xenol's blog

My personal blog

29c3: Finale

I arrived at CCH in the afternoon and headed directly for NOC Review talk. Guys did really wonderful job, although the Wifi was a problem. I really liked some network facts:

  • ~70 access points, great signal coverage
  • 3059 concurrent wireless clients connected during peaks
  • traffic usage of 8.2 Gbps
  • 40% of traffic being IPv6

Video can be found here.

The 29C3 was really nice experience and I will definitely return back to 30C3. Another nice thing was that event of this size was run entirely by the volunteers. I would like to take part in helping as a Chaos Angel or directly as a speaker next year. We will see what will 2013 bring.

29c3: Day Three

Third day of the Congress was filled with some number of interesting talks I visited. I started with a talk, in which I was interested the most – An Overview of Secure Name Resolution – DNSSEC, DNSCurve and Namecoin. Speaker gave great introduction into DNSSEC and also talked about its deployment rate. He also spoke DNSSEC’s use in amplification attacks and suitable countermeasures. DNSCurve and Namecoin was discussed as well. From this talk, it is clear that DNSSEC is the way forward. Video will be available shortly.

Security Evaluation of Russian GOST Cipher gave nice overview of Russian GOST cipher and it’s history. In theory, GOST should be secure for 200 more years. I am a bit sceptic as in the last two years there were found around 20+ possible attacks on GOST. Speaker talked about them and described the steps how to attack. Video will be available shortly.

Another great talk by Daniel J. Bernstein was titled Hash-flooding DoS reloaded: attacks and defenses. Dan explained hash tables and described anatomy of the hash flooding attacks in detail. Martin Bo├člet demonstrated vulnerability on languages using MurmurHash as a hashing function. He used Ruby and Java for demonstrating purposes. Martin spoke about better alternatives – CityHash by Google. However, he demonstrated that it is worse than MurmurHash family of hash functions. SipHash was introduced as a simple, yet secure alternative. Video will be available shortly.

29c3: Day Two

I started this day with visiting talk by Axel Arnbak titled Certificate Authority Collapse. Axel talked about the current model being completely broken (nothing new in the security community) and that the change is needed. He described the DigiNotar incident. The European Union wants to address this issue by regulations, which do more harm than good. If the CA model is broken, it should be fixed technically and not by law. Video can be found here.

After lunch, I went and saw Lightning talks block. I liked the talk about a project building community GSM and mesh networks in remote areas in Mexico.

Another great talk of the day was FactHacks – RSA factorization in the real world by Daniel J. Bernstein, Nadia Heninger and Tanja Lange. Speakers gave a quick introduction to RSA cryptosystem and some facts about its factorization. Dan also showed several algorithms for factoring primes. There was practical example on how we can search for private keys on the Internet, complete missing parts of it and speakers generally advised to stop using 1024-bits RSA keys. I switched to ECDSA few months ago and you should do it as well. If your SSH server doesn’t support ECDSA (OpenSSH <5.7), then stick to 2048 bit or 4096 bit private key size. Video can be found here.

The final talk I visited was about Stylometry and Online Underground Markets, which was about the usage of stylometry to identify and gaining a better understanding of how do underground market work. Video should be available shortly.

29c3: Day One

29c3 is my first Congress I visited. It returned to Hamburg after 8 years of being held in Berlin and is located at the Conference Center Hamburg (CCH). First day’s talk were mostly non-technical ones.

Not my department by Jacob Appelbaum proposed that people should develop more software like Tor or similiar tools.

The second talk titled Enemies of the State: What Happens When Telling the Truth about Secret US Government Power Becomes a Crime was about breaking the US constitution by the US goverment and the rise of spying practices after 11th September 2001 covered as the fight against the terrorism. Speakers talked about ways how NSA wants to monitor people and store everything they can about them. They also suggested that people should care more about their privacy. After all, anonymity and privacy are the basic right of the every human being on the planet. This talk was given by ex-employees of NSA and US DoJ.

The last talk I visited was about the mitigation of timing side channels by Sebastian Schinzel. He proposed several new countermeasures and wrote set of tools, which should detect timing side channels vulnerabilities. More info can be found on his website.

After the last talk, I returned to the hostel and drunk mate with Juraj. Rest of the group joined us later and several polish hackers came as well. Discussions were mostly security-related.

DNSSEC Automatization With OpenDNSSEC

DNSSEC is an amazing piece of technology. DNSSEC data is digitally signed. The validating DNS server can check if the data it receives is identical to those on the authoritative DNS server. This helps us mitigate DNS cache poisoning.

I have signed my domain back in January 2012, signing my zone by hand. However, I forgot to resign my zone and the zone signature expired making it unresolvable. This made me wonder how could I automatize the whole process. I read about OpenDNSSEC. OpenDNSSEC is a wonderful piece of software, which automates the DNSSEC zone managements. OpenDNSSEC is used by several NICs around the world to manage their TLD zones. I didn’t try OpenDNSSEC at first as I found it to be too complex and not suitable for a single zone. I tried BIND 9.9 DNSSEC inline-signing, instead. It worked, but I was unhappy with it. Inline signing in BIND converts manually maintained zone into a dynamic one and signs it. All DNSSEC changes are made to the journal file format, which I dislike working with. As I wasn’t satisfied with this solution, I gave OpenDNSSEC a try.

