<?xml version="1.0" encoding="utf-8" ?>

<rss version="0.91" >
<channel>
<title>Technological Musings</title>
<link>http://blog.godshell.com/blog/</link>
<description>Musings, ramblings, rants ...</description>
<language>en</language>
<image>
        <url>http://blog.godshell.com/blog/templates/default/img/s9y_banner_small.png</url>
        <title>RSS: Technological Musings - Musings, ramblings, rants ...</title>
        <link>http://blog.godshell.com/blog/</link>
        <width>100</width>
        <height>21</height>
    </image>

<item>
    <title>Pebble Review</title>
    <link>http://blog.godshell.com/blog/archives/318-Pebble-Review.html</link>

    <description>
        &lt;p class=&quot;break&quot;&gt;In April of 2012, a &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/www.kickstarter.com&#039;]);&quot;  target=&quot;_blank&quot; href=&quot;http://www.kickstarter.com&quot;&gt;Kickstarter&lt;/a&gt; project was launched by a company aiming to create an electronic watch that served as a companion to your smartphone.  A month later, the &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/www.kickstarter.com/projects/597507018/pebble-e-paper-watch-for-iphone-and-android&#039;]);&quot;  href=&quot;http://www.kickstarter.com/projects/597507018/pebble-e-paper-watch-for-iphone-and-android&quot;&gt;project&lt;/a&gt; exceeded its funding goal by over 100%, closing at over $10 million in pledges.  Happily, I was one of the over 68,000 people that pledged.  I received my Pebble about a month ago or so and I&#039;ve been wearing it ever since.  &lt;br /&gt;&lt;br /&gt;&lt;img width=&quot;220&quot; border=&quot;0&quot; align=&quot;left&quot; hspace=&quot;5&quot; height=&quot;220&quot; src=&quot;uploads/pebble.jpg&quot; alt=&quot;Pebble&quot; title=&quot;pebble.jpg&quot; style=&quot;float: left;&quot; /&gt;The watch itself is fairly simple, a rectangular unit with an e-ink display, four buttons, and a rubberized plastic strap.  The screen resolution is 144x168, plenty of pixels for some fairly impressive detail.  The watch communicates with your mobile phone (Android or iPhone only) via a Bluetooth connection.  All software updates and app installation occur over the Bluetooth connection.  There is a 3-axis accelerometer as well as a pretty standard vibrating motor for silent alerts.&lt;br /&gt;&lt;br /&gt;According to the official Pebble FAQ, battery life is 7+ days on a single charge, but this depends on your overall use of the device.  
The more alerts you receive, the more the backlight comes on, and the more apps you use on the device, the shorter your battery life.&lt;br /&gt;&lt;br /&gt;Pebble is still in the process of building the initial run of watches for backers.  Black watches, being the majority of the orders, were built first.  Other colors are coming online in more recent weeks.  Pebble has a &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/ispebbleshipping.com&#039;]);&quot;  target=&quot;_blank&quot; href=&quot;http://ispebbleshipping.com&quot;&gt;website&lt;/a&gt; where interested parties can track how many pebbles have been built and shipped.&lt;br /&gt;&lt;br /&gt;I&#039;ve been pretty impressed with the watch thus far.  Pebble has been fairly responsive to inquiries I&#039;ve made, and they seem dedicated to making sure they have a top quality product.  Of course, as is typical on the Internet, not everyone is happy.  There seem to be a lot of complaints about communication, how long it&#039;s taking to get watches, and about the features themselves.&lt;br /&gt;&lt;br /&gt;It&#039;s hard to say whether these complaints have any merit, though.  For starters, I can&#039;t imagine it&#039;s a simple task to design and build 68,000 watches in a short period of time.  And to complicate matters further, it seems that many backers of Kickstarter projects don&#039;t understand the difference between being a backer and being a customer.&lt;br /&gt;&lt;br /&gt;When you back a Kickstarter project, you&#039;re pledging money to help start the project.  As a &amp;quot;reward&amp;quot; for contributing, if the project is successful, you are entitled to whatever the project owners have designated for your level of contribution.  The key part of this being, if the project is successful.  Some projects take longer than others, and times often slip.  
That said, I&#039;ve only been part of one Kickstarter that has failed, and even that one is being resurrected by other interested parties.&lt;br /&gt;&lt;br /&gt;But there are some legitimate complaints, some that can be addressed, and others that likely won&#039;t.  For instance, I&#039;ve noticed that with recent firmware releases, the battery life on my watch had dropped considerably.  Based on communication with the developers, they are aware of this and are actively working to resolve it.  I&#039;m not sure what the problem is, exactly, but I&#039;m confident they&#039;ll have it fixed in the next firmware update.&lt;br /&gt;&lt;br /&gt;The battery indicator is a source of frequent discussion.  Right now, there&#039;s no indicator of battery life until the battery is running low.  And that indicator doesn&#039;t show on the watchface, it only shows when you are in other menus.  This, in my opinion, is a poor UI choice.  I&#039;d much rather see a battery indicator option available for the watchface itself.&lt;br /&gt;&lt;br /&gt;Menu layout was also a frequent source of frustration for users.  In previous firmware releases, you had to actively go to the watchface you wanted.  Recent releases changed this so that the watch was the default view and other screens were chosen as needed.  The behavior of the navigation buttons on the watch was also updated to reflect this new choice.&lt;br /&gt;&lt;br /&gt;So Pebble continues to improve over time.  It&#039;s an iterative process that will take some time to get right.  I&#039;m eager to see what future releases will bring.  Next week, Pebble is scheduled to release the watch SDK, allowing users, for the first time, to start adding their own customizations to the watch.&lt;br /&gt;&lt;br /&gt;The Pebble watch has a lot of potential.  As the platform matures, I&#039;m hoping to see a number of features I&#039;m interested in come to fruition.  
Interaction between Pebble and other apps on iPhone devices would be a welcome addition.  I would love to see an &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/en.wikipedia.org/wiki/Actigraphy&#039;]);&quot;  href=&quot;https://en.wikipedia.org/wiki/Actigraphy&quot; target=&quot;_blank&quot;&gt;actigraphy&lt;/a&gt; app that uses the Pebble for sleep monitoring.  From what I&#039;ve read, sleep monitoring is even more accurate when the monitor is placed on the sleeper&#039;s wrist.  Seems like a perfect use for the Pebble.&lt;br /&gt;&lt;br /&gt;I&#039;d also like to see more of an open SDK, allowing users such as myself to write code for the Pebble.  While I&#039;m aware of the closed nature of the iPhone platform itself, it is still possible to add applications to the Pebble itself.  I can&#039;t wait to see what others build for this platform.  Given a bit of time, I think this can grow into something even more amazing.&lt;br /&gt;&lt;/p&gt; 
    </description>
</item>
<item>
    <title>Customer Dis-Service</title>
    <link>http://blog.godshell.com/blog/archives/317-Customer-Dis-Service.html</link>

