Archive for June, 2009

KDCs

Sunday, June 28th, 2009

I’ve been intending to set up a KDC here at my house to do kerberized SSH and to see how involved setting up a KDC actually is. I’m fairly familiar with the technology at work, so I figured it wouldn’t be a big deal; and I was right.

Aside from a blond moment I had while setting a static IP on my KDC VM, everything went smoothly. There was a kdc.conf file that I’ve never seen before, but configuring that was a snap. I added principals no problem, keytabs, ACLs, krb5.conf parameters, etc., no problem, and now I have kerberized services at my house; sweet.

Next I’m going to add my realm to my desktop’s krb5.conf file at work and see how it goes kinit’ing from there. If that goes smoothly, I’ll be able to do away with passwords and certificates. Sweet!
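As an added illustration (not the configuration from the original post), this is roughly what a client krb5.conf looks like once a second realm is added so that kinit can get tickets from a home KDC while the work realm stays the default; the realm names and hostnames are placeholders, and the KDC itself needs no change for this.

```ini
; Client-side krb5.conf with two realms (placeholder names throughout).
[libdefaults]
    default_realm = WORK.EXAMPLE
    ; Take KDC addresses from this file, not from DNS SRV/TXT records,
    ; so a spoofed DNS answer cannot redirect the client to another KDC.
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 10h
    ; Needed if the SSH session should carry the ticket to the remote host.
    forwardable = true

[realms]
    WORK.EXAMPLE = {
        kdc = kdc.work.example
        admin_server = kdc.work.example
    }
    ; The home realm added for the experiment described above.
    HOME.EXAMPLE = {
        kdc = kdc.home.example
        admin_server = kdc.home.example
    }

[domain_realm]
    ; Maps hostnames to realms so ssh to a home box picks the right realm.
    .work.example = WORK.EXAMPLE
    work.example = WORK.EXAMPLE
    .home.example = HOME.EXAMPLE
    home.example = HOME.EXAMPLE
```

With this in place, a ticket for the non-default realm is requested with the full principal, e.g. kinit user@HOME.EXAMPLE, and the client must be able to reach the home KDC on port 88.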

How it’s done

Friday, June 26th, 2009

Man, frameworks make life so much easier.

In my daily perusing of techno-news, I read about Blueprint again and decided to give it a chance. Blueprint is a CSS framework. Ok, so that doesn’t strike me as anything that’s particularly important. I have mixed opinions about it after using it. I mean, yeah, it makes some things easy. Other things don’t exist in it that I thought would, and then it just has some things that I don’t particularly like, but ok whatever.

What I do like about frameworks in general is how they take care of that cross-browser stuff, and hide/fix nuances between versions of languages and applications. It’s so refreshing to not have to worry about whether it will work in Firefox and IE and Opera.

So I guess that’s what I ultimately like about Blueprint; it standardizes things across browsers.

On backwards

Friday, June 19th, 2009

So the other day I was picking apart my motorcycle because Joe explained this fuse block thing I found in a touring magazine. I took off the seat to see how the battery was situated and while there I noticed my saddle bags, which have a sort of metal ring locking mechanism on them, had rubbed up against the rear fender one too many times.

I thought back to when I was buying these and one of the “warnings”, if you will, was that you can rub the paint off the toss-over ones because they sit on the fender.

So I wasn’t very surprised, and it’s not a big spot (two or three points about the size of a pin head) but then it occurred to me that maybe I didn’t install them right either.

See, the yoke has a strap that I thought was supposed to go under the yoke and across the width of the fender. That’s when I noticed these holes cut into the yoke, and then it occurred to me that if I wiggle this harness up through these holes then, wouldn’t you know, no more metal rubbing on the fender; whoops.

So I did the adjustments and now the harness sits on top of the leather yoke, runs under the seat across the width of the fender, and no longer rubs against the fender. Well, live and learn I guess.

KeePass on Ubuntu

Thursday, June 11th, 2009

I was looking to move off of Gorilla and to something else, and I really like the look of KeePass even though I have never used it. It’s a Windows app (or so I thought) though and that kinda bummed me out. I thought I’d try to run it in Wine but meh, too much effort is involved in Wine.

Then I thought about just laying down and running it in a virtual machine, but I didn’t like that approach either.

Well, it turns out the KeePass folks wrote the app in C# and on their website they note that it should run happily in Mono. Cool! Then I read that they suggest Mono 2.2 or greater. Bummer, because Ubuntu is stuck on 2.0 for the foreseeable future. I decided to give it a try anyway and it worked like a charm; awesome!

What you need to do is install a couple of packages:

  • mono-devel
  • libmono-winforms2.0-cil

Then just go grab the portable version of KeePass from their site, extract it, and do:

  • mono KeePass.exe

Surprisingly, it works. Way cool.

Integrated CompSec

Monday, June 8th, 2009

On the heels of my post the other day where I questioned my place in the workforce, I had an epiphany-like set of thoughts tonight.

Joe and I talked about compsec in our group and organization-wide quite a bit the last time we were face to face. I told him I was having trouble knowing what our mission was for our organization. I got the impression that we always delegated responsibility. Even when it seemed like my group should be spearheading a particular project or rollout of something, instead we delegated it.

So I was in an odd spot. I began asking “what is it we really _do_ around here if all we ever do is delegate?” I began to feel like my work was pointless. I’d come in every day, lots of stuff would happen, but I would just delegate it all, and then I would go home. How do you derive meaning out of a job where you essentially function as a middle manager?

Joe made it more clear to me when he explained that due to the way that the organization is structured, our mission is to function as the head-node in a system of integrated computer security. Integrated is the key word and it’s what got me thinking tonight.

We have a vast number of homegrown applications at work. As part of the integrated security model, the focus is to push security down to the desktop level and have a focus applied at many levels: the sysadmin level, line management, division head, and organization-wide.

To really accomplish this goal, though, requires that the tools that we use in our day-to-day work be available at all those levels. So if Bob the user needs data on X, and we have that data, then given the appropriate authorization, Bob can get his data. Bob’s manager should be able to get data relevant to the work functions he needs to do also, and on and on.

So to accomplish all this, it really falls back on us in computer security to place a heavy focus on making our systems available.

I’m a big proponent of integration. I like tying systems together so that they can do bigger and better things. I have no tolerance for those that whine that “it’s too hard” to provide a programmatic interface to anything.

So I make it a primary requirement that all the software we buy or make, and all the appliances or other crap we purchase, have a strong, mature, well documented API.

I think it is also critical that we provide these APIs in as many formats as we can reasonably provide. Web service formats like REST, XML-RPC, and SOAP are easy to provide all from one spot… if you use the right framework. I love web services. Anything that can talk HTTP can pretty much make use of them; they’re fantastic.

Having said all this, I know how frustrating it can be when you’re told that “no, there’s no API” for any particular application. Many that we use in our own group do not have them because those applications were not designed with an API in mind; a decision that I consider to be absolutely unacceptable.

But Tim, it’s hard. But Tim, nobody will ever use these data sets. But Tim, we just can’t control access to all of these things.

Wrong, wrong and wrong.

There is little extra work required to provide an API to anything given that you are using the right tools. The second argument is just a flat out lie. Anyone with half a brain knows that, given the opportunities, people will come up with some pretty creative ideas. So exposing those opportunities in a controlled way is vital in helping to get the creative juices flowing. And finally, access control is a problem that has been solved over and over and over again. Just pick a solution.

So I think there is a strong argument that can be made for providing interfaces to our systems in particular because of our focus on integrated computer security management. I also think that it should be a requirement that these interfaces are exposed in as many ways as can be reasonably managed because, in the end, the user interface is a highly subjective beast. If you can make the UI essentially just a mashup of API calls, you make everything much more flexible.

What do I like?

Saturday, June 6th, 2009

My boss and I had a heart-to-heart the other day concerning my response to someone about MD5 hashing webpages. I had based my response solely off the nature of dynamic webpages without taking into consideration the nature of many of the webpages on site; namely static content.

After a really heated discussion which left me silent with anger, I continued on through the day, wrapped up and went home.

He had asked me what I like, or want, to do at work. The question partially stemmed from the fact that we may be getting two new people in our group. My answer was rather lame though: “whatever needs to get done”.

I don’t answer questions like this well. Other forms of the question are:

  • what do you like to do for fun?
  • what are your goals in life?
  • what do you want to do when you retire?
  • what do you want to do for a living?
  • etc, etc, etc

I truly do not know. It’s pathetic on a grand scale, I realize that, but my answer to each of those right now really is “nothing”. It makes for a pretty empty sounding life, doesn’t it?

I know he reads this blog, so this is probably not the place to say it, but I kinda feel like the proverbial “new” big brother in a family that is about to have a new baby. With the new employees, what place do I have in the group with a lame response like “I’ll do what needs to be done”? Sure, I guess that’s valuable to the organization, but where is the ambition?

Maybe I’m just burned out; job, life, and everything. But if I were going to fix it, the first question I’d probably be asked is, “ok, what do you want to do instead?” Answer: I don’t know.

Vacation doesn’t fix it, toys don’t fix it, friends don’t fix it, and family doesn’t fix it. So how would you recommend I fix it?

So I thought a bit more about things at work that keep me occupied or bring at least marginal enjoyment to the day to day stuff.

  • I like new stuff; new technology, new software, new programming languages, etc
  • I like building things; tools for the group and for the unwashed masses
  • I like making information out of data

This will probably get me fired, but I don’t have the same level of interest in pentesting, hacking, vulnerability assessment, etc, as my boss does.

Security and I have an odd relationship. I don’t like being told “no” and I don’t like having to follow policy. I think that if you get offended by a person’s words, then you’d better grow up; which is why I don’t usually hesitate in calling someone a brainless idiot. Arrogance? Yeah, maybe. The difference here though is that when I act that way, I do it based upon my understanding of the topic. And I’ll accept being wrong; that’s not arrogance.

Maybe I have a fundamental disagreement with computer security. Or maybe I’m sick and tired of the FUD, lies, and complacency that the industry is built on. I like the technology that the industry has come up with though. I think packet capture, deep packet inspection, various scanner technologies, network detection technologies, etc., is all hella cool. I like reading about exploits and how they work. I don’t really care about using them (as my boss would); I’m more interested in the “oh, so that’s how it works?” view of the exploit.

I figure I’m still young though, and maybe compsec, in the grand scheme of things, isn’t my calling in life. Look at xorl, he/she has no interest in computer security, but he/she runs an awesome blog about dissecting software vulnerabilities.

So maybe, ultimately, my interests lie in technology; which field I apply it in is irrelevant. I just happen to be applying it in the computer security realm at the moment.

Desktop upgrade

Friday, June 5th, 2009

I’ve moved off of my old SLF 4.3 box to something more updated; finally. A new version of nessquik is out that fixes an issue with mysqli and off-port MySQL servers.

Rowdy

Tuesday, June 2nd, 2009

Not much to say, just links.

I’m an enabler

Monday, June 1st, 2009

Totally. I feed the rabbits in my backyard the produce that goes bad in my fridge. Sorry neighbors.