I deployed OpenDNSSEC on my personal FreeBSD server. The configuration didn’t take more than 15 minutes thanks to the excellent official documentation. Once, I started the OpenDNSSEC service, it generated both KSK and ZSK for my zone. I published DS record via my registrar’s web management portal. I am using RSASHA256 cipher for both KSK and ZSK. I wanted to use ECDSA, but my registrar doesn’t support it yet. I hope this will change in the near future. Any DNSSEC-related operations are now made automatically without any manual intervertion. Whenever I add new DNS records into my zone, I just call ods-signer to resign my zone. The zone resigning will be scheduled and the new records will be published alongside with their signatures. I love automatic things!

My zone also contains SSHFP records with my SSH server fingerprints and I am now able to finally make use of OpenSSH client’s VerifyHostKeyDNS feature. I tried out IPSECKEY record. It worked with racoon. More on how to configure racoon to get IPSec peer’s certificate from the DNS can be found in racoon.conf(5). Lastly, I am very interested in DANE and TLSA resource record. I think that this will be the biggest feature of DNSSEC in the upcoming years because DANE makes commercial CAs obsolete. Why should I pay for certificates, when I can generate one and just publish it in the DNS? This is very nice feature, but it’s dependent on a wider DNSSEC adoption, which isn’t happening massively. I hope this will change pretty soon.

I wrote simple howto about running OpenDNSSEC with BIND on FreeBSD. I published it on my wiki and I hope it will help somebody. Feedback is welcome. I am also planning to package both SoftHSM and OpenDNSSEC for OpenIndiana, once I am done with other tasks I am working on. However, I do not expect this to happen during this month. More realistic date is December.

Passed RHCE Exam

I took and passed both Red Hat Certified System Administrator (RHCSA) and Red Hat Certified Engineer (RHCE) exams. The certification is valid for 3 years. After that you have to either retake RHCE exam or pass other higher level Red Hat certification in order to prolong certification validity. RHCSA exam took 2.5 hours and RHCE 2 hours. I was nearly done after 1 hour and used the remaining time for checking.

My tips for examination pass:

  • No STRESS. There is no need for it as topics covered in both exams are pretty basic and anyone with Linux systems administration experience will pass it.
  • Use GUI tools everytime possible. They save time, which you might need for checking other stuff.
  • Reboot the virtual machine at least once to check if every needed service will autostart.

I was told that results would be known in 3 US business days’ time. However, I received email with results in several hours after I took the exam and even examiner was suprised how fast the results arrived. The whole process was a very good experience.

OpenIndiana Involvement

I have been watching OpenSolaris development for a long time. As a technology fan, I really like all the cool features OpenSolaris offers: ZFS filesystem capabilities, service management with SMF, dynamic tracing and application debugging with DTrace, container-based virtualization with Solaris zones, network virtualization with Crossbow, safe system upgrades and downtime minimalization via Boot Environments and integratiom of all these features together makes it perfect operating system for a server. However, OpenSolaris is dead and it continues to live as OpenIndiana, which is a Illumos-based derivate. Illumos is an open source project providing Solaris and OpenSolaris kernel and driver source code. OpenIndiana aims to be a direct continuation of the OpenSolaris operating system.

As a fan and satisfied user of Zabbix monitoring software, I decided to port, package and maintain Zabbix monitoring suite for OpenIndiana. Zabbix agent already made it to the package repository. Zabbix server and possibly proxy will follow in upcoming months. I am also planning to maintain other software I am actively using e.g tor, php-fpm and DNS related software.

In January I have set up first Slovak OpenIndiana mirror, which is running at dlc-1.sk.openindiana.org and is reachable via both IPv4 and IPv6. Big thanks goes to my employer, Digmia, which provided hardware and network bandwidth.

In the future, I would like to get more involved in helping with OpenIndiana infrastructure tasks, maintaining some software and possibly OpenIndiana documentation project and helping with OpenIndiana handbook, which should be a complete user guide to the OpenIndiana operating system.

Easy FreeBSD Jail Management With ZFS and Pkgng

I have been using FreeBSD jails ever since I started using FreeBSD on my servers. Jail can be described as a chroot on steroids with own users, process namespace and lately own virtualized network stack.

I am using FreeBSD jails for mainly for securing and separating services. Each service runs in its own separated container on its own ZFS dataset. Each dataset is a ZFS clone from the snapshot of the template jail, which is adapted to have software I need in every jail installed (zsh, git, vim…) and configured. Running FreeBSD jails on separate ZFS datasets is very flexible because we can setup different per-jail mount options, use compression and snapshot each jail separately. Software updates are fine for small amount of jails, while updating software in hundreds of jails can be a scaring experience. This is past with pkgng. pkgng is a new project, which brings new binary package manager. It is very easy to build packages from ports, create and serving package repository and updating.

With this setup, I can deploy new jail under 2 minutes as all I have to do is a ZFS snapshot cloning and adding jail configuration into host /etc/rc.conf and thanks to ZFS cloning capabilties we are saving some disk space, too. I wrote a simple howto on my personal wiki. I have also setup package repository for my needs at pkg.xenol.eu. Feel free to use it.

Welcome

Welcome to my personal blog! I had an idea of creating personal blog for a very long time. However, I was always lazy to do so.

When I was looking for some blogging engine, I realized that none of the major ones suited me. So I started to experiment with various setups and then I discovered jekyll, which is static blog generator. I like the idea of having a blog completely stored in version control of my choice and served as static pages. Later I found Octopress, which can be described as “jekyll on steroids”. It is much easier to deploy, it integrates many 3rd party plugins for Twitter, Disquis comments, Google Analytics and other services. It uses HTML 5 template and interface is optimized for viewing on mobile phones. It has everything modern blogging platform should have.

So again welcome to my blog and happy reading.