    <description>
        &lt;p class=&quot;whiteline&quot;&gt;In general, I&#039;m a pretty loyal person.  Especially when it comes to material things.  I typically find a vendor I like and stick with them.  Sure, if something new and flashy comes along, I&#039;ll take a look, but unless there&#039;s a compelling reason to change, I&#039;ll stick with what I have.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;But sometimes a change is forced upon me.  Take, for instance, this last week.  I&#039;ve been a loyal Verizon customer for … wow, about 15 years or so.  Not sure I realized it had been that long.  Regardless, I&#039;ve been using Verizon&#039;s services for a long time.  I&#039;ve been relatively happy with them, no major complaints about services being down or getting the runaround on the phone.  In fact, my major gripe with them had always been their online presence which seemed to change from month to month.  I&#039;ve had repeated problems with trying to pay bills, see my services, etc.  But at the end of the day, I&#039;ve always been able to pay the bill and move on.  Since that&#039;s really the only thing I used their online service for, I was content to leave well enough alone.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;In more recent months, we&#039;ve been noticing that the 3M DSL service we had is starting to lack a bit.  Not Verizon&#039;s fault at all, but the fault of an increased strain on the system at our house.  Apparently 3M isn&#039;t nearly enough bandwidth to satisfy our online hunger.  That, coupled with the price we were paying, had me looking around for other services.  
Verizon still doesn&#039;t offer anything faster than 3M in the area and, unfortunately, the only other service in the area is from a company that I&#039;d rather not do business with if I could avoid it.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;In the end, I thought perhaps I could make some slight changes and at least reduce the monthly bill by a little until we determined a viable solution.  I was considering adding a second DSL line, connected to a second wireless router, to relieve the tension a bit.  This would allow me to avoid that other company and provide the bandwidth we needed.  My wife and I could enjoy our own private upstream and place the rest of the house on the other line.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;Ok, I thought, let&#039;s dig into this a bit.  First things first, I decided to get rid of the home phone, or at least transfer it to a cheaper solution.  My cell provider offered a $10/month plan for home phones.  Simple process, port the number over, install this little box in the house, and poof.  Instant savings.  Best part, that savings would be just about enough to get that second DSL line.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;Being cautious, and not wanting to end up without a DSL connection, I contacted Verizon.  Having worked for a telco in the past, I knew that some telcos required that you have a home phone line in order to have DSL service.  This wasn&#039;t a universal truth, however, and it was easy enough to verify.  The first call to Verizon went a little sideways, though.  I ended up in an automated system.  Sure, everyone uses these automated systems nowadays, but I thought this one was particularly condescending.  They added additional sound effects to the prompts so that when you answered a question, the automated voice would acknowledge your request and then type it in.  TYPE IT IN.  I don&#039;t know why, but this drove me absolutely crazy.  
Knowing that I was talking to a recorded voice and then having that recorded voice playing sounds like they were typing on a keyboard?  Infuriating.  And, on top of it, I ended up in some ridiculous loop where I couldn&#039;t get an operator unless I explicitly stated why I wanted an operator, but the automated system apparently couldn&#039;t understand my request.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;Ok, time out, walk away, try again later.  The second time around, I lied.  I ended up in sales, so it seems to have worked.  I explained to the lady on the phone what I was looking for.  I wanted to cancel my home phone and just keep the DSL.  I also wanted to verify that I was not under contract so I wouldn&#039;t end up with some crazy early termination fee.  She explained that this was perfectly acceptable and that I could make these changes whenever I wanted.  I verified again that I could keep the DSL without issue.  She agreed, no problem.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;Excellent!  Off I went to the cell carrier, purchased (free with a contract) the new home phone box, and had them port the number.  The representative cautioned that he saw DSL service listed when he was porting and suggested I contact Verizon to verify that the DSL service would be ok.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;I called Verizon again to verify everything would work as intended.  I explained what I had done, asked when the port would go through, and stressed that the DSL service was staying.  The representative verified the port date and said that the DSL service would be fine.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;You can guess where this is going, can&#039;t you.  On the day of the port, the phone line switched as expected.  The new home phone worked perfectly and I made the necessary changes to the home wiring to ensure that the DSL connection was isolated away from the rest of the wiring.  
DSL was still up, phone ported, everything was great.  Until the next morning.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;I woke up the following morning and started my normal routine.  Get dressed, go exercise, etc.  Except that on the way to exercise, I noticed that the router light was blinking.  Odd, I wonder what was going on.  Perhaps something knocked the system online overnight?  The DSL light on the modem was still on, so I had a connection to the DSLAM.  No problem, reboot the router and we&#039;ll be fine.  So, I rebooted and walked away.  After a few minutes I checked the system and noticed that I was still not able to get online.  I walked through a mental checklist and decided that the username and password for the PPPoE connection must be failing.  Time to call Verizon and see what&#039;s wrong.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;I contacted Verizon and first spoke to a sales rep who informed me that my services had been cancelled per my request.  Wonderful.  All that work and they screw it up anyway.  I explained what I had done and she took a deeper look into the account.  Turns out the account was &quot;being migrated&quot; and she apologized for the mixup.  Since I was no longer bundled, the DSL account had to be migrated.  I talked with her some more about it and she decided to send me to technical support to verify everything was ok.  Off I go to technical support, fully expecting them to ask me to reset my DSL modem.  No such luck, however, the technical support rep explained that I had no DSL service.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;And back to sales I went.  I explained, AGAIN, what was going on.  The representative confirmed my story, verified that the account was being migrated, and asked me to check the service again in a few hours.  
All told, I spent roughly an hour on the phone with Verizon and missed out on my morning exercise.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;After rushing through the remainder of my morning routine and explaining to my wife why the Internet wasn&#039;t working, I left for work.  My wife checked in a few hours later to let me know that, no, we still did not have an Internet connection.  So I called Verizon again.  Again I&#039;m told I have no service and that I have cancelled them.  Again I explain the problem and what I had done.  And this time, the representative explains to me that they do not offer unbundled DSL service anymore, they haven&#039;t had that service in about a year.  She goes on to offer me a bundled package with a phone line and explains that I don&#039;t have to use the phone line, I just have to pay for it.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;So all of the careful planning I had done was for naught.  In an effort to make sure this didn&#039;t happen to anyone else, the rep checked back on my account to see who had informed me about the DSL service.  According to the notes, however, I had never called about such a thing.  I called to complain about unsolicited phone calls and they referred me to their fraud and abuse office and explained about the magical phone code I could put in to block calls.  Ugh!  She then went on to detail every aspect of my problem, again so someone else didn&#039;t have this problem.&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;This is the sort of situation that will, very rapidly, cause me to look elsewhere for service.  And that&#039;s exactly what I did.  I&#039;ve since cut all ties with Verizon and moved on to a different Internet service provider.  I&#039;m not happy with having to deal with this provider, but it&#039;s the only alternative at the moment.  Assuming I don&#039;t have any major problems with the service, I&#039;ll probably continue with them for a while.  
Of course, if I run into problems here, the decision becomes more difficult.  A &quot;lesser of two evils&quot; situation, if you will.  But for now, I&#039;ll deal with what comes up.&lt;/p&gt; 
    </description>
</item>
<item>
    <title>Programming Note</title>
    <link>http://blog.godshell.com/blog/archives/316-Programming-Note.html</link>

    <description>
        &lt;p class=&quot;break&quot;&gt;In 2012 I posted a little over a dozen entries to this blog.  I like to think that each entry was well thought out and time well spent.  But only a dozen?  That&#039;s about one entry a month...  I&#039;d really like to do more.&lt;br /&gt;&lt;br /&gt;So, new year, time to make some changes..  I spent a lot of time judging whether each post was &quot;worth the effort&quot; and &quot;long enough to matter.&quot;  I need to get past that.  My goal is to start posting a number of smaller entries.  I definitely want the quality to be there, but I want to avoid agonizing over each and every entry.&lt;br /&gt;&lt;br /&gt;So here&#039;s to a new year and more content!&lt;br /&gt;&lt;/p&gt; 
    </description>
</item>
<item>
    <title>Derbycon 2012</title>
    <link>http://blog.godshell.com/blog/archives/315-Derbycon-2012.html</link>

    <description>
        &lt;p class=&quot;break&quot;&gt;I spent this past weekend in Louisville, KY attending a relatively new security conference called &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/www.derbycon.com&#039;]);&quot;  href=&quot;http://www.derbycon.com&quot;&gt;Derbycon&lt;/a&gt;.  This year was the second year they held the conference and the first year I spoke there.  It was amazing, to say the least.&lt;br /&gt;&lt;br /&gt;I haven&#039;t been to many conventions, and this is the only security-oriented convention I&#039;ve attended.  When I first attended last year, it was with some trepidation.  I knew that some of the attendees I&#039;d be seeing were truly rockstars in the security world.  And, unfortunately, one of the people who was supposed to come with us was unable to attend.  Of course, that person was the one person in our group who was connected within the security world and we were depending on them to introduce us to everyone.&lt;br /&gt;&lt;br /&gt;It went well, nonetheless, and we were able to meet a lot of amazing people while we were there.  Going back this year, we were able to rekindle friendships that started last year, and even make a few new ones.  Derbycon has an absolutely amazing sense of family.  Even the true rockstars of the con are down to earth enough to hang out with the newcomers.&lt;br /&gt;&lt;br /&gt;And this year, I had the opportunity to speak.  I submitted my CFP earlier in the year, not really expecting it to be chosen.  Much to my surprise, though, it was.  And so I spent some time putting together my talk and prepared to stand in front of the very people I looked up to.  It was nerve-wracking to say the least.  
You can watch the video over on the &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/www.irongeek.com/i.php?page=videos/derbycon2/3-3-5-jason-frisvold-taming-skynet-using-the-cloud-to-automate-baseline-scanning&#039;]);&quot;  href=&quot;http://www.irongeek.com/i.php?page=videos/derbycon2/3-3-5-jason-frisvold-taming-skynet-using-the-cloud-to-automate-baseline-scanning&quot;&gt;Irongeek site&lt;/a&gt;, and you can find the slides in my &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/www.godshell.com/presentations&#039;]);&quot;  href=&quot;http://www.godshell.com/presentations&quot;&gt;presentation archive&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;But I powered through it.  I delivered my talk and while it may not have been the most amazing talk, it was an accomplishment.  I think it&#039;s given me a bit more confidence in my own abilities and I&#039;m looking forward to giving another.  In fact, I&#039;ve since submitted a talk to &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/bit.ly/BSidesDE&#039;]);&quot;  href=&quot;http://bit.ly/BSidesDE&quot;&gt;BSides Delaware&lt;/a&gt; at the behest of the organizers.  I haven&#039;t heard back yet, but here&#039;s hoping.&lt;br /&gt;&lt;br /&gt;I&#039;m already making plans to attend Derbycon 2013 and I hope to be a permanent fixture there for many years to come.  Derbycon is an amazing place to go and something truly magnificent to experience.  I may not be in the security industry, but they made me feel truly welcome despite my often dumb questions and inane comments.  
&lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/twitter.com/dave_rel1k&#039;]);&quot;  href=&quot;http://twitter.com/dave_rel1k&quot;&gt;Rel1k&lt;/a&gt;, &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/twitter.com/irongeek_adc&#039;]);&quot;  href=&quot;http://twitter.com/irongeek_adc&quot;&gt;IronGeek&lt;/a&gt;, and &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/twitter.com/purehate_&#039;]);&quot;  href=&quot;http://twitter.com/purehate_&quot;&gt;Purehate&lt;/a&gt; have put together something special and I was proud to be a part of it again.&lt;br /&gt;&lt;/p&gt; 
    </description>
</item>
<item>
    <title>So you want to talk at a conference</title>
    <link>http://blog.godshell.com/blog/archives/314-So-you-want-to-talk-at-a-conference.html</link>

    <description>
        &lt;p class=&quot;whiteline&quot;&gt;Last year at this time I was attending an absolutely amazing conference known as &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/www.derbycon.com&#039;]);&quot;  href=&quot;http://www.derbycon.com&quot;&gt;DerbyCon&lt;/a&gt;.  It was an amazing time where I met some absolutely amazing people and learned amazing things.  Believe me, there was a lot of amazing.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;I attended one talk that really got me thinking about blue-team security.  That is, defensive security, basically what I&#039;m all about these days.  And I decided that I wanted to help the cause ..  So, I started putting together the pieces in my head and decided I wanted to do a talk at the following DerbyCon ..&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;And so, when the CFP was placed, I submitted my thoughts and ideas.  Honestly, while I hoped it would be accepted, I didn&#039;t think I had a chance in hell given the talent that talked the previous year..  Boy was I wrong..  Talk accepted.  And so I started putting things together, working on the talk itself, pushing forward the design I wanted for this new tool.  I aimed high and came up a little short..&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;As luck would have it, this past summer was a beast.  Just no time to work on anything in-depth .. And time went by.  And before I knew it, DerbyCon was here..  I did a dry-run of my talk to get some feedback and suggestions.  Total talk time?  15 minutes.  Uhh..  That might be an issue..  50 minute talk window and all..&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;So, back to the drawing board.  Fortunately, I received some awesome feedback and expanded my talk a bit.  The revised edition should be a bit longer, I would hope..  I&#039;ll find out tomorrow.  
I&#039;m talking at 2pm.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;I&#039;m terrified.&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;But I&#039;m surrounded by some of the most awesome people I have ever met.  I&#039;ll be fine..  I hope..&lt;/p&gt; 
    </description>
</item>
<item>
    <title>The Future of Personal Computers</title>
    <link>http://blog.godshell.com/blog/archives/297-The-Future-of-Personal-Computers.html</link>

