While still immature, the Security Vizualisation field has quite the potential to change the way we analyze the mounds of (ever-growing) data that security and network devices as well as applications and operating systems produce.

Instead of sifting through text and using the usual arsenal of tools (grep, perl, sed, awk...) to parse it, filter it and normalize it into yet other text for which our visual system is not well suited, Security Vizualisation leverages our eyes and brain as powerful, parallel pattern seekers to create graph that aid us in isolating patterns, finding hidden relationships or making sense out of dull-looking, seemingly boring data. As Raffael Marty said:

A picture is worth a thousand log records

To put it simply, Security Vizualisation allows to transform data into information into insight. But remember that this is still a very young field and there are quite numerous pitfalls. Also, industrial-grade tools are very rare. I've introduced this field and presented two real world examples where I leveraged the power of Security Visualization for problem solving in a talk I gave yesterday at the January 2010 monthly meeting of OSSIR Paris. The slides are available online.

Je vais présenter un compte-rendu de la conférence sécurité hack.lu 09 à l'OSSIR Paris le mardi 10 novembre 2009. Si vous êtes à Paris, n'hésitez pas à venir. L'accès est gratuit et libre.


L'horaire, le lieu et l'ordre du jour se trouvent sur le site de l'OSSIR.

... I’d be a neo-paganist and my brother a fundamentalist christian ;-)

4 days ago, The Metasploit project finally released version 3.2 of the Metasploit exploitation framework. Besides the fact that it is the very first version to be released under a BSD license (which should make license-wary jerks rejoice), it has many interesting new features.

One of these features is the ability to create executable files for the Windows platform on the fly from payloads such as the highly efficient Meterpreter. 2 days before the official release, HD Moore wrote a wiki page explaining how to automate Meterpreter sessions for client-side exploits (post to the mailing list and thread that followed). Using the Shikata Ga Nai polymorphic encoder (for the curious, Shikata Ga Nai is japanese for it can’t be helped, there is even a Wikipedia page for it), it is possible to create a unique binary executable which anti-virus software will have a hard time spotting.

John Strand posted a video comparing how executables created by Metasploit 3.1 and 3.2 fare against AV software by uploading these executables on Virus Total. The results are quite impressive.

If you want more details about Shikata Ga Nai, please read Context-keyed Payload Encoding, an article written by l)ruid (who is a Metasploit contributor) on Uninformed.org.

Mike Rothman, the man behind Security Incite, has posted yet another excellent post on his blog called Revisiting Big is The New Small. It is an excellent piece loaded with sharp insight and a very good sense of humor.

Anyone interested in the security market and how people contend with nonsensical sales pitch from the security vendors while all they want is good enough security (which doesn’t mean that this is an ideal situation) from big companies should definitely read that post. Here are some chosen quotes:

[...] the original concept behind Big is the New Small is that customers were tired of dealing with crappy little vendors. They'd much rather deal with bloated, unresponsive, lumbering vendors.

BAM! Reload, shoot:

There are many that cling to the "best of breed" myth. It's even funnier when you think about folks positioning their offerings as "integrated best of breed," whether it happens on the perimeter or on the devices. Or even in security management. Integration/unification and best of breed are opposites. Oil and water. You get the picture. It just doesn't happen.

Want some more?

without anything that is truly innovative (and it's been quite a while since we've seen true innovation in the security space), customers have no choice but to go with good enough. Most of the new companies out there are focused on "better, faster, cheaper" models of improving the way things are already done.

Imaginons que vous deviez envoyer des dumps de trafic réseau à un partenaire/fournisseur/whatchmacallit et imaginons que vous avez besoin de nettoyer ces traces d'éléments identificateurs (oui parce que vous vous ennuyez et vous n'avez rien trouvé de mieux à faire de la journée à part faire votre paranoiaque de la sécurité). Et là, vous vous dites ... Mais comment faire ?

Il m’est arrivé plusieurs fois de me poser la question et à part prendre des traces en PCAP, les transformer en texte et utiliser ce cher sed parci-parlà, je n’avais jamais été plus loin.



Et voilà que PktAnon entre en scène. Cet outil hautement configurable (en XML, vous vous en doutiez car c’est la mode) permet de modifier un fichier de traces réseau au format PCAP afin de répondre à des exigences de pseudonymat (ou de paranoïa pour celles et ceux qui croient encore aux Bisounours).

PktAnon n’est pour l’instant toujours pas disponible en application tierce pré-packagée pour mes OS habituels (FreeBSD, OpenBSD, Mac OS X). Je vais donc attendre un peu avant de le tester. Si vous avez de votre côté réalisé des tests, n’hésitez pas à me faire part de vos impressions.

Bana, a fellow DocIslander, told me about an IBM DeveloperWorks titled Anatomy of Security-Enhanced Linux (SELinux). Bana pointed me to the following excerpt:

GNU/Linux is very secure, but it's also very dynamic: changes can appear that open holes into the operating system that can then be exploited. Although considerable attention is paid to preventing unauthorized access, what happens after an entry has occurred?

Good! Oh, hang on a sec. Don't you smell something really fishy in the first sentence? Let me me help you out a bit:

GNU/Linux is very secure, but it's also very dynamic...

I let my mind chew on these memes and I came to the conclusion that this basically boils down to saying something similar to the following:

Have no fear chap, you can sleep assured that no burglar will enter your house. Look at the door. It's made of bulletproof metal, 6 inch thick with 17 different locks, retina scan and ADN sampler. Oh, by the way, it's a very dynamic design that's why we are destroying the surrounding walls and rebuilding them from the ground up.

... And that's why we need something as mind-bogglingly complex as SELinux to secure the very secure.

J'ai effectué un compte-rendu des conférences du FOSDEM 2008 axées autour de la sécurité informatique pour la Lettre Techniques De l'Ingénieur (Sécurité des Systèmes d'Information). Il a été publié dans le numéro 14 (Avril 2008).

Contrairement à l'édition précédente, il y a eu peu de présentations autour de la sécurité. Ce ne sont pas les orateurs ou les sujets qui manquent pourtant... Seules deux présentations ont su retenir mon attention : une présentation de SELinux dans CentOS et une présentation/démonstration de WebScarab-NG du projet OWASP.

J'ai assez récemment rédigé un article ayant pour sujet le développement sécurisé pour la Lettre Techniques De l'Ingénieur (Sécurité des Systèmes d'Information). Il a été publié dans le numéro 13 (Mars 2008). Intitulé Vers une approche pragmatique du développement sécurisé d'applications, il décrit 6 points destinés à ancrer la sécurité au sein d'un cycle de développement logiciel pour aboutir à un SDL (Secure Development Lifecycle).

Cette approche est très largement inspirée de l'approche proposée par Gary McGraw dans son excellent ouvrage Software Security dont je recommande la lecture à toute personne s'intéressant de près au développement sécurisé. Je me suis contenté de simplifier l'approche initialement proposée par ce dernier et de survoler les points d'ancrage afin de fournir une vue d'ensemble de l'approche et des étapes nécessaires pour la mettre en musique.

Le numéro 37 (mai/juin 2008) du magazine MISC vient de paraître. Si vous y êtes abonné, vous avez du recevoir ce numéro dans votre boîte aux lettres sinon vous le trouverez très prochainement en kiosque. Vous retrouverez page 60 un article intitulé A la découverte de ModSecurity 2, que j'ai co-écrit avec mon collègue et ami de longue date Jérôme Léonard. J'ai pris beaucoup de plaisir à travailler avec quelqu'un dont je partage certaines convictions et une vision similaire de la sécurité informatique.



Comme son titre l'indique, nous vous proposons de découvrir à travers cette fiche technique le pare-feu applicatif ModSecurity 2 (que je m'étais promis d'essayer) en quelques pages. Nous y décrivons les fonctionnalités principales de la version 2 de ce produit destiné à augmenter le niveau de sécurité de vos applications Web. Et comme d'habitude, vous y retrouverez quelques petites notes d'humour destinées à rendre votre lecture plus agréable sans oublier de vous fournir les informations essentielles vous permettant de décider de l'éventuelle adéquation de ce produit par rapport à vos besoins.

Nous penchons du côté de l'approche par liste noire (interdire les URLs suspicieuses) qui nous paraît plus pragmatique et plus adaptée à la complexité des applications Web actuelles. Je n'en dirais pas plus ! Je vous invite à lire l'article et à nous soumettre vos commentaires et vos questions par email ou en utilisant le système de commentaires de ce blog. Votre retour est précieux et nous permet d'améliorer la qualité de notre travail.

Tel que précisé dans un autre billet, j'ai effectué une présentation sur des nouveautés d'OpenSSH (directives Match et ChrootDirectory principalement) et un tour d'horizon de quelques principes de durcissement présents dans des documents de durcissement de ce logiciel et généralement rédigés par des maîtrises d'ouvrage ou d'oeuvre mais dont l'applicabilité est improbable.

Pour vous donner un exemple, prenons les clés d'authentification. Il est généralement de bon ton de demander l'abandon pur et simple de l'authentification par mots de passe et de passer à une authentification par clés. Mais c'est beaucoup plus simple à dire qu'à faire. Comment gérer leur génération (est-ce qu'il y a bien une passphrase, la passphrase choisie est bien conforme à la politique de sécurité en vigueur) ? Leur diffusion, leur mise à jour (notamment de la passphrase avec une modification tous les N jours pour rester conforme à la politique de sécurité), ....

Les outils et les contrôles traditionnellement utilisés pour aider à générer des mots de passe de qualité et de contrôler cette dite qualité dans le temps etc. ne sont pas utilisables tels quels pour les passphrases des clés ou pour les clés elles-même.

Les clés facilitent énormément la vie (pensez ssh-add/ssh-agent), on en génère seulement quelques unes au plus si on est "pragmatique" et on en change très rarement voire jamais la passphrase. Mais est-ce pour autant un problème de sécurité ? Ce n'est pas plutôt à la politique de sécurité de savoir gérer des exceptions ? J'ai pointé le problème du doigt, je vous laisse réfléchir à toutes ses facettes.

En attendant, vous pourrez télécharger les slides au format PDF à l'adresse suivante : http://saad.docisland.org/docs/files/openssh-nah-sur20080311.pdf.

Edité pour ajouter : le lien de téléchargement affichait le nom d'une autre présentation, bien qu'il pointait là où il fallait. C'est désormais corrigé. Merci à Nicolas Legrand pour avoir relevé la coquille.

