2005
OpenNA Linux aims to be more secure than the average main-stream Linux distribution by removing all unnecessary software and services with role-based installations. If you are going to deploy a web-server, you install only the applications necessary to run a web-server. While role-based security is fairly obvious, very few distributions allow you the flexibility of installing only the bare minimum to run the services that you desire. OpenNA Linux even discourages installing an X Window system, which should be advised to any production server.
On a side note, Werner Puschitz, has written an article on how to secure a Linux system that is well worth reading. After reading the article, I have just a couple of additions to the article. The first thing that I would do is with the sshd_config file; replace the following line:
with this line:
This change will prevent the SSH server from using the SSH protocol 1 to authenticate users and it will be more secure. The other item that I don't quite agree with pertains to passwords. The auther encourages very complex passwords which makes it difficult for users to remember them. I do agree with his password scheme for any privileged accounts or accounts with remote access, but for normal users who do not have remote access (outside the subnet) there should be a more relaxed scheme. I would recommend only requiring at least two of the many criteria that he listed, as well as a minimum length of 8 characters.
Overall, I highly recommend reading his article and will get back on how I review the distribution.
Thursday, April 07, 2005
This incident reminds me of hearing about foreign diplomats who are implanted with RFID tags so that they can be located and recovered in the event of a kidnapping. The crooks are not all foolish, they found out and began removing limbs that held the RFID tags (which were usually hands). What are YOU willing to sacrifice for that level of "safety"?
Tuesday, April 05, 2005
Free and/or Open Source Software (FOSS) create a means to provide technology to these children without spending lots of money on a proprietary operating system or office package and still provide a complete computing experience. If this operation were required to spend $199 on MS Windows and $399 on MS Office, the whole endeavor would be dismissed as impossible. I know that there are bulk licenses, but they cannot compete with the free software available. I'm not saying that there is not a place for the MS software though, they do provide a rewarding experience for those who are able to pay for the expensive licenses and who are able to pay for the support required to run these systems.
I applaud the efforts of MIT and I am certain that without the movement of FOSS that opportunities like this would not be available. If this effort is successful and laptops are distributed in mass quantities, the acceptance of Linux and Open Source software around the world will sky-rocket.
How do you compete with an opponent that has no price? I don't know, but MS has enough money they may find a way.
Monday, April 04, 2005
With 5 years of Linux administration and 10 years of administering Windows machines, it is increasingly apparent to me that the biggest cause of security breaches is that of too much user privilege. I see many shops where the administrators are running as administrator or root on the machines that they use for email, web-browsing, and non-administrative tasks. I also see a MS Windows environment where it is incredibly difficult for a user to not run as administrator and still get normal day-to-day tasks done -- but it is possible. When administering a network with 30 users on Windows XP/2K machines for 1.5 years I had no virus or worm outbreaks, and no loss of data. I did experience one incident of spyware when a user played a joke on another user by installing a screen-saver. On every network that I administered where the users were able to access the administrator account(s), there were always problems with virus outbreaks and worms causing hours of work for me to recover the systems.
I have heard from some system administrators and even security professionals that it is not possible to force users to not run with administrator privileges. This is not a correct statement or thought process. If you take the time to learn how to administer your systems properly, it will save you time in the long run. Unix and Linux have the 'su' command that will allow you to temporarily become an administrator to perform administrator functions. MS Windows has the 'Run-as' command that works fairly well to do the same. You should NEVER have to login to your system as the administrator user account. It is very difficult with MS Windows to maintain this security policy, but it is doable. One of the best ways to get used to this practice is to do it at home, where I'll bet most people do not! I can honestly say that I do not login to my machines as root unless I am performing administrative tasks, and then I logout as soon as I am done.
The following link from Microsoft gives a good overview of tools and methodologies which help run with least privilege: article.
Tuesday, March 29, 2005
In order to pass an argument to a shell script on the command line that is not all one word, you must enclose the command line argument in single quotes and the $1 variable in the code in double quotes. An example:
non-root@localhost$> ./myEcho.sh 'hello my loyal blog readers'
hello my loyal blog readers
I hope that this tip helps someone looking for the same thing.
Wednesday, March 23, 2005
I don't think that the vulnerabilities will ever match, or come close to matching what we have seen with Microsoft products. The reasoning for this is that Microsoft has been in the spotlight for many years as the front-runner, while the other boys have stood by the way-side learning and moving in a more secure fashion while learing from the mistakes and successes of Microsoft. It is much better to have options when deploying a server or desktop, so I welcome the competition of Microsoft, Apple, and any other OS vendor. I do like to preach about open-standards though, and the consumer should not have to be the one struggling to implement a solution because the vendor has gone out of their way to prevent interoperability (read Microsoft).