    <description>
        &lt;p class=&quot;whiteline&quot;&gt;The latest version of OS X, Mountain Lion, has been out for a few months and the next release of Windows, Windows 8, will be out very soon.  These operating systems continue the trend of adding new and radical features to a desktop operating system, features we&#039;ve only seen in mobile interfaces.  For instance, OS X has the launchpad, an icon-based menu used for launching applications similar to the interface used on the iPhone and iPad.  Windows 8 has their new Metro interface, a tile-based interface first seen on their Windows Mobile operating system.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;As operating systems evolve and mature, we&#039;ll likely see more of this.  But what will the interface of the future look like?  How will we be expected to interact with the computer, both desktop and mobile, in the future?  There&#039;s a lot out there already about how computers will continue to become an integral part of daily life, how they&#039;ll become so ubiquitous that we won&#039;t know we&#039;re actually using them, etc.  It&#039;s fairly easy to argue that this has already happened, though.  But putting that aside, I&#039;m going to ramble on a bit about what I think the future may hold.  This isn&#039;t a prediction, per se, but more of what I&#039;m thinking we&#039;ll see moving forward.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;So let&#039;s start with today.  Touch-based devices such as iOS and Android based devices have become the standard for mobile phones and tablets.  
In fact, the Android operating system is being used for much more than this, appearing in game consoles such as the &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/www.ouya.tv&#039;]);&quot;  target=&quot;_blank&quot; href=&quot;http://www.ouya.tv&quot;&gt;OUYA&lt;/a&gt;, as the operating system behind Google&#039;s &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/plus.google.com/+projectglass&#039;]);&quot;  target=&quot;_blank&quot; href=&quot;https://plus.google.com/+projectglass&quot;&gt;Project Glass&lt;/a&gt; initiative, and more.  It&#039;s not much of a surprise, of course, as Linux has been making these in-roads for years and Android is, at its core, an enhanced distribution of Linux designed for mobile and embedded applications.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;The near future looks like it will be filled with more touch-based interfaces as developers iterate and enhance the current state of the art.  I&#039;m sure we&#039;ll see streamlined multi-touch interfaces, novel ways of launching and interacting with applications, and new uses for touch-based computing.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;For desktop and laptop systems, the traditional input methods of keyboards and mice will be enhanced with touch.  We see this happening already with Apple&#039;s Magic Mouse and Magic Pad.  Keyboards will follow suit with enhanced touch pads integrated into them, reducing the need to reach for the mouse.  And while some keyboards exist today with touchpads attached already, I believe we&#039;ll start seeing tighter integrations with multi-touch capabilities.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;We&#039;re also starting to see the beginnings of gesture-based devices such as Microsoft&#039;s Kinect.  Microsoft bet a lot on Kinect as the next big thing in gaming, a direct response to Nintendo&#039;s Wii and Sony&#039;s Move controllers.  
And since the launch of Kinect, hobbyists have been hacking away, adding Kinect support to &quot;traditional&quot; computer operating systems.  Microsoft has responded, releasing a development kit for Windows and designing a Kinect intended for use with desktop operating systems.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;Gesture based interfaces have long been perceived as the ultimate in computer interaction.  Movies such as Minority Report and Iron Man have shown the world what such interfaces may look like.  But life is far different from a movie.  Humans were not designed to hold their arms in a horizontal position for long periods of time, a syndrome known as &quot;&lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/catb.org/jargon/html/G/gorilla-arm.html&#039;]);&quot;  target=&quot;_blank&quot; href=&quot;http://catb.org/jargon/html/G/gorilla-arm.html&quot;&gt;Gorilla Arm&lt;/a&gt;.&quot;  Designers will have to adapt the technology in ways that work around these physical limitations.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;Tablet computers work well at the moment because most interactions with them are on a horizontal and not vertical plane, thus humans do not need to strain themselves to use them.  Limited applications, such as ATMs, are more tolerant of these limitations since the duration of use is very low.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;Right now we&#039;re limited to 2D interfaces for applications.  How will technology adapt when true 3D displays exist?  It stands to reason that some sort of gesture interface will come into play, but in what form?  Will we have interfaces like those seen in Iron Man?  For designers, such an interface may provide endless insight into new designs.  Perhaps a merging of 2D and 3D interfaces will allow for this.  
We already have 3D renderings in modern design software, but allowing such software to render in true 3D where the designer can move their head instead of their screen to interact?  That is truly a breakthrough.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;What about mobile life?  Will touch-based interfaces continue to dominate?  Or will wearable computing with HUD style displays become the new norm?  I&#039;m quite excited at the prospect of using something such as Google&#039;s Project Glass in the near future.  The cost is still prohibitive for the average user, but it&#039;s still far below the cost of similar cutting edge technologies a mere 5 years ago.  And prices will continue to drop.&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;Perhaps in the far future, 20+ years from now, the input device will be our own bodies, ala Kinect, with a display small enough that it&#039;s embedded in our eyes, or inserted as a contact lens.  Maybe in that timeframe, we truly become one with the computer and transform from mere humans into cyborgs.  There will always be those who won&#039;t follow suit, but for those of us with the interest and the drive, those will be interesting times, won&#039;t they.&lt;/p&gt; 
    </description>
</item>
<item>
    <title>Jumping The Gap</title>
    <link>http://blog.godshell.com/blog/archives/313-Jumping-The-Gap.html</link>

    <description>
        &lt;p class=&quot;whiteline&quot;&gt;I listened to a news story on NPR&#039;s On The Media recently about &quot;&lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/www.onthemedia.org/2012/aug/10/assessing-true-threat-cyberwar/&#039;]);&quot;  href=&quot;http://www.onthemedia.org/2012/aug/10/assessing-true-threat-cyberwar/&quot;&gt;Cyber Warfare&lt;/a&gt;&quot; and assessing it&#039;s true threat.  On the one hand, it seemed like another misguided report from a clueless news media.  On the other hand, though, it did make me think a bit.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;Much of the talk about Cyber Warfare revolves around attacking the various &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/en.wikipedia.org/wiki/SCADA&#039;]);&quot;  href=&quot;https://en.wikipedia.org/wiki/SCADA&quot;&gt;SCADA&lt;/a&gt; systems used to control the nation&#039;s physical infrastructure.  By today&#039;s standards, many of these systems are quite primitive.  Many of these systems are designed for a very specific purpose, rarely upgraded to run on modern operating systems, and very rarely, if ever, designed to be secure.  The state of the art in security for many of these systems is to not allow outside access to the system.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;Unfortunately, if numerous reports are to be believed, a good portion of the world&#039;s infrastructure is connected to the Internet in one manner or another.  The number of institutions that truly &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/en.wikipedia.org/wiki/Air_gap_%28networking%29&#039;]);&quot;  href=&quot;https://en.wikipedia.org/wiki/Air_gap_%28networking%29&quot;&gt;air gap&lt;/a&gt; their critical networks is alarmingly low.  
A researcher from IO Active, who &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/www.onthemedia.org/blogs/on-the-media/2012/aug/10/eireann-leverett-and-shodan/&#039;]);&quot;  href=&quot;http://www.onthemedia.org/blogs/on-the-media/2012/aug/10/eireann-leverett-and-shodan/&quot;&gt;provided&lt;/a&gt; some of the information for the aforementioned NPR article, used &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/www.shodanhq.com/&#039;]);&quot;  href=&quot;http://www.shodanhq.com/&quot;&gt;SHODAN&lt;/a&gt; to scour the Internet for SCADA systems.  Why use SHODAN?  Turns out, the simple act of scanning the Internet for these systems often resulted in the target systems crashing and going offline.  If a simple network scan can kill one of these systems, then what hope do we have?&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;But, air gapping is by no means a guarantee against attacks since users of these systems may regularly switch between connected and non-connected systems and use some form of media to transfer files back and forth.  There is precedent for this with the &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/en.wikipedia.org/wiki/Stuxnet&#039;]);&quot;  href=&quot;https://en.wikipedia.org/wiki/Stuxnet&quot;&gt;Stuxnet&lt;/a&gt; virus.  According to &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/www.ndu.edu/press/stuxnet-and-strategy.html&#039;]);&quot;  href=&quot;http://www.ndu.edu/press/stuxnet-and-strategy.html&quot;&gt;reports&lt;/a&gt;, the Iranian nuclear facility was, in fact, air gapped.  However, Stuxnet was designed to replicate onto USB drives and other media.  Plug an infected USB drive into a targeted SCADA system and poof, instant infection across an air gapped system.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;So what can be done here?  How do we keep our infrastructure safe from attackers?  
Yes, even &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/www.nytimes.com/2012/08/08/us/pacifists-who-broke-into-nuclear-weapon-facility-due-in-court.html?_r=1&#039;]);&quot;  href=&quot;https://www.nytimes.com/2012/08/08/us/pacifists-who-broke-into-nuclear-weapon-facility-due-in-court.html?_r=1&quot;&gt;aging attackers&lt;/a&gt;…&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;Personally, I believe this comes down, again, to Defense in Depth.  With the exception of not building it in the first place, I don&#039;t believe that there is a way to prevent attacks.  And any determined attacker will eventually get in, given time.  So the only way to defend against this is to build a layered defense grid with a full monitoring back end.  Expect that attackers will make it through one or two layers before being detected.  Determined attackers may make it even further.  But if you build your defenses with this in mind, you will stand a better chance at detecting and repelling these attacks.&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;I don&#039;t believe that air gapping systems is a viable security strategy.  If anything, it can result in a false sense of security for users and administrators.  After all, if the system isn&#039;t connected, how can it possibly be infected?  Instead, start building in security from the start and deploy your defense in monitored layers.  It works.&lt;/p&gt; 
    </description>
</item>
<item>
    <title>Multiple Personalities With The Linux Kernel</title>
    <link>http://blog.godshell.com/blog/archives/312-Multiple-Personalities-With-The-Linux-Kernel.html</link>