La prochaine réunion du groupe SUR aura lieu le mardi 11 mars. J'y présenterais en seconde partie de réunion les nouveautés d'OpenSSH et quelques principes de durcissement à appliquer pour augmenter le niveau de sécurité de cet outil ô combien essentiel de nos jours.

En ce qui concerne les nouveautés, je parlerais principalement des nouvelles directives de chroot en natif (et par utilisateur) ainsi que des directives Match.

Les réunions du groupe SUR étant gratuites et d'entrée libre, je vous invite à y participer. Et si vous avez des idées de présentation ou des salles à nous proposer, n'hésitez pas à me contacter.

Tel que je l'avais indiqué dans le billet OpenBSD, FreeBSD et Solutions Linux 2008, j'ai effectué une présentation de la fonctionnalité jail de FreeBSD le mercredi 30 janvier matin. C'est une mise à jour de la présentation précédemment effectuée en 2006 dans le cadre du groupe SUR de l'OSSIR.

Vous pouvez consulter les slides au format PDF : http://saad.docisland.org/docs/files/sl2008-jail.pdf.

Solutions Linux 2008 was a wonderful edition. Save for a few hours on the 2nd day (during which I gave a talk on FreeBSD's jail), I was at the OpenBSD booth with the gang. Besides the usual suspects (Wim Vandeputte, Marc Espie, and Miod Vallat), many other French OpenBSD developers showed up: Antoine Jacoutot (the so-called TagDiff'er), Gilles Chehade, Landry Breuil, and Charles Longeau. Eric Faurot, Wim's Friend, was also there. Last but not least, I had the pleasure to finally meet Wim' girlfriend (Machtelt, you rock!). Their help was very welcome since we had many visitors during those three days. Every evening, after closing the booth we went downtown to have a drink and some awesome dinners. The first night, we went to Les Galopins in Bastille. The next to Chez Denise, La Tour De Montlhéry and the last one to Hokkaido, a wonderful Japanese restaurant that I "bookmarked" (thanks Marc!).

GCU Squad made an impressive show and I had a very nice chat with the guys of RubyFrance, I also met some old acquaintances I haven't seen in eons. I am pretty tired after all this but I don't regret it at all.

If you'd like to see the OpenBSD gang soon, come to Brussels for FOSDEM! In the meantime, check out the pictures.

Je serais cette année sur le stand du projet OpenBSD à Solutions Linux 2008, salon dédié (si on peut dire) au monde du logiciel libre. J'ai prévu d'y être durant toute la durée de l'événement, soit du 29 au 31 janvier inclus. Le stand sera tenu par votre serviteur ainsi que de nombreux autres membres du projet tels que Wim et Marc Espie. Venez donc nous rendre visite et nous faire part de vos idées, questions et commentaires concernant notre projet.

En principe, je m'absenterais le mercredi 30 janvier matin car je ferais une présentation intitulée Virtualisation et sécurité avec jail dans le track Sécurité des conférences payantes. Lors de cette présentation, je couvrirais la fonctionnalité jail du système d'exploitation FreeBSD et les nouveautés introduites par la version 7.0 de cet OS (qui est en RC1 à l'heure où j'écris ces lignes).

En tant qu'intervenant, j'ai la possibilité d'inviter deux personnes à cette présentation payante. Si vous lisez ce billet et que vous souhaitez assister à ma présentation gratuitement, je vous prie de m'envoyer un courriel à mon adresse email (que vous trouverez derrière le hyperlien Contact de la présente page). Les premiers arrivés seront les premiers servis.

I gave an account of the hack.lu 2007 security conference during the SUR (Sécurité Unix et Réseaux) group of OSSIR in December with co-worker and fellow DocIslander Jérôme Léonard a.k.a. Mitch. There were many interesting presentations and a few boring ones. But the funniest and the weirdest was Injecting RDS-TMC Traffic Information Signals by Andrea Barisani and Daniele Bianco, two Italian hackers from Inverse Path. The hack.lu slides are not available yet. But this presentation was already given in other security conferences around the World such as CanSecWest for which the slides have been published.

This is a perfect illustration of Alternative Thinking.

If you read French, make sure to check our detailed account of this presentation and all the others we found interesting.

J'ai assisté à la conférence Hack.lu 2007 au Grand Duché du Luxembourg en décembre dernier avec mon collègue et ami Jérôme Léonard. HAPSIS, notre employeur, nous a permis d'y participer et l'OSSIR nous a sponsorisé pour une partie des frais engagés pour le déplacement. A cet effet, nous avons présenté un compte-rendu de cette sympathique conférence sécurité lors de la réunion du groupe SUR du mardi 08 janvier 2008. Les slides de la présentation sont disponibles en ligne sur le site de l'OSSIR. Vous y trouverez aussi un compte-rendu détaillé de l'événement. Je vous en recommande vivement la lecture.

Je tiens encore à remercier HAPSIS et l'OSSIR.

A friend sent me the following URL which illustrates an "old" trick for bypassing AV detection:
http://blog.didierstevens.com/2007/10/23/a000n0000-0000o000l00d00-0i000e000-00t0r0000i0000c000k/

This reminds me that I wanted to give you a small account of The Death Of Defense In Depth? Revisiting AV Software, an excellent presentation performed by Thierry Zoller and Sergio Alvarez during the hack.lu 2007 security conference which I attended. Note that I'll be giving a full account of the conference during the SUR group meeting next december. The account will be co-presented by my colleague and friend Jérôme Léonard a.k.a. Mitch. I'll put the slides online after the meeting.

Thierry and Sergio have demonstrated how the Defense-in-depth principle is badly implemented to/by AV software. Generally, you tend to multiply AV software between the Wild Wild Internet and your desktop. So you have one AV on the mail gateway, another one at the mailbox server and yet another one on the desktop etc. Well, you get the "depth" part of the defense. However, Thierry and Sergio argued that this significantly increases your exposure to vulnerabilities because AV software is not developed following secure development guidelines and their attack surface is huge (think of how many file formats they need to parse). They showed how, by exploiting a parsing bug, they could bypass a tremendous number of different AV.

Another simple example demonstrated how by adding a string to a PE file (Hello Luxembourg in this case) bypasses the AV. In yet another example, Thierry simply changed the contents of the version field of a ZIP archive and this confused a truckload of AV. In the meantime, Winzip could still open the archive without breaking a sweat.

According to the speakers, one of the main problems of AV software is that they tend to consider what they cannot parse as being safe. It is rather a weird implementation of the Defense-in-depth principle. To their knowledge, only Kaspersky blocks what it cannot parse successfully.

As a result, Thierry discovered more than 800 ways for bypassing AV! And Sergio discovered 80 vulnerabilities out of which only 30 have been patched. At times, Sergio saw the vulnerability patched silently without giving him due credit for reporting it first...

They have also shown some funny responses they got from the AV vendors to their vulnerability reports. In one case, Thierry sent a malicious RAR archive that bypasses Symantec AV. Symantec responded by saying that the archive is not properly constructed ... If only they have opened it with WinRAR and not with their own parsing engine they would realize the problem!

Last but not least, Sergio showed a 0-day in eTrust exploiting a heap overflow. The same exploit worked on Windows XP, 2003 and ASLR-enabled Vista (According to Wikipedia, Microsoft Windows Vista has ASLR enabled by default, although only for executables which are specifically linked to be ASLR enabled so maybe eTrust is not linked to it)!

Thierry and Sergio nicely summed up their presentation by saying that "the more you protect yourself, the more you are vulnerable". Give some alternative thinking to this.

I.T. security is all about trade-offs. And sound trade-offs mean you have a good balance between your security strategy and your business posture. Making sound trade-offs mean that you have an idea of the threats and risks (at least perceived ones) you are facing. Betabug pointed me to a wonderful collection of crazy CAPTCHAs. Some of those have very questionable content but most are either unreadable even with a truckload of good will or require lots of mind wrestling to get right. What are the goals of the designers? Prevent SPAM or account abuse while completely disgusting their users? Sure! No users, no SPAM/abuse. If I was an attacker, why the hell would I want to 0wn your assets without a good motivation? If you turn off your users, there's a good chance you turn me off too! What's the trade-off? Turning something that was designed to distinguish between humans and computers into something that put everyone in the same bag: the exclusion one.


Just one more example of bad security...

Reading John And John #619 (warning, very crude/explicit content ... you've been warned) reminded me of one of the key skills that hackers have and which is very important for security practitioners to acquire or at least fully understand. It's their ability to think "out of the box". What I call "Alternative Thinking" or as the Perl motto goes: there's more than one way to do it. The John And John #619 is a perfect illustration of this skill. One of the Johns has simply found out a new -disgusting but very effective- way for checking whether a seemingly dead person is really dead or not. No "normal", "socially behaving" person would think or do something like that. But it works! And this is what counts at the end.

When you are setting up your security architecture, what are you protecting against? Perceived (as opposed to real) risk? Known (as opposed to unknown) threats? Or are you just throwing together a bunch of security products (remember that security is a process right?) according to some "best" practices and hoping for the best? I don't believe that you can defend efficiently something that you don't fully understand. Without complete understanding of the e-commerce application the developers throw in your hands for protection, you won't be able to practice "Alternative Thinking" and come up with sound attack scenarios and misuse cases. And you won't make the right trade-offs for balancing security and business objectives.

Give this some "Alternative Thinking" time.

Si vous êtes un lecteur régulier de ce blog, vous devez savoir que je fais assez fréquemment des présentations aux réunions du groupe SUR de l'OSSIR. Je suis aussi co-animateur du groupe avec Hervé Schauer.

Comme vous pouvez le voir dans le calendrier des présentations du groupe, Nous avons défini le programme des trois prochaines réunions (octobre, novembre et décembre). Je vais en principe effectuer un compte-rendu de la conférence Hack.lu 2007 avec mon ami et collègue Jérôme Leonard lors de la réunion de décembre. Je tiens à vous rappeler que la participation aux réunions du groupe SUR est gratuite et, sauf dans de très rares cas, il n'y a pas d'inscription préalable.

Le programme des réunions ainsi que la date et le lieu sont annoncés en priorité sur la liste de diffusion du groupe (sec@ossir.org). Je vous conseille vivement de vous y abonner. Le trafic y est relativement faible et les discussions (trolls inclus) sont de qualité ;-). La liste est modérée, vous ne serez en principe pas exposé à plus de pourriel à l'exception peut-être des messages automatiques de notification d'absence que des utilisateurs d'Outlook et d'autres MUA ne manquent pas de positionner (pour des raisons justifiées ou pas). Les modérateurs, dont je fais partie, peuvent certaines fois désabonner les utilisateurs émettant de tels messages. Pour cela, Il suffit de nous en informer. Consultez la page dédiée aux Listes Electroniques de l'OSSIR si vous souhaitez vous y abonner.

