Orange Matter: Automating the Automators

Orange Matter Logo

I’ve been blogging for Solarwinds recently, posting on Orange Matter, with a cross-post to the Thwack Geek Speak forum. APIs are critical to operating infrastructure programmatically, but ultimately we need to add one or more layers of API-based middleware to make the solution usable and flexible.

This post appeared on Orange Matter as “Automating The Automators“, but I’m also linking to the version posted on Thwack, mainly because that format allows me to use more images and be slightly more irreverent; you don’t want to miss the great artwork on this one.

I’d love it if you were to take a moment to visit and read, and maybe even comment!

If you liked this post, please do click through to the source at Orange Matter: Automating the Automators and give me a share/like. Thank you!

IDG Contributor Network: Managed WAN and the cloud-native SD-WAN

In recent years, a significant number of organizations have transformed their wide area network (WAN). Many of these organizations have some kind of cloud-presence across on-premise data centers and remote site locations.The vast majority of organizations that I have consulted with have over 10 locations. And it is common to have headquarters in both the US and Europe, along with remote site locations spanning North America, Europe, and Asia.A WAN transformation project requires this diversity to be taken into consideration when choosing the best SD-WAN vendor to satisfy both; networking and security requirements. Fundamentally, SD-WAN is not just about physical connectivity, there are many more related aspects.To read this article in full, please click here

Your Voice Matters: The World Can Learn from Canada’s Inclusive Solutions to Make Citizens Safer Online

Andrew Sullivan presenting at the Canadian IoT event

Canada has shown great leadership in its innovative approach to secure our connected future by drawing on the diverse strengths, backgrounds, and perspectives our country has to offer.

While the wrap up of a collaborative effort to produce policy recommendations to keep us safe online is definitely worth celebrating, the real work for Canadians has just begun.

The Internet has profoundly changed the way we do things, expanding opportunity as it shrinks distances between people, cultures, and ideas. With connected devices hitting the shelves of major Canadian retailers like never before, the Internet of Things (IoT) is adding countless facets to a new era of human potential.

It has also brought new and complex challenges in areas such as privacy and security.

Many of us worry about our security when we log on. Despite recent calls by governments around the world to create regulation to keep citizens and information safe online, it is critical to consider that not one person or government can solve these issues alone.

If there’s anything the world of Internet governance has shown us, it’s that we get better answers to tough questions when a range of experts and interests can meaningfully take part in the Continue reading

Almost One Million Vulnerable to BlueKeep Vuln (CVE-2019-0708)

Microsoft announced a vulnerability in it's "Remote Desktop" product that can lead to robust, wormable exploits. I scanned the Internet to assess the danger. I find nearly 1-million devices on the public Internet that are vulnerable to the bug. That means when the worm hits, it'll likely compromise those million devices. This will likely lead to an event as damaging as WannaCry and notPetya from 2017 -- potentially worse, as hackers have since honed their skills exploiting these things for ransomware and other nastiness.

To scan the Internet, I started with masscan, my Internet-scale port scanner, looking for port 3389, the one used by Remote Desktop. This takes a couple hours, and lists all the devices running Remote Desktop -- in theory.

This returned 7,629,102 results (over 7-million). However, there is a lot of junk out there that'll respond on this port. Only about half are actually Remote Desktop.

Masscan only finds the open ports, but is not complex enough to check for the vulnerability. Remote Desktop is a complicated protocol. A project was posted that could connect to an address and test it, to see if it was patched or vulnerable. I took that project and optimized it a Continue reading

CheriABI: enforcing valid pointer provenance and minimizing pointer privilege in the POSIX C run-time environment

CheriABI: enforcing valid pointer provenance and minimizing pointer privilege in the POSIX C run-time environment Davis et al., ASPLOS’19

Last week we saw the benefits of rethinking memory and pointer models at the hardware level when it came to object storage and compression (Zippads). CHERI also rethinks the way that pointers and memory work, but the goal here is memory protection. The scope of the work stands out as particularly impressive:

We have adapted a complete C, C++, and assembly-language software stack, including the open source FreeBSD OS (nearly 800 UNIX programs and more than 200 libraries including OpenSSH, OpenSSL, and bsnmpd) and PostgreSQL database, to employ ubiquitous capability-based pointer and virtual-address protection.