    <description>
        &lt;p class=&quot;whiteline&quot;&gt;Virtualization is all the rage these days.  Taking a single computer system and installing multiple &quot;guest&quot; operating systems on it.  The benefits are a reduced footprint and better utilization of existing resources.  There is a danger, however, in having many systems dependent on a single piece of hardware.  The solution, of course, is to use multiple pieces of hardware and allow your &quot;guests&quot; to be moved between the individual hardware units, thus making the system more resilient to failure.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;I&#039;ve started playing a bit with virtualization, specifically, &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/en.wikipedia.org/wiki/Kernel-based_Virtual_Machine&#039;]);&quot;  href=&quot;https://en.wikipedia.org/wiki/Kernel-based_Virtual_Machine&quot;&gt;KVM virtualization&lt;/a&gt;.  For my purposes, I&#039;m using &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/www.centos.org/&#039;]);&quot;  href=&quot;https://www.centos.org/&quot;&gt;CentOS&lt;/a&gt; 6.x on a 64-bit capable system.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;The hypervisor itself is a standard CentOS base install with the addition of kvm and various management packages.  I installed the hypervisor on a RAID1 LVM, allowing me some room to grow if necessary, and reserving the remainder of the hard drive for virtual hosts.  
While you can use binary blobs for virtual disk, I prefer using a raided LVM which gives me the ability to grow the disk if necessary as well as minor bumps in speed.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;Using yum, adding KVM to an existing installation is a pretty straightforward process :&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;&lt;blockquote&gt;yum install virt-manager libvirt libvirt-python python-virtinst&lt;/blockquote&gt;&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;That should take care of any dependencies required to get KVM virtualization up and running.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;Next up, we need to tackle networking.  There are many, many different configurations, far too many to go through here.  So, I&#039;m going to keep it simple.  For my purposes, I need a single connection to the outside network, all in the same VLAN, as well as a local NAT for some VMs that I need local access to, but that don&#039;t need to be accessed via the Internet.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;Setting this up is brilliantly simple.  First, copy the /etc/sysconfig/network-scripts/ifcfg-eth0 file to /etc/sysconfig/network-scripts/ifcfg-br0.  Next, edit the ifcfg-eth0 file.  You&#039;ll need to remove a bunch of lines and add a BRIDGE line as follows :&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;&lt;blockquote&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;DEVICE=&quot;eth0&quot;&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;BRIDGE=&quot;br0&quot;&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;HWADDR=&quot;00:11:22:33:44:55&quot;&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;ONBOOT=&quot;yes&quot;&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;&lt;/blockquote&gt;&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;Next, edit the ifcfg-br0 file.  All you really need to do here is change the DEVICE= line to reflect br0.  
I also recommend disabling NM_CONTROLLED … NetworkManager shouldn&#039;t be installed anyway since you used a base install, but better safe than sorry. In the end, the ifcfg-br0 file should look something like this :&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;&lt;blockquote&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;DEVICE=&quot;br0&quot;&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;BOOTPROTO=&quot;static&quot;&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;BROADCAST=&quot;204.10.167.63&quot;&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;IPADDR=&quot;204.10.167.50&quot;&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;NETMASK=&quot;255.255.255.192&quot;&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;ONBOOT=&quot;yes&quot;&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;TYPE=&quot;Bridge&quot;&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;DELAY=&quot;0&quot;&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;&lt;/blockquote&gt;&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;Restart networking and you&#039;ll be all set.  The NAT portion of this is handled by KVM itself, so there&#039;s nothing to do there.  And networking should be all ready to go.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;Without guests, however, all you have is a basic Linux system with a few extra packages taking up space.  The real magic starts when you create and install your first VM.  My recommendation is to start with creating a template system you can clone later rather than hand-installing every single VM.  To install the template, first decide on the base disk size.  I&#039;m using 15 GB volumes which is more than enough for the base install and leaves room for most basic server configurations.  If you need more space, you can attach additional disks later.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;I&#039;m not going to go into how I set up LVM, there are plenty of tutorials out there.  
For the purposes of this article, I have a volume group named vg_libvirt where I plan to store all of the virtual machines.  So first we create the disk necessary for the template :&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;&lt;blockquote&gt;lvcreate -L15G -n template_base vg_libvirt&lt;/blockquote&gt;&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;Next we install the OS.  virt-install is essentially a wrapper script that sets all the necessary values within KVM to get you going.  After the settings are configured and the VM is started, virt-install will automatically attach you to the VM console.  The full command I used to install is as follows :&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;&lt;blockquote&gt;virt-install --accelerate --hvm --connect qemu:///system --network bridge:br0 --name template --ram 512 --disk=/dev/mapper/vg_libvirt-template_base --vcpus=1 --check-cpu --nographics --extra-args=&quot;console=ttyS0 text&quot; --location=/tmp/CentOS-6.2-x86_64-bin-DVD1.iso&lt;/blockquote&gt;&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;Since this is effectively a text install, you do run into a bit of a problem.  Namely, you can&#039;t configure the drives the way you want.  There is a way around this, though it takes a bit of work.  Of course, since you&#039;re creating a template, the little bit of work now is easily made up for later.  So, here&#039;s how I handled the drive configuration.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;First, run through a basic install using the above install method.  Once you&#039;re up and running, log into the new VM and head to the root home directory.  In that directory you&#039;ll find a kickstart file called anaconda-ks.cfg.  Make a local copy of that file and shut down the VM.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;The kickstart file gives you the basic parameters that CentOS used to configure the system.  You can edit this file and use it yourself to automatically install and configure systems.  
For our purposes, we&#039;re interested in editing the drive configuration and then using the kickstart file to create the template.  So, edit the file and set the parameters as you see fit.  An example is as follows :&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;&lt;blockquote&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;# Kickstart file automatically generated by anaconda.&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;#version=DEVEL&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;install&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;cdrom&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;lang en_US.UTF-8&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;keyboard us&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;network --onboot no --device eth0 --noipv4 --noipv6&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;rootpw  --iscrypted somerandomstringthatiwontrevealtoyoubutnicetry&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;firewall --service=ssh&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;authconfig --enableshadow --passalgo=sha512&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;selinux --enforcing&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;timezone --utc America/New_York&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;bootloader --location=mbr --driveorder=vda --append=&quot; console=ttyS0 crashkernel=auto&quot;&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;# The following is the partition information you requested&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;# Note that any partitions you deleted are not expressed&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;# here so unless you clear all partitions first, this is&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;# not guaranteed to work&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;clearpart --all --drives=vda&lt;br /&gt;&lt;/p&gt;&lt;p 
class=&quot;break&quot;&gt;part /boot --fstype=ext4 --size=500&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;part swap --size=2048&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;part pv.253002 --grow --size=1&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;volgroup VolGroup --pesize=4096 pv.253002&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;logvol / --fstype=ext4 --name=lv_root --vgname=VolGroup --size=4096&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;logvol /tmp --fstype=ext4 --name=lv_tmp --vgname=VolGroup --size=2048&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;logvol /var --fstype=ext4 --name=lv_var --vgname=VolGroup --size=4096&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;logvol /home --fstype=ext4 --name=lv_home --vgname=VolGroup --size=2048&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;#repo --name=&quot;CentOS&quot;  --baseurl=cdrom:sr0 --cost=100&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;%packages --nobase&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;@core&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;%end&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;&lt;/blockquote&gt;&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;Once you have this, you can re-run the virt-install command from above with a slight tweak to make the install use the kickstart file you created (I named it kick1.ks) :&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;&lt;blockquote&gt;virt-install --accelerate --hvm --connect qemu:///system --network bridge:br0 --name template --ram 512 --disk=/dev/mapper/vg_libvirt-template_base --vcpus=1 --check-cpu --nographics --initrd-inject=/path/to/kick1.ks --extra-args=&quot;ks=file:/kick1.ks console=ttyS0 text&quot; 
--location=/tmp/CentOS-6.2-x86_64-bin-DVD1.iso&lt;/blockquote&gt;&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;This will nuke the existing VM and replace it with one configured with the drive partitions as set in the kickstart file.  And now you almost have a template.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;You could use this new VM as a clone, but if you&#039;ve set an IP on it, you&#039;ll run into duplicate IP problems.  SSH keys on the machine will be cloned, making all of your systems contain the same keys.  And other machine-specific settings will be cloned as well.  This can be worked around, though.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;I recommend that you first configure this new template with the basic settings you want on all of your VMs.  For instance, if you&#039;re using Spacewalk for server management, you can install all of the necessary spacewalk binaries.  You can configure a standard iptables template for the system.  Maybe you have some standard security software you use such as OSSEC.  And, of course, create the standard users on the system so you don&#039;t have to create them each time you clone the VM.  Once everything is installed and running how you want it, perform the following actions to make the template :&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;&lt;blockquote&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;touch /.unconfigured&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;rm -rf /etc/ssh/ssh_host_*&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;poweroff&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;&lt;/blockquote&gt;&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;The VM will power down and you&#039;ll have your template.  Cloning this to a new VM is quick and simple.  First, create the new logical volume as we did before.  
Next, clone the VM to the new drive :&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;&lt;blockquote&gt;virt-clone -o template -n new_vm -f /dev/mapper/vg_libvirt-new_vm_base&lt;/blockquote&gt;&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;Simple enough, right?  Run this command and when it completes, you can start the VM and connect to the console.  You&#039;ll be greeted with the standard first boot process and then dropped at a login prompt.  Congratulations, you now have a VM.  Set the IP, configure whatever services you need, and you&#039;re off to the races.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;If you need to modify the RAM, number of CPUs, etc., then use the virsh command on the hypervisor.  You&#039;ll need to shut down the VM and restart it in order for these changes to take effect.&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;And that&#039;s really all there is to it.  The VMs themselves can be treated as self-contained systems with no special care necessary …  One note, however.  If you reboot the hypervisor, the VMs are paused before rebooting and resumed after reboot.  This leads to an interesting problem in that the uptime on a VM can easily exceed that of the hypervisor.  Be aware of this and don&#039;t depend on a VM&#039;s uptime to be accurate.&lt;/p&gt; 
    </description>
</item>
<item>
    <title>Who's Problem Is It Anyway?</title>
    <link>http://blog.godshell.com/blog/archives/311-Whos-Problem-Is-It-Anyway.html</link>