J'ai écrit un article intitulé Un cadriciel puissant : Metasploit pour La Lettre Techniques De L'Ingénieur (numéro d'août 2007). C'est une publication payante. Dans cet article, j'aborde (à peu de choses près) les éléments figurant dans la présentation que j'ai effectué lors de la réunion du groupe SUR en décembre 2006.

Le numéro 33 de MISC, un magazine français dédié à la sécurité informatique, est paru il y a quelques jours de cela. Il est habituellement vendu en kiosque en France, Belgique, Maroc et certainement d'autres pays francophones. Il y a même une édition en Allemand.

Ce numéro contient une fiche pratique pour le durcissement d'un DNS primaire sous BIND 9 rédigée par votre humble bloggeur. J'ai essayé de la rendre aussi didactique (et amusante) que possible, dans un pur esprit "Edutainement".

Si vous avez l'occasion de la lire, je serais intéressé par vos commentaires.

I have finally devoted some precious time to update my resume. If you are interested, you can look at the English and/or French version (PDF) available from the new Resume page. Other formats available on request.

J'ai aussi complètement oublié de mentionner que DocIsland s'est encore aggrandi et avec un membre de qualité. Claire Vignot, première fille de notre groupe nous a rejoint il y a quelques semaines déjà ! DocIsland est donc constitué de 13 personnes ... Les supertitieux diront que ce chiffre porte malheur. Eh bien, il n'y a plus qu'à trouver un quatorzième.



Ceci dit en passant, l'air de rien, le site Web de DocIsland a eu son ravalement de façade tant attendu et avec le logo en plus.

J'ai complètement oublié de mentionner que j'ai écrit un article sur les SPAM images ainsi qu'un compte-rendu des présentations sécurité effectuées lors de FOSDEM 2007. Ces articles sont parus dans La Lettre Techniques De L'Ingénieur (numéro d'avril 2007). Le lien pointe vers un fichier PDF qui présente cette publication (payante) en deuxième page.

Depuis que j'ai écrit cet article, une évolution intéressante des SPAM images est à noter : les SPAM "PDF". Ce sujet a été discuté sur la liste de diffusion du groupe SUR (OSSIR). Voici ce que j'en pense, dans les grandes lignes :

On Jun 26, 2007, at 11:09 AM, Guillaume Arcas wrote:

> En marge de la discussion initiée sur les Spam Images puis Signal-SPAM,
> une petite question : j'ai reçu ce matin mon premier Spam PDF, un mail
> avec un fichier PDF en pièce jointe, fichier contenant une pub pour les
> produits pharmaceutiques habituels.

> Je n'avais pas noté ce genre de Spam avant : je suis passé à côté ou
> bien c'est une nouvelle tendance ?

Nouvelle tendance. Une petite recherche sur Google donne pas mal de resultats sympathiques dont [1] (en Anglais). Ca ne parait pas completement deconnant par rapport aux objectifs du SPAM image classique. Le cout de generation de PDF est relativement faible. De plus, ce n'est pas un format d'image du coup pas mal d'anti-SPAMs (tous ?) ne saurent pas l'analyser. Cependant, la faiblesse actuelle de cette technique est la similitude des fichiers envoyes. Un filtrage par checksum devrait avoir de bons resultats de detection ... en attendant qu'ils se mettent a la generation a la volee.

Just my 0.02 cents.
--
[1] http://www.heise-security.co.uk/news/91523

Vous voulez un exemple ? Il n'y a qu'à demander :



Depuis, Guillaume Arcas a fait quelques expérimentations de son côté et il semblerait que les spammeurs soient déjà passés à la génération à la volée :

Bonjour.

Suite à la petite discussion entamée tantôt sur les Spams PDF, et
notamment sur le filtrage par checksum des pièces jointes, un petit
aperçu de ce que j'ai reçu ces derniers jours :

$ md5sum *.pdf
0d2383bd94dd51b7f872dd806da69c8e Article.nyavquxas.pdf
11c984b8aa663ea0d297155302643370 Journal_32e186e535d0.pdf
158f0e99ce49cd02d5a52c613ac9f62f Request.QCYBBCUPV.pdf
19625aba199381dfaf134b2d4e3c3b37 text.pdf
1c371c91a289f6a8a4c96d0ac7b0ec3b alert_d30866bc5.pdf
2fa8d2128d53c2fa9da4810dfec5bf0e bill_180c2de7.pdf
301659c7eeaf160a71529590f1c975c7 Alert-ZICXPWTJWXLL.pdf
30c1c296d27ba31cc981e094a92ccc95 Mail-1182865134682.pdf
4a30f8f4342228fdac201f7086d024f7 text_xhhfnbp.pdf
581f809315c513241eca7ced8143979b message.pdf
9bf62f3df4f912b0363faef711283138 Report.pdf
9e94383792e4d25bb0a6fdc5d2b39abf Bill.e7182ec5857e2c.pdf
b35cf39041b38c87e58d8f5896d8fb80 mail.EUAWV.pdf
c7344de1a368091ea075dd8d5f858a25 advertisement-ZTLOHSIRRSNNAC.pdf
ca3c8353a6fed30c5c934b9b36f4e852 Bulletin-8c1b0c74.pdf
e3bd639a87e4668e644bfcb78d942a51 article_cosfqqbpxtpl.pdf
ede79b2e6c261ce6121a7d7145869752 readme.pdf
fc33c0b10969957207b15819a6138e0c Message-GHAXCPUNEF.pdf
ff607fbb076e539aca5b53a6af561548 Invoice-iow.pdf

Bref, pour la checksum, c'est pas gagné...

Ces PDF ne présentent pas le même contenu mais concernent la même cible
(achat d'actions de deux sociétés). On peut noter que si le nom de la
société est bien entendu le même, le contenu diffère quant au prix de
l'action ou le taux de progression supposé. Ce qui plaiderait pour une
génération à la volée du PDF.

Je n'ai par contre pas pris le temps de regarder les en-têtes.

Cordialement,

Merci Guillaume !

Sometimes ago, I started experiencing a crippling problem with email rendering (and particularly HTML email) in Outlook 2003. Before you cry fool, my regular MUA is Apple's Mail.app. But I do use Outlook 2003 for some customer-related mailboxes I have aside from my normal mailbox.

I have all the latest and greatest (hum...) patches installed and I really wondered what caused such a slowdown. Whenever I click on a message in the panel or start replying to an HTML mail, it takes a lot of time. Entering the right keywords in Google and "strolling" past the stupidity of some of the advices (uninstall security patch bla, modify this registry key and pray for a better world...) brought me the answer:

Sandi - Microsoft MVP
Please don't uninstall the security update. Try this instead.

This problem is often caused by a "protective" protocol that I do not
support or recommend, that is, loading down the registry by adding a slew of
sites to IE's Restricted Sites zone - sometimes tens of thousands of URLs.
Products that "protect" you by loading down the registry in such a way
include Spybot, IE-Spyad and Spyware Blaster.

IE7 has made changes to the way that the rendering engine interacts with the
Restricted Sites zone - the end result is that if you are using Outlook (not
2007), have IE7 installed and use HTML as your email format, then when you
type an email the IE rendering engine will check the registry for entries in
IE's Restricted Sites zone **every time you type a character***.

FIXES:

Remove all of those entries in the Restricted Sites Zone - a quick way to do
this is to reset Internet Explorer's settings (Tools, Internet Options,
Advanced tab)

I do use Spybot S&D and Spyware Blaster and I found many URLs in the Restricted Sites Zone. Since I rarely use IE as a browser, I removed the entries as advised. And Outlook started working normally again. Quick and clean. Thanks Sandi!

I also deactivated the Spybot BHO so that next time, it won't block URLs and cripple Outlook again.

Les slides de la présentation Bro : un NIDS pas comme les autres ? effectuée le 16 janvier 2007 dans le cadre de la réunion du groupe SUR (OSSIR), en collaboration avec Guillaume Arcas, sont disponibles au format PDF. Guillaume s'est chargé de faire la présentation, en prenant en compte les remarques très intéressantes de Franck Debieve, JP. Luiggi, et mes quelques remarques "cosmétiques". Je me suis chargé d'une démonstration de Bro 1.2.1 en me plaçant du point de vue d'un utilisateur qui connaît bien Unix (la plate-forme utilisée pour la démonstration est FreeBSD 6.2-PRERELEASE) et Snort et en essayant de clairement montrer que Bro, bien que très intéressant, reste encore incomplet du point de vue du "packaging" (configuration après installation, outils de gestion, ...) et au niveau de la documentation.

Dans le cadre de mon travail, je crée et j'assure des formations autour de la sécurité et des réseaux informatiques. J'ai développé et je maintiens une formation sur le système d'exploitation libre OpenBSD, qui est maintenu par le projet éponyme; projet dont je fais partie en tant que traducteur en langue française et coordinateur principal de l'effort de traduction principalement.

Cette formation, que j'assure sur 4~5 jours habituellement en intra/inter-site couvre les sujets suivants:

• Vue d’ensemble
  
• Utilisation basique
  
• Aperçu des services disponibles
  
• Gestion des utilisateurs
  
• Gestion du réseau
  
• Ports et packages
  
• Système de fichiers
  
• Cron et gestion des logs
  
• Apache
  
• OpenSSH
  
• Packet Filter (PF)
  
• IPsec
  
• Maintenance et mise à jour
  

HAPSIS, mon employeur, a mis à disposition sous licence BSD les slides (PDF) d'une ancienne version de cette formation qui traite de la version 3.7 d'OpenBSD (aujourd'hui nous sommes en 4.0). Même si cette version date un peu, la plupart des informations y figurant restent pertinentes.

Je tiens à remercier Fabrice Frade d'avoir aussi rapidement accepté ma proposition de mettre à disposition ces slides.

When reading technical books, I use a variation of Richard Bejtlich's reading method. Please take the time to read his post before continuing with this one.

As far as I can tell, my method takes more time but it allows me to fully understand key material and "engrave" it on memory. I use a combination of post-it flags and plain, bright yellow highlighters and three reading passes:

• First pass of reading. Usually not very mentally taxing. Flag key ideas with the post-it flags. I usually do this during my daily commute (currently 1h15 * 2 approx) in the public transportation.
  
