Written by Matthew Lye
Wednesday, 03 February 2010 11:33
A Simple Misunderstanding

I read an interesting article recently that was entitled Don't rely on filters, be better parents on ZDNet. The sentiment was a wonderful thing, but so very very wrong. To quote XKCD: "Imagine you are at a parent teacher conference, and the teacher reassures you that he cares about student safety. Which is why he always wears a condom while teaching." Now strictly speaking that is better than the alternative, but something is VERY VERY WRONG.

I use this example for a reason: the filter that has been causing such an uproar does not protect your children from ANYTHING that they were likely to see. The filter only covers material that is refused classification, that is to say the material is effectively illegal in Australia. Putting aside for the moment the evident technical, governmental abuse, and social problems with having a filter, this filter will only stop children from viewing child pornography or bestiality on the internet. That does also assume that you can block every related site on the internet, which is a good goal but unrealistic.

The problem is then that to rely on the filter to protect your children is to open them up to a world of pornography that is not blocked in any way. Examples of excessive violence, rape fantasy, abuse, anorexia and a whole host of other material that, as long as it is not a crime being committed, is legal viewing. Again, relying on a filter as a parenting method is just WRONG. Compare it again to the quote from XKCD and you might see the resemblance.

I'm not saying I don't agree with him in that parents shouldn't rely on filters and should instead focus on awareness and monitoring activities. I'm trying to say he missed the real point: the filter will not help with any of the current issues that parents have with children on the Internet, and that should have been the focus. Just a little something to think about while our politicians seem to have missed the point.

This cannot become a polarised debate; to say that anyone that opposes the filter is a proponent of child pornography is an uninformed, uneducated, and heavily biased opinion based on propaganda and fear mongering. Take a real look at the effect of trying to give the country real broadband access, but at the same time implementing the same system that was the starting point for the Great Firewall of China. Make ISPs responsible for blocking content not approved by the government of a nation, then increase what must be blocked to include anything the current government wishes without public oversight, awareness, or approval.

UPDATE: As a little extra note, even if they can't put through legislation to make it stick, the ACTA negotiations might do it for them. Take a read of this massive mess.
Last Updated on Wednesday, 03 February 2010 11:55

Written by Matthew Lye
Wednesday, 13 January 2010 15:08
Linux.conf.au 2010 Presentation: Developing and Maintaining Linux SOE Environments

A summary of the presentation: An overview of Griffith University's SOE Linux teaching environments and hopefully a guide to how to develop your own.

This talk covers:
- The Griffith environment
- How to configure Networked Home directories
- How to lock down changes to the Gnome GUI
- Managing changes to large environments
- WUBI, what it is, and how it can be useful for Debian based images
- Imaging and deployment issues
Presentation and documentation have been uploaded and can now be downloaded... so go on, hit the button. Download Conference Pack (ZIP)
Last Updated on Tuesday, 19 January 2010 09:20

Written by Matthew Lye
Monday, 30 March 2009 09:21
The purpose of this document is to explain how to set up remote unattended backups for Linux machines in managed environments. For this to be successful several requirements have to be met:
- IP addresses must be static or DNS names must be used.
- Machines must be configured to use remote logins over an authorized connection. (The process is explained.)
- You must have access to the account on the local machine that you want the backup process to run as (i.e. your user, or root for complete backups).
- Port 22 must be open for SSH connections.

Our Scenario:

A client would like to have an automatic backup configured that will pull data from two research machines and back up the data on a data server. The clients maintain their own local backups in .tar files on the machine that should not be captured. All archived data that they intend to be backed up is renamed to .tar.gz.
The clients do not require historical backups, but only a backup of what is currently on the machine in case of hard drive failure. They would like the backup done weekly.
Machine 1 IP: 192.168.01.55 DNS name: pc1.matthewlye.com
Machine 2 IP: 192.168.01.54 DNS name: pc2.matthewlye.com
Data Server IP: 192.168.1.6 DNS name: ds.matthewlye.com
Setting up an Authorized Connection

Setting up an authorized connection involves creating a pair of SSH keys on the machine you want to connect from and transferring the public key to the machine you want to log in on without using a password. This is key for being able to run automated connections for remote services such as automated backups.

Some key files to be familiar with for this operation:
- id_dsa: Identifies this specific account on the machine you found it. The key is only valid for the specific account and machine it was created on. I.e. it is the private key -- this should NEVER be copied or made readable by anyone except you. It should just exist.
- id_dsa.pub: The public identification of the above account. Append this to the ".ssh/authorized_keys" file of the destination machine you wish to log in to without a password (described later).
- authorized_keys: A list of which accounts (i.e. the accounts' public keys) are allowed to log in to this machine without a password. You may have to create this file. It can contain multiple public keys, to give multiple accounts access to this account.

The first step is to create the key pairing from the Data Server:
ssh-keygen -t dsa

This command will generate two files in a ".ssh" sub-directory of your home. These are the two keys forming a private/public key pair: ".ssh/id_dsa" and ".ssh/id_dsa.pub".

Put the contents of the public key in authorized_keys on the machines you wish to log in to without a password, under the .ssh directory in the home folder of the account you want to log into (i.e. if you want root access it must be in the root home). If no file called authorized_keys exists you can just rename the id_dsa.pub file.
You can test this from your data server now by running ssh @. It should log in without a password prompt if you have done everything correctly.
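
An added example (not from the original article) that takes the key-installation step above further: it installs the data server's public key with authorized_keys options that limit it to a read-only rsync from one host, so a copied backup key does not give an interactive login on the research machines. The rrsync path, the source host and the exported directory are assumptions; current OpenSSH releases reject DSA keys by default, so the function accepts a key line of any supported type.

```shell
#!/bin/sh
# Added example: restricted authorized_keys entry for the backup key.
# Assumption: rsync's rrsync helper is installed at this path.
RRSYNC=${RRSYNC:-/usr/bin/rrsync}

# build_entry <public-key-line> <allowed-source-host> <exported-dir>
# Prints one authorized_keys line: options first, then the unmodified key.
build_entry() {
    printf 'from="%s",command="%s -ro %s",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding %s\n' \
        "$2" "$RRSYNC" "$3" "$1"
}

# install_key <public-key-file> <account-home> <allowed-source-host> <exported-dir>
install_key() {
    pub=$1 home=$2 from=$3 dir=$4
    key=$(cat "$pub") || return 1
    # Accept only a single public-key line; a private key file fails here.
    case $key in
        ssh-*\ *|ecdsa-*\ *|sk-*\ *) ;;
        *) echo "not a public key: $pub" >&2; return 1 ;;
    esac
    [ "$(printf '%s\n' "$key" | wc -l)" -eq 1 ] || return 1
    # sshd ignores authorized_keys when it or ~/.ssh is writable by others.
    umask 077
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 1
    auth=$home/.ssh/authorized_keys
    touch "$auth" && chmod 600 "$auth" || return 1
    # Compare on the base64 blob (field 2) so a re-run adds no duplicate.
    blob=$(printf '%s\n' "$key" | awk '{print $2}')
    if grep -qF -- "$blob" "$auth"; then
        return 0
    fi
    build_entry "$key" "$from" "$dir" >>"$auth"
}
```

Run on each research machine as the account being backed up, for example `install_key id_backup.pub "$HOME" ds.matthewlye.com /home`, where the key file name is hypothetical.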
Using rsync to backup data

The rsync command used correctly allows for quick and easy backups of data in the event of crashes. It does not allow for historical backups (without tweaking), or backups in case of changed files (again without tweaking). It can be used to keep backups of deleted files unless the --delete option is used to keep an exact sync.

Syntax should be:
rsync [option]... [user@]host:Source [Dest]
(A single colon after the host runs the transfer over the remote shell, as used here with ssh; host::Source would instead address an rsync daemon.)

A basic rsync command would resemble something like:
rsync -ave ssh machine1:/home /machine1

The rsync command

This command sequence has been selected as in this theoretical case it was preferred to have the backups initiated from the data server instead of from the local machine (for example as part of a shutdown sequence). The pattern is similar, and to push instead of pull data just the location values are reversed. The clients back up their own data using .tar files and anything they want backed up that is compressed is renamed to .tar.gz. The other exclude options are based on commonly excluded files and they should be customized to your situation.
Backup command selected (USER@HOST is a placeholder for the login and machine name):
rsync -rlptSv -e 'ssh -x' USER@HOST:/home/ /pc1backup/ --exclude .thumbnails --exclude '*.swp' --exclude '*~' --exclude '/lost+found/' --exclude '*.tar'
rsync -rlptSv -e 'ssh -x' USER@HOST:/home/ /pc1backup/ --exclude .thumbnails --exclude '*.swp' --exclude '*~' --exclude '/lost+found/' --exclude '*.tar'

The command explained

I will avoid duplicating what can be easily understood using man rsync.

-rlptSv represents the series of switches that can be found in the man page; it is worth noting that the normal -asv option was not used as group and user permissions were not required, and not preferred.
-e 'ssh -x' means that you are specifying ssh as the connection mode and disabling the ability to use X11 session forwarding.
USER@HOST:/home/ is the login details for the machine followed by the location of the data @:
/pc1backup/ is the location on the local machine that you want the data backed up to.
--exclude .thumbnails --exclude '*.swp' --exclude '*~' --exclude '/lost+found/' --exclude '*.tar' is a list of files that are automatically ignored by the rsync process. It's typically good form to exclude all the .tar files.

It's also a possible option to add -o BatchMode=yes inside the ssh string ('ssh -x -o BatchMode=yes') so that if for some reason the authorization fails it aborts; it will not sit there asking for a password.

To have this run easily we need to create a script, so...
sudo nano /sbin/mybackup
Paste in:
#!/bin/sh
#
# /sbin/mybackup
#
# This script will run via Cron job to back up machines to the local machine.
#
# Version v1.01
#
PATH=/usr/sbin:/usr/bin:/sbin:/bin
# USER@HOST is a placeholder for the login and machine name of each machine.
status=0
rsync -rlptSv -e 'ssh -x' USER@HOST:/home/ /pc1backup/ --exclude .thumbnails --exclude '*.swp' --exclude '*~' --exclude '/lost+found/' --exclude '*.tar' || status=1
rsync -rlptSv -e 'ssh -x' USER@HOST:/home/ /pc1backup/ --exclude .thumbnails --exclude '*.swp' --exclude '*~' --exclude '/lost+found/' --exclude '*.tar' || status=1
# Only report success when both rsync runs exited cleanly.
if [ "$status" -eq 0 ]; then
echo "Nightly Backup Successful: $(date)" > /tmp/mybackup.log
else
echo "Nightly Backup Failed: $(date)" > /tmp/mybackup.log
fi
Save the script (ctrl + o) then close (ctrl + x).
It is sensible to test that your cron jobs work as intended. One method for doing this is to set up the job to run a couple of minutes in the future and then check the results before finalising the timing. You may also find it useful to put the commands into script files that log their success or failure, for example the command above, or via the sendmail command.
Make sure it's executable:
sudo chmod +x /sbin/mybackup

Make the script automatic

Now we need to add a cron job to run the previous script:
sudo crontab -e -u root
(on Ubuntu 8.10 select 3, it really is the easiest)

Cron runs on a simple pattern that looks like this:
min hour day mon dow command #comment

Value ranges that can be used:
min 0-59
hour 0-23
day 1-31
mon 1-12
dow 0-6 (Sunday = 0)

To set our app to run only on Sunday at midnight:
0 0 * * 0 /sbin/mybackup -q

The -q on the end instructs the script to run in quiet mode. If you're editing cron in vi: press i to insert, escape once you enter the text, type :w to save then :q to quit.

As a special extra note, Linux cron not only has crontabs but also special once a day, week, month, year cron script directories in /etc. This allows Linux to run these scripts when they next 'start up' for better system housekeeping, as Linux machines may NOT always be running, unlike their UNIX mainframe parents. If you are setting this up for a machine that is not always on, this would be the best way to do it. Navigate to /etc and list files and directories starting with 'cron' to find the files you're looking for.
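
An added example (not the article's script) that combines the points above for a root cron job: the same rsync switches and excludes with BatchMode=yes, an OK/FAILED log entry per machine, and a log kept out of /tmp, where a predictable file name written by root can be redirected by a symlink another local user created first. LOG_DIR, the RSYNC override and the `user@host=dest` argument form are assumptions of this example.

```shell
#!/bin/sh
# Added example: weekly pull with fail-fast ssh and per-machine results.
RSYNC=${RSYNC:-rsync}
LOG_DIR=${LOG_DIR:-/var/log/mybackup}   # assumed; root-owned, not world-writable

# pull_home <user@host> <destination-dir>
# BatchMode makes ssh exit on a broken key instead of waiting for a password.
pull_home() {
    "$RSYNC" -rlptS -e 'ssh -x -o BatchMode=yes' \
        --exclude .thumbnails --exclude '*.swp' --exclude '*~' \
        --exclude '/lost+found/' --exclude '*.tar' \
        "$1:/home/" "$2"
}

# log_line <text>: append a timestamped line, never through a symlink.
log_line() {
    log=$LOG_DIR/mybackup.log
    if [ -L "$log" ]; then
        echo "refusing to write to symlink $log" >&2
        return 1
    fi
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1" >>"$log"
}

# run_backups <user@host=dest> ...
# Returns 0 only if every pull succeeded, 1 if any failed, 2 on a log error,
# so cron mail or monitoring can act on the exit status.
run_backups() {
    umask 077
    mkdir -p "$LOG_DIR" || return 2
    failed=0
    for pair in "$@"; do
        src=${pair%%=*}
        dest=${pair#*=}
        if pull_home "$src" "$dest"; then
            log_line "OK $src -> $dest" || return 2
        else
            log_line "FAILED $src -> $dest" || return 2
            failed=1
        fi
    done
    return "$failed"
}
```

A cron script would end with a call such as `run_backups USER@HOST=/pc1backup/`, with USER@HOST replaced by the real login and machine name.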
Last Updated on Monday, 30 March 2009 13:07

Written by Matthew Lye
Tuesday, 24 March 2009 09:21
I originally decided to keep out of the debate on internet censorship in Australia. It's been a touchy subject for a little while and there are good reasons to do it, and a much larger list of bad ones. In terms of the technical viability of filtering the internet, I'll let the government's report speak for itself. What I am more concerned about is the lack of oversight on such a dangerous list; at the very least there should be some sort of public court proceeding to limit abuse of the system. Bruce Schneier continually reiterates that any security measure is a trade-off between the amount of security you gain compared with the freedoms you surrender and the power that gives.

Currently, other than the Great Firewall of China, several other countries have filters imposed by their governments. These countries, among others, include Denmark, Finland, and Thailand. These three countries are the focus of my concerns at the moment and I will deal with each in turn.

The Danish filter: Case Study in Secrecy and Lack of Oversight

The Danish filter can be used to censor anything, but is meant to be for child pornography sites found by the Danish police and the Danish "Save the Children" group, so far looking much the same as the proposed Australian filtering scheme. The list is generated without judicial or public oversight and is kept secret by the ISPs using it; again this seems remarkably similar to the currently proposed scheme.

Even though the filter is not in, just referencing the filter, or in some cases even other filters, is enough to have you blacklisted, as recently happened to the popular telecommunication forum Whirlpool. The front page of the site is full of links to news stories regarding the filter and the problems it's creating. Currently the top ISPs are refusing to participate and the Australian Senate is refusing to approve the filter.

Even talking about the filter is an unpopular subject and a link to the filter itself will have the offending linker charged $11,000 a day for exposing the Government's dirty secret. The only way this filter can work is if it is public, not private and subject to public enquiry and peer review. It is also worth noting most sites on the Danish list are still censored (i.e. must be on the current list reported to WikiLeaks), even though many have clearly changed owners or were possibly even wrongly placed on the list, for example the Dutch transport company Vanbokhorst.

The Finnish Filter: Case Study in Silencing Critics

The Finnish filter is meant to cover Internet sites outside of Finland that publish child pornography. The list is generated without judicial or public oversight and is kept secret by the ISPs using it (Do you sense a theme?). Unaccountability is intrinsic to such a secret censorship system and indeed the list has already expanded to cover other sites. Some fuss has currently been raised over the banning of the website of well-known internet activist Matti Nikki, who began posting links to incorrectly categorised sites currently blocked by the filter. Suddenly attempts to access his website from inside Finland would report that his website was hosting child pornography, something blatantly wrong... and downright suspicious. It's worth noting that criminal proceedings have started over his 'aiding the distribution of child pornography' and in news articles, the police have been quoted saying that his site could be considered a "child porn portal". Using the filter to censor... starting to sound like 1984 to anyone?

The Thai Filter: Case Study in Silencing Political Protest

Thailand's Ministry of Communications has also implemented a filter, for the exact same reason as everyone else: the noble goal of stopping child pornography. However, like the others, referencing the list is illegal and the list is a tightly held secret with no oversight.

Like the others, sites are added that shouldn't be, but unlike Finland they are more blatant about the reasoning behind the block: of the 1,203 sites censored this year, all have the internally noted reason of "lese majeste" or criticizing the Royal family.

The one common thread with these filters is that the filter is private, the method to add to the blacklist is uncontrolled, and it does not have judicial or public oversight. The only way this filter can work is if it is public, not private and subject to public enquiry and peer review. It's also worth noting that the Australian filter is on WikiLeaks, but I just don't have the money to link it; however the truth is out there.
Last Updated on Monday, 30 March 2009 12:47

Written by Matthew Lye
Tuesday, 24 March 2009 08:23
Now that CanSecWest has all but wrapped up we're left with some surprises. Firstly a brilliant analyst known only as nils managed to take all three major browsers: Safari on OSX, Firefox on Windows XP, and lastly cracked the new IE8 browser on the second day. The only browser to survive the week was Google's new Chrome browser, a feat credited both to improvements in Windows and its unique sandbox implementation. Effectively to exploit Chrome you need three linked exploitable flaws. Some have been found to break through the browser but the second two layers have proven a formidable challenge. It just goes to prove the defense in depth methodology again.

There were some encouraging comments on the improving security of Windows, with researchers remarking on the randomized processes that made it harder to find where in memory their exploit would run, effectively making it harder to exploit the local OS. Many researchers were especially impressed with nils for his exploits for exactly this reason: it's getting harder to do.

The focus is now switching to Safari and OSX. There are no protections available at this stage to protect users. Many of the security features in Linux and Unix were removed to make the OS more user friendly and permissions were made more lax. The result of this is that the Safari browser is easily exploited, and the OS has no further protections available to prevent malicious code from being executed on the local machine.

I was very surprised when reading the comments on some of the reporting done at ZDNet and ArsTechnica about how the desktop is the most valuable target to exploit and servers are irrelevant. Yes, browsers are the most common exploit point that people will see, and YES... it's true that you do have a wealth of information on your local machine. However 99.9% of the time what the exploits are used for is to create botnets, phishing attempts, or anti-virus/anti-malware scans, not to steal your data.

Exploited servers give much more control over what you do. You accept odd requests or errors from trusted sites and click ok without thinking. Usually exploited servers are how the exploits get on your machines in the first place. Servers are almost always more valuable targets, just harder to hit.
Last Updated on Monday, 30 March 2009 12:53