    <description>
        &lt;p class=&quot;whiteline&quot;&gt;This week, Adobe &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/blogs.adobe.com/psirt/2012/06/adobe-photoshop-and-illustrator-security-bulletins-updated.html&#039;]);&quot;  href=&quot;https://blogs.adobe.com/psirt/2012/06/adobe-photoshop-and-illustrator-security-bulletins-updated.html&quot;&gt;released&lt;/a&gt; a security patch for their CS5 product line.  While Adobe releasing security patches isn&#039;t really that surprising given their track record with vulnerable products, what is somewhat surprising are the &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/www.macworld.com/article/1166779/adobe_will_issue_free_security_patches_for_high_profile_creative_suite_apps.html&#039;]);&quot;  href=&quot;https://www.macworld.com/article/1166779/adobe_will_issue_free_security_patches_for_high_profile_creative_suite_apps.html&quot;&gt;circumstances&lt;/a&gt; surrounding the patch.  Adobe released the patch somewhat reluctantly.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;Sometime in May, possibly earlier, Adobe was made aware of a fairly severe security vulnerability in their CS5 product line.  A specially crafted image file was enough to compromise the victim&#039;s computer.  Obviously this is a pretty severe flaw and should be fixed ASAP, right?  Well, Adobe didn&#039;t really see it that way.  Their initial response to the problem was that users who wanted a fixed version would have to pay to upgrade to the CS6 product line, in which the flaw was patched.  
Eventually they decided to backport the patch to the CS5 version.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;Adobe&#039;s initial response and their &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/highedwebtech.com/2012/05/12/adobe-reverses-course-on-photoshop-security-patches/&#039;]);&quot;  href=&quot;http://highedwebtech.com/2012/05/12/adobe-reverses-course-on-photoshop-security-patches/&quot;&gt;eventual capitulation&lt;/a&gt; leads to a broader discussion.  Given any security problem, or even any bug in general, who is responsible for fixing it?  The vendor, of course, right?  Well...  Maybe?&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;In a perfect world, there would be no bugs, security or otherwise.  In a slightly less perfect world, all bugs would be resolved before a product is retired.  But neither world exists and bugs seem to prevail.  So, given that, whose problem is it anyway?&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;There are a lot of justifications vendors make as to when they&#039;ll patch, how they&#039;ll support something, and, of course, excuses.  It&#039;s not an easy problem for vendors, though, and some vendors put a lot of thought into their policies. They don&#039;t always get them right, and there&#039;s never a way to make everyone happy.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;Patching generally follows a product lifecycle.  While the product is supported, patching happens as a normal course of business.  When a product is retired, some companies put together a support plan with For instance, when &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/www.cisco.com/&#039;]);&quot;  href=&quot;https://www.cisco.com/&quot;&gt;Cisco&lt;/a&gt; announces that a product has entered the End-of-Life cycle, they lay out a multi-year plan for support.  
Typically this involves regular software maintenance for a year, security releases for 2-3 years, and then hardware maintenance for the remainder.  This gives businesses ample time to deal with finding a suitable replacement.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;Unfortunately, not all vendors act responsibly and often customers are left high and dry when a product is suddenly obsoleted.  Depending on the vendor, this sometimes leads to discussions about the possibility of legislation forcing vendors to support products, or to at least address security vulnerabilities.  If something like this were to pass, where does it end?  Are vendors forced to support products forever?  Should they only have to fix severe security problems?  And what constitutes a severe security problem?&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;There are a multitude of reasons that bugs, security or otherwise, are not dealt with.  Some justifiable, others not.  Working in networking, the primary excuse I&#039;ve heard from hardware vendors over the years is that the management interface of their product is not intended to be on a public network where it can be attacked.  Or that the management interfaces should be put behind a firewall where they can&#039;t be attacked.  These excuses are garbage, of course, but some vendors just continue to give them.  And, unfortunately, you&#039;re not always in a position to drop a vendor and move elsewhere.  So, we do what we can to secure the systems and move on.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;And sometimes the problem isn&#039;t the vendor, but the customer.  How long has it been since Microsoft phased out older versions of its Windows operating system?  Windows XP is relatively recent, but it&#039;s been a number of years since Windows 2000 was phased out.  Or how about Windows 98, 95, and even Windows NT?  And customers still have these deployed in their networks.  
Hell, I know of at least one OS/2 Warp system that&#039;s still deployed in a Telco Central Office!&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;There is a basis for some regulation, however, and it may affect vendors.  When the security of a particular product can significantly impact the public, it can be argued that regulation is necessary.  The poster child for this argument is SCADA systems, which seem to be perpetually riddled with security holes, mostly due to outdated operating systems.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;&lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/en.wikipedia.org/wiki/SCADA&#039;]);&quot;  href=&quot;https://en.wikipedia.org/wiki/SCADA&quot;&gt;SCADA systems&lt;/a&gt; are what typically control the electrical grid or nuclear power plants.  For obvious reasons, security problems with these systems are a deadly serious problem.  I often hear that these systems should be air gapped from the Internet, but the lure of easy access and control often pushes users to ignore this advice.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;So should SCADA systems be regulated?  It&#039;s obvious that the regulations in place already for the industries they are used in aren&#039;t working, so what makes us think that more regulation will help?  And if we regulate and force vendors to provide patches for security problems, what makes us think that industries will install them?&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;This is a complex problem and there are no easy answers.  The best we can hope for is a competent administrator who knows how to handle security and deal with threats properly.  Until then, let&#039;s hope for incompetent criminals.&lt;/p&gt; 
    </description>
</item>
<item>
    <title>Protecting Sources in the 21st Century</title>
    <link>http://blog.godshell.com/blog/archives/310-Protecting-Sources-in-the-21st-Century.html</link>

    <description>
        &lt;p class=&quot;whiteline&quot;&gt;Trust is key in many situations.  This can be especially true for journalists interested in reporting on sensitive matters.  If journalists couldn&#039;t be trusted to protect the identity of their confidential sources, many news items we take for granted would never have been written, or perhaps they wouldn&#039;t have included some of the crucial information they revealed.  For instance, much of the critical information about the &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/en.wikipedia.org/wiki/Watergate&#039;]);&quot;  href=&quot;https://en.wikipedia.org/wiki/Watergate&quot;&gt;Watergate scandal&lt;/a&gt; was given to reporters by a confidential source who went by the name of &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/en.wikipedia.org/wiki/Deep_Throat&#039;]);&quot;  href=&quot;https://en.wikipedia.org/wiki/Deep_Throat&quot;&gt;Deep Throat&lt;/a&gt;.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;Until recently, reporters made contact with their sources via anonymous phone calls, often from pay phones, secret meetings, and &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/en.wikipedia.org/wiki/Dead_drop&#039;]);&quot;  href=&quot;https://en.wikipedia.org/wiki/Dead_drop&quot;&gt;dead drops&lt;/a&gt;.  The identity of sources could be kept secret fairly easily, especially if the meetings were carefully conducted in such a manner as to leave little or no trail for anyone to follow.  This meant avoiding the use of phones as they were traceable.  Additionally, many journalists were willing to risk jail time instead of revealing their sources.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;With the advent of the Internet, it became possible to contact sources, both local and distant, quickly and conveniently via email or some form of instant messaging.  
The ability to reach out to a source and get an almost immediate answer means journalists can quickly deal with rapidly evolving stories.  The anonymity of the Internet means that sources stay anonymous.  It&#039;s a win-win situation.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;Or is it…&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;I was listening to an On The Media podcast recently and they featured a story about how reporters using the Internet are, in some cases, exposing their contacts without meaning to, often without even knowing it.  You can listen to the story below or read the &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/www.onthemedia.org/2012/apr/27/reporters-unwittingly-exposing-sources/transcript/&#039;]);&quot;  href=&quot;http://www.onthemedia.org/2012/apr/27/reporters-unwittingly-exposing-sources/transcript/&quot;&gt;transcript&lt;/a&gt;.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;&lt;iframe width=&quot;474&quot; height=&quot;54&quot; frameborder=&quot;0&quot; src=&quot;http://www.onthemedia.org/widgets/ondemand_player/#file=%2Faudio%2Fxspf%2F204629%2F;containerClass=onthemedia&quot;&gt;&lt;/iframe&gt;&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;Before the Internet, phone conversations were sometimes considered an acceptable risk for contacting sources.  After all, tracing a phone call was something it generally took a court order to accomplish.  The Internet, however, is a completely different beast.  Depending on the communications software used, tracing the owner of an account can be accomplished very easily by just about anyone.  
Software such as &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/www.netglub.org/&#039;]);&quot;  href=&quot;http://www.netglub.org/&quot;&gt;Netglub&lt;/a&gt; or &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/www.paterva.com/&#039;]);&quot;  href=&quot;http://www.paterva.com/&quot;&gt;Maltego&lt;/a&gt; can be used to quickly gather intel on someone, starting with something as small and simple as a single email address.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;Email accounts are generally accessible from anywhere in the world, protected by only a username and password.  &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/en.wikipedia.org/wiki/Brute-force_search&#039;]);&quot;  href=&quot;https://en.wikipedia.org/wiki/Brute-force_search&quot;&gt;Brute forcing&lt;/a&gt; software can be used to crack a password in a relatively short time allowing someone direct access to the mail stored in the account.  And if the mail is sent in clear text, someone trying to identify the source can easily read email sent between the reporter and their source without anyone being the wiser.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;Other accounts can be similarly attacked.  The end result of identifying the source can be mere embarrassment, or perhaps the source losing their job.  Or, as is often the case when foreign news sources are involved, the source can be hunted down and killed.&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;For a reporter, protecting a source has always been important, but in some cases, it&#039;s a matter of life and death.  In the past few years, unrest overseas in places such as Iran, Egypt, Syria, and others has shown that secure communication methods are necessary to help save the lives of those fighting for change.  Governments have been ruthless in hunting down and eliminating those who would oppose them.  
Secure methods of communication have become lifelines for opposition forces.  Likewise, reporters and anyone else who interacts with these sorts of contacts should also be using whatever methods of security they can to ensure that their sources are protected.&lt;/p&gt; 
    </description>
</item>
<item>
    <title>Towards Building More Secure Networks</title>
    <link>http://blog.godshell.com/blog/archives/309-Towards-Building-More-Secure-Networks.html</link>