• Second pass of reading. Give more concentration juice to the flagged items. Highlight the parts that need to be fully understood and remembered. Take notes using a pencil when applicable. I usually do this either at home/work or while commuting.
  
• Third pass of reading. This is done sometimes later (after reading two/three other books for example). Skim over the text and reread the flagged/highlighted items. Take note using a text editor, wiki or something like that. I currently use VoodooPad. Enter important URLs in bookmarks (in a special "Analyze this" folder) and/or in del.icio.us (using a special tag). I usually do this at home/work.
  

I've been to the groupe SUR monthly meeting in Paris (which I co-supervise with Hervé Schauer) this afternoon. As usual, there were two talks. While I gave the second talk with my friend Guillaume Arcas on Metasploit (the slides, in French, are online), the first was given by Marty Roesch, creator of Snort and founder of Sourcefire. The topic of his talk was The History and Future of Snort.

Marty started with the history of Snort. How it all started back in 1998 as an OSS pet project of his, how Snort gained momentum, how he started developing full-time and founded Sourcefire. I started playing with Snort on and off since version 1.5 and this part of the talk was quite nice. It helped understand how Snort got where it is now with version 2.6.1.2. But things started getting much interesting when Marty started speaking about the future of Snort and what features might be integrated in Snort 3.0, the next major version of this popular NIDS:

• Auto-tuning
  
• Auto anti-evasion (for layers 3 &4)
  
• Auto-prioritization of events
  
• No stopping to change configuration
  
• Taking advantage of multi-core processors
  

The three first features (auto-tuning, auto anti-evasion, and auto-prioritization) revolve around the same concept, called target-aware processing. Basically, if the NIDS can have confidence in what the attacked endpoint is (operating system, targeted application ...), it will be able to:

• Feed just the right policies (sets of detection rules) to the detection engine, thus eliminating unnecessary and often painful tuning (which is seldom done if any) and achieving the auto-tuning goal. Note that this is different from the current RNA (Real-time Network Awareness) product sold by Sourcefire. The detection engine in Snort 2.x is not aware of the RNA and all the intelligence (that is, the correlation of the NIDS and the RNA data) is done on the Defense Center, the central management software sold by Sourcefire.
  
• Model the target in such a way that the NIDS knows how to reassemble TCP packets or defragment IP packets and mimic the target. Marty said that evasion is a big issue and a very hard problem to solve. At least with knowledge gained on the target, Snort could become harder to evade in layers 3 & 4.
  
• Auto-prioritize events given knowledge on the target. Again, this is not RNA. The knowledge is gained somehow and fed right into the sensor so that when it sees an attack and it knows that the target might be vulnerable to it, it helps the analyst by giving that attack a higher priority that should be acted upon right away.
  

The fourth feature deals with the current necessity to stop Snort for changing the configuration. In Snort 3.0, you wouldn't need to stop the detection engine and lose context while doing so through the use of threads and data sources. A data source will implement data acquisition and decoding before handing the network data to the detection engine through an API which is implemented as a thread. If we need to change configuration, we would create a new thread and migrate the data source to it without context loss. As a beneficial side effect, it would be possible to have fail-over and load balancing between detection engines. A Snort daemon will be used as an interface between the administrator (who issues commands through a Cisco-like "shell" implemented in Lua) and the detection engine.

As for the fifth and last feature, Snort doesn't support currently the multi-core architecture of modern x86/x64 processors and Snort 3.0 needs to solve this.

All in all, it was a very interesting talk. Marty concluded by saying that many of these new features (such as threads and data sources) have been implemented in prototypes or are in the design phase. Since Snort 3.0 represents such a drastic change from the current Snort version, Sourcefire will be releasing subsystem alphas to the community for testing.

Edited to Add (20061213): On a side note, Guillaume Arcas and I will be giving a talk (in French) about the Bro IDS during the next groupe SUR monthly meeting (2007.01.16). Feel free to show up. Attendance is free. And we are also looking for a second talk for this meeting. If you are interested, drop me an email.

Edited to Add (20061218): According to Ureleet, IPv6 decoding will be native in Snort 3.0. Thanks for the update.

Les slides de la présentation Metasploit pour tous ou presque... effectuée cet après-midi dans le cadre de la réunion du groupe SUR (OSSIR), en collaboration avec Guillaume Arcas, sont disponibles au format PDF.

Guillaume Arcas, ami de longue date et consultant sécurité indépendant va effectuer avec moi une présentation intituée Metasploit pour tous ou presque... dans le cadre de la réunion du groupe SUR prévue demain mardi 12 décembre 2006 à partir de 14h00 à l'adresse suivante :

ENSAM (Ecole Nationale Supérieure des Arts et Métiers)
Salle L4/L5
151 Boulevard de l'Hôpital, 75013 Paris.
Métro : Place d'Italie (lignes 6 & 7) ou Campo Fermio (ligne 5).

Notre présentation débutera après la présentation de Marty Roesch, créateur de Snort et fondateur de Sourcefire, qui aura pour sujet Snort 3.x, la prochaine version de cet IDS.

L'objectif que nous recherchons à travers notre présentation est de sensibiliser le public du groupe SUR aux frameworks d'exploit et en particulier à Metasploit, démonstration à l'appui. Le sujet est abordé sous l'angle de l'administrateur sécurité désireux de tester la sécurité du S.I. sous sa responsabilité.

Les slides de la présentation seront mis à disposition après la réunion sur http://saad.docisland.org/docs/.

Je vous rappelle que la participation aux réunions de l'OSSIR est libre et gratuite.

Le numéro 28 de MISC, un magazine français dédié à la sécurité informatique, est paru il y a quelques jours de cela. Il est habituellement vendu en kiosque en France, Belgique, Maroc et certainement d'autres pays francophones. Et depuis quelques mois, il y a même une édition en Allemand.

Ce numéro contient deux fiches pratiques que j'ai écrites. La première fiche pratique traite les jails sous FreeBSD. La seconde traite des Zones de Solaris 10. Ces deux fonctionnalités sécurité sont très intéressantes pour le cloisonnement d'applications. J'avais déjà effectué une présentation des jails dans le cadre du groupe SUR de l'OSSIR.

Si vous avez l'occasion de lire ces deux articles, je serais intéressé par vos commentaires (constructifs bien entendu).

Federico Biancuzzi interviewed Ivan Ristic, ModSecurity developer and author of the Apache Security book (check the review from Richard Bejtlich), a few days ago about the new 2.0 version of this interesting OSS WAF (Web Application Firewall. buzzwords keep flowing these days). It runs as an Apache module and protects your web applications according to policies that you specify.

Version 2.0 is a complete rewrite of the code base and while it is still available today only as an Apache module, it's been rewritten with portability in mind and Ivan is hoping to release a IIS compatible version in the not too distant future.

The new version also looks very interesting on the functionality side. Among the major improvements on this side, here is what took my attention (excerpt from the interview):

• Transaction variables. This can be used to store pieces of data, create a transaction anomaly score, and so on.
  
• Data persistence (can be configured any way you want although most people will want to use this feature to track IP addresses, application sessions, and application users).
  
• Support for anomaly scoring and basic event correlation (counters can be automatically decreased over time; variables can be expired).
  
• Support for web applications and session IDs.
  
• Regular Expression back-references (allows one to create custom variables using transaction content).
  

Even better (depends on whom is using the product): a GUI is available (it doesn't look like OSS though).

Read the full transcript for more details. I plan to test it as soon as I can. If you already did, let me know what you think.

portsnap is one of the most interesting tools of FreeBSD dealing with the ports collection. portsnap, developed by Colin Percival, the current FreeBSD Security Officer, allows you to initially fetch a ports tree for your system and keep it updated. For those who don't need CVS logs or don't want to deal with cvsup and the other ports/src tree fetching methods, portsnap is an ideal solution that connects to web servers for its operation and has an extremely simple syntax that is very clearly outlined in the manpage.

However, you may need to use portsnap through a proxy that requires basic authentication. To do this, you have to define two environment variables: HTTP_PROXY and HTTP_PROXY_AUTH.


$ echo $SHELL
/usr/local/bin/zsh
$ sudo export HTTP_PROXY=http://proxyip:proxyport/
$ sudo export HTTP_PROXY_AUTH=basic:*:username:password


Some readers might be used to the more "traditional" way of specifying authentication credentials right into HTTP_PROXY:

$ sudo export HTTP_PROXY=http://username:password@proxyip:proxyport/


Sadly, this doesn't work with portsnap even though it is valid according to fetch(3).

Another case of "security" that is getting us nowhere as reported by The Internet Storm Center:

Kaspersky's blog, always a great read, is reporting that there are some "epidemic level" MSN-Worms [...] that "spread using links to .PIF files.". They go on to say;

"But some of you might remember that Microsoft blocked messages containing ".pif"?

Yes they have, but... the MS block is case sensitive!

So the criminals used capital letters, ".PIF" and the network filters let the message flow right through. Other variations like .Pif, .pIf, and so on also work.".

Hopefully, that was easy to fix (taken today from Kaspersky's blog):

Microsoft has fixed the .PIF 'vulnerabilty' in their MSN network filters as described in the previous blogpost.

So that's one less thing to worry about.

One's left to wonder how did such a trivia thing slipped under the Microsoft security radar...

Excellent video about Trusted Computing. Check it out!

J'ai présenté la solution de sécurité et de virtualisation (enfin, presque) jail lors de la réunion du groupe SUR du 11.04.2006. Les slides de cette présentation sont disponibles au format PDF à l'adresse http://saad.docisland.org/docs/files/sur20060411-jail.pdf.

Si vous avez des questions ou des commentaires, n'hésitez pas à m'en faire part par courriel : saad at docisland dot org.

eWeek has a very interesting article on what Microsoft thinks of malware and what shall its customers do in case of infection. Let's get down to the conclusion: once you get infected, Microsoft thinks that it becomes impossible to recover. So they are advising their customers to investigate in automated processes to wipe the hard drives of the infected machines and reinstall everything.

Sound advice but how to exclude the infection vector from the reinstallation process while keeping the operating system and the applications running smoothly? Or do we just reinstall and protect our machines with Holy Water(tm) until the Patch Day if there is a patch in the first place then wait at least 15 days to check that the patch doesn't break business before deploying it?

Oh you said user education? Good, let's see how the average user will cope with stuff such as ActiveX controls, Browser Helper Objects, DCOM and such. Don't get me wrong. User education is very important but it ain't no magic bullet, particularly if the system and applications they are using are screwed. For instance, what do we teach to users regarding the latest Internet Explorer 0day? We tell them once more to stop using Internet Explorer and use FireFox? C'mon! Think about it. Will we end up with a huge list of "applications : alternatives" couples and switch to this or that whenever a vulnerability shows up? Don't you think something smells really really bad here?

