Posts tagged ‘privacy’

The Most Dangerous Person in the World?

Executive Summary of John Goekler’s “The Most Dangerous Person in the World?”

“The things we fear most may be least likely to occur, which means the time, trauma and treasure we invest in them is a complete waste.

Security itself is an illusion. It is a perception that exists only between our ears. No army, insurance policy, hazmat team, video surveillance or explosive sniffer can protect us from our own immune system, a well-intentioned but clumsy surgeon, failing to look before crossing the street, an asteroid randomly hurtling through space or someone willing to die in order to do others harm.

In this sense, the only things that can truly make us more “secure” are not things. They are the courage to face whatever comes with dignity and intention, and the strong relationships that assure we will face the future together, and find comfort and meaning in doing so.

Imagine, then, what might happen if we simply quit listening to the scaremongers and those who profit from our paranoia. Imagine what the world could look like if we made a conscious choice to live out whatever time we have with courage, compassion, service and joy.

Terrorism is an act of the weak. But so is walking through the airport in our socks.

We can make better choices.”


Judge orders defendant to decrypt PGP-protected laptop

I believe in security and privacy on the intarwebz. I also use PGP for e-mail and whole disk encryption (more to protect data in the event my devices are lost or stolen than to “hide” anything). Because of that, this is kinda scary:

A federal judge has ordered a criminal defendant to decrypt his hard drive by typing in his PGP passphrase so prosecutors can view the unencrypted files, a ruling that raises serious concerns about self-incrimination in an electronic age. In an abrupt reversal, U.S. District Judge William Sessions in Vermont ruled that Sebastien Boucher, who a border guard claims had child porn on his Alienware laptop, does not have a Fifth Amendment right to keep the files encrypted. “Boucher is directed to provide an unencrypted version of the Z drive viewed by the ICE agent,” Sessions wrote in an opinion last week, referring to Homeland Security’s Immigration and Customs Enforcement bureau. Police claim to have viewed illegal images on the laptop at the border, but say they couldn’t access the Z: drive when they tried again nine days after Boucher was arrested.

There is, of course, the alternative: =)

SNMPv3 Configuration for ProCurve 5400s

I found myself recently setting up new HP ProCurve 5400 switches in production. Because I’m a network guy, I like to keep an eye on them (interface counters, traps, etc.), so setting up SNMPv3 was necessary. In addition, these devices come (“out of the box”) with a default read-write community string set to — you guessed it — “public”, open to anywhere. That had to be taken care of first.

Setting up SNMPv3:

First, let’s set some basic information so we can track this device amongst all the others:

SWITCH1# conf
SWITCH1(config)# snmp-server location S123
SWITCH1(config)# snmp-server contact jlgaddis

Next, we’ll enable SNMPv3 which, on these 5400s, also has the effect of creating an “initial” user:

SWITCH1(config)# snmpv3 enable
SNMPv3 Initialization process.
Creating user 'initial'
Authentication Protocol: MD5
Enter authentication password: ******
Privacy protocol is DES
Enter privacy password: ******

User 'initial' is created
Would you like to create a user that uses SHA? n

User creation is done.  SNMPv3 is now functional.
Would you like to restrict SNMPv1 and SNMPv2c messages to have read only
access (you can set this later by the command 'snmp restrict-access'): y

What happened here is that an SNMPv3 user (with username “initial”) was automatically created for us. We were prompted for the authentication password and privacy password (note that the protocols were automatically chosen). At this point, I just entered “123456” as I have plans to delete that user anyway. I went ahead and answered “y” to the last question, but I’ll be turning off SNMPv1 and SNMPv2 in a moment regardless.

Let’s configure our switch to only run SNMPv3 and go ahead and create a new SNMPv3 user as well:

SWITCH1(config)# snmpv3 only
SWITCH1(config)# snmpv3 restricted-access
SWITCH1(config)# snmpv3 user cacti auth sha AUTHPASS priv aes PRIVPASS

Here I was setting up a user so that my “graphing application” of choice, cacti, can communicate with the switch to retrieve interface statistics. Substitute your own authentication and privacy passwords above (“AUTHPASS” and “PRIVPASS”). You can change the protocols as well, if you’d like, to MD5 and DES, respectively. I prefer to go the “high security” route whenever possible, however, so that’s what I opted for here. Be sure your management software is compatible with these settings!

Now, we need to assign our “cacti” user to a group that’s appropriate for the level of access we want it to have. I won’t describe all of the ones available (see Chapter 14 of the Management and Configuration Guide for that), but the one I want (in this case) is “operatorauth”. This group provides for “operator” level access (a.k.a. “unprivileged”) and requires authentication. We’ll also specify “sec-model ver3” as an SNMPv3 access group should only use the ver3 security model:

SWITCH1(config)# snmpv3 group operatorauth user cacti sec-model ver3

Okay, almost there! Now we just need to allow SNMP access to the switch from the host that cacti is running on. In my case, it’s 172.30.144.17:

SWITCH1(config)# ip authorized-managers 172.30.144.17 255.255.255.255 access operator access-method snmp

You can change that, of course, to your own IP address (or whole networks — be sure to change the netmask, however).

At this point, we should be good to go. We could add the device into cacti’s web interface and within a few polling cycles we’ll start to see interface traffic statistics, such as this (from another device):

Finally, there’s one more step that might be necessary, depending upon your switch’s configuration. Because my switch has a loopback address assigned to it, that’s the IP address I want to tell cacti to poll. This method will still allow the switch to be reachable if one (or more) of its interfaces go down (there are multiple routes to it). By default, the ProCurve 5400 will respond to SNMP requests with a source IP address of the interface that the requests were received on, and NOT a source IP matching the original destination of the requests:

SWITCH1(config)# snmp-server response-source dst-ip-of-request

…and that’s it! We can now “speak” SNMPv3 (and ONLY SNMPv3) to our switch. In addition, only the “cacti” user can access it, and only from 172.30.144.17.

That’s a helluva lot better than the default read-write “public” community string that’s accessible from anywhere, huh!?

UPDATE: I forgot the part where I deleted the “initial” user that was created automatically for us. Here’s how that’s done:

SWITCH1(config)# no snmpv3 user initial

Easy enough!
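To check that a switch actually ended up in the state described in this walkthrough (SNMPv3 only, restricted access, no leftover “initial” user, no “public” community, SNMP limited to the cacti host), here is an added example audit script that is not part of the original post. It runs over SNMP-related lines copied out of a ProCurve running-config; the two sample configs are constructed from the commands above, not real switch output, and the exact wording of running-config lines is assumed.

```python
"""Audit ProCurve SNMP config lines against the hardening steps in the post."""
import re

# Constructed sample: factory state (read-write "public", no SNMPv3 at all).
DEFAULT_CONFIG = """
snmp-server community "public" unrestricted
"""

# Constructed sample: the end state of the walkthrough, "initial" user deleted.
HARDENED_CONFIG = """
snmp-server location S123
snmp-server contact jlgaddis
snmpv3 enable
snmpv3 only
snmpv3 restricted-access
snmpv3 user cacti auth sha priv aes
snmpv3 group operatorauth user cacti sec-model ver3
ip authorized-managers 172.30.144.17 255.255.255.255 access operator access-method snmp
snmp-server response-source dst-ip-of-request
"""


def audit_snmp(config):
    """Return a list of findings; an empty list means every check passed."""
    lines = [ln.strip().replace('"', "") for ln in config.splitlines() if ln.strip()]
    findings = []
    # v1/v2c must be switched off entirely ("snmpv3 only").
    if "snmpv3 only" not in lines:
        findings.append("snmpv3 only not set: SNMPv1/v2c requests are still answered")
    # Any community string (in particular the default "public") is a v1/v2c credential.
    for ln in lines:
        m = re.match(r"snmp-server community (\S+)", ln)
        if m:
            findings.append(f"v1/v2c community '{m.group(1)}' still configured")
    if "snmpv3 restricted-access" not in lines:
        findings.append("snmpv3 restricted-access not set")
    # Collect SNMPv3 users; protocols are only judged when the line states them.
    for ln in lines:
        m = re.match(r"snmpv3 user (\S+)(?: auth (\w+))?(?: priv (\w+))?", ln)
        if not m:
            continue
        name, auth, priv = m.group(1), m.group(2), m.group(3)
        if name == "initial":
            findings.append("auto-created user 'initial' still exists")
        if (auth and auth.lower() != "sha") or (priv and priv.lower() != "aes"):
            findings.append(f"user '{name}' uses {auth}/{priv}; prefer sha/aes")
    # SNMP should be reachable only from an explicitly authorized manager host.
    if not any(ln.startswith("ip authorized-managers") and
               re.search(r"access-method (snmp|all)", ln) for ln in lines):
        findings.append("no ip authorized-managers entry limits SNMP to a manager host")
    return findings
```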

mccain campaign laptop stolen

computer world is reporting that:

a laptop containing “strategic information” was stolen from a campaign field office of presidential contender John McCain.

The laptop contained “strategic information for the [Republican party] on how we are going to reach out to people in the Kansas City area.”

i guess they’ve never heard of pgp or whole disk encryption, in general, both of which i use and recommend.


mccain would spy on americans

stolen from bob plankers:

“if elected president, senator john mccain would reserve the right to run his own warrantless wiretapping program against americans…”

anybody who votes for this guy doesn’t deserve freedom, which will be good since there won’t be much left.

mccain: i’d spy on americans secretly, too

obama: review all of bush’s executive orders

barack obama was in casper, wyoming, today at a town hall meeting. obama condemned the bush administration’s habit of getting wiretaps without warrants and also its willingness to imprison people without actually charging them with anything.

“there’s nothing republican about that. everyone should be outraged…”

obama said that he would ask his attorney general “to review every executive order” that the bush administration implemented.

“we are going to overturn those that are unconstitutional. we are going to overturn those that are unnecessary.”

he was rewarded for that with a standing ovation.

at&t works in more places…

…like the nsa headquarters.

thanks to the billboard liberation front!

happy birthday abe lincoln

just wanted to wish a belated happy birthday to president abraham lincoln, who was quoted as saying:

“i see in the near future a crisis approaching that unnerves me, and causes me to tremble for the safety of our country. corporations have been enthroned, an era of corruption will follow, and the money power of the country will endeavor to prolong its reign by working upon the prejudices of the people, until wealth is aggregated in a few hands and the republic is destroyed.”

russ feingold on the new fisa legislation

thanks to bob plankers, “the lone sysadmin” for this:

here’s senator russ feingold talking very frankly about fisa and the issue of privacy (it’s short):

this guy gets it.

january 28th is data privacy day

according to the international association of privacy professionals, january 28th is “data privacy day”:

north america joins 27 european countries to celebrate data privacy day 2008. the day will feature several efforts to promote the importance of data protection, including a meeting at duke university among european and u.s. privacy experts.

the iapp is encouraging privacy professionals to contact local schools, colleges and universities and offer to give a presentation on or during the week of january 28 about privacy using the materials provided. our goal is to have privacy professionals all over the country giving presentations to students about the importance of privacy today. details about presentations that happen during the week of january 28 should be sent directly to kim macneill at kim@privacyassocation.org.

as john bambenek mentioned on the sans handler’s diary, however:

“the important note about this effort is that it focuses its attention on the weakest area of privacy protection, the individual themselves. if people do not protect their own information (for instance, by putting their entire lives in their facebook profile) there is little other groups can do to prevent the misuse of that information.”

i just wish i had heard about this earlier. i work in higher education (college students are the most prominent facebook users) and could have done some presentations there. my hometown, an hour away, also has its share of parents who i’m sure would have benefitted from something like this. alas, maybe next year.

if you’re interested in seeing how much personal information i have on my facebook profile, add me as a friend!