Posts tagged ‘security’

4
May

Negative sides of biometric identification

I wrote this as a comment to a poll for a paper on using fingerprints for identification.

One of the main reasons for being negative to fingerprinting or other types of biometric identification is the bond to the physical person. One could argue that biometry is the best form of identity given the uniqueness of the population, but what happens with robberies if one would use a fingerprint instead of a PIN for accessing your account at an ATM? Instead of giving the thieves your PIN, they could simply cut off your hand.

Another downside of using fingerprinting or any biometric identification technique is the permanency factor. While a fingerprint by itself could be seen as reasonably secure, what happens if someone steals the digital representation of the fingerprint on the server side or through a man-in-the-middle attack? It would be impossible to revoke a fingerprint without affecting the real person who owns it.

If you however are using loose identification methods, the problem would not exist in the same way. If you for instance would implant an RFID chip in your hand, you can always change the chip or just the stored key within the chip if it were to be compromised for any reason.

The upside of fingerprinting and biometrics in general is the price factor. Just one fingerprint reader could replace a heap of smart cards for something as simple as storage boxes at airports.

It will be interesting to see the results and the conclusions from the study, once it is completed.

27
Apr

Massive Number of Godaddy WordPress Blogs Hacked This Weekend

Massive Number of Godaddy WordPress Blogs Hacked This Weekend. “The best part is that the exploit only executes when the traffic is referred by Google, making it the sort of thing that site maintainers won’t easily notice. Clever and devious.”

14
Nov

WP Require Auth plugin released

WP Require Auth is a plugin for WordPress which makes it mandatory to be logged in before viewing any page. It is just a matter of downloading and unpacking the plugin as usual and activating it in the Plugins page in WordPress. There is currently nothing to configure.

Head on over to the WP Require Auth website to download or file a bug/feature request.

This effectively replaces my little hack for doing this earlier on.

16
Aug

OpenID and why it matters

Logging into websites has always been a pain if you want to stay somewhat secure. One could either use the same username and password everywhere or choose from a few remembered passwords. The next best thing is to use some kind of password manager, such as the one built into most modern web browsers or perhaps 1Password.

Another way of looking at online identities is the concept of one central hub – you. Think of it as your “home”, a place for your identity. This identity could then be used to authenticate you on any supported site, without requiring a password or even a username, provided that all required information has been entered into the central hub profile beforehand, such as your full name and username.

This is exactly how OpenID works! It acts as a central hub for your online identity and lets you log in to all OpenID-enabled websites without having to come up with a new password each time (or worse, use the same password). What makes OpenID work is simplicity; it is not that hard to grasp or explain the concept of an online identity hub and using a URL to identify yourself with.

A huge benefit of OpenID is that it is completely decentralized. This basically means that anyone can set up their own OpenID provider, and there are already lots of open libraries available to make this as painless as possible. This means that if you don’t trust anyone to hold your personal identity, just get a domain name and set one up for yourself, and use any type of authentication you want to identify yourself to your own hub. You can even use X509 certificates or OTP for this purpose if you want.

As for security, make sure to use HTTPS for the provider to protect against man-in-the-middle and replay attacks. The other important security issue is phishing, where users would enter their credentials on a third-party server instead of their own. Using client certificates or making it mandatory to already be logged in before executing a request would however make this a non-issue. Other than that, the ordinary web problems remain, such as bugs in the OpenID libraries and other attack vectors.

If one would be able to gain access to your OpenID provider, he would have access to all authenticated sites. To put this in context however, look at your email account. If one were to gain access to your email, he would undoubtedly have means to access most of your sites anyway because of the password recovery feature.

Chances are that you already have an OpenID identity without even knowing! Lots of big websites provide this service, and it is even possible to roll your own as mentioned above, or even install a plugin for your very own WordPress blog to enable this feature. If you have your own fancy domain but no means to set up an OpenID provider, fear not, there is support for delegation, meaning that you can delegate the authentication to another provider, while still providing your own domain for authentication to the target website.
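
The delegation and HTTPS advice above can be checked mechanically. The following is an added example, not code from the original post: it reads the link elements that OpenID HTML-based discovery uses from a page's head and flags any endpoint that is not served over HTTPS. The sample page and the openid.example.net and other.example hosts are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# rel tokens defined for HTML-based discovery in OpenID 1.1 and 2.0
ENDPOINT_RELS = {"openid.server", "openid2.provider"}
DELEGATE_RELS = {"openid.delegate", "openid2.local_id"}


class LinkCollector(HTMLParser):
    """Collect (rel token, href) pairs from <link> elements inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            attr = dict(attrs)
            href = (attr.get("href") or "").strip()
            # rel is a space-separated list, so one element can carry several tokens
            for rel in (attr.get("rel") or "").lower().split():
                self.links.append((rel, href))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def discover(html):
    """Return provider endpoints, delegated identifiers and transport warnings."""
    parser = LinkCollector()
    parser.feed(html)
    pick = lambda rels: list(dict.fromkeys(h for r, h in parser.links if r in rels))
    endpoints, delegates = pick(ENDPOINT_RELS), pick(DELEGATE_RELS)
    warnings = [url + " is not served over HTTPS"
                for url in endpoints + delegates
                if urlparse(url).scheme != "https"]
    return {"endpoints": endpoints, "delegates": delegates, "warnings": warnings}


# Constructed sample: the front page of a personal domain that delegates to a
# hypothetical provider. The <link> in <body> must be ignored by discovery.
SAMPLE = """<html><head><title>My blog</title>
<link rel="openid2.provider openid.server" href="https://openid.example.net/server">
<link rel="openid2.local_id openid.delegate" href="http://openid.example.net/user/alice">
</head><body>
<link rel="openid.server" href="http://other.example/not-in-head">
</body></html>"""

if __name__ == "__main__":
    print(discover(SAMPLE))
```

On the sample page the provider endpoint passes, while the delegated identifier is reported because it uses plain HTTP.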

28
Jun

Address Book on Mac shows the wrong certificate

I recently wanted to email a recipient, for which I had the certificate. The problem was however, that he has an old certificate which has expired, and a new valid one. For some reason though, Address Book associates the old certificate with the email address instead of the new one.

Inspect Certificate in Address Book

I still haven’t found a way to associate the new certificate with the user.

22
Jun

Automate system administration tasks using Nagios

As a system administrator, one often has to do repetitive tasks such as checking for free disk space, checking mail queues and monitoring critical services. With only a handful of servers this may not be very intimidating, but often there are many servers to monitor, or the checks should simply be automated. This is where Nagios comes in.

Nagios is a host and service monitor designed to inform you of network problems before your clients, end-users or managers do.

This is exactly what we need to make an automated system for monitoring! I will not go into details on how to set this up, since there is an excellent quick start guide available on the website. Instead I will focus on how Nagios has eased the burden of managing a large number of servers.

I have ready-made templates for servers, and when a new server is added, I just create a copy of the template and add or remove the services needed to monitor the server.

Public services are easy to monitor directly from Nagios, but private data such as disk space and CPU load demand a local service running on each of the servers. This is where NRPE comes into play. NRPE is a daemon which listens on the network and will respond to Nagios queries, using standard Nagios plugins. In Debian and Ubuntu, just install the nagios-nrpe-server package, and in Windows NSClient is very usable and easy to configure.

The last thing is alerts management. Whoever manages, or is in charge of, a server should receive the Nagios alerts for that server. It will dramatically lighten the administration burden if it is possible to delegate as much of the server/service responsibility as possible to other people. For extremely critical services, there should be an SMS gateway, which sends a message to the administrator or someone in charge of the server. This ensures that attention is immediately brought to the problem.

6
May

Create a fixed size network storage for Time Machine

Time Machine is a backup program built into Mac OS 10.5, Leopard. It saves all files on the computer on a USB or network drive, which can be used for restoration of individual files or the whole computer.

The normal behavior of Time Machine is to keep

  • hourly backups for the past 24 hours
  • daily backups for the past month
  • weekly backups until your backup disk is full

It is the last point that might cause trouble for some people, since many people share the drive with other types of data. There has to be some way to limit the size of the backup volume. This is my approach.

Preparing an image

The first step is to create an image to hold the backup filesystem. If you want this filesystem encrypted, have a look at Mounting encrypted volumes, otherwise just follow the steps below. The image will be created as /ext/timemachine.bin and it will be mounted in /ext/timemachine.mnt.

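# Create the image file; the region skipped by seek stays sparse until written
dd if=/dev/zero of=/ext/timemachine.bin bs=1G seek=250 count=1
# Attach the image to a loop device and create an ext3 filesystem on it
losetup /dev/loop1 /ext/timemachine.bin
mkfs.ext3 /dev/loop1
# Disable the mount-count and time-based filesystem checks
tune2fs -c0 -i0 /dev/loop1
# Detach the loop device again and create the mount point
losetup -d /dev/loop1
mkdir /ext/timemachine.mnt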

The first thing is to create an image file: the dd command creates an empty 250GB file, which will contain the backups. The next step is to set up the image as a loop device, which makes it possible to create a filesystem on it and mount it as usual. loop1 is used here, but if you know that it is occupied, feel free to choose another device.

The next step is to edit /etc/fstab and add a line which will automatically mount the filesystem when the computer boots.

/ext/timemachine.bin /ext/timemachine.mnt ext3 loop=/dev/loop1 0 0

Then we will mount all filesystems and verify that it has indeed been mounted.

mount -a
df -h
/ext/timemachine.bin  248G  188M  235G   1% /ext/timemachine.mnt

There should be a line like the above if everything is working correctly. The last step is to set the correct permissions for the directory for your user.

chown -R joch /ext/timemachine.mnt/

Setting up the Samba share

To connect to the server, it is necessary to set up the Samba server. Create a share like the following in /etc/samba/smb.conf.

[tmbup]
comment = Time machine backups
path = /ext/timemachine.mnt
browseable = yes
read only = No
inherit permissions = no
guest ok = no
printable = no

Now just reload Samba and add a user if you have not done so before.

invoke-rc.d samba reload
smbpasswd -a joch

Setting up Time Machine

Connect to the share in Finder as usual.

Finder window

Open up the Time Machine preferences and click Change Disk. It should give you a dialog like this, and Time Machine should then be enabled.

Time Machine setup

Time Machine enabled

If you get the error “Time Machine Error: The backup disk image could not be created.”, you will need to do some magic on the server.

Time Machine error

You need to start the backup once again, but this time you will have to be quick and copy the directory it creates on the server. Once Time Machine has finished, the original directory will be deleted, so just copy the saved directory back to the same place.

cd /ext/timemachine.mnt
cp -rp Johnnys\ MacBook\ Pro_001ec2123456.sparsebundle/ ..
# Wait until Time Machine has finished, then copy the saved directory back
cd ..
cp -rp Johnnys\ MacBook\ Pro_001ec2123456.sparsebundle/ timemachine.mnt/

Now run the backup again, and it should complete successfully!

Time Machine run

This behaviour is very strange, but the above trick always solves the problem.

22
Aug

Basic forensics of a compromised Linux host

A friend of mine noted an interesting article discussing someone’s Linux system, which was behaving strangely. It turned out that it had been hacked, and the article shows the basic forensics investigation to see what really happened.

Have a look at Holliday cracking. Thanks Göran.

3
Mar

Public service announcement: WordPress 2.1.1 is hacked

Well, it seems like a cracker has injected some code in a recent WordPress release, so upgrade immediately!

Long story short: If you downloaded WordPress 2.1.1 within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately.

For more information, have a look at the WordPress blog.

24
Jan

How to send secure email using PGP

One of the biggest deficiencies in a virtual world is that authenticating a person is very hard. In the real world we can rely on our eyes, photo ID and other things. None of these work directly in the digital world.

So, how can we authenticate users? Using PGP to fill this gap is very common, and this is what I will discuss today. PGP has a stormy history, but I will not go into that here, but instead refer you to the PGP Timeline.

What is needed to send secure email, files or other types of messages to people over the internet? We will use the GnuPG package, which should be easily installed on just about any system, including Windows. On Ubuntu or another Debian-based system, just run apt-get install gnupg and you will be all set.

You should also install seahorse, which is an application for GNOME which enables you to easily manage your keys. The application should then be available under Applications -> Accessories -> Encryption keys once you have it installed.

The first task is to create your very own key-pair to enable you to sign your messages and to let others send encrypted messages to you. By choosing Key -> Create new key and then selecting PGP Key, you will be presented with a form where you enter your details. You will then be presented with a password entry for your key, and it is crucial that you select a very long password. It should preferably be longer than 20 characters.

You should create a key which is at least 3072 bits long. This will provide protection for a long time in the future. While you are at it, you might as well use 4096 bits. Note that it will take a while for the key to be generated, so please be patient.

Now that you have your own key-pair, you should first of all export the key by selecting the key and clicking properties. The key must be kept in a very safe place, such as a safe or in a bank.

You may now select Sync and publish keys in the Remote menu to upload your key to a public key-server, such as pgp.mit.edu. This will enable others to easily get your public key automatically.

If you open ~/.gnupg/gpg.conf in your favorite text editor and enter the following two lines at the end, GnuPG will try to automatically fetch public keys when they are missing:

keyserver hkp://wwwkeys.pgp.net
keyserver-options auto-key-retrieve

To actually use GnuPG now, you will have to configure your email client for this. Evolution has built-in support for PGP, and support for Mozilla Thunderbird can be added by installing the Enigmail extension. Ubuntu users may install the mozilla-thunderbird-enigmail package.

Note that it is advisable to check Always encrypt to myself. Without this setting, you will not be able to read encrypted messages you send to other people!

You are now ready to send and receive encrypted and signed mail!

But, you say, how does this key identify me as a person? Well, it doesn’t – yet. To do this, you must sign other people’s keys, and have other people sign your key, meaning that they vouch for your identity.

This is normally done face-to-face or at bigger key-signing events. The general principle is that you will bring the fingerprint of your key, and others must then verify that the key is correct. You must also show a valid photo ID, and here is the key – by showing your photo ID, you have tied your PGP key to you as a person. You can get more information on key-signing events by visiting The Keysigning Party HOWTO.

This means that you must be very thorough with the verification procedure, since it is the foundation on which the PGP trust model rests. If this is not done correctly, the whole encryption is void, since you really don’t know who the person at the other end really is.
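
What the fingerprint check at a key signing actually compares, as an added example that is not part of the original post: for a version 4 OpenPGP key the fingerprint is a SHA-1 hash over the public-key packet, and a key ID is only the tail of that fingerprint, so two fingerprints can share a key ID and still belong to different keys. The key material below is a constructed toy value, and the function names are chosen for this example.

```python
import hashlib
import struct


def mpi(value):
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def rsa_public_key_packet(created, n, e):
    """Body of a version 4 RSA public-key packet: version, time, algorithm, MPIs."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def v4_fingerprint(body):
    """SHA-1 over 0x99, the 2-byte body length and the packet body (RFC 4880)."""
    data = b"\x99" + struct.pack(">H", len(body)) + body
    return hashlib.sha1(data).hexdigest().upper()


def key_ids(fingerprint):
    """The long and short key IDs are the last 16 and 8 hex digits."""
    return "0x" + fingerprint[-16:], "0x" + fingerprint[-8:]


def same_key(printed, fetched):
    """Compare every digit of two fingerprints, ignoring spacing and case."""
    a = "".join(printed.split()).upper()
    b = "".join(fetched.split()).upper()
    return len(a) == 40 and a == b


# Constructed toy key material (a product of two Mersenne primes), not a real key.
SAMPLE_N = (2**127 - 1) * (2**61 - 1)
SAMPLE_BODY = rsa_public_key_packet(1169596800, SAMPLE_N, 65537)

if __name__ == "__main__":
    fpr = v4_fingerprint(SAMPLE_BODY)
    # A fingerprint that differs in its first digit still has the same key IDs.
    lookalike = ("0" if fpr[0] != "0" else "1") + fpr[1:]
    print(fpr, key_ids(fpr))
    print(key_ids(lookalike) == key_ids(fpr), same_key(lookalike, fpr))
```

The creation time is part of the hashed packet, so the same RSA numbers with a different timestamp produce a different fingerprint.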

So, to sign someone’s key, just open the properties for that key and select the Trust tab.

Here you should click the top check-box when you have verified the person using photo ID and checked the fingerprint of the key. Seahorse will automatically synchronize your key with a key-server once you have signed the key. The check-box underneath is where you can select whether to trust the signatures of the person you are signing. If you check this box, you will automatically trust all keys which the person you just verified trusts. Remember that you should not tick this box if you believe that this person does not manage his keys correctly, or if you have some other reason to distrust his signatures.

Note that all steps mentioned in this article can be done using the command-line tool gpg. If you want to use this way instead, just read The GNU Privacy Handbook or try gpg --help for some general information.

I have now just discussed the basics of PGP, but do not feel afraid to explore the possibilities. A good place to start is The GNU Privacy Handbook, where you can read more about PGP and more specifically GnuPG. If you have decided to try PGP, you are welcome to send me a signed and encrypted test message. My key-ID is 0x98CEC53A and it can be found on most key-servers. To find people using PGP in your neighborhood, log on to Biglumber and do a quick search.

Privacy is becoming more and more important in the world. I hope that you will try this out and spread it to your friends and family. In the end, we should all hope for a safer, more secure and open society.