According to eWeek, Mike Danseglio, program manager in the Security Solutions group at Microsoft said:

"Detection is difficult, and remediation is often impossible," Danseglio declared. "If it doesn't crash your system or cause your system to freeze, how do you know it's there? The answer is you just don't know. Lots of times, you never see the infection occur in real time, and you don't see the malware lingering or running in the background."

100% true. So what does Microsoft do about it? Is this an externality to them? Does it impact in any way shareholder's value?

And about targeted attacks:

Danseglio said malicious hackers are conducting targeted attacks that are "stealthy and effective" and warned that the for-profit motive is much more serious than even the destructive network worms of the past.

So much for penetrate&patch.

But the software is not the only one to blame here:

"Social engineering is a very, very effective technique. We have statistics that show significant infection rates for the social engineering malware. Phishing is a major problem because there really is no patch for human stupidity," he said.

So far, so bad. Microsoft won't do anything really significant about it as long as this doesn't significantly impact shareholder's value. Every advice M. Danseglio gave incurs investments from the customers. No news, it's an externality for Microsoft.

Pre-orders of CD sets of the next version of OpenBSD, 3.9, are now open. OpenBSD 3.9 will be released in May 1, 2006. The CD sets will be shipped around this date.

If you want to support the OpenBSD project, please pre-order the CD sets. The money we get from the CD sales allow us to further develop the operating system and the associated projects such as OpenSSH, OpenNTPD, and OpenBGPD.

European users can order directly from Wim, a fellow OpenBSD developer located in Belgium. Other users should use the International site.

According to ZDNet, a Swedish man set up a challenge inviting people to hack a Mac Mini. The challenge was over shortly after since someone succesfully gained root access to the machine and he did so, the report said, in 30 minutes.

If I stop here without giving you real meat to chew on, you'd end up thinking that Mac OS X is not secure and you'll be ill-witted to use this operating system for hosting your valuable data. But MacWorld gave a few more, very interesting details:

Anyone that wanted to hack the machine was given access to the machine through a local account (which could be accessed via SSH), so the Mac mini wasn’t hacked from outside — root access was actually gained from a local user account.


Aha! That's interesting. Anyone working in the I.T. Security field knows that, most of the time, when someone gain local access it's game over. Local exploits are often much more powerful and deadly than remote ones. That's why we have layered network security, security by default, and such. It's like giving access to as many strangers as possible to a besieged castle without knowing if they are enemies or foes. If only one stranger heads for the king's lair (which might not be that secret) and slays the poor man, what good would do your 2-mile thick walls, 250.000 soldiers, and all the other _external_ security measures you have put in place? If I were the stranger who slew the king, first thing I'd do is behead the security officer of the castle.

Mac OS X has reasonable protections against outsiders. But when you punch holes through these protections and let outsiders become insiders, what do you expect? How many operating systems are there that will do better?

I think the challenge was a very stupid move to attract attention. But it spreads FUD (Fear, Uncertainty and Doubt) as a side, maybe wanted, effect.

I finally took the time to install the latest release of Solaris Express (02/06, build 31a) for testing purposes. My U10 not being exactly a speedrunner, I installed only Core System Support. That's about 869MB according to the Solaris installer; the Entire Distribution is 5438MB.

The installation went smoothly. And upon login, here is what I can see:

Sun Microsystems Inc. SunOS 5.11 snv_31 October 2007

Warning Will Robinson! Danger ahead! This made me check the clock thrice using independant sources. It appears that Sun Microsystems is way ahead of the competition. Besides DTrace, containers, self-healing and other technologies, it successfully integrated Future Jump(tm) to the latest release of Solaris. What an achievement!

OK, let's see how Future Jump(tm) works by trying to read a file:

# id
uid=0(root) gid=0(root)
# cd /etc
# ls -l ftp*
total 14
-rw-r--r-- 1 root sys 1518 Jan 3 10:01 ftpaccess
-rw-r--r-- 1 root sys 946 Jan 3 10:01 ftpconversions
-rw-r--r-- 1 root sys 104 Jan 3 10:01 ftpgroups
-rw-r--r-- 1 root sys 108 Jan 3 10:01 ftphosts
-rw-r--r-- 1 root sys 114 Jan 3 10:01 ftpservers
-rw-r--r-- 1 root sys 198 Jan 3 10:01 ftpusers

Good! Let's read ftpusers:

# more ftpusers
ftpusers: No such file or directory

Future Jump(tm) prevents root (the almighty root!) from reading /etc/ftpusers which according to ls exists and contains 198 bytes of data. But Future Jump(tm) sees through the future and it knows that this file won't exist anymore starting from October 2007. So why bother reading a file that won't exist anymore in a year and a half? Maybe because the Good Guys at Sun engineering didn't bother integrating an SSH service out of the box in Core System Support so we have to stick to ol' daddy ftpd and that we would like to do so as root?

Le numéro de Mars 2006 de PC Expert, un magazine informatique français, contient un dossier fourni sur les virus.

Philippe Roure, co-auteur du dossier m'a consulté sur un certain nombre de sujets et notamment les IDS/IPS, les débordements de tampon et de tas, la qualité des logiciels, et la rétroconception binaire utilisée pour créer très rapidement des exploits à partir de correctifs de vulnérabilité. Je suis cité à deux reprises pages 56 et 57.

Ceci est ma deuxième contribution auprès de ce magazine.

After 6 hours of excellent sleep, I woke up to the World with the joyful and playful tone of Thierry Deval's children. These little guys are affable. Thierry's daughter reminds me a lot of my own.

After a good breakfast, we drove to ULB (Université Libre de Bruxelles) where the FOSDEM is held and we arrived around 12:15PM. Too late to see Xavier Santolaria who left for his hockey game 15 minutes earlier. So no shot of the pimp coder of fuxor.pl this year (no it's not in the OpenBSD tree, If it was, cvs.openbsd.org would have been subject to erratic network disruptions).

For those of you who have been to France but not to Belgium, note that pain au chocolat is called couque there. And for all the time I've been going to Belgium, couques taste slightly better. They might have either good baking schools, some unnamed chemical component added to the food or both. Whatever it is, I really like this kind of food.


Anyways, Sunday was far more productive than Saturday or so it seems. We had many visitors but we could cope with them while keeping working. Maybe it's due to the excellent stability of the Internet connection. Wim showed up some Soekris boxes as well as some prototypes that needed some hardware hacking (with a saw) to assemble correctly. And Reyk Flöter gave a talk on OpenBSD and WLANs. He mentioned the problems our FreeBSD neighbors had with their Atheros-based AP. He didn't understand why they didn't import his fixes into their tree.

Then it was about time to leave. Matthieu Herrb and Marc Balmer left earlier. Uwe Stühler, Reyk, Alexandre Anriot and me followed an hour or so later. We left the booth in the good hands of Wim and Nikolay Sturm.

I've taken close-ups of the developers and the finger^Whardware hacking skills of Wim.

Overall, it was nice to hang on with the gang and talk with the visitors, some of whom are FOSDEM regulars. Once more, I didn't have the motivation to go to the talks I hoped to see. So next year, I won't get a look at the schedule. That'll spare me some useless key pressing to fill my calendar.

Updated to add:
It seems I have a bit wrong on the couque side. According to Xavier Santolaria:

xsa: btw saad, "couques" != "pain au chocolat", "couques" is a generic meaning for such stuffs, coz you can have "couque a la creme", or "couque au raisin", etc... so it'd be "couque au chocolat" ;)

Thanks Xavier!

The OpenBSD booth ran smoothly this afternoon with numerous people coming to see us and all our posters were gone.

We had less technical questions than last year. One guy was having a bad time with his PF configuration. IIRC, he told us that he needed to open a port X on the firewall to be able to forward port X to port Y of a machine behind it. Uwe and Marc helped him with his ruleset and showed him that he was wrong. From that point, they parsed the ruleset in more details and gave him some optimization and security advices.

I also had about the same questions I had every year or so:

• What's the differences among Net, Free and OpenBSD?
  
• How do I install third-party applications under OpenBSD?
  
• Does Net, Free and OpenBSD use the same kernel?
  
• What optimizations are used in the Linux kernel used by OpenBSD? (*new entry*)
  

The Internet connection, while it kept coming and going from time to time, was far better than this morning. Thanks to Reyk and a Soekris, we had a stable wireless AP unlike the (censored) one. As a result, some slackers morphed into hackers and got some work done.

My initial plan was to attend the DTrace and Xen talks but I enjoyed the company of my fellow developers and didn't attend.

Later in the afternoon, we cleaned the booth and took the cars to go take the traditional OpenBSD dinner somewhere in the outskirts of Brussels.

We had a nice time together and the meal was good. Too bad the waitress forgot some of the orders and gave Wim chicken instead of the seafood he ordered. No worries, beer helped the mood.

I've uploaded today's remaining pictures. You might find them with the other FOSDEM 2006 pictures.

Everything went smoothly after our arrival to Brussels Midi. Well almost. At 12:30PM, there is still no stable Internet connection. Let's face it: the FOSDEM staff haven't learned anything from the previous years.

Every year, we hope we'll have an Internet connection upon our arrival. Every year we grow frustrated. Hell! This is an Open Source and free software meeting and all the projects here rely heavily on the Internet to get things done. And yet, it didn't sink in with the FOSDEM staff. Even after all these years. It's simply beyond my understanding.

On the OpenBSD booth front, there a few developers: Reyk Flöter, Uwe Stühler, Nikolay Sturm, Thierry Deval, Matthieu Herrb (who disappeared soon after we arrived), Marc Balmer, Alexandre Anriot, Xavier Santolaria (who went to play hockey for the afternoon), Otto Moerbeek, and -of course- Wim. Dimitar, our official beer supplier, also showed up for a few minutes.


I've taken pictures and I will upload them as soon as I get .... a stable Internet connection.

I've been attending FOSDEM since 2001 and this year is no exception. Fellow OpenBSD developer Alexandre Anriot (who, besides nifty chop-socky porting skills, helps me a lot on the translation effort) arrived yesterday night.


We woke up early this morning to take the Thalys train to Brussels Midi railway station where Xavier Santolaria will pick us up and give us a ride along with Nikolay Sturm, Matthieu Herrb and Marc Balmer to ULB (Université Libre de Bruxelles) where FOSDEM is held. We will join the OpenBSD crowd there.