The protections are hardware implemented and cannot be forged in software. The process model, user-kernel interactions, dynamic linking, and memory management concerns are all in scope, and the protection spans the OS/DBMS boundary.

The basic question here is whether it is practical to support a large-scale C-language software stack with strong pointer-based protection… with only modest changes to existing C code-bases and with reasonable performance cost. We answer this question affirmatively.

That ‘reasonable’ performance cost is a 6.8% slowdown, significantly better than e. Continue reading

Huawei flap should prompt supply chain scrutiny

Aggressive efforts to keep China-based telecom vendor Huawei out of the U.S. market by the Trump administration have thrust a slow-burning debate in the networking space about the security implications of using Chinese-made technology into the limelight over the last two weeks, yet the real-world implications for business users are less than apocalyptic.The basics of the administration's case against Huawei are simple. The company’s close ties to the Chinese government, coupled with China’s history of industrial and political espionage against the U.S., means that its products can’t be trusted not to slip important information back to Beijing. The current crisis is only two weeks old, but  these concerns about Huawei and other China-based tech vendors date back years.To read this article in full, please click here

A lesson in journalism vs. cybersecurity

A recent NYTimes article blaming the NSA for a ransomware attack on Baltimore is typical bad journalism. It's an op-ed masquerading as a news article. It cites many to support the conclusion the NSA is to be blamed, but only a single quote, from the NSA director, from the opposing side. Yet many experts oppose this conclusion, such as @dave_maynor, @beauwoods, @daveaitel, @riskybusiness, @shpantzer, @todb, @hrbrmstr , ... It's not as if these people are hard to find, it's that the story's authors didn't look.


The main reason experts disagree is that the NSA's Eternalblue isn't actually responsible for most ransomware infections. It's almost never used to start the initial infection -- that's almost always phishing or website vulns. Once inside, it's almost never used to spread laterally -- that's almost always done with windows networking and stolen credentials. Yes, ransomware increasingly includes Eternalblue as part of their arsenal of attacks, but this doesn't mean Eternalblue is responsible for ransomware.

The NYTimes story takes extraordinary effort to jump around this fact, deliberately misleading the reader to conflate one with the other. A good example is this paragraph:


That link is a warning from last July about the "Emotet" ransomware and makes Continue reading

The Week in Internet News: Broadband Goes to Space

The final countdown: After two delays, SpaceX has launched a rocket containing 60 satellites designed to deliver broadband to Earth-bound people, Marketwatch reports. SpaceX plans to eventually deploy up to 12,000 satellites in an effort to provide broadband service across the globe. SpaceX sees the satellite network as a way to fund future Mars missions.

Banning rural broadband: Moves by U.S. President Donald Trump’s administration to ban products from Chinese telecom hardware company Huawei may hurt rural broadband access, Phys.org says. Many small broadband and mobile providers serving rural areas use inexpensive telecom equipment from Huawei and other Chinese companies.

The (un)connected tractor: Meanwhile, the U.S. is far from the only country facing challenges with rural broadband. Farmers in Brazil often lack access, Reuters reports. Even as many pieces of new farm equipment require Internet access, less than 10 percent of Brazilian farms are connected, according to one estimate.

Dividing line: The Internet is dividing between a Chinese and a Western view of how it should operate, says ABC.net.au. And Chinese companies, aided by their government, are spreading their technologies and philosophies across the globe, the story suggests.

