The wonder of UNIX is that you can delete running binaries and loaded shared libraries. The drawback is that you get no warning that you're still actually running old versions. E.g. old heartbleed-vulnerable OpenSSL.
Server binaries are often not forgotten by upgrade scripts, but client binaries almost certainly are. Did you restart your irssi? PostgreSQL client? OpenVPN client?
Find processes running with deleted OpenSSL libraries:
Read the rest of this entry »$ sudo lsof | grep DEL.*libssl apache 17179 root DEL REG 8,1 24756 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
In my last blog post I described how to set up SSH with TPM-protected keys. This time I'll try to explain how it works.Read the rest of this entry »
Not long after getting my TPM chip to protect SSH keys in a recent blog post, it started to become obvious that OpenCryptoKi was not the best solution. It's large, complicated, and, frankly, insecure. I dug in to see if I could fix it, but there was too much I wanted to fix, and too many features I didn't need.
So I wrote my own. It's smaller, simpler, and more secure. This post is about this new solution.Read the rest of this entry »
A Hardware Security Module (HSM) is any hardware that you can use for crypto operations without revealing the crypto keys. Specifically I'm referring to the Yubikey NEO and TPM chips, but it should apply to other kinds of special hardware that does crypto operations. I'll refer to this hardware as the "device" as the general term, below.Read the rest of this entry »
STOP! There is a better way. this post explains a simpler and more secure way.
Update 2: I have something I think will be better up my sleeve for using the TPM chip with SSH. Stay tuned. In the mean time, the below works.
Finally, I found out how to use a TPM chip to protect SSH keys. Thanks to Perry Lorier. I'm just going to note down those same steps, but with my notes.
I've written about hardware protecting crypto keys and increasing SSH security before:
Update: you need to delete
because otherwise your keys will be migratable. I'm looking into how to either never generating
these files, or making them unusable by having the TPM chip reject them. Update to come.
Recently some time ago (this blog post has also been lying in draft for a while)
someone came to me with a problem they had with a Cisco 7600.
It felt sluggish and "show proc cpu" showed that the weak CPU was very loaded.
This is how I fixed it.Read the rest of this entry »
I had this blog post lying around as a draft for a long time. I didn't think it was was "meaty" enough yet, but since I'm no longer a network consultant I don't think it'll become any meatier. So here it goes.
Here I will describe the process of L3-to-L2 mapping, or next-hop resolution and how it works with point-to-point circuits like PPP, ATM and Frame relay. It's the process of finding out what to actually do with a packet once the relevant routing table entry has been identified.
It's deceptively simpler than on a LAN segment, but since people generally learn Ethernet before they learn point-to-point nowadays I'm writing it anyway.Read the rest of this entry »
Go has exceptions and return values for error
Yes it does. Yes, it really really does.Read the rest of this entry »
I'm a big fan of hardware tokens for access. The three basic technologies where you have public key crypto are SSH, GPG and SSL. Here I will show how to use a Yubikey NEO to protect GPG and SSH keys so that they cannot be stolen or copied. (well, they can be physically stolen, of course).Read the rest of this entry »
Last time I was at a hacker conference I for obvious reasons didn't want to connect to the local network. It's not just a matter of setting up some simple firewall rules, since the people around you are people who have and are inventing new and unusual attacks. Examples of this would be rogue IPv6 RA and NDs, and people who have actually generated their own signed root CAs. There's also the risk (or certainty) of having all your unencrypted traffic sniffed and altered.
For next time I've prepared a SheevaPlug computer I had laying around. I updated it to a modern Debian installation, added a USB network card, and set it up to provide always-on VPN. This could also be done using a raspberry pi, but I don't have one.Read the rest of this entry »