Why NAT Is Bad: The Blocklists

 Computing, Security  No Responses »
Feb 082017
 

One of the things that come up whenever IPv6 is mentioned on certain news sites, is that there are people out there who think that NAT solves all of the address size problems and doesn’t have any negatives. I could present a whole series of blog articles on why NAT is the work of the devil, and presents a clear and present danger to life, liberty, and the pursuit of happiness (I might be exaggerating just a touch here).

The naive approach to a security issue originating from a certain network address is to block that network address permanently, pending an appropriate response, or temporarily. Not a bad idea although it does resemble a game of hunt the wumpus, and to assist in this, there are community based collective blocklists.

But what happens when you block an address, and that address is the public address of a NAT device? You block everyone sharing that public address, which could be just a household or it could be thousands of unconnected people. For instance, I have up to 32,000 people behind a handful of public IP addresses.

And yes I do regularly see problems where blocks have been put in place, and from what I can see this is a problem that is widely shared amongst people who NAT.

And once you are blocked in this way, you may be able to get it removed if you manage to identify which blocklist you are on, stop the network abuse and it has a well-run mechanism for removal. Most blocklists (including the ones I run) don’t work this way.

Every IP address has a reputation associated with it, and if you share a public IP address that has a poor reputation, parts of the Internet will disappear for you, and these include some well known services.

Got Entropy?

 Linux, Security  No Responses »
Jan 192017
 

Entropy.

Any serious cryptographic routines needs a good source of random numbers, and whilst Linux provides a random number generator by default it’s sources of entropy can be somewhat limited. Especially when you’re talking about a virtual machine.

Indeed if you try to pull too much randomness out of the Linux entropy pool (especially when it is especially limited), what you get might not be quite as random as you expect.

Which is where hardware randomness generators come in. And I finally have one (actually two), and have hooked them up. You may be able to guess what time I plugged it in from the graph below :-

So what real world difference does it make?

Well nothing is dramatically obvious, but :-

  1. I have slightly more confidence that any cryptographic software I might run has a good source of randomness and is less likely to accidentally perform poorly (in terms of cryptographic strength).
  2. Some cryptographic software blocks if the Linux entropy pool is empty; with a hardware source I can be more confident that any performance issues are not due to a lack of randomness.

In Praise of Pedantry and Precision

 Computing  No Responses »
Dec 282016
 

“You’re such a pedant” goes the insult as though being right about something is somehow wrong.

Now don’t get me wrong – there are some areas where being a pedant is not entirely right – such as declaring that Christmas Day isn’t a bank holiday but instead a common-law holiday. But there are many areas where being pedantic and precise is not just the right thing, it is essential.

I work in IT, and many of the biggest problems in IT are down to lack of precision and not getting things right. I can’t recall the number of times things have gone wrong or have been delayed (probably the most common result) because things have not been specified clearly enough, with enough detail, and correctly.

So in certain specialised areas – such as IT – it is good to be pedantic and precise. Include too much information rather than too little.

 

Announcing … The iPC

 Computing  No Responses »
Dec 172016
 

In the dim and distant past when dinosaurs roamed the data centre (although it was called the machine room, or for trendy types who liked to keep up to date, the computer room), sometimes called the 1970s, a new type of computer gradually started to appear. This computer was intended to be used by one individual at a time, and more it was intended to be part of the furniture of an office (in the sense it belonged). It became known as the personal computer.

To quote Steve Wozniak: “To me, a personal computer should be small, reliable, convenient to use and inexpensive“. Of course “inexpensive” is relative and we wouldn’t think the personal computer of the 1970s was inexpensive. When you trawl through old copies of BYTE, please remember that when you get shocked at the prices that you have to add in inflation!

The field of personal computers grew so quickly that most of the dinosaur behemoths grew interested and joined in. One – the IBM PC – grew so popular that IBM grew to regret throwing it together so quickly, and it eventually came to dominate the market. Except for a small bunch of weirdos who insisted that the Apple Mac was the bees knees, and that the PC would soon die.

The argument between the two groups of fanatics grew so heated that “PC” become synonymous with the IBM PC – even well after IBM stopped dominating the market, and Macs were excluded from the “PC” label. Even after they become PC in all but name – today an Apple machine is no different to a normal PC from someone like Dell, HP, etc. except from the operating system.

Yet because of that ridiculous “cold war” between the Microsofties and the Applites, every time I issue a communique I have to use the phrase “PCs and Macs” because some cold war era warrior will claim “… but you didn’t say anything about Macs” or “… but not Macs?”.

So in the interests of clarity, although when I say PCs I mean both, I shall start using the phrase inclusive personal computers. Or iPCs.

And no, I don’t mean the Sun IPC.

 

The Basics Of Vi

 Computing, Linux, Tutorials  No Responses »
Dec 112016
 

Vi (or vim) is one of those editors that at first appearance appears to be insanely user-hostile, and some will say it looks the same way on a second, and third glance. Yet it remains one of the most popular editors under Linux, and even if you choose another editor as your mainstay, you are likely to encounter it in use a fair bit.