I sincerly hope hat we will have a better booth space than last year (we had two tables in front of drink machines so people were always going back and forth and it was really annoying).

Looking at the FOSDEM schedule, there a some talks that look interesting which I would like to attend. I hope I won't slack too much on the OpenBSD booth and go learn something useful thay I may share with you.

Yesterday night I was performing maintenance on wax, a multi-purpose machine I use for development, file serving, backup and routing for the rest of my home network. wax is a Dell Dimension 4550 machine that runs OpenBSD and has something like 600GB worth of disk. The maintenance consisted of upgrading the OS version and updating most of the applications I use through the OpenBSD ports collection.

The upgrade went very well and I started building the latest versions of my favorite applications from the ports collection. During the build process, I was enjoying some great music on my PowerBook and reading the latest issue of MacWorld in electronic form. You could say I was relaxed and confident that I was going to get to bed (soon) in a happy mood.

Sadly, Mr. Murphy, the most dreaded man on Earth, thought otherwise. He and his Law decided to pay me a visit.

I started to smell a nasty odor. Fried electronics! Oh, no! Using the Nose(tm), I began tracking it down. Is it coming from my PowerBook? From the cable modem? From the KVM switch? ... S***, it's wax's fan! It doesn't work anymore!!!

In a big hurry, fearing the loss of more than a fan I stopped all the builds and halted the machine. Once I untangled and yanked all the cables, I opened the box to assess the damage. I was relieved to see that there was no other problem. The trouble now consists of finding a similar fan since the Dell box's warranty has expired 3 months ago. I wrote Dell an email hoping that they sell spare parts. If you sell (or know someone who sells) a JMC Datech 92x92x32 (12V, 0.85A, 83.1 CFM) fan or a similar one, please send me an email even if it's used or refurbished.

I thought I was done with Mr. Murphy for the night. So I started cleaning up my desk and preparing my backpack for tomorrow's ride to work. But Mr. Murphy is an insidious man who enjoys hospitality. The fan of kaboo, a Dell Dimension 8400 workstation, started to make weird noises. Please Mr. Murphy, don't tell me that a second fan is going to pass away.

I repeated the previous procedure: untangle cables, yank them, shut down and open the box. Phew, the fan seems to be OK. The noise is due to two damaged rubber clips that no longer hold the fan. As a result, when the fan is rotating it hits from time to time the plastic enclosure. kaboo is still covered by warranty so no worries!

Lessons learned:

• Mr. Murphy is as strong as ever (did I tell you that last week my iPod Photo ceased to work so I had to call AppleCare to the rescue?).
  
• If you have important data, back it up now and make sure you do it regularly and you have properly documented the backup procedure. Better be safe than sorry!
  
• The server that hosts the important data must be covered by a strong warrranty. In my 5y+ experience with Dell, their warranty and support are very good.
  
• What do you do when your backup server dies and Mr. Murphy decides to stay, lurking inside your dear workstation or laptop that holds all your electronic life?
  

Who said I.T. is fun?

J'ai effectué deux présentations lors de la réunion du groupe SUR du 10.01.2006 :

• Faille WMF : cette présentation a porté principalement sur la première faille WMF découverte dans le moteur GDI de Windows le 27.12.2005 dernier, avec quelques informations sur la nouvelle faille WMF découverte le 09.01.2006. Les slides de cette présentation sont disponibles au format PDF à l'adresse http://saad.docisland.org/docs/files/sur20060110-faille_wmf.pdf.
• Multiplexage sous OpenSSH : cette présentation a porté sur la fonction de multiplexage disponible dans OpenSSH depuis la version 3.9 et nettement améliorée et stabilisée par les versions récentes. Les slides de cette présentation sont disponibles au format PDF à l'adresse http://saad.docisland.org/docs/files/sur20060110-mux_openssh.pdf.

Si vous avez des questions ou des commentaires, n'hésitez pas à m'en faire part par courriel : saad at docisland dot org.

Une nouvelle vulnérabilité WMF a été découverte dans le moteur d'affichage GDI de Windows. Techniquement, ce sont en fait deux vulnérabilités dans les fonctions ExtCodeRegion et ExtEscape
de gdi32.dll.

Ces deux vulnérabilités causent une corruption de mémoire au niveau des applications utilisatrices du format d'images WMF. Un code d'exploitation de type Proof-of-Concept a été publié. Ce code exploite cette vulnérabilité pour causer un déni de service. D'après SecurityFocus et l'ISC, une exécution de code arbitraire n'est pas loin même si Microsoft ne voit que des problèmes de performances dans cette vulnérabilité.

Espérons que Microsoft ait raison.

Microsoft a finalement sorti un correctif pour la faille critique WMF 5 jours avant la date prévue. F-Secure pense que les tests du Microsoft se sont achevés plus tôt que prévu. Pour ma part, je dirais que la menace est si grande et la pression de leurs gros clients si importante qu'ils se sont décidés à réagir. Tant mieux !

Au passage, notez que Microsoft ne préconisait pas le correctif non officiel fourni par Ilfak Guilfanov et étrangement, leur correctif est fonctionnellement identique à celui d'Ilfak.

L'Internet Storm Center fournit des instructions détaillées (en Anglais) pour installer proprement ce correctif, surtout si vous avez installé le correctif non officiel d'Ilfak Guilfanov.

Vu l'importance et la criticité de la faille WMF des systèmes d'exploitation Windows, l'ISC (Internet Storm Center) a écrit une très bonne FAQ à ce sujet.

J'ai traduit cette FAQ en Français. Vous pourrez la lire à l'adresse suivante :

http://www.docisland.org/~saad/ISC_wmf_faq_fr.html


Le problème est très sérieux. N'attendez pas pour agir.

Votre entreprise a décidé de sauter le pas technologique et a cédé au FUD (Fear, Uncertainty and Doubt) savamment distillé par les vendeurs de solutions biométriques sur l'insuffisance des moyens d'authentification classiques. Passons sur la différence entre authentification et identification pour rester concentrés sur les solutions biométriques à base d'empreintes digitales qui vont nous sauver des méchants pirates.

Pour s'assurer que c'est bien vous et pas Joe Hacker qui cherche à accéder au système d'information, ces solutions vous demandent de poser un de vos doigts sur un capteur qui va "traiter" votre empreinte et la comparer, directement ou indirectement, au résultat de traitement stockée dans une base.

Seulement Joe Hacker, malin comme il est, va essayer de voler ce qui est stocké dans la base et le soumettre par un biais détourné histoire de voler votre identité à l'insu de votre plein gré. Mais pas d'inquiétude ! IBM aurait pensé à vous selon Technology Review. Ils ont développé un logiciel qui applique des transformations au résultat de traitement et lorsque la base des empreintes est compromise, il suffira d'appliquer une nouvelle transformation dont Joe Hacker n'aura pas connaissance. La commercialisation n'est pas prévue pour tout de suite. Mais bon, il y a des choses qui me choquent.

Ecartons les problèmes de détection de la compromission (la fameuse piste d'audit, je me demande qui la suit). Ecartons aussi les problèmes de déploiement (j'ai 10.000 employés et 20.000 capteurs, je fais comment pour propager de manière sécurisée la nouvelle transformation et sous quel délai ?). Vous ne trouvez pas qu'IBM pense que Joe Hacker est bien bête ? Qu'est-ce qui l'empêcherait de voler votre empreinte digitale à la source en en faisant une copie : papier transparent sur le capteur que vous utilisez, spray pour "réveiller" votre empreinte laissée sur le capteur après votre passage, relevé d'empreinte sur le disque dur externe "plein de bonnes choses" qu'il vous a passé hier .... Tout ça est possible car ce n'est pas votre empreinte qui est stockée dans la base mais le résultat d'un traitement correspondant à votre empreinte. Et qui dit traitement dit perte d'informations.

Ah, attendez ... vous utilisez Microsoft Windows n'est-ce pas ? Joe Hacker n'a même pas besoin de copier votre empreinte digitale. Il vous a posé un sympathique et discret cheval de troie en utilisant des vulnérabilités facilement exploitables (telles que celle concernant l'interprétation des fichiers au format WMF) de votre système pour "entreprises" qui lui permet d'avoir accès aux informations dont il a besoin une fois que vous vous êtes identifiés. Dommage pour la solution innovante de biométrie qui a coûté bonbon. C'est pas grave, l'essentiel c'est de se croire protégé n'est-ce pas ?

Des jours, de plus en plus fréquents d'ailleurs, on se demande sincèrement où on va...

Sony includes malicious software in Get Right with the man, the latest Van Zant album, to prevent you from copying the CD but also cloaks itself and would crash your Windows system if you try to remove it.

After complaints, Sony released a "patch" to fix the issue. However, the patch just makes things worse. Bruce Schneier, a renowned security expert, made an entry in his blog about this subject. He has links to excellent information on the issue at hand. A recommended read.

This is sad and it erodes what little confidence I still have in companies such as Sony. It looks like they are spreading their rootkit to other records as well, such as the latest album from Chris Botti (look at the Amazon users' comments).

And that's why I keep advising getting your music from eMusic and other serious companies that have no DRM or any other stupid protection mechanism.

Sun has made available (for free) the Sun Update Connection software to help system administrators keep their Solaris 10 systems up-to-date.

I consider Sun Update Connection from the point of view of a system administrator that needs to apply patches to a server with no graphical environment. That means I will only show how to use Sun Update Connection using the CLI (Command-Line Interface). This method makes usage of a subset of Sun Update Connection known as Sun Update Manager. This tiny guide is not intended to replace the official instructions from Sun but rather supplements them. I found them confusing at times so if you need a quick start for using Sun Update Connection, read on. You can later on read the full instructions on Sun's website.

Sun Update Connection is not integrated by default with Solaris 10 but according to C|Net News.com, this should be fixed in the next global update to Solaris 10, expected by the end of this year. You will need to download and install it separately. The installations instructions are rather clear and the installation is pretty much straightforward.

Once the installation is over, you will need to register your machine with Sun to be able to use Sun Update Connection, using your Sun Online Account (free registration). It should be noted that if you don't have a valid Sun Service Plan, you may only download security fixes and hardware drivers.

To register a system, you need to create a registration profile file. This file contains the data necessary to process your system's registration with Sun as shown by the following example:

userName=ichigo
password=shinigami
hostName=hollow
subscriptionKey=
portalEnabled=false
proxyHostName=
proxyPort=
proxyUserName=
proxyPassword=

This will register the system which hostname is hollow using the Sun Online Account ichigo which password is shinigami. This user has no Sun Service Plan so the subscriptionKey parameter is left empty. If you are going to register your system using a proxy, you will need to fill the 4 last parameters in the above example.

