Thursday, December 01, 2016

Chrome and Google DNS

You should lock down your DNS. No machine on your network should be talking to an upstream resolver directly. Set up a local DNS relay (a caching forwarder), point every host at it, and let that one machine relay upstream to the ISP's resolvers. Then enforce it at the edge: an egress rule that allows port 53 out only from the relay, drops it from everything else, and logs the drops. The log is what makes the next problem visible.

That said, you may find one day that a box is calling out on port 53 to 8.8.8.8 or 8.8.4.4. A quick ARIN lookup on those addresses shows they belong to Google (Google Public DNS). Turns out that if you are running Chrome, you will see these requests appear in your logs.

Chrome calls out to 8.8.8.8 and 8.8.4.4 to check "internet" health. If it can't get a connection to those addresses, it boldly proclaims that there is no internet connection. Whatever the sender, a query that goes straight to 8.8.8.8 never passes through your relay, so it is not cached, filtered or logged there; the egress rule and its log are what catch it.
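Here is how the relay-only rule plays out in practice, as an added example that is not part of the original post: a small Python check over netfilter LOG lines, the kind a "LOG --log-prefix" egress rule for port 53 writes to the kernel log. It flags any host other than the relay sending DNS out, and the relay itself talking to anything but the ISP resolvers. The relay address (10.0.0.53), the ISP resolver (203.0.113.1), the log prefix and the log lines themselves are all made up for the example; it also covers port 853 (DNS over TLS), which the post does not mention, since a host can bypass the relay that way too.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log (not real traffic): kernel LOG lines as written by an egress
# rule such as   iptables -A FORWARD -p udp --dport 53 -j LOG --log-prefix "DNS-OUT: "
# Only the relay (10.0.0.53) is supposed to send DNS out, and only to the ISP resolver.
SAMPLE_LOG = """\
Dec  1 08:12:03 gw kernel: DNS-OUT: IN=br0 OUT=eth0 SRC=10.0.0.53 DST=203.0.113.1 PROTO=UDP SPT=40123 DPT=53 LEN=45
Dec  1 08:12:04 gw kernel: DNS-OUT: IN=br0 OUT=eth0 SRC=10.0.0.23 DST=8.8.8.8 PROTO=UDP SPT=51337 DPT=53 LEN=44
Dec  1 08:12:04 gw kernel: DNS-OUT: IN=br0 OUT=eth0 SRC=10.0.0.23 DST=8.8.4.4 PROTO=UDP SPT=51338 DPT=53 LEN=44
Dec  1 08:12:05 gw kernel: DNS-OUT: IN=br0 OUT=eth0 SRC=10.0.0.23 DST=93.184.216.34 PROTO=TCP SPT=51340 DPT=443 LEN=40
Dec  1 08:12:06 gw kernel: DNS-OUT: IN=br0 OUT=eth0 SRC=10.0.0.77 DST=1.1.1.1 PROTO=TCP SPT=51341 DPT=853 LEN=40
"""

# Policy (assumed addresses for the example).
RELAY = ipaddress.ip_address("10.0.0.53")          # the local forwarder every host should use
UPSTREAMS = {ipaddress.ip_address("203.0.113.1")}   # the ISP resolver(s) the relay may talk to
DNS_PORTS = {53, 853}                               # plain DNS and DNS over TLS

_KV = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_netfilter_line(line):
    """Return the KEY=VALUE fields of a netfilter LOG line as a dict of strings."""
    return dict(_KV.findall(line))


def dns_violations(log_text, relay=RELAY, upstreams=UPSTREAMS, ports=DNS_PORTS):
    """List (src, dst, dport, reason) for every logged DNS flow that breaks the policy:
    only the relay may send DNS out, and the relay may only send it to the upstreams."""
    findings = []
    for line in log_text.splitlines():
        fields = parse_netfilter_line(line)
        if not all(k in fields for k in ("SRC", "DST", "DPT")):
            continue                                # not a connection log line
        dport = int(fields["DPT"])
        if dport not in ports:
            continue                                # not DNS, not this check's concern
        src = ipaddress.ip_address(fields["SRC"])
        dst = ipaddress.ip_address(fields["DST"])
        if src != relay:
            findings.append((str(src), str(dst), dport, "host bypassing the relay"))
        elif dst not in upstreams:
            findings.append((str(src), str(dst), dport, "relay using an unexpected upstream"))
    return findings


def offenders(findings):
    """Violations per source host, so the chatty box stands out."""
    return Counter(src for src, _dst, _dport, _reason in findings)


if __name__ == "__main__":
    found = dns_violations(SAMPLE_LOG)
    for src, dst, dport, reason in found:
        print(f"{src} -> {dst}:{dport}  {reason}")
    print(dict(offenders(found)))
```

Feed it the real kernel log (or the output of a journalctl -k pipe) and the per-host counter tells you which machine to go look at; the line that decides whether a flow is a violation is the only part you need to adapt if your relay is also allowed to use a secondary upstream.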


Tuesday, November 29, 2016

401K and IRA

You asked why I don't like to invest money into 401K and IRA funds. Well, I do. The problem with a 401K is in the government management and oversight. The small business I own is designed for heavy weight at the top of the salary scale as it's a Subchapter S corporation. That means all of the profit passes through to the principal shareholder at the end of the fiscal year. That pushes my income to very high levels sometimes, much higher than the employees. As a result, the audit on the 401K causes a reimbursement of funds to make it "fair."

Every year I get a fat check back out of the 401K that I don't want. So what's the point of investing money into a retirement fund that refuses to grow past an arbitrary limit? It's a waste for me, and so I don't put excess money into it.

The IRA is another fun vehicle. There are limits on how much you can put into that type of fund. Then you have to hope that it grows. I have a Legg-Mason IRA and for about 5 years it did nothing. It lost some money and then finally started to get some life. I'd rather not put money into an idle account like that when I have more fun things to do with it.

The best investment for your money is yourself. I like to use my money to invest in curious business plans, new pursuits with technology, and keeping myself from getting bored. I've spent a good amount of money over the years creating mobile games, experimental web applications, and new business ideas. Some of those ideas were met with government resistance and so I am burned out on them. The mobile games were expensive, but fun. There's very little opportunity in the mobile space. You have better luck playing blackjack with your money.

Instead of taking more money from my clients, I choose to throttle the money machine and slow down the burn. Helping my clients to maintain their cash flow means there is longer-term cash flow for my business too. Sure, I could take more money and put that into a 401K or IRA and get that reimbursement check every year. That doesn't really help me though. We all need long term cash flow opportunities, and we can get those only by taking what we need instead of taking all that we can get.

I hope that answers your question da, tineh, john, lucy ...

Monday, November 07, 2016

Robot Me

Some time ago, feels like years, my cousin's daughter proclaimed that she wanted to be a robot. She was 6 at the time, I think. Samurai Lucy probably knows the exact date of this conversation I had with my cousin, as it was on Facebook.

I told my cousin that her daughter was the greatest robot ever built. Indeed we are. Our soft bodies are cushions for the hard endoskeleton that keeps our body able to be rigid. We have control circuitry distributed throughout our bodies with a central computer. That central computer is controlled by an expert system that knows how to integrate signals and train several connected neural networks.

We are the greatest robot ever built because we are self-locomotive. We create our own energy, don't need to get an external battery to replace old ones. Our computer is capable of work using single electrons and their quantum spin. Our ligature learns how to adapt to its environment, like those incredible Boston Dynamics [1] robots.

We are the greatest robot ever built because we are self propagating. This is an important distinction because it supports panspermia [2]. From a tiny sperm with half of the host DNA and a gigantic egg with a whole bunch of DNA, their combination as a single cell turns into a trillion cells capable of writing this blog.

Imagine those BD guys making those robots. One day they think, hey, how small can we make these robots. So they make lots of tiny robots, and even more tiny robots, and then nanoscale robots [3]. Now how do we make more of these monsters? That's tough, because we're manufacturing stuff, and that makes for waste and inefficiency. So those BD guys get to thinking again. How do we get this robot to make itself.

So they make two pieces from a host. One that is the real host, the egg cell, with programming and capability to divide and make more of itself. Then the other is the "randomizer" code that is used to diversify the robots. Diversity is the mission profile of science, so these robots were made for scientific exploration.

Where do we get the raw resources to make the robot, though? That's dirt. From dirt we get "food" which is just fancy dirt. Put that into a chemical reactor and pull off some carbon, oxygen, water, and electrons, and now you have a fuel cell. To clean up the chem byproduct, we can use bacteria (specialized nano robots) to convert even more complex molecular products.

Now we have a fully operational robot that can adapt to its environment, propagate itself, and create its own energy. It can also heal itself when it is damaged, and in some cases, can even grow new support "organs." [4]

Imagine you are stuck on a planet too, just like us. You create robotic satellites that explore the galaxy, and you send some robots out there like our Curiosity rover. They break and the mission is over. That really stinks. So you ask these BD guys to create you a dynamic robot that will not break so easily. You can't send it in a long space mission because it needs energy, so you keep it in a simple form, the two part DNA package (sperm and egg) and send it out into space. [5]

The real question is how do you communicate with your space-faring robot? Do you program quantum entanglement so the robot's brain entangles with the origin system? Until we find a way to detect quantum entangled communication we will never know for sure. If it is entanglement, then we should be able to detect it across both space and time.

[1] Boston Dynamics
[2] Panspermia
[3] Nanorobotics
[4] Organ Repair and Regeneration
[5] Daily Mail - Titanium Germ Ball and Huffington Post - Alien Seed

Wednesday, October 26, 2016

Splunk To root or Not To root

Today I added some add-ons to my Splunk instance and did some sysadmin work on the server. After a restart I noticed that splunkd was not running. Ah well, that's typical. Starting the Splunk daemon is easy enough:

Start Splunk - from the people who made splunk.

There are two ways to start Splunk, as you can read above. One is to run the "splunk start" command from your root shell after logging in, which runs Splunk as root. The other is the nifty systemctl service unit, which daemonizes the process under whatever account the unit names (the unit Splunk generates with "splunk enable boot-start -user splunk" runs it as the "splunk" user).

Prior to today I had the same problem and ran the splunk process as root. This was foolish. If you have once started Splunk as root and then successfully started it as the "splunk" user, you will find that your Splunk login page is empty: you get the background picture, but no input controls. The root-run instance left files behind that the splunk user can no longer open.

Damn. Google that, nada. Damn again.

Today I learned a lot more about SELinux, permissions and labels, so I investigated the web_service log (/opt/splunk/var/log/splunk/web_service.log) and found:

IOError: [Errno 13] Permission denied: '/opt/splunk/var/run/splunk/session-d07528932b4314e72a9f5bccd0f85fb27e8f30bd.lock'

Double damn. So I ran "ls -lZ" on the var/run/splunk directory to see what is going on, and found the following.

drwx------. splunk splunk unconfined_u:object_r:usr_t:s0   scheduler
-rw-------. root   root   unconfined_u:object_r:usr_t:s0   session-d07528932b4314e72a9f5bccd0f85fb27e8f30bd
-rw-------. root   root   unconfined_u:object_r:usr_t:s0   session-d07528932b4314e72a9f5bccd0f85fb27e8f30bd.lock
-rw-r-----. splunk splunk system_u:object_r:usr_t:s0       splunkd.pid

There it is, my foolishness. The session and lock files are owned by root, not splunk, and they are mode 0600, so the splunk user gets "Permission denied" the moment splunkweb tries to open them. Note that the SELinux label (usr_t) is the same on every entry, so this is plain discretionary permissions, not a policy denial. Do a quick "chown -R splunk:splunk /opt/splunk/var/run/splunk" and reload your Splunk login page. While you are at it, check the rest of the tree for anything else the root-run instance wrote ("find /opt/splunk ! -user splunk" lists it); logs under var/log and index data under var/lib are the usual victims.

You should have the login now.

I have found the Splunk systemctl service to be very, very (very) temperamental. Sometimes it works, sometimes not. I saw someone on my Google quest suggesting a "su -c blah blah" on the service commands, but that's the wrong answer. Just keep trying to get it to work; eventually something magically gives in and cooperates. I still don't know what that something is.

Don't run Splunk as root. Don't run any web-facing thing as root. As a rule, don't run anything as root. You can change the service unit files in /etc/systemd/system (the User= and Group= lines decide which account the daemon runs as), but remember to run "systemctl daemon-reload" afterwards, otherwise you will get the whiny message about the unit having changed on disk and not being reloaded.


DNS Custom Logs and selinux

If you google "named custom logs selinux" you will find quite a bit of chatter about setting up custom log locations outside /var/log for DNS (named). These posts are interesting, but they tend to be run-on posts about learning SELinux and becoming an expert on named.

What you need to know: if you have set up custom logging locations in your /etc/named.conf, such as this channel inside the logging block:

    channel default_file {
        file "/var/log/named/default.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };

then you will likely see errors like this in /var/log/messages (note the path: named is running in the bind chroot, so "/var/log/named" in named.conf is /var/named/chroot/var/log/named on the host):

Oct 26 11:41:13 namedsvr setroubleshoot: SELinux is preventing /usr/sbin/named from write access on the directory /var/named/chroot/var/log/named. For complete SELinux messages. run sealert -l 6eab4aaf-e615-4ade-9e88-4efdc789eaf2

Run the sealert command as suggested by the very friendly SELinux audit message and you are told:

#============= named_t ==============
#!!!! The source type 'named_t' can write to a 'dir' of the following types:
# tmp_t, named_cache_t, var_log_t, var_run_t, named_var_run_t, named_log_t, named_tmp_t, cluster_var_lib_t, cluster_var_run_t, root_t, cluster_conf_t

This is the important information: the named_t domain may write only to directories of those types, and your custom log directory is not labeled with any of them:

[root@namedsvr log]# ls -Z /var/named/chroot/var/log
drwxr-xr-x. named named unconfined_u:object_r:named_conf_t:s0 named

The named_conf_t type is the problem. Change it to named_log_t:

chcon -t named_log_t /var/named/chroot/var/log/named

Restart named and the error messages should go away. Note that chcon only rewrites the label on disk; the next relabel (a restorecon, or a full relabel after touching /.autorelabel) sets it back to whatever the policy's file context rules say, which is the subject of the next question.

Where did this named_conf_t type come from?

> more /etc/selinux/targeted/contexts/files/file_contexts

Run that more command and look at all of those labels. Find the named "chroot" entries and work your way down to the /var/named/chroot/var/log paths. A directory you create by hand inherits its parent's type, and the rules for the chroot tree label it named_conf_t as well, so a restorecon would happily undo the chcon. Check what the policy would assign with "matchpathcon /var/named/chroot/var/log/named"; if the answer is not named_log_t, you want a rule of your own for the var/log/named path that sets that type. Don't edit file_contexts directly, it is replaced when the policy package is updated. Add the rule as a local customization with "semanage fcontext -a -t named_log_t '/var/named/chroot/var/log/named(/.*)?'" and apply it with "restorecon -Rv /var/named/chroot/var/log/named". That way the change survives a reboot and a restorecon, which is also very important.
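Both fixes above come down to reading an "ls -lZ" listing and spotting the odd entry out: the root-owned session and lock files in the Splunk post, and the named_conf_t directory here. The following Python, added as an example and not code from either post or from Splunk or ISC, parses such a listing (the RHEL 7 column layout quoted above, and the newer coreutils layout with link count, size and date) and runs both checks: entries not owned by the service account, and entries whose SELinux type is outside the set that sealert reported as writable for the domain. The two listings are the ones quoted in the posts, the writable-type set is the one sealert printed above, and the chown/chcon suggestions it produces are for review, not blind execution.

```python
import re
from dataclasses import dataclass

# The two listings quoted in the posts above (constructed input for this example).
SPLUNK_RUN_DIR = """\
drwx------. splunk splunk unconfined_u:object_r:usr_t:s0   scheduler
-rw-------. root   root   unconfined_u:object_r:usr_t:s0   session-d07528932b4314e72a9f5bccd0f85fb27e8f30bd
-rw-------. root   root   unconfined_u:object_r:usr_t:s0   session-d07528932b4314e72a9f5bccd0f85fb27e8f30bd.lock
-rw-r-----. splunk splunk system_u:object_r:usr_t:s0       splunkd.pid
"""
NAMED_LOG_DIR = """\
drwxr-xr-x. named named unconfined_u:object_r:named_conf_t:s0 named
"""

# Directory types the sealert output above says named_t may write to.
NAMED_T_WRITABLE_DIR_TYPES = {
    "tmp_t", "named_cache_t", "var_log_t", "var_run_t", "named_var_run_t", "named_log_t",
    "named_tmp_t", "cluster_var_lib_t", "cluster_var_run_t", "root_t", "cluster_conf_t",
}

_CTX = re.compile(r"^[^:\s]+:[^:\s]+:[^:\s]+:\S+$")        # user:role:type:level
_TAIL = re.compile(r"^(\d+)\s+(\S+\s+\d+\s+\S+)\s+(.+)$")    # size, date, name (newer ls -lZ)


@dataclass
class Entry:
    mode: str
    owner: str
    group: str
    se_user: str
    se_role: str
    se_type: str
    se_level: str
    name: str


def parse_ls_z(listing):
    """Parse 'ls -lZ' output. Handles the RHEL 7 layout (mode owner group context name)
    and the newer coreutils layout (mode links owner group context size date name)."""
    entries = []
    for line in listing.splitlines():
        toks = line.split()
        ctx_i = next((i for i, t in enumerate(toks) if _CTX.match(t)), None)
        if ctx_i is None or ctx_i < 3 or len(toks) <= ctx_i + 1:
            continue                                  # blank, "total N", or no context column
        owner, group = toks[ctx_i - 2], toks[ctx_i - 1]
        tail = line.split(None, ctx_i + 1)[ctx_i + 1].rstrip()   # everything after the context
        m = _TAIL.match(tail)
        name = m.group(3) if m else tail
        se_user, se_role, se_type, se_level = toks[ctx_i].split(":", 3)
        entries.append(Entry(toks[0], owner, group, se_user, se_role, se_type, se_level, name))
    return entries


def not_owned_by(entries, user, group):
    """Names of entries not owned user:group, i.e. what a root-started daemon leaves behind."""
    return [e.name for e in entries if (e.owner, e.group) != (user, group)]


def not_writable_by_domain(entries, writable_types):
    """Names of entries whose SELinux type is outside the set sealert reported for the domain."""
    return [e.name for e in entries if e.se_type not in writable_types]


def fix_commands(directory, entries, user, group, wanted_type=None, writable_types=None):
    """chown/chcon commands for what the two checks flag; review before running them.
    Pass writable_types=None to skip the label check (the Splunk case is ownership only)."""
    cmds = [f"chown {user}:{group} {directory}/{n}" for n in not_owned_by(entries, user, group)]
    if writable_types is not None:
        cmds += [f"chcon -t {wanted_type} {directory}/{n}"
                 for n in not_writable_by_domain(entries, writable_types)]
    return cmds


if __name__ == "__main__":
    splunk = parse_ls_z(SPLUNK_RUN_DIR)
    print(fix_commands("/opt/splunk/var/run/splunk", splunk, "splunk", "splunk"))
    named = parse_ls_z(NAMED_LOG_DIR)
    print(fix_commands("/var/named/chroot/var/log", named, "named", "named",
                       "named_log_t", NAMED_T_WRITABLE_DIR_TYPES))
```

The chcon it suggests is the quick fix from the post; for anything that has to survive a relabel, the persistent rule belongs in semanage, as described above.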

A good place to start learning selinux:


Sunday, October 02, 2016

To N or Not To N, That is The Question?

In Microsoft SQL Server you can hash with T-SQL [1]:

    declare @hash varchar(200)
    set @hash = '15174141714252'
    -- HASHBYTES returns varbinary(16) for MD5; style 1 renders it as 0x... hex.
    -- (PRINT would show the raw bytes as characters, not as hex.)
    select convert(varchar(34), hashbytes('MD5', @hash), 1)

This is handy, of course, because you can now send your passwords over the unencrypted SQL connection and do the hashing on the server, where the plaintext also ends up in any trace or query log you keep. Secure your connection [2], please, before doing this, and keep in mind that a bare MD5 of the password is not a password hash in the first place (no salt, and trivially fast to brute-force). The point of this post is the encoding.

Note the use of varchar(200) in the code block. The Microsoft sample uses nvarchar. Does it matter which one we use? Turns out, yes. The code block above returns:
0x5B17965D4E33B04FD8848E536165D013
That is also the hash you get in .NET from Encoding.ASCII.GetBytes (or Encoding.UTF8.GetBytes for ASCII-only input) fed to MD5.Create().ComputeHash.

If you opt for nvarchar:

    declare @hash nvarchar(200)
    -- same as the literal N'15174141714252'; a plain '...' literal would be converted implicitly
    set @hash = convert(nvarchar(200), '15174141714252')
    select convert(varchar(34), hashbytes('MD5', @hash), 1)

You will get something different:
0xBA48394E1385A2C633AB7F8339231B56
nvarchar and nchar store text as UTF-16LE (UCS-2) [3], so every ASCII character becomes two bytes, the character followed by 0x00, and the bytes that HASHBYTES sees are not the single-byte code page bytes of a varchar. On the client side the same thing happens with Encoding.Unicode.GetBytes versus Encoding.ASCII.GetBytes. Your client's default encoding may not match the column type either, so you have to be especially careful. If you used nvarchar in your update statement but varchar in the stored procedure that takes the password in plain text (or let SQL Server convert between the two silently), you would produce a bunch of hashes that never match.
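The encoding difference reproduced outside SQL Server, as an added example that is not code from the post or from Microsoft: Python stand-ins for the bytes HASHBYTES sees for a varchar and an nvarchar argument, the bytes a .NET client would produce with the different Encoding classes, and the login check that fails when the two sides disagree. The varchar code page is assumed to be Windows-1252 (what a Latin1_General collation uses); MD5 is used only because the post uses it.

```python
import hashlib

# Stand-ins for SQL Server's two character types (example code, not from the post):
#   varchar  - one byte per character in the database collation's code page;
#              Windows-1252 is assumed here.
#   nvarchar - UTF-16LE (UCS-2) code units, two bytes per BMP character.
VARCHAR_CODEPAGE = "cp1252"


def sqlserver_bytes(value: str, unicode_type: bool) -> bytes:
    """The bytes HASHBYTES actually hashes for a varchar (False) or nvarchar (True) argument."""
    return value.encode("utf-16-le") if unicode_type else value.encode(VARCHAR_CODEPAGE)


def hashbytes_md5(value: str, unicode_type: bool = False) -> str:
    """HASHBYTES('MD5', value) rendered the way SSMS shows varbinary: 0x plus upper-case hex."""
    return "0x" + hashlib.md5(sqlserver_bytes(value, unicode_type)).hexdigest().upper()


def dotnet_bytes(value: str, encoding: str) -> bytes:
    """What Encoding.<X>.GetBytes returns on the client: 'ascii' (Encoding.ASCII),
    'utf-8' (Encoding.UTF8) or 'utf-16-le' (Encoding.Unicode)."""
    return value.encode(encoding)


def password_matches(stored: str, candidate: str, unicode_type: bool) -> bool:
    """The login check: hash the candidate with the given column type and compare it
    with what was stored. Fails whenever the store and the check used different types."""
    return hashbytes_md5(candidate, unicode_type).lower() == stored.lower()


if __name__ == "__main__":
    secret = "15174141714252"                        # the value from the post
    print("varchar :", hashbytes_md5(secret, False))
    print("nvarchar:", hashbytes_md5(secret, True))
    stored = hashbytes_md5(secret, True)              # stored by an UPDATE using nvarchar
    print("check with nvarchar:", password_matches(stored, secret, True))
    print("check with varchar :", password_matches(stored, secret, False))
    # A non-ASCII character shows the client-side trap too: UTF-8 on the client
    # versus the server's single-byte code page give different bytes for the same text.
    print("é utf-8 :", dotnet_bytes("é", "utf-8"), " é cp1252:", sqlserver_bytes("é", False))
```

Run it with the string from the post to compare against the two hashes quoted above; the last line is the case the post's warning about the system's default encoding is really about, since for pure ASCII input ASCII, UTF-8 and the code page all agree and only UTF-16 differs.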

[1] https://msdn.microsoft.com/en-us/library/ms174415.aspx
[2] https://technet.microsoft.com/en-us/library/ms189067(v=sql.105).aspx
[3] https://msdn.microsoft.com/en-us/library/ms186939.aspx

Tuesday, June 30, 2015

The Hack on HACK

Pull up Bing (www.bing.com) and search on "Hack Fund." There you will see the PureFunds ISE Cyber Security ETF [2]. This is an exchange traded fund [1], meaning that a constellation of computers is constantly monitoring this fund's price and making long and short positions to take micro profits all through the trading day.

The fund is made up of security technology companies who are directly involved in the infosec world. You will have to become an investor in the fund to get the full prospectus of the funds that are being traded. On the PureFunds web site [2] you can see the top 10 holdings in the fund, such as IL, SAIC, PFPT, FTNT, SPLK. Wait, Splunk? Indeed, the log file analysis company, Splunk, Inc. [3], is part of the HACK fund. That's an interesting addition to the fund.

This post is not about the analysis of the holdings, but rather a warning about the fund. Recently Kaspersky Labs claimed to have been hacked by external "nation state" hackers [4]. You have to wonder why Kaspersky would ever disclose their own security breach. Kaspersky benefits from claiming to be hacked because it shows their vulnerability and lessens their "untouchable" status. This is exactly why the C.I.A. claims to have had their public web sites hacked in the past. You should doubt the sincerity of these claims from Kaspersky, or any AV software provider. These companies are just trying to manipulate the hacker's opinion on whether or not these companies are worthy of attack.

Back to the HACK fund and what it means to you. Every company listed in the holdings is an attack vector for the young and aspiring "Wind Ninja." I call them Wind Ninjas because I once tracked a team down to Uruguay and their monikers were the Japanese names for some mythical "Ninja" spirits, one in particular being a "Wind Ninja." These hackers, like you, have money in their pockets and time on their hands, but unlike you, they enjoy disrupting public opinion. Now they have a passive way of making use of their time and money. You won't be seeing much from the ransomware people anymore because they can invest their $18M [5] in the HACK fund. Once invested in HACK, the hackers will then continue to drive more and more hacker activity, raising the public awareness (and scare-o-meter) of hacking, and thus increasing the value of their equity position.

This all reminds me of the Dilbert "$10 bug fix." (no citation, sorry) Remember that strip, where Dilbert's team gets paid $10 per bug fixed. So what does he do? Make lots and lots of bugs, and then fix them quickly, thus printing his own money. You can bet the hackers of the world are reading Dilbert and they are all moving their money into the HACK fund [8]. The growth of the fund has exceeded $1B in assets [10], which is serious money now. You can bet there will be some hefty manipulation in this fund. We have already seen some hints of it [8] after the SONY hack.

Now for some stock advice. First you get a team of hackers together, some kids from a local high school. Then you invest your money in HACK. Next, teach the kids how to hack and get them to go after some mid-level business. Once the hack is exposed, the HACK fund will go up in value, and you sell. Boom, you owe me 1% bro!

[1] https://en.wikipedia.org/wiki/Exchange-traded_fund
[2] http://www.pureetfs.com/etfs/hack.html
[3] http://www.splunk.com/
[4] http://www.eweek.com/security/kaspersky-hack-reveals-conflict-between-spy-agencies-security-firms.html
[5] http://www.darkreading.com/endpoint/fbi-cryptowall-ransomware-cost-us-users-$18-million/d/d-id/1321030
[6] http://etfdb.com/2014/inside-the-cyber-security-etf-hack-qa-with-christian-magoon
[7] http://seekingalpha.com/article/2680305-finally-a-cyber-security-etf
[8] http://www.ibtimes.com/new-cybersecurity-etf-hack-sees-shares-jump-after-sony-hack-increased-security-1763538
[9] http://www.theguardian.com/uk-news/2015/may/21/trinity-mirror-alleged-phone-hacking-payout-fund-sunday-people
[10] http://www.businesswire.com/news/home/20150618005830/en/PureFunds-ISE-Cyber-Security-ETF%E2%84%A2-HACK-Surpasses#.VZK3Bk_bKUk

Friday, October 24, 2014

Typical Fall From Grace

I have had an Apple device in my life since 1990. My first Apple computer was a Mac SE, which was my second computer, the first being a Commodore 64. The Mac SE was a beautiful design, a smooth, encephalon-like form that was entirely self-contained. It was the second generation of Apple's unified hardware design, something copied only in the mid-2000s by Hewlett Packard. When Steve Jobs left Apple in the 90s we saw a diversion in Apple's aesthetic designs. They moved away from the unibody computer and moved forward with the pizza box architecture that plagued the IBM PC/x86 world. They still had the characteristic platinum coloring of their units, but now you had a bunch of boxes that ran Apple software. It all stopped looking like Apple.

Jobs continued with his own aesthetic designs at NeXT, but that did not go well. While he tried to realize the greater encephalon design (that's a computer that looks like a head, by the way), the software didn't have the stability that Apple had to offer. Jobs needed Steve, and Steve needed Jobs, and together they needed Apple. This was all too obvious when Apple started producing new computer models twice yearly, each more competitive than the other, but each competing with its siblings.

When Jobs returned to Apple we didn't see technology innovation. That was already done by the likes of HP, Compaq, Microsoft, and Symbian. What those innovators all lacked was the aesthetic genius that Steve Jobs saw in the world. So when Apple released the iPod and then iPhone, it wasn't a technical innovation, rather it was an aesthetic innovation in technology. It was then in 2007 that technology needed to be more pretty than functional, and that's what Steve Jobs knew how to do.

That's why today I am writing this fun opinion piece about my iPhone 6 Plus. I have just about every kind of phone, from a Samsung Galaxy generation 1, to a new Galaxy Note 2, to iPhone 4, iPhone 5, HTC Windows Phone, and Nokia Lumia. These phones are all smooth bricks with shiny OLED screens. The Nokia phones were the most stylish of the non-Apple phones, and they all had a very common feature. The phones didn't have warts.

A wart is anything that sticks out from a surface. On the back side of these phones there is a nifty camera lens that is hidden in the surface to keep it safe. That countersink on the lens also causes flash glare and can disrupt the quality of the photos taken by the device. That's why the original iPhone was white, and always white for a long time. A black shiny surface causes a nasty lens flare from the flash and results in junk pictures. Steve Jobs knew that was important as a mission critical feature of the mobile phone. Even my Qualcomm Brew phone (Kyocera) got that right, with its recessed lens for photographs.

Today, though, I noticed that my iPhone 6 Plus does not have a recessed lens. Rather, the lens sticks out like an ugly wart. It has a metal ring around the lens to protect it, but it is still a wart. Warts always snag on things, and the wart on the iPhone 6 will not disappoint in that regard. Furthermore, the wart means the iPhone 6 Plus never rests level on any surface. Now the iPhone has only three contact points with its host surface, which means less friction to keep it on a slanted surface, and a higher likelihood of it slipping off a closed laptop and falling onto the floor.

Some may argue that this was Steve Jobs' design idea, or that he approved it before his passing. I doubt that argument's validity having seen Steve Jobs' unique approach to aesthetic technical design. The device is a failure in my opinion. The sales of the iPhone 6 Plus should be halted and the lens should be recessed. Every mobile device should lay flat and stable on a flat surface.