    <description>
        &lt;p class=&quot;whiteline&quot;&gt;It is no surprise that security is at the forefront of everyone&#039;s minds these days.  From high profile breaches to script kiddies wreaking havoc across the Internet, it is obvious that there are some weaknesses that need to be addressed.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;In most cases, complete network redesigns are out of the question.  This can be extremely invasive and costly.  However, it may be possible to augment the existing network in such a manner as to add additional layers of security.  It&#039;s also possible that this may lead to the possibility of being able to make even more changes down the road.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;So what do I mean by this?  Allow me to explain...&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;Many networks are fairly simple with only a few subnets, typically a user and a server subnet.  Sometimes there&#039;s a bit of complexity on the user side, creating subnets per department, or subnets per building.  Often this has more to do with manageability of users rather than security.  Regardless, it&#039;s a good practice that can be used to make a network more secure in the long run.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;What is often neglected is the server side of things.  Typically, there are one, maybe two subnets.  Outside users are granted access to the standard web ports.  Sometimes more ports such as ssh and ftp are opened for a variety of reasons.  What administrators don&#039;t realize, or don&#039;t intend, is that they&#039;re allowing outsiders direct access to their core servers, without any sort of security in front of them.  Sure, sure, there might be a firewall, but a firewall is there to ensure you only come in on the proper ports, right?  
If your traffic is destined for port 80, it doesn&#039;t matter if it&#039;s malicious or not, the firewall lets it through anyway.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;But what&#039;s the alternative?  What can be done instead?  Well, what about sending outside traffic to a separate network where the systems being accessed are less critical, and designed to verify traffic before passing it on to your core servers?  What I&#039;m talking about is creating a DMZ network and forcing all users through a proxy.  Even a simple proxy can help to prevent many attacks by merely dropping illegal traffic and not letting it through to the core server.  Proxies can also be heavily fortified with HIDS and other security software designed to look for suspicious traffic and block it.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;By adding in this DMZ layer, you&#039;ve put a barrier between your server core and the outside world.  This is known as layered defense.  You can add additional layers as time and resources allow.  For instance, I recommend segmenting away database servers as well as identity management servers.  Adding this additional segmentation can be done over time as new servers come online and old servers are retired.  The end goal is to add this additional security without disrupting the network as a whole.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;If you have the luxury of building a new network from the ground up, however, make sure you build this in from the start.  There is, of course, a breaking point.  It makes sense to create networks to segregate servers by security level, but it doesn&#039;t make sense to segregate purely to segregate.  For instance, you may segregate database and identity management servers away from the rest of the servers, but segregating Oracle servers away from MySQL servers may not add much additional security.  There are exceptions, but I suggest you think long and hard before you make such an exception.  
Are you sure that the additional management overhead is worth the security?  There&#039;s always a cost/benefit analysis to perform.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;Segregating networks is just the beginning.  The purpose here is to enhance security.  By segregating networks, you can significantly reduce the number of clients that need to access a particular server.  The whole world may need to access your proxy servers, but only your proxy servers need to access the actual web application servers.  Likewise, only your web application servers need access to your database servers.  Using this information, you can tighten down your firewall.  But remember, a firewall is just a wall with holes in it.  The purpose is to deflect random attacks, but it does little to nothing to prevent attacks on ports you&#039;ve opened.  For that, there are other tools.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;At the very edge, simplistic firewalling and generally loose HIDS can be used to deflect most attacks.  As you move further within the network, additional security can be used.  For instance, deploying an IPS at the very edge of the network can result in the IPS being quickly overwhelmed.  Of course, you can buy a bigger, better IPS, but to what end?  Instead, you can move the IPS further into the network, placing it where it will be more effective.  If you place it between the proxy and the web server, you&#039;ve already ensured that the only traffic hitting the IPS is loosely validated HTTP traffic.  With this knowledge, you can reduce the number of signatures the IPS needs to have, concentrating on high quality HTTP signatures.  Likewise, an IPS between the web servers and database servers can be configured with high quality database signatures.  You can, in general, direct the IPS to block any and all traffic that falls outside of those parameters.&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;As the adage goes, there is no silver bullet for security.  
Instead, you need to use every weapon in your arsenal and put together a solid defense.  By combining all of these techniques together, you can defend against many attacks.  But remember, there&#039;s always a way in.  You will not be able to stop the most determined attacker, you can only hope to slow him down enough to limit his access.  And remember, securing your network is only one aspect of security.  Don&#039;t forget about the other low hanging fruit such as SQL injection, cross site scripting, and other common application holes.  You may have the most secure network in existence, but a simple SQL injection attack can result in a massive data breach.&lt;/p&gt; 
    </description>
</item>
<item>
    <title>Monitoring as a Lifestyle</title>
    <link>http://blog.godshell.com/blog/archives/308-Monitoring-as-a-Lifestyle.html</link>

    <description>
        &lt;p class=&quot;whiteline&quot;&gt;A few years ago, I wrote a &lt;a href=&quot;http://blog.godshell.com/blog/archives/161-Play-with-your-Wii-and-get-Fit!.html&quot;&gt;blog entry&lt;/a&gt; about losing weight using the Wii Fit.  This worked really well for me and I was quite happy with the weight I lost.  But I found, over time, that I put at least some of the weight back on.  Most of this, I believe, was due to not having a full understanding of how much I was eating.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;I&#039;ve since switched from using the Wii Fit to using the XBox Kinect for fitness.  I also go to fitness classes outside of home, but that&#039;s a more recent change.  But this blog entry isn&#039;t really about fitness alone.  It&#039;s about monitoring your lifestyle, keeping track of the data you generate on a daily basis.  Right now, I track a lot of personal data about my weight, what I eat, how often I work out, how I sleep, etc.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;Allow me to lay out some of the tools I use on a daily basis.  First off, my phone.  I happen to be an iPhone user at the moment, though any modern smartphone has somewhat similar capabilities.  Using my phone, I can view and edit my data whenever I need to, wherever I am.  There are literally thousands of applications that can be used to track data about yourself.  I&#039;m hoping to be able to aggregate all or most of this data in a single location at some point, but for now, it&#039;s spread across a few different services.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;I&#039;m typically fairly private about my data and I tend to avoid most cloud services.  However, I have found that it&#039;s virtually impossible to do the type of tracking I want without having to build every single tool myself.  
So, instead, I use a few online services and provide them with virtually no personal information about myself beyond what is required to make the service work.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;So what am I using, anyway?  Let&#039;s start with how I track my diet.  I&#039;m using a service called &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/www.myfitnesspal.com/&#039;]);&quot;  href=&quot;http://www.myfitnesspal.com/&quot;&gt;My Fitness Pal&lt;/a&gt; to track what my daily caloric intake is.  This has significantly helped me redefine my dietary habits and helped me to realize how much I should be eating.  Previously, I would try to reduce my intake by spreading out meals over the course of the day.  While this is a great habit, in the end I believe I was eating more than I should have been, despite my intent.  Using the MyFitnessPal application, I get a clear view of where I stand at any point during the day.  I&#039;ve been able to significantly reduce my intake without having to shun the foods I love.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;On the fitness side of things, I work out every morning before work using &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/www.xbox.com/en-US/kinect&#039;]);&quot;  href=&quot;http://www.xbox.com/en-US/kinect&quot;&gt;XBox Kinect&lt;/a&gt; and &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/yourshapegame.ubi.com/fitness-evolved-2012/en-US/&#039;]);&quot;  href=&quot;http://yourshapegame.ubi.com/fitness-evolved-2012/en-US/&quot;&gt;Your Shape Fitness&lt;/a&gt;.  I switched over to this when the original Your Shape game came out and I&#039;ve been quite happy.  The Wii Fit is a great tool to start with, and it has the benefit of checking your weight every time you play, something I do miss with Your Shape, but the exercises became far too easy to complete.  
Your Shape pushes a bit harder, bringing a higher level of exercise to my daily routine.  And now with the new version, they&#039;ve raised the bar a bit, allowing me to push even harder.  There are a few areas I&#039;d like to see improvements in, but overall, I don&#039;t have many complaints.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;Using the Your Shape app on my phone, I get a readout of my exercise for the day, as well as an estimate of the calories I burned.  I take this information and enter it into the My Fitness Pal application.  Doing this allows me to increase my allotment of calories for the day based on how active I have been.  In a way, I guess it works like a reward system, granting me the ability to enjoy a little more each day I spend time to work out.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;I also wear a &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/jawbone.com/up&#039;]);&quot;  href=&quot;http://jawbone.com/up&quot;&gt;Jawbone Up&lt;/a&gt;.  The Up is a pretty cool little device that tracks your movement during the day and your sleep patterns at night.  It can also be used to track your food, though the interface for this is a bit lacking, which is why I use MyFitnessPal.  The Up gives me a great view of how active I am during the day, as well as a view of how well I&#039;m sleeping at night.  Jawbone has had a bit of a hard time with this particular product, but my personal experience has been pretty positive thus far.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;I have a few applications on my phone for tracking runs, though I use them for walking instead.. I&#039;m not much of a runner.  These applications are a dime a dozen, and I don&#039;t really have a preference at this point.  As long as the application has feedback on distance and route, it&#039;s typically good enough.  
The application for the Up has this capability as well, though I haven&#039;t had a chance to try it out yet.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;And finally, I use an application to track my weight on a daily basis.  One of the first things I do in the morning is weigh myself.  I&#039;m currently using an application called &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/www.tactiosoft.com/en/products/targetweight&#039;]);&quot;  href=&quot;http://www.tactiosoft.com/en/products/targetweight&quot;&gt;TargetWeight&lt;/a&gt; by Tactio.  Basically, this application tracks your weight over time, offering up a few features to help along the way.  If you enter a target weight, the application will show you the weight left to lose as part of the icon on your phone.  Additionally, it will attempt to predict when you&#039;ll hit your target weight based on the historical data it has collected.  There&#039;s a nice graphical view of your weight over time as well.  Entering your weight is a quick process each morning and is one of the biggest motivators for me.  There&#039;s also an option to use a WiFi enabled &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/shop.withings.com/en_us/products/the-connected-bodyscale-withings-1.html&#039;]);&quot;  href=&quot;http://shop.withings.com/en_us/products/the-connected-bodyscale-withings-1.html&quot;&gt;Withings scale&lt;/a&gt; to wirelessly enter your data.&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;All together, these various applications and tools allow me to gain better insight into my daily health.  This is obviously not for everyone, but for myself it has worked wonders.  I&#039;ve lost about 30 pounds or so in the past 2 months, and I&#039;m getting quite close to my current target weight.  To each his own, but this is working wonders for me.&lt;/p&gt; 
    </description>
</item>
<item>
    <title>MAKE : Mass Monitor Rebuild</title>
    <link>http://blog.godshell.com/blog/archives/307-MAKE-Mass-Monitor-Rebuild.html</link>