The registration profile must be owned by root and its permissions set to 0400 or 0600. This file must be fed to the sconadm command as shown below:

# /usr/sbin/sconadm register -a -r /tmp/registrationprofile.properties

For more details about the registration process, read the Registration Guide.

Once registered, you will be able to analyze your system, retrieve a list of updates and apply them automatically using the smpatch command:

# smpatch analyze
# smpatch update
For more information about the smpatch command, please refer to the manual page available upon Sun Update Connection installation.

Sun Update Connection 1.0.1, the latest version available as of this writing, has a few limitations/quirks:

• It is incompatible with containers, a major feature of Solaris 10. I hope this limitation will cease to exist in future versions since containers (also known as zones) are essential for system administrators who want to make good use of their hardware capabilities and optimize system usage from a performance and security standpoints.
• You can't install patches requiring interactivity.
• the analysis step performed by smpatch doesn't seem to be working correctly. It will keep displaying a list of updates even if they are not applicable to your configuration. To reproduce this issue, try to analyze, update then analyze once more using smpatch. A feature or a bug?

The New York Times has published a very interesting article (- free - registration required) about people called Life Hackers studying how one can get all of the benefits from interruptions in the workplace - interruptions being often important and needed - without their downsides.

The studies have found some interesting facts. For example, once you are interrupted it takes 25 minutes to switch back to the original task at hand. The studies, which are far from complete, also shows how computer display size might play a central role in productivity increase.

The article also gives some good hints (that are surprisingly lo-tech!) about how to manage interruptions.

Le projet OpenBSD, auquel je participe depuis 5 ans, fêtait hier ses 10 ans. Le processus de développement adopté par le projet est plus évolutionnaire que révolutionnaire. Mais que de révolutions en sécurité informatique durant ces 10 ans d'existence !

La version 3.8, prévue le 1er Novembre prochain, continue la lignée d'évolutions/révolutions sécurité et qualité.

Bon anniversaire OpenBSD, et longue vie !

Sorry, the saner part of me didn't take control for long. Just after I finished brushing my teeth and preparing to go to bed, the insidious Geek Inside took over and drove me to the xterm. So did the installation finished during these few minutes?

Oct 13 02:16:46 rope reboot: rebooted by root
Oct 13 02:16:47 rope syslogd: going down on signal 15
syncing file systems... done
rebooting...
Resetting ...


Sun Ultra 5/10 UPA/PCI (UltraSPARC-IIi 440MHz), No Keyboard
OpenBoot 3.27, 512 MB (50 ns) memory installed, Serial #12935339.
Ethernet address 8:0:20:c5:60:ab, Host ID: 80c560ab.



Rebooting with command: boot
Boot device: /pci@1f,0/pci@1,1/ide@3/disk@0,0:a File and args:
SunOS Release 5.10 Version Generic 64-bit
Copyright 1983-2005 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
Configuring devices.
Hostname: rope
WARNING: /pci@1f,0/pci@1,1/ide@3/dad@2,0 (dad0):
corrupt label - wrong magic number

Loading smf(5) service descriptions: 2/2
checking ufs filesystems
/dev/rdsk/c0t0d0s5: is logging.
/dev/rdsk/c0t0d0s7: is logging.

rope console login:

Great! It works! And the corrupt label error is insignificant since I didn't format my second drive (dad@2,0).

So before R.E.A.L.L.Y. going to bed, here are the lessons I learned tonight :

1. You can use any pen to write on any book (so-called low-tech). If you can't make it by yourself, think CD-R brands, burning speeds, and CD-ROM readers (particularly LG ones).
2. Depending on your needs, some operating systems are easier to install than others. OpenBSD can be installed on sparc64 very quickly. Other sparc64 open source operating systems such as Debian can also be installed much quicker than Solaris 10 that took me more than 5 hours and 4 total attempts to install (not all due to Solaris 10 to be honest). I repeat: it depends on your needs and what you are looking for out-of-the-box.
3. Use fresh or low-level formatted disks whenever possible.
4. Check the media. Check the media. Check the media.
5. There should be a way to see what media works with which drive. Looking for ideas? See 1.
6. Staying awake at insane hours become more difficult as I'm getting older. I agree, it doesn't take a rocket scientist to figure this one out.

Night everyone.

The time has come for me to get serious about testing and getting acquainted with the new release of Sun's operating system: Solaris 10. As a security consultant who he is also fond of Unix-like and Linux systems, I need to use this operating system for two main reasons:

1. See how different it is from Solaris 8, the latest release of Solaris I've been using from both a security perspective and an administration one. I am curious to see how nice or bad the new features of Solaris 10 are (DTrace, zones, and SMF mainly).
2. Try to harden it reasonably.

To install Solaris 10, I either need a sparc64 or an amd64 supported box. Budget being what it is, I don't have the financial resources to buy a brand new machine just for the sake of playing with an operating system. I don't have any personal need to put it in production. My current FreeBSD, OpenBSD and Mac OS X systems already fit the bill very nicely. I just want to update my skill set and see how secure I can make Solaris be. Wait a minute! What's collecting dust under one of the desks? Oh! that's the venerable rope (as in "rope to hang yourself with, anytime, anywhere!").

rope is an Ultra 10 equipped with an UltraSPARC II-i 440Mhz, 512MB of RAM, 2 IDE harddrives (30Go and 80Go) and a PCI SCSI adapter. It served me well during many months as a DNS, file and backup server under OpenBSD. It was retired after I bought a Dell server with much more disk space (which is of course running OpenBSD). But can it be loaded with Solaris 10? Well, according to the documentation I read, no problem! So let's try.

After connecting a serial cable, a network cable, and the power cable, I inserted the Solaris 10 disc 1 in the CD-ROM drive and here you go: boot cdrom in the OpenBoot Prompt. Damn, it doesn't work. the cdrom alias is not mapped correctly (I installed OpenBSD on it from the network without ever using the CD-ROM drive). I summon nvalias for help and there you go! Enter Solaris 10 installation.

As you may know, Ultra 10 is far from being a work horse. Even during its time (it was released in '97 or '98 IIRC), and due to its IDE bus (among other things), it was not considered a fast machine. Time to go fetch a coffee...

When I came back I was welcomed with Solaris 10 asking me what language do I want for installation, what kind of terminal I have, what type of installation I 'd like to perform, network data etc. etc. It is pretty much the same as the Solaris 8 installer. For this first attempt, I got as far as the point where it starts loading the installation media (just before the file system layout). And it hanged there, timing out on the CD-ROM drive (which was working perfectly just a few moments ago). Did rope collect too much dust? Time for cleaning and checking everything.

Armed with my B&D electrical screwdriver, an invertible air duster and a contact cleaner and lubricant, I opened the box, cleaned it and checked every single cable I could lay my hand on, particularly the IDE and power cables. I also removed extra cards I don't need at the moment (the PCI SCSI and modem cards).

Time for a second attempt. But, for extra security, I used the probe-ide OBP command which worked just fine. Great! then let's boot cdrom. For this second attempt, it stopped exactly at the same point. Can't be the cables, so it must be either the lame LG CD-ROM drive that comes by default with Ultra 10s, the installation media I burned from the official Sun ISO or a combination of it. After much investigation (the night starts stretching a little bit beyond my initial estimates), it was clear that the LG CD-ROM doesn't play well with Verbatim CD-Rs burned at 48x speed.

So I decided to try with another media and burning at a slow speed. Third attempt. Great! the LG CD-ROM drive seems to play fine with this new media. It'd have been great to include some media checking utility like the one included with some Linux distros or am I asking too much? Right, Solaris seasoned administrators use Jumpstart. But hey, AFAIK you need another Solaris box for that. Can't avoid my LG darling. For this third attempt, I got past the "loading installation media" sequence and reached the filesystem layout part. After telling the installer that I don't want to preserve any existing data on my disks, it asked me to choose one of my two harddrives to host Solaris 10. So c0t0d0s0 or c0t2d0s0? Wait a sec, wait a sec...either my coffee was not too strong or it was way too strong. Solaris only sees 8GB of space on each! Hey, these harddrives are 30GB and 80GB. Oh no! Don't tell me that you have the stupid 8GB limitation with IDE disks. I thought this belonged to the long-forgotten Solaris 2.6 time. Time for some investigation (good night honey, can't come to bed at the moment. Gotta have a word with this Solaris guy).

Given that the disks were labeled using OpenBSD and that both operating systems use a BSD-style layout (overlap and such), I need to zero out the disk labels before going any further. Sigh. Is this a modern operating system we are talking about? Or my Ultra 10 is just too old? The best way I could do that (at least at this time of night where my brain is kind of slow after a busy working day) is to boot from an OpenBSD installation CD-ROM, escape to the shell and use dd and /dev/zero on the overlaps. As almost everything with OpenBSD, it works just fine.

Fourth attempt. Got past the layout. We are making progress here. The installer sees the real capacity of my harddrives. CD 1 finished. Asking for CD 2. Installation in progress. Hope in the horizon.... I might go to bed soonish. Oops! I should have kept my brain shut :

Oct 13 00:34:14 rope scsi: Sense Key: Media Error
Oct 13 00:34:14 rope scsi: ASC: 0x11 (L-EC uncorrectable error), ASCQ: 0x5, FRU: 0x0
Oct 13 00:34:21 rope scsi: WARNING: /pci@1f,0/pci@1,1/ide@3/sd@3,0 (sd1):
Oct 13 00:34:21 rope Error for Command: read(10) Error Level: Retryable
Oct 13 00:34:21 rope scsi: Requested Block: 321510 Error Block: 321510
Oct 13 00:34:21 rope scsi: Vendor: LG Serial Number:
Oct 13 00:34:21 rope scsi: Sense Key: Media Error
Oct 13 00:34:21 rope scsi: ASC: 0x11 (L-EC uncorrectable error), ASCQ: 0x5, FRU: 0x0
[....]

Are you kidding me? OK. I am fed up with this. Guess what's the first thing I will do in the next few days before my fifth attempt? Throw away that stupid LG CD-ROM drive and put a real CD-ROM drive in this box.

And if Sun people are reading this, how about a media checker or advice on what brand to use and speed for burning your ISOs to make them work with your legacy machines? Oh right, no business incentive to do that. You are not as nuts as the OpenBSD people to support old cruft.