(Apologies for the little line at the top of that screenshot; lazy editing)

The strange thing about vi is that nobody uses the real thing any more (well almost nobody), but instead clones of one kind or another. That is mostly because vi originated in the commercial world of Unix, and clones were written to be open-source. It is perhaps worth remembering that vi has remained the mainstay of editing under Unix-based operating systems for three decades despite there being many alternatives.

It may look plain, but vi has almost every editor feature you can think of and almost certainly a few you never thought of.

The Modes

Almost every every other editor currently in use is a modeless editor, or at least mostly modeless. Vi is different in that it has three different modes that operate differently – insert mode, command mode, and ex-mode (essentially for extended commands). Of the three modes, the insert mode is the most like other editors, although are relatively few commands to use. As you can see in the screenshot above, the words “- INSERT -” appears at the bottom of the screen whenever you are insert mode (and the same for replace mode which is effectively the same).

Most commands are performed in the command mode, which can be thought of as the default mode – there is nothing saying that you are in command mode. If in doubt, you can press Esc to get from insert mode into command mode. There are some who will argue that in fact vi is modeless and that the “insert mode” is in fact a parameter to the insert command. This has a certain ring of validity to it – if you enter 32iHelloEsc in command mode, you will end up with 32 copies of the word “Hello” inserted.

But conventionally vi is written of as a mode-based editor, so it is best to think of it as such until you have learned enough to throw off conventional wisdom and go your own way.

The last mode is ex-mode, which at a basic level is covered only in enough detail to tell you how to get out of it! It is entered from command mode with the “:” command, at which point the cursor moves to the end of the screen leaving you free to type in lengthier commands. To exit simply hit the backspace key until the cursor returns to its normal location.

The Insert Mode

(and the replace mode)

The insert mode is started with a variety of commands, but the simplest is i(nsert).

Once in insert mode, you can start typing normal text without worrying about what commands it will run. There are a fair few things you can do with the control keys, but we’ll skip over those for the “basics”. To correct a few historical limitations :-

  1. You can move the cursor around with the arrow keys. It might seem a bit strange to say so, but the original vi didn’t allow you to move in insert mode partially because it pre-dates arrow keys (yes, really!) and had to use commands to move the cursor around the screen.
  2. You can move anywhere within the file and make changes anywhere; not just where the original change was intended. This may seem like an unnecessary feature to explain, but when you are changing a single word, it can seem wrong to also go somewhere else in the file and make changes elsewhere.

Without going into the more esoteric features, there is not a great deal more to say about the insert mode except it is exited with the Esc key.

The Command Mode

The movement commands :-

Arrow Keys Moves the cursor
h & l Moves the cursor left and right.
j & k Moves the cursor down and up.

The use of the h,j,k, and l keys to move the cursor around the screen seems rather bizarre except when you realise that some early terminals connected to Unix systems lacked cursor keys. They remain for compatibility reasons and because some people feel that they can be quicker to use as they require less hand movement than the cursor keys, or like me that those keys are burnt into muscle memory and so they are used almost without thought.

b(ack) Move backwards one word.
e(nd) Move forward to the end of the word.
f(orward){char} Move forwards on the same line to the next occurrence of {char}.
n(ext) Move to the next occurrence of the last search.
 / Search for something.

The most basic command for deleting text is “x” which deletes the character under the cursor, but a hint of what can be done with vi comes with the d(elete) command. The d(elete) command takes a movement as a parameter, and deletes from the current cursor position until where there movement takes you :-

dd Deletes line.
d$ Deletes to the end of the line.
d0 Deletes until the beginning of the line.
dw Delete until the end of the word.
diw Delete “in” word – deletes the current word.
df{char} Deletes until the next occurrence of {char}

But we now move finally to adding text :-

i(nsert) Insert at the current cursor.
o(pen) Open a new line below the current line.
O(pen) Open a new line above the current line.
a(ppend) Append text after the cursor.
A(ppend) Append new text at the end of the line.

Lastly, we can save and exit vi with “ZZ”.

Ex-Mode

This is going to be even more truncated than the last section (I know the last section doesn’t seem truncated, but trust me – it is!). There is a great deal more to this mode than just the three commands below :-

:write (or :w)

Writes the file being edited. Two options I am going to mention here.

Firstly you can add a filename to the command to write to an alternate file (:write new-filename) – very handy if you find you’re making changes to a file that you do not have permission to overwrite.

If you need to override a warning vi has about overwriting the current file, you can do so by appending an exclamation (!). Just don’t do it automatically (I’ve a sorry song to sing about doing that!).

:quit

And to quit vi, simply use the :quit command. If there are unsaved changes in the file you are editing, it will stop you, in which case if you really want to lose your changes add an exclamation (!).

 Older Entries  Newer Entries