    <description>
        &lt;p class=&quot;whiteline&quot;&gt;A few years ago, I came across a &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/www.massedi.com/products/c19/c4q19.htm&#039;]);&quot;  href=&quot;http://www.massedi.com/products/c19/c4q19.htm&quot;&gt;Mass EDI 4-monitor display&lt;/a&gt;.  The computer system I had just happened to have two dual-display video cards, so it was a perfect match.  Last year, one of the displays burned out and had to be replaced.  Unfortunately, Mass wanted upwards of $500 for a new display.  I did have a number of Dell displays available, though, and decided to look into adding one of those to the mix.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;&lt;a  class=&quot;image-link&quot;  rel=&quot;lightbox&quot; href=&quot;http://blog.godshell.com/blog/uploads/mass_monitor/Mass Array.jpg&quot;&gt;&lt;img style=&quot;display:block; margin-left:auto; margin-right:auto;&quot; src=&quot;http://blog.godshell.com/blog/uploads/mass_monitor/Mass Array.jpg&quot; alt=&quot;Mass Array&quot; title=&quot;Mass Array.jpg&quot; border=&quot;0&quot; width=&quot;300&quot; height=&quot;300&quot; /&gt;&lt;/a&gt;&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;My initial attempt at adding a Dell to the mix was fairly crude, but it worked.  I decided to rebuild the entire array this past week and remove the remaining three Mass monitors.  There were two main reasons for this.  First, the crude setup I had with the first Dell monitor wasn&#039;t an ideal situation.  The way the new monitor was mounted, it pressed up against the others and was difficult to adjust.  The second reason was that I have a new video card, a &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/www.newegg.com/Product/Product.aspx?Item=N82E16814162083&#039;]);&quot;  href=&quot;http://www.newegg.com/Product/Product.aspx?Item=N82E16814162083&quot;&gt;Galaxy nVidia GeForce 210&lt;/a&gt;, that requires DVI and not VGA.  
The version of the Mass display I had didn&#039;t support DVI.&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;&lt;a  class=&quot;image-link&quot;  rel=&quot;lightbox&quot; href=&quot;http://blog.godshell.com/blog/uploads/mass_monitor/Galaxy 210.jpg&quot;&gt;&lt;img style=&quot;display:block; margin-left:auto; margin-right:auto;&quot; src=&quot;http://blog.godshell.com/blog/uploads/mass_monitor/Galaxy 210.jpg&quot; alt=&quot;Galaxy 210&quot; title=&quot;Galaxy 210.jpg&quot; border=&quot;0&quot; width=&quot;300&quot; height=&quot;225&quot; /&gt;&lt;/a&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;&lt;a  class=&quot;image-link&quot;  rel=&quot;lightbox&quot; href=&quot;http://blog.godshell.com/blog/uploads/mass_monitor/Dell 1907FP.JPG&quot;&gt;&lt;img style=&quot;display:block; margin-left:auto; margin-right:auto;&quot; src=&quot;http://blog.godshell.com/blog/uploads/mass_monitor/Dell 1907FP.JPG&quot; alt=&quot;Dell 1907FP&quot; title=&quot;Dell 1907FP.JPG&quot; border=&quot;0&quot; width=&quot;300&quot; height=&quot;322&quot; /&gt;&lt;/a&gt;&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;And so I started to look at how to better mount a Dell display on a Mass multi-monitor array.  The Dell monitor I used initially was a 1907FP.  The general size was about right, it just needed to be lifted up away from the lower monitor a bit.  The main problem I had with the current mount was that in order to couple the Mass mounting bracket to the Dell mounting bracket, there was really only one location that it could be placed without adding additional hardware.  The Dell monitor has a small button on the back to remove it from its mounting, and the Mass has a lever of sorts that does the same.  The coupling had to take both of these removal mechanisms into consideration.  
I spoke with a colleague about the problem and we came up with a small coupling plate that would raise the Dell monitor up, keep both removal mechanisms clear, and allow for much better adjustment of the resulting monitor array.&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;&lt;a  class=&quot;image-link&quot;  rel=&quot;lightbox&quot; href=&quot;http://blog.godshell.com/blog/uploads/mass_monitor/coupling plate.JPG&quot;&gt;&lt;img style=&quot;display:block; margin-left:auto; margin-right:auto;&quot; src=&quot;http://blog.godshell.com/blog/uploads/mass_monitor/coupling plate.JPG&quot; alt=&quot;Coupling plate&quot; title=&quot;coupling plate.JPG&quot; border=&quot;0&quot; width=&quot;300&quot; height=&quot;167&quot; /&gt;&lt;/a&gt;&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;Assembly was pretty straightforward.  In order to attach the coupling plate to the Dell monitor, the Dell mount had to be removed from the original stand, lined up with the coupling plate, and holes were drilled to match.&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;&lt;a  class=&quot;image-link&quot;  rel=&quot;lightbox&quot; href=&quot;http://blog.godshell.com/blog/uploads/mass_monitor/dell original mount.JPG&quot;&gt;&lt;img style=&quot;display:block; margin-left:auto; margin-right:auto;&quot; src=&quot;http://blog.godshell.com/blog/uploads/mass_monitor/dell original mount.JPG&quot; alt=&quot;Dell original mount&quot; title=&quot;dell original mount.JPG&quot; border=&quot;0&quot; width=&quot;300&quot; height=&quot;433&quot; /&gt;&lt;/a&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;&lt;a  class=&quot;image-link&quot;  rel=&quot;lightbox&quot; href=&quot;http://blog.godshell.com/blog/uploads/mass_monitor/coupling plate on dell monitor.JPG&quot;&gt;&lt;img style=&quot;display:block; margin-left:auto; margin-right:auto;&quot; src=&quot;http://blog.godshell.com/blog/uploads/mass_monitor/coupling plate on dell monitor.JPG&quot; 
alt=&quot;Coupling plate on dell monitor&quot; title=&quot;coupling plate on dell monitor.JPG&quot; border=&quot;0&quot; width=&quot;300&quot; height=&quot;224&quot; /&gt;&lt;/a&gt;&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;Once the Dell side was finished, the Mass mount was removed from the original monitor and paired up with the augmented Dell mount.&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;&lt;a  class=&quot;image-link&quot;  rel=&quot;lightbox&quot; href=&quot;http://blog.godshell.com/blog/uploads/mass_monitor/mass mounting plate.JPG&quot;&gt;&lt;img style=&quot;display:block; margin-left:auto; margin-right:auto;&quot; src=&quot;http://blog.godshell.com/blog/uploads/mass_monitor/mass mounting plate.JPG&quot; alt=&quot;Mass mounting plate&quot; title=&quot;mass mounting plate.JPG&quot; border=&quot;0&quot; width=&quot;300&quot; height=&quot;224&quot; /&gt;&lt;/a&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;&lt;a  class=&quot;image-link&quot;  rel=&quot;lightbox&quot; href=&quot;http://blog.godshell.com/blog/uploads/mass_monitor/finished mount 1.JPG&quot;&gt;&lt;img style=&quot;display:block; margin-left:auto; margin-right:auto;&quot; src=&quot;http://blog.godshell.com/blog/uploads/mass_monitor/finished mount 1.JPG&quot; alt=&quot;Finished mount 1&quot; title=&quot;finished mount 1.JPG&quot; border=&quot;0&quot; width=&quot;300&quot; height=&quot;188&quot; /&gt;&lt;/a&gt;&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;And finally, the new augmented mounting brackets are attached to both the Dell monitor and the Mass monitor array.  
The dangling VGA cable was for testing prior to the installation of the new video card.&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;&lt;a  class=&quot;image-link&quot;  rel=&quot;lightbox&quot; href=&quot;http://blog.godshell.com/blog/uploads/mass_monitor/finished display rear.JPG&quot;&gt;&lt;img style=&quot;display:block; margin-left:auto; margin-right:auto;&quot; src=&quot;http://blog.godshell.com/blog/uploads/mass_monitor/finished display rear.JPG&quot; alt=&quot;Finished display rear&quot; title=&quot;finished display rear.JPG&quot; border=&quot;0&quot; width=&quot;300&quot; height=&quot;224&quot; /&gt;&lt;/a&gt;&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;&lt;a  class=&quot;image-link&quot;  rel=&quot;lightbox&quot; href=&quot;http://blog.godshell.com/blog/uploads/mass_monitor/finished display.JPG&quot;&gt;&lt;img style=&quot;display:block; margin-left:auto; margin-right:auto;&quot; src=&quot;http://blog.godshell.com/blog/uploads/mass_monitor/finished display.JPG&quot; alt=&quot;Finished display&quot; title=&quot;finished display.JPG&quot; border=&quot;0&quot; width=&quot;300&quot; height=&quot;224&quot; /&gt;&lt;/a&gt;&lt;/p&gt;&lt;p class=&quot;whiteline&quot;&gt;All that remains now is general adjustment of the new monitors.  There&#039;s a single Hex screw on the Mass array behind each monitor that can be used to adjust the monitors up and down, as well as some angled movement.  This should allow me to adjust the display to exactly what I need.  And it now works with the new video card, which was a breeze to install and get running in Fedora.&lt;/p&gt;&lt;p class=&quot;break&quot;&gt;I love it when a plan comes together.&lt;/p&gt; 
    </description>
</item>
<item>
    <title>Contemplating the Future</title>
    <link>http://blog.godshell.com/blog/archives/306-Contemplating-the-Future.html</link>