Off to bed, hopefully not having bad dreams starring Solaris 10 and Sun hardware. Oh wait! I just got a look at my xterm to shutdown the box properly (a BREAK and a power-off are your friends) and what do I see ? Can't describe it :

Please specify the media from which you will install Solaris 10 Software 3 for
SPARC Platforms.

Did the LG drive "sensed" my anger? Good! Maybe no fifth attempt after all. Let's load CD 3. Instead of starring blankly at the progress bar showing slow progress (well you could do that if you are really bored. I'm not), I decided to update my Mac OS X with the latest updates after Apple's last announcement. iTunes 6 after releasing iTunes 5 only one month ago and important bugfixes for QuickTime. Well, where our Solaris 10 fourth attempt is heading?

Please specify the media from which you will install Solaris 10 Software 4 for
SPARC Platforms.

Yes!, that's 4. Here goes the dreaded (regress) progress bar again. Damn, my cable broadband connection just went down in the middle of the updates for my Mac OS X. My first name, Saad, means luck in Arabic. No such thing as luck tonight. Time to switch to my backup ADSL connection and restart the update process on the Mac.

Letter to my bed:

My dear bed, I hope you are not angry. I would be more than happy to come and let you show me around through the land of Morpheus but I have a small problem (nothing to worry about, really!) with this Solaris guy. I am not on some tight schedule or something like that but well. he is challenging me! And even though I know I'm gonna be really tired in a few hours (it's 1:28 AM and the progress bar for CD 4 is only at 25% percent and there is still the Companion CD to install) when I will need to go to work, I just want to get over with this.

Sincerly yours (after the Solaris guy gets done with me that is)
Saad

*yawn*. 1:53 AM. CD 4 installation finished. Companion CD installation starting. It contains many pieces of open source software that I might not need such as ProFTPD, Squid, GD, ... But as one of my goals is to test the new Solaris Software Update to keep my system up-to-date, I would also like to see if these additional software is supported as well and the kind of reactivity I can expect from Sun when it comes to plugging security holes contained in these applications.

My sane self is taking over. I am going to crash into my bed and tomorrow in a few hours, when I wake up before going to work I'll check to see if everything went fine.

Le numéro 21 de MISC, un magazine français dédié à la sécurité informatique, vient de paraître. Il est habituellement vendu en kiosque en France, Belgique, Maroc et certainement d'autres pays francophones.

Ce numéro contient un article sur les chantiers d'OpenBSD que j'ai co-écrit avec Guillaume Arcas, consultant indépendant et ami de longue date.

Dans cet article, nous couvrons 4 chantiers du projet OpenBSD : OpenSSH, OpenCVS, OpenNTPD, et PF. Par manque de place et, dans une moindre mesure, de connaissances nous n'avons pas pu couvrir OpenBGPD/OpenOSPFD.

Si vous avez l'occasion de lire cet article, je serais intéressé par vos commentaires (constructifs bien entendu) car c'est ma première tentative dans un magazine à large diffusion comme MISC.

PC Expert, un magazine informatique français, vient de sortir son numéro de septembre dans lequel Philippe Roure évalue 11 distributions Linux et *BSD. Pour élaborer son dossier, il m'a interviewé cet été pour mieux appréhender OpenBSD et savoir à quels besoins il répond le mieux. Et il y a même une petite interview de votre humble serviteur (shameless plug comme ils disent outre-atlantique).

Je viens de lire le dossier et je le trouve très bien réalisé. OpenBSD a eu une note de 5/5. Il en est de même pour NetBSD et Debian. Fedora Core et Red Hat Linux Enterprise ont eu respectivement 2/5 et 3/5 !!! Une note ne veut pas forcément dire grand-chose mais j'apprécie le fait qu'un magazine grand public français s'intéresse finalement à ce système d'exploitation.

Je n'ai pas vu l'article en ligne. Il faut peut-être attendre le mois prochain pour espérer le voir sinon il faut passer chez votre marchand de journaux préféré.

Introduction
With the release of Mac OS X 10.4 (Tiger), Apple introduced a new way of controlling startup daemons using launchd.

Launchd is a daemon/agent manager. To do this, it reads property lists located on system-wide and per-user directories. The property lists are XML files. Too bad for me, I'm quite an old school Unix lover that likes rc.local style plain text files; files that you can find or cook for yourself on every Unix-like operating system whether it's a *BSD or SysV style one. I think XML is an overkill for handling a task as simple as starting/stopping daemons. And don't get me started about a change in the DTD.

What's the solution then to revert to ol' style rc.local? It's simple as creating a property list for launchd to launch an rc.local style script. This rc.local style script will then startup the other daemons such as postfix, dovecot etc.

Speaking about postfix and dovecot, let's use them for our examples below.

Step 1: Create per-daemon scripts
First we start by creating a shell script for each daemon we want to control. For postfix, a script like the following one will do the trick:
$ cat /Data/local/etc/rc.d/postfix
#!/bin/ksh
# $DocIsland: postfix,v 1.1 2005/06/02 20:30:12 saad Exp $
# postfix -- Control Postfix
postfix_cmd="/usr/sbin/postfix"
case $1 in
start)
echo -n "starting postfix ..."
$postfix_cmd start >/dev/null 2>&1 && echo done
;;
stop)
echo -n "stopping postfix ..."
$postfix_cmd stop >/dev/null 2>&1 && echo done
;;
restart)
$0 stop;
$0 start;
;;
*)
echo "usage: $0 (start|stop|restart)"
exit 1
;;
esac
exit 0

For dovecot, we use something like:

$ cat /Data/local/etc/rc.d/dovecot
#!/bin/ksh
# $DocIsland: dovecot,v 1.1 2005/06/02 20:30:12 saad Exp $
# dovecot -- Control Dovecot
dovecot_cmd="/Data/local/sbin/dovecot"
killall_cmd="/usr/bin/killall"
case $1 in
start)
echo -n "starting dovecot ..."
$dovecot_cmd >/dev/null 2>&1 && echo done
;;
stop)
echo -n "stopping dovecot ..."
$killall_cmd dovecot >/dev/null 2>&1 && echo done
;;
restart)
$0 stop;
$0 start;
;;
*)
echo "usage: $0 (start|stop|restart)"
exit 1
;;
esac
exit 0

At this point we have our two scripts in /Data/local/etc/rc.d. Make sure they are executables and that they work by running them before carrying on.

Step 2: Create rc.local
Next we create an rc.local file. Here is an example:

$ cat /Data/local/etc/rc.local
#!/bin/ksh
# $DocIsland: rc.local,v 1.2 2005/06/02 19:36:39 saad Exp $
# rc.local -- Emulate rc.local behavior as found in OpenBSD or other
# BSD systems. This file is called a boot time by Mac OS X's launchd via
# an XML property list located in /System/Library/LaunchDaemons/local.rc.plist
locald="/Data/local/etc/rc.d"
# Start Postfix
if [ -x $locald/postfix ]; then
$locald/postfix start
fi
# Start Dovecot
if [ -x $locald/dovecot ]; then
$locald/dovecot start
fi

Before continuing, verify that you can start postfix and dovecot by running this script.

Step 3: Create the XML property list
Now we want to tell launchd to call the rc.local script we just created at boot time. To do this, we need to create an XML property list. This list, which is in fact a file, is /System/Library/LaunchDaemons/local.rc.plist. /System/Library/LaunchDaemons is a system-wide directory.

The XML property list looks like this:

$ cat /System/Library/LaunchDaemons/local.rc.plist




Label
local.rc
ProgramArguments

/Data/local/etc/rc.local

RunAtLoad




Conclusion
As you can see, we used three simple steps to "revert" back to our old school, nonetheless reliable, way of managing daemons. Besides its reliability, it has the advantage of portability to other systems as well.

For more information about launchd, see the manual pages for launchd(8), launchctl(1), and launchd.plist(5).

Should you have any question/comment about this hack, please send them to saad@docisland.org.

Panic!
Approximately two weeks ago, I had a very difficult time with my PowerBook powered by Mac OS X 10.4 (Tiger). Without getting into specifics that might annoy you at best, the OS crashed and as a result, I was not able to access some files and directories after rebooting. Everytime I tried to do operations on them, I was welcomed with errors such as BAD FILE DESCRIPTOR.

Restore that backup!
Hopefully, I am a rather savvy user who values his data. When I see fit, I back it up using Rsync to a remote Internet server. So all I had to do was to restore the last backup I did as soon as I have an Internet connection. Not so simple, Rsync failed miserably. It was welcomed by the same error messages.

Disk (In)Utility
I was on the road, my home directory which contained the problematic files and directories was protected by FileVault and the only thing I had besides my remote backups was Disk Utility. While the application detected many errors but was not able to repair them. Oh! Didn't I tell you that it takes some wristling to check a Filevault-protected home directory with Disk Utility?

Apple(No)Care That Much
OK, let's not worry much. I have an AppleCare Protection Plan and they gave me a CD with TechTool Deluxe from Micromat. The feature list of this software is impressive. It will sure help me out of this situation and restore my data.

I booted off the CD and it starts munching something for a looooong time. And then the TechTool control GUI finally appeared on the screen and to continue I had to click on a button. But the mouse cursor won't move. I retried not once but thrice to no avail!?!

Any Other Kid In Town?
After much searching, I found Alsoft's DiskWarrior. It was recommended by MacWorld and many users praized this software. At a 70+ USD price tag, it has to be. Anyways, it was midnight and I needed back those "lost" files badly.

I was very nicely surprised by the ease of use and efficiency of DiskWarrior. Not only, it fixed all the errors on my home directory (which is a sparse disk image encrypted in AES since it is FileVault-protected) but it restored all the missing and not accessible files and directories. It runs fast given that my home directory is approx 40 GB.

Lessons Learned: First Aid ToolBox
After reading lots of documentation about the subject, here is a list of essential items you need to have while on the road to recover from data loss.

Mac OS X Install DVD
This will allow you to run Disk Utility on your current disk and repair it. You can always use Disk Utility while your OS is booted (if you can do that) but you won't be able to use it to repair your running, locked, disk.

Alsoft's DiskWarrior CD
The software version I used won't be of much use to run on your current disk drive if this one is locked by the OS. The CD version is bootable.

A pocket-sized external USB2/FireWire hard drive
You can use it as backup for your important data or as a way to offload your disk before fixing it. If you are an AppleCare Protection Plan customer, you need to have your registration number and their phone number.

CD-R(W)s, DVD-/+R(W)s
and such for backup purposes.