Expensive bugs: An 11-year-old laptop loaded with Continue reading

Pragmatic Debian packaging (2019)

Notice

This guide is an updated version of a previous edition. If you need to target distributions older than Debian Stretch and Ubuntu Bionic, please have a look at the older version instead.

While the creation of Debian packages is abundantly documented, most tutorials are targeted to packages implementing the Debian policy. Moreover, Debian packaging has a reputation of being unnecessarily difficult1 and many people prefer to use less constrained tools2 like fpm or CheckInstall.

However, building Debian packages with the official tools can become straightforward if you bend some rules:

  1. No source package will be generated. Packages will be built directly from a checkout of a VCS repository.

  2. Additional dependencies can be downloaded during build. Packaging individually each dependency is a painstaking work, notably when you have to deal with some fast-paced ecosystems like Java, Javascript and Go.

  3. The produced packages may bundle dependencies. This is likely to raise some concerns about security and long-term maintenance, but this is a common trade-off in many ecosystems, notably Java, Javascript and Go.

The BGP Monitoring Protocol (BMP)

If you run connections to the ‘net at any scale, even if you are an “enterprise” (still a jinxed term, IMHO), you will quickly find it would be very useful to have a time series record of the changes in BGP at your edge. Even if you are an “enterprise,” knowing what changes have taken place in the routes your providers have advertised to you can make a big difference in tracking down an application performance issue, or knowing just when a particular service went off line. Getting this kind of information, however, can be difficult.

BGP is often overloaded for use in data center fabrics, as well (though I look forward to the day when the link state alternatives to this are available, so we can stop using BGP this way). Getting a time series view of BGP updates in a fabric is often crucial to understanding how the fabric converges, and how routing convergence events correlate to application issues.

One solution is to set up the BGP Monitoring Protocol (BMP—an abbreviation within an abbreviation, in the finest engineering tradition).

BMP is described in RFC7854 as a protocol intended to “provide a convenient interface for obtaining route views.” Continue reading

Security group support in OVN external networks

In this post I will introduce and showcase how security groups can be used to enable certain scenarios.

Security groups allow fine-grained access control to - and from - the oVirt VMs attached to external OVN networks.

The Networking API v2 defines security groups as a white list of rules - the user specifies in it which traffic is allowed. That means, that when the rule list is empty, neither incoming nor outgoing traffic is allowed (from the VMs perspective).

A demo recording of the security group feature can be found below.

here.

Provided tools

This repo adds tools, and information on how to use them, to help manage the security groups in oVirt, since currently there is no supported mechanism to provision security groups, other than the REST API, and ManageIQ. ManageIQ also doesn't fully support security groups, since it lacks a way to attach security groups to logical ports.

Demo scenarios

In the following links you can also find playbooks that can be built upon to reach different types of scenarios.

A deeper dive into Linux permissions

Sometimes you see more than just the ordinary r, w, x and - designations when looking at file permissions on Linux. Instead of rwx for the owner, group and other fields in the permissions string, you might see an s or t, as in this example:drwxrwsrwt One way to get a little more clarity on this is to look at the permissions with the stat command. The fourth line of stat’s output displays the file permissions both in octal and string format:$ stat /var/mail File: /var/mail Size: 4096 Blocks: 8 IO Block: 4096 directory Device: 801h/2049d Inode: 1048833 Links: 2 Access: (3777/drwxrwsrwt) Uid: ( 0/ root) Gid: ( 8/ mail) Access: 2019-05-21 19:23:15.769746004 -0400 Modify: 2019-05-21 19:03:48.226656344 -0400 Change: 2019-05-21 19:03:48.226656344 -0400 Birth: - This output reminds us that there are more than nine bits assigned to file permissions. In fact, there are 12. And those extra three bits provide a way to assign permissions beyond the usual read, write and execute — 3777 (binary 011111111111), for example, indicates that two extra settings are in use.To read this article in full, please click here

1 1,238 1,239 1,240 1,241 1,242 3,855