    <description>
        In 2005 I obtained a job at a regional &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/en.wikipedia.org/wiki/ILEC&#039;]);&quot;  href=&quot;https://en.wikipedia.org/wiki/ILEC&quot;&gt;ILEC&lt;/a&gt; as a Data Operations Technician.  As part of this job, I took over development of one of the tools we used to diagnose customer DSL connections.  Problem was, this tool was written in PHP, a programming language I was, as yet, unfamiliar with.&lt;br /&gt;
&lt;br /&gt;
At the same time, I was also looking for a web-based tool I could use to keep track of various tasks.  While there were a few open-source tools I could use, none had the features I was looking for.  So I decided to write one myself, and to write it in PHP so I could learn the language better.  In the end, I&#039;m glad I did as PHP has become indispensable for writing web-based tools.&lt;br /&gt;
&lt;br /&gt;
The tool I wrote was a web-based todo manager called &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/phptodo.godshell.com/&#039;]);&quot;  href=&quot;http://phptodo.godshell.com/&quot;&gt;phpTodo&lt;/a&gt;.  Since the alpha release in 2005, I have released 7 more versions.  Work on phpTodo has ebbed and flowed with time, often interrupted by work and life in general.  In fact, the last formal release was made almost 5 years ago, bringing the current version up to 0.8.1.  In 2009, I &lt;a href=&quot;http://blog.godshell.com/blog/archives/199-phpTodo-...-In-Fedora!!.html&quot;&gt;found out&lt;/a&gt; that phpTodo was being packaged and released with Fedora as well.&lt;br /&gt;
&lt;br /&gt;
After releasing 0.8.1, I decided to switch from using categories to using tags, similar to how the blogging system I use, &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/s9y.org/&#039;]);&quot;  href=&quot;http://s9y.org/&quot;&gt;Serendipity&lt;/a&gt;, uses them.  This required rewriting a good deal of the back end of the system, as well as making extensive changes to the front end.  I also started using the &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/www.prototypejs.org/&#039;]);&quot;  href=&quot;http://www.prototypejs.org/&quot;&gt;Prototype&lt;/a&gt; and &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/script.aculo.us/&#039;]);&quot;  href=&quot;http://script.aculo.us/&quot;&gt;Scriptaculous&lt;/a&gt; Javascript frameworks, and then later switched to &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/jquery.com/&#039;]);&quot;  href=&quot;http://jquery.com/&quot;&gt;jQuery&lt;/a&gt;.  In all, a great deal of code has been rewritten.&lt;br /&gt;
&lt;br /&gt;
I&#039;m quite happy with the general feel of the new version I&#039;ve been working on.  While there is a good deal more code to be written, I&#039;m confident there will be a code release soon enough.&lt;br /&gt;
&lt;br /&gt;
I&#039;ve been thinking a lot about the future of phpTodo and where I want to take it.  When I originally started, I wrote the system such that I could see my todo list items via an RSS feed.  At the time, I had a Blackberry phone and this worked brilliantly.  Of course, this was purely a one-way feed with no way to update any todo items on the go.  Since that time, I started working on a mobile view for the system, but stopped quickly after I realized how horrible working with &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/en.wikipedia.org/wiki/Wireless_Application_Protocol&#039;]);&quot;  href=&quot;https://en.wikipedia.org/wiki/Wireless_Application_Protocol&quot;&gt;WAP&lt;/a&gt; was.  Fortunately, technology has progressed quickly since that time and WAP is no longer necessary.  So, I&#039;m considering working on a mobile version again.&lt;br /&gt;
&lt;br /&gt;
A mobile version brings new challenges, however.  It should be trivial to develop a mobile view that can be used while online, but my hope was to have an offline version as well that can be synchronized with the online version.  One possibility is to develop an app that can be loaded onto a phone.  That, of course, severely limits the platforms it can be run on.  Another possibility is an HTML5 version, though that brings challenges of its own.&lt;br /&gt;
&lt;br /&gt;
Another thought was to build a web service into phpTodo.  The basic premise is an XML generator that, given a set of parameters, can supply an XML feed for external systems to use as input.  And an XML parser that can receive data from external systems in order to update phpTodo data.  I believe this can be used as the interface for the mobile view.&lt;br /&gt;
&lt;br /&gt;
A web service can also be used to power another idea I had.  I stumbled across the website of &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/brettterpstra.com&#039;]);&quot;  href=&quot;http://brettterpstra.com&quot;&gt;Brett Terpstra&lt;/a&gt; a while back and found a treasure trove of interesting ideas and useful code snippets.  Among these is an obsession for recording notes to keep track of projects, interesting ideas, and helpful code snippets.  Brett uses a number of custom scripts and software packages, most of which are exclusive to his platform of choice, OS X.  To be honest, I find this incredibly intriguing, and potentially useful.  So, I&#039;ve been thinking about developing a command-line tool I can use to interact with phpTodo.  A web service could make this a great deal easier.&lt;br /&gt;
&lt;br /&gt;
I have no plans to stop working on the project, and, in fact, I&#039;m eager to keep moving forward.  As I continue to rely on phpTodo itself for my daily work, I rely on improvements I can make to the system.  So overall, the future of phpTodo is bright. 
    </description>
</item>
<item>
    <title>Mega Fail</title>
    <link>http://blog.godshell.com/blog/archives/305-Mega-Fail.html</link>

    <description>
        So… this happened :&lt;br /&gt;
&lt;br /&gt;
&lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/www.usatoday.com/tech/news/story/2012-01-19/megaupload-feds-shutdown/52678528/1&#039;]);&quot;  href=&quot;http://www.usatoday.com/tech/news/story/2012-01-19/megaupload-feds-shutdown/52678528/1&quot;&gt;Popular file-sharing website Megaupload shut down&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;
&lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/arstechnica.com/tech-policy/news/2012/01/megaupload-shut-down-by-feds-seven-charged-four-arrested.ars&#039;]);&quot;  href=&quot;http://arstechnica.com/tech-policy/news/2012/01/megaupload-shut-down-by-feds-seven-charged-four-arrested.ars&quot;&gt;Megaupload shut down by feds, seven charged, four arrested&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;
&lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/news.cnet.com/8301-31001_3-57362609-261/megaupload-assembles-worldwide-criminal-defense/&#039;]);&quot;  href=&quot;http://news.cnet.com/8301-31001_3-57362609-261/megaupload-assembles-worldwide-criminal-defense/&quot;&gt;Megaupload assembles worldwide criminal defense&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;
&lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/venturebeat.com/2012/01/20/department-of-justice-doj-dept-of-justice-megaupload-piracy-sopa-pipa/&#039;]);&quot;  href=&quot;http://venturebeat.com/2012/01/20/department-of-justice-doj-dept-of-justice-megaupload-piracy-sopa-pipa/&quot;&gt;Department of Justice shutdown of rogue site MegaUpload shows SOPA is unnecessary&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;
And then..  This happened :&lt;br /&gt;
&lt;br /&gt;
&lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/www.cbsnews.com/8301-501465_162-57362764-501465/megaupload-anonymous-hacker-retaliation-nobody-wins/&#039;]);&quot;  href=&quot;http://www.cbsnews.com/8301-501465_162-57362764-501465/megaupload-anonymous-hacker-retaliation-nobody-wins/&quot;&gt;Megaupload Anonymous hacker retaliation, nobody wins&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
And, of course, the day before all of this happened was the &lt;a href=&quot;http://blog.godshell.com/blog/archives/304-Who-turned-the-lights-out.html&quot;&gt;SOPA/PIPA protest&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
Wow..  The government, right?  SOPA/PIPA isn&#039;t even on the books, people are up in arms over it, and then they go and seize one of the largest file sharing websites on the planet!  We should all band together and immediately protest this illegal seizure!&lt;br /&gt;
&lt;br /&gt;
But wait..  hang on..  Since when does jumping to conclusions help?  Let&#039;s take a look and see what exactly is going on here..  According to the &lt;a onclick=&quot;_gaq.push([&#039;_trackPageview&#039;, &#039;/extlink/www.justice.gov/opa/pr/2012/January/12-crm-074.html&#039;]);&quot;  href=&quot;http://www.justice.gov/opa/pr/2012/January/12-crm-074.html&quot;&gt;indictment&lt;/a&gt;, this case went before a grand jury before any takedown was performed.  Additionally, this wasn&#039;t an all-of-a-sudden thing.  Megaupload had been contacted in the past about copyright violations and failed to deal with them as per established law.&lt;br /&gt;
&lt;br /&gt;
There are a lot of people who are against this action.  In fact, the hacktivist group, Anonymous, decided to display their dictate by performing DDoS attacks against high profile sites such as the US DoJ, MPAA, and RIAA.  This doesn&#039;t help things and may actually hurt the SOPA/PIPA protest in the long run.&lt;br /&gt;
&lt;br /&gt;
Now I&#039;m not going to say that the takedown was right and just, there&#039;s just not enough information as of yet, and it may turn out that the government was dead wrong with this action.  But at the moment, I have to disagree with those that point at this as an example of an illegal takedown.  As a friend of mine put it, if the corner market is selling illegal bootleg videos, when they finally get raided, the store gets closed.  Yes, there were legal uses of the services on the site, but the corner store sold milk too.&lt;br /&gt;
&lt;br /&gt;
There are still many, many copyright and piracy issues to deal with.  And it&#039;s going to take a long time to deal with them.  We need to be vigilant, and protesting when necessary does work.  But jumping to conclusions like this, and then attacking sites such as the DoJ, is not going to help the cause.  There&#039;s a time and a place for that, and I don&#039;t believe we&#039;re there yet. 
    </description>
</item>

</channel>
</rss>
