Nov 26 2016

(actually we don’t usually sit in the data centre; it’s too noisy and usually the wrong temperature for people)

There is a perception amongst people that security “gurus” who work in network security are spying on all your network traffic. Not the hackers (which is a whole other matter), but the people who run enterprise firewalls. We do, but we’re not interested in what you are doing but instead what is being done to you (and the enterprise as a whole).

Frankly nothing strikes me as more boring than spying on someone’s porn browsing – if I really need to, I’ll hunt down my own porn thank you very much! And we’re busy; you could probably double the size of every network security team in every organisation on the planet and still nobody would be sitting around twiddling their thumbs.

On the subject of porn (as an extreme example), it is not a security issue. There is an argument that browsing porn sites is putting yourself at greater risk of picking up some kind of nasty infection, but avoiding porn sites to avoid getting infected with malware is a tactic that results in your computer being infected. So the intended content isn’t a problem as far as security is concerned, but we’re interested in unintended content.

Now there are places that enforce browsing censorship – blocking anything that isn’t work-related. That role is usually dumped on the network security people because they have the tools to do the job.

Does porn browsing in the office matter? Of course it does – some people are upset by the sight of such things, and almost as important, when someone is browsing porn they are not working. But such matters are best dealt with in the office by the line manager – if someone isn’t doing their work it doesn’t matter if they are browsing porn, hitting Facebook, or snoozing under the desk. All should be dealt with appropriately by the line manager.

And centralised censorship is a rather clumsy tool – blocking Facebook is all very well if it is to prevent personal usage of the Internet, but what about the Marketing department using Facebook for publicity? Or the Customer Service department keeping an eye on Facebook for product problems that they need to look into? These can be allowed through on a case-by-case basis, but it highlights that censorship is a clumsy tool.

The word from a nameless vendor who is in this space is that in many cases this censorship has less to do with preventing people from doing “naughty” things, and more to do with controlling bandwidth usage. And as bandwidth becomes cheaper, there is less interest in censoring Internet activities – certainly from a personal perspective I notice a decrease in the number of people who complain they cannot visit certain sites because of work’s “firewall”.

There is also the subject of TLS inspection where firewalls intercept and inspect TLS or SSL encrypted traffic between you and “out there”. Again there is a suspicion that we are for whatever reason spying on your activities. The answer to this is the same as previously – why should we bother? It is too much like hard work, and frankly most of the information that passes through a firewall is unbelievably boring.

No, TLS interception is used to do the boring task of inspecting traffic for malware, spyware, and other security threats. And with the increasing use of TLS to encrypt traffic it is becoming more and more important to do TLS interception for security reasons.

Yes there are those who would use that sort of technology to spy on your activities, but those organisations are typically nation states … and repressive ones at that. But it is extreme foolishness to blame a useful tool for the abuses that an abusive government perpetrates.  Your average enterprise just isn’t that interested in what you’re up to.

And if you still don’t believe this, there is a simple answer: Do anything private on your own private network.


Oct 30 2016

Meh.

With the sole exception of the touchscreen key strip that replaces the function keys, there’s pretty much nothing that interesting about the new Macbook Pro machines from Apple. That is not to say they are not nice machines, but they are a bit under-specified for a “pro” laptop tag, although I suspect that quite a few people complaining about the lack of a dedicated GPU in the 13″ model fail to realise that most serious professionals do most of their heavy number crunching in the cloud and not on a light-weight laptop.


And frankly any laptop is light-weight compared to a rack-based server with a case full of Teslas.

A laptop is essentially a creative tool for accessing “the cloud” for anything that requires a real computer, and a 13″ Macbook Pro is fine for that (although the trendy tax is a touch high).

Now onto the function key replacement: As a devotee of the keyboard, I’m somewhat reluctant to cheer the replacement of real keys with a touch screen, but it could be quite a neat feature. In the old days when we used function keys much more widely than we do now, on-screen labels for what the function keys did were not uncommon … look at the bottom of the following screenshot :-

[Screenshot: Norton Textra Writer]

And the ill-fated Apricot Computers had a competitor to the IBM PC which came with a keyboard that had six “soft keys” with LCD panels.

So Apple has not done anything new here, but when did they? Their core skill is taking technical innovations and making them user-friendly; I don’t have a problem with that.

This keyboard could be useful in many ways – in addition to resurrecting the old “function key labels” in a more usable way, there is also the possibility of using them to insert symbols that we should be using, but rarely do so because they are not to be found on our normal keyboards. Depending on your profession (or inclination), we have different symbols we could or should be using – perhaps the copyright symbol ©, the interrobang ‽, or more. Of course how useful it becomes will be down to the relevant software developers.

Oct 27 2016

I have recently been ‘entertaining’ myself with watching some videos on the vim editor which to the uninitiated is an extremely powerful if somewhat ‘unusual’ editor that is popular amongst Linux power users. One of the surprising things that came up was that apparently there are experienced vim users who are not aware of why the ex mode exists.

Or probably why the ex command exists.

In the dim and distant past (and in fact even longer than I’ve used Unix!), one of the possible ways of interacting with computers was with a printing terminal :-

On such a terminal, using a visual editor like vim (or its predecessor vi) would have been painful. Redrawing the screen would take a couple of minutes or more; imagine moving the cursor across from the beginning of the line to the end!

So it was common to use an alternative kind of editor – the line editor. The process of creating a file is somewhat clumsy :-

$ ex ~/Foo
"~/Foo" 1L, 4C
Entering Ex mode.  Type "visual" to go to Normal mode.
:p
Foo
:a
Bar
.
:p
Bar
:1
Foo
:write
:quit

Now for a quick explanation (although this is no tutorial on line editors!): The ex ~/Foo is the command given to start editing a pre-existing file called Foo in the ex editor. After the editor starts up, I enter the “p” command to print the current line. I then use the “a” command to append text after the first line, and enter a “.” on its own to finish adding lines. Again I use “p” to print the current line, and then “1” to print the first line.

Which is more than you’ll ever want to know about how to use ex, so why does it still exist?

The first reason is simply because it’s possible. It’s almost certainly fairly easy to support the ex mode with vim; after all the ex-mode is effectively the commands you get when you enter “:” within vim.

The next reason is that line editors were sometimes used within shell scripts to batch edit files, and somewhere out there is a shell script from hell that relies on ex to keep running.

Oct 22 2016

Yesterday lots of people found the Internet disappearing on them due to a significant DDoS attack against the DNS infrastructure of one company. Now there are all sorts of suggested fixes for this sort of problem, some of which are useful.

However it is notable that people have not mentioned one method built into DNS which could have been used more effectively. Indeed one suggestion was for the DNS to do something it already does – caching.

When you ask your ISP’s DNS servers to resolve a name such as example.org, the answer that your ISP’s DNS server gets back contains several bits of information in addition to the answer you are interested in (the IP address to connect to). One of which is how long to cache the value for, which means that your ISP’s DNS servers can save themselves some work for as long as they are allowed to cache the answer for.

Now it is awfully convenient to set this value to something like 5 minutes because if you have a need to change the value, it is nice to have the value change as quickly as possible.

But it also increases your vulnerability to weaknesses in the DNS infrastructure.

If you increase the time-to-live (TTL) value to something more like 24 hours, then your DNS servers (or more usually the DNS servers of your DNS service provider) are required less frequently which means that if something takes them offline for any reason then there would be a decreased impact. It will still stop some people from getting the DNS answers they need, but the proportion unable to get an answer will drop dramatically.
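To put rough numbers on this, the following Python simulation is an added example (not part of the original post) comparing how many caching resolvers lose a record during an outage of the authoritative servers for different TTLs. The 2-hour outage, the evenly staggered cache ages and the constant demand for the record are assumptions made for illustration.

```python
# Added illustration (not from the original post): impact of an authoritative
# DNS outage on caching resolvers for a short vs. a long record TTL.
# Assumptions: the record is in constant demand, every resolver honours the
# TTL, cache refresh times are evenly staggered, and the outage lasts 2 hours.

def outage_impact(ttl, outage, resolvers=1000, step=60):
    """Return (share of resolvers with no answer at the end of the outage,
    share of resolver-time spent without an answer during the outage).

    ttl and outage are in seconds; step is the sampling interval.
    """
    # Lifetime left on each resolver's cached answer when the outage begins:
    # staggered evenly across the TTL window.
    remaining = [ttl * (i + 0.5) / resolvers for i in range(resolvers)]

    dark = 0
    samples = 0
    for t in range(0, outage, step):
        # A resolver is "dark" once its cached answer has expired, because
        # the authoritative servers cannot be reached to refresh it.
        dark += sum(1 for r in remaining if r <= t)
        samples += resolvers

    dark_at_end = sum(1 for r in remaining if r <= outage) / resolvers
    return dark_at_end, dark / samples


def compare(ttls=(300, 3600, 86400), outage=2 * 3600):
    """Run the same constructed outage against several TTL values."""
    return {ttl: outage_impact(ttl, outage) for ttl in ttls}


if __name__ == "__main__":
    for ttl, (at_end, over_time) in compare().items():
        print(f"TTL {ttl:>6}s: {at_end:6.1%} of resolvers dark at the end, "
              f"{over_time:6.1%} of resolver-time without an answer")
```

Under these assumptions a 5-minute TTL leaves every resolver without an answer within the first five minutes of the outage, while a 24-hour TTL leaves roughly 8% without one after two hours.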


Oct 19 2016

This is a bit of a thought experiment, so it may be not entirely correct (especially the maths – my probability theory is very rusty).

One of the lesser reasons for using the DNS rather than IPv4 addresses is that typing mistakes are more easily caught – if you intend to type 192.168.67.52, but accidentally enter 192.168.67.53 instead, you still have a valid IPv4 address. Whereas entering the domain name wombar.example.com instead of wombat.example.com will most likely get you an error instead of sending your secrets off to an unknown location on your network – unless you have a rather silly server naming convention of course!

But how likely are you to make a mistake typing in an IPv4 address? According to a random web site “out there”, the average accuracy of a typist is 92%, or an average of 8 typos per 100 characters. If we convert this into a probability, we get a probability of typing each character correctly as 0.92.

Given that typing IPv4 addresses is something that some of us have a lot of practice at, and in many cases we will notice typos before they become a problem, I’m going to arbitrarily declare that the probability of getting any character within an IPv4 address correct is 0.999. But to type in an IPv4 address correctly we have to get a maximum of 15 characters correct :-

 1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
 1  9  2  .  1  6  8  .  1  2  8  .  1  2  8

So the probability of getting all those characters right is 0.999 (first character) x 0.999 (second character) … Or 0.999^15.

And once you work that out, subtract it from 1 (to get the probability of making a mistake) and convert it into a percentage, there is an 11% chance of making a typo in an IPv4 address.

For an IPv6 address such as 2001:db8:ca2c:dead:44f0:c3e9:28be:c903, which has 38 characters (no I’m not doing that silly table for IPv6) – 100 * (1 – 0.999 ^ 38) – 32%.

Now whilst my calculations may be a bit off, the likelihood of entering an IPv6 address incorrectly is nearly three times higher than the risk of entering an IPv4 address incorrectly.

In other words, with IPv6 you really need a good working DNS solution just to keep the errors to manageable levels.