Friday, February 18, 2005
Article with quote
"But Clarke, during one panel discussion yesterday, called on Microsoft and other software companies to become more publicly accountable in their efforts to develop secure software. He said he asked Microsoft last year to disclose the specific quality-assurance practices it was following in the pursuit of more-secure software code.
The idea, he said, would be for the software industry to collectively come up with a set of best practices for secure software development. Outside experts would then be able to judge how well each company lives up to those practices.
"There's no fine involved, there's no liability involved, but the marketplace is better informed, and the marketplace works better when it knows what's going on," Clarke said, drawing a round of applause from the crowd at San Francisco's Moscone Center. Panelists compared the concept to the effort to hold public companies to standards for financial reporting under the Sarbanes-Oxley Act."With the creation of open standards which will be regulated by the IT industry itself, and held accountable by the government and people, the industry will be able to move forward with the security and safety of the Internet and applications that rely on the internet.
Thursday, February 17, 2005
This type of automated tracking is a clear invasion of privacy. I am not suggesting that we have a right to privacy (although I do support the right to privacy), but I am suggesting that in this situation, the parents should be able to decide whether or not school employees will have access to their children at all times. I would want measures to be in place to ensure that the local pedophile would not have access to the children's location when the school was short-staffed. We all know that background checks are not 100% accurate, and that school employees are under-paid. The RFID technology is not mature enough to prevent third party reading and tracking either. There should be more planning and risk-analysis involved in a policy such as this.
The idea of monitoring our children is not a bad one, as they require monitoring by responsible individuals who care for their well being. The monitoring becomes a problem when it is automated and access may be given to individuals who the parents are not informed about. I can see this issue getting more of the spotlight as more monitoring solutions are created.
In the Seattle trial, a man is being charged with vehicular homicide after taking a ride with a friend in his new sports car. Witnesses saw the pair leave with the friend driving the car, who was then killed in an accident involving a tree and a mailbox. The prosecution is using PC-Crash, a computer simulation, to try to prove that the occupants switched roles and that the survivor of the crash was driving and caused the crash.
Wednesday, February 16, 2005
The idea seems very efficient, except that the system would have to be stopped to perform the check... A solution to this problem would be to have several servers load-balanced so that the sysadmin could check each system while there were other servers there to maintain the load.
This idea could also be accomplished using Knoppix, albeit not as quickly or efficiently unless the admin had written a script or program to check it for them.
Tuesday, February 15, 2005
Friday, February 11, 2005
More documentation can be found in the RFCs which describe it:
Tuesday, February 08, 2005
- Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.
- Law #2:If a bad guy can alter the operating system on your computer, it's not your computer anymore.
- Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
- Law #4: If you allow a bad guy to upload programs to your Web site, it's not your Web site anymore.
- Law #5: Weak passwords trump strong security.
- Law #6: A computer is only as secure as the administrator is trustworthy.
- Law #7: Encrypted data is only as secure as the decryption key.
- Law #8: An out of date virus scanner is only marginally better than no virus scanner at all.
- Law #9: Absolute anonymity isn't practical, in real life or on the Web.
- Law #10: Technology is not a panacea.
Wednesday, February 02, 2005
Monday, January 24, 2005
Thursday, January 20, 2005
Even though the popular search engine Google has indexed over 8,000,000,000 pages that you are allowed to search when you use it, you are not searching the entire Internet... You are searching the internet as Google sees it. What does this really mean? Google does not want to keep track of all of the trash and garbage that is on the Internet, they want to keep track of the data that they think people want to know about. Google has developed a very complex algorithm that allows them to make an automated decision about each page that they potentially index based upon some pre-determined and proprietary parameters. One of the greatest challenges to advertisers and marketers is figuring out exactly what a search engine is looking for so that they show up in the search! If you merely create a web page and then search for it on a search engine an hour later, you will not find it there! Maybe an example will help...
A search engine is similar to a person who is in an occupation where they need to remember a lot of stuff... When you need to know something, you go to this person because they usually have the answer, or something close to what you want. Well, this person has to obtain this information somehow, and has to prioritize what information they want to learn or retain. Google is a very intelligent person capable of retaining a lot of information (it does run on over 100,000 Linux machines) which gives you a very good chance of finding the data that you want. The only problem is, that like most people, Google does not know everything...and probably never will...
If you really had the capacity to search the entire Internet in the time that your favorite search engine returns the results of your search, then the world you live in would have massive amounts of processing power and more bandwidth than you would know what to do with...
Keeping this in mind, this is why it is very good for all of us that there is more than one search engine... We would not want one company to define the internet that we have the capacity to search, just like we would not want one company deciding what we can do with our computer...(unless you use Windows, the you have already handed the keys to Microsoft).