Planet SysAdmin

Planet SysAdmin - http://planetsysadmin.com/

Samuel Huckins: Recursively ignoring multiple file patterns in subversion

Tue, 01/06/2009 - 14:14

There are a few filetypes that you likely don't want to add into any subversion repository, such as .pyc, .log, and .bak files. Not only do they not need to be in the repo, but you also probably don't appreciate them sullying the output of things like svn status either. Deleting all such files before each commit isn't a good option either. SVN allows you to ignore certain file patterns in the current directory (assuming it's under version control) and in all children via a command such as:

  svn propset -R svn:ignore "*.pyc" MYDIR

But if you then try to add another pattern, such as "*.log", the initial value of the svn:ignore property is overwritten! To overcome this, create a file containing the patterns you want to ignore, one per line. I created a .svnignore file and added it into my personal SVN, symlinked from my home directory. That way I can use it on each box I work on, on various repos as needed, since the patterns are pretty universal.

Say you have made a file called .svnignore containing:

*.pyc
*.log

Then you would run:

  svn propset -R svn:ignore -F .svnignore MYDIR

And the two patterns in the file would be ignored in MYDIR and all its children. If you want to add or remove a pattern later, just change the .svnignore file and re-run the same command.

You can also set ignore patterns globally for your Subversion client (the global-ignores option in ~/.subversion/config, which applies to every working copy on that machine rather than to one repository), but I tend to shy away from that sort of change, since I might just decide that I want some logfile checked in at one point or another. Setting the patterns per repo allows for a bit more flexibility.

One annoying note: when you add new directories to your repo, you have to run the command again. svn:ignore is a per-directory property and is not inherited, so a newly added directory has no ignore patterns until you set them.
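The procedure above has two sharp edges: svn propset replaces the whole property (so the patterns you already had are lost unless they are in the file), and new directories start with no patterns at all. The script below is an added example, editor-supplied rather than code from the original post, that merges the patterns from a file such as the post's .svnignore into each directory's existing svn:ignore instead of overwriting it, and walks the working copy so later-added directories are covered. It assumes the svn command-line client is on PATH; merge_patterns() itself needs no working copy.

```python
"""Merge ignore patterns into svn:ignore instead of overwriting them.

Added example (not from the original post). `svn propset` replaces the whole
property value, so this helper reads each directory's current svn:ignore,
unions it with the patterns in a file (one per line, like the post's
.svnignore), and writes the union back. It walks the working copy itself so
directories added since the last run are covered too. Assumes the `svn`
client is on PATH; only merge_patterns() runs without it.
"""
import os
import subprocess


def merge_patterns(existing, new):
    """Union of two newline-separated pattern lists.

    Order is preserved (existing first), blank lines and duplicates dropped,
    and the result ends with a newline as svn:ignore values conventionally do.
    """
    seen, merged = set(), []
    for line in existing.splitlines() + new.splitlines():
        pat = line.strip()
        if pat and pat not in seen:
            seen.add(pat)
            merged.append(pat)
    return "\n".join(merged) + ("\n" if merged else "")


def versioned_dirs(root):
    """Yield every directory under root that Subversion knows about."""
    for dirpath, dirnames, _ in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".svn"]
        probe = subprocess.run(["svn", "info", dirpath],
                               stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        if probe.returncode == 0:
            yield dirpath
        else:
            dirnames[:] = []  # unversioned subtree: no point descending


def apply_ignores(root, pattern_file):
    """Merge pattern_file into svn:ignore of every versioned dir; return dirs changed."""
    with open(pattern_file, encoding="utf-8") as fh:
        new = fh.read()
    changed = []
    for d in versioned_dirs(root):
        cur = subprocess.run(["svn", "propget", "svn:ignore", d],
                             capture_output=True, text=True).stdout
        merged = merge_patterns(cur, new)
        if merged != merge_patterns(cur, ""):  # compare normalised forms only
            # multi-line value passed inline; svn accepts embedded newlines
            subprocess.run(["svn", "propset", "svn:ignore", merged, d], check=True)
            changed.append(d)
    return changed


if __name__ == "__main__":
    import sys
    # usage: python svn_ignore_merge.py MYDIR .svnignore
    for d in apply_ignores(sys.argv[1], sys.argv[2]):
        print("updated svn:ignore on", d)
```

Run it after every svn add of a new directory; svn diff then shows the property changes so you can review them before committing. Keeping .log and .bak files out of the repository this way also keeps whatever they captured (credentials, session data, customer records) out of the history.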


Categories: Blogs I read

High Scalability: Lessons Learned at 208K: Towards Debugging Millions of Cores

Tue, 01/06/2009 - 10:49

How do we debug and profile a cloud full of processors and threads? It's a problem more will be seeing as we code big scary programs that run on even bigger scarier clouds. Logging gets you far, but sometimes finding the root cause of a problem requires delving deep into a program's execution. I don't know about you, but setting up 200,000+ gdb instances doesn't sound all that appealing. Tools like STAT (Stack Trace Analysis Tool) are being developed to help with this huge task. STAT "gathers and merges stack traces from a parallel application’s processes." So STAT isn't a low level debugger, but it will help you find the needle in a million haystacks.

Abstract:

Petascale systems will present several new challenges to performance and correctness tools. Such machines may contain millions of cores, requiring that tools use scalable data structures and analysis algorithms to collect and to process application data. In addition, at such scales, each tool itself will become a large parallel application – already, debugging the full BlueGene/L (BG/L) installation at the Lawrence Livermore National Laboratory requires employing 1664 tool daemons. To reach such sizes and beyond, tools must use a scalable communication infrastructure and manage their own tool processes efficiently. Some system resources, such as the file system, may also become tool bottlenecks.

In this paper, we present challenges to petascale tool development, using the Stack Trace Analysis Tool (STAT) as a case study. STAT is a lightweight tool that gathers and merges stack traces from a parallel application to identify process equivalence classes. We use results gathered at thousands of tasks on an Infiniband cluster and results up to 208K processes on BG/L to identify current scalability issues as well as challenges that will be faced at the petascale. We then present implemented solutions to these challenges and show the resulting performance improvements. We also discuss future plans to meet the debugging demands of petascale machines.
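The merging the abstract describes, reduced to its core, as an added example: this is editor-supplied illustration code, not code from the STAT project or the paper. Tasks whose stacks are identical are collapsed into one equivalence class, every trace is folded into a single prefix tree annotated with the tasks that reached each frame, and the small classes (the handful of tasks not sitting where everyone else is) are surfaced as the places worth attaching a real debugger. The traces are constructed sample data standing in for what STAT's daemons would collect.

```python
"""Stack-trace merging in miniature (added example, not STAT's own code).

Task ids map to call stacks, outermost frame first. The sample traces below
are constructed for the demo, not real BlueGene/L output.
"""
from collections import defaultdict

SAMPLE_TRACES = {
    0: ["main", "solve", "MPI_Barrier"],
    1: ["main", "solve", "MPI_Barrier"],
    2: ["main", "solve", "MPI_Barrier"],
    3: ["main", "io_flush", "write"],
    4: ["main", "solve", "MPI_Barrier"],
    5: ["main", "io_flush", "fsync"],
}


def equivalence_classes(traces):
    """Map each distinct stack (as a tuple) to the sorted tasks that show it."""
    classes = defaultdict(list)
    for task, frames in traces.items():
        classes[tuple(frames)].append(task)
    return {stack: sorted(tasks) for stack, tasks in classes.items()}


def merge_traces(traces):
    """Fold all traces into a prefix tree: {frame: (task_set, children)}."""
    root = {}
    for task, frames in traces.items():
        level = root
        for frame in frames:
            tasks, children = level.setdefault(frame, (set(), {}))
            tasks.add(task)
            level = children
    return root


def outliers(traces, threshold=0.5):
    """Tasks in classes holding less than `threshold` of all tasks.

    The large classes are usually the expected state (everyone waiting in a
    barrier); the small ones are where a debugger's attention should go.
    """
    total = len(traces)
    small = []
    for tasks in equivalence_classes(traces).values():
        if len(tasks) / total < threshold:
            small.extend(tasks)
    return sorted(small)


def compress(tasks):
    """Render a set of task ids as ranges, e.g. {0, 1, 2, 4} -> '0-2,4'."""
    ids = sorted(tasks)
    if not ids:
        return ""
    ranges, start, prev = [], ids[0], ids[0]
    for t in ids[1:]:
        if t == prev + 1:
            prev = t
            continue
        ranges.append(f"{start}-{prev}" if start != prev else str(start))
        start = prev = t
    ranges.append(f"{start}-{prev}" if start != prev else str(start))
    return ",".join(ranges)


def render(tree, depth=0):
    """Indented text dump of the merged tree with task counts per frame."""
    lines = []
    for frame, (tasks, children) in sorted(tree.items()):
        lines.append("  " * depth + f"{frame} [{len(tasks)} tasks: {compress(tasks)}]")
        lines.extend(render(children, depth + 1))
    return lines


if __name__ == "__main__":
    print("\n".join(render(merge_traces(SAMPLE_TRACES))))
    print("outliers:", outliers(SAMPLE_TRACES))
```

At 208K tasks the interesting part is that the tree and the class table stay small (their size is bounded by the number of distinct stacks, not by task count), which is why this representation scales where per-process output does not.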


Categories: Blogs I read

TaoSecurity: Metasploit 3.2 on Windows XP

Tue, 01/06/2009 - 09:11
I've been an infrequent yet admiring user of Metasploit for about four years, but I've never tried it on Windows. It strikes me as being something I "just shouldn't do," like running Nmap on Windows or (shudder) Snort on Windows. However, while preparing labs for my upcoming class, I thought I would give version 3.2 a try. It worked very well, at least for the simple test I ran.

After installing the .exe and launching the new app, I saw this window:



I decided to try exploiting a vulnerable Samba server:



When I set the parameters I ran the exploit:



When I got my session I interacted with a root shell on the victim.



By identifying the process started on the victim (PID 2216) and running lsof, you can see the vulnerable service which Metasploit attacked.

Incidentally, my take on why having these sorts of tools available is In Defense of HD Moore, from three years ago.

Great work Metasploit team!

Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates. Copyright 2003-2008 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)
Categories: Blogs I read

TaoSecurity: Recommendation for an Introduction to Unix

Tue, 01/06/2009 - 07:25
A regular blog reader asked me for recommendations on books to learn Unix, and which Unix to learn. I still remember asking my "Unix and Solaris Fundamentals" instructor in 1997 to recommend a book on Unix for me. I thought I would share my response here.

I think, as a beginner, you have to decide what you want to learn. I'll try to keep this description generic yet answer the reader's question. The person who asked the question requested an emphasis on the command line, rather than administration using GUIs.

As you might have guessed, I recommend trying FreeBSD. In fact FreeBSD 7.1 was released today. FreeBSD is a great OS for beginners, especially those who want to rely on the command line.

I am reluctant to suggest trying to learn a new OS without a good reference, but luckily a modern and thorough book arrived a little over a year ago. Michael Lucas' book Absolute BSD, 2nd Ed is probably the best pure introduction to Unix administration available. (I mean that of all the books out there, regardless of OS, Michael's book is the best, especially for beginners.)

Four years ago I posted reasons I like FreeBSD, if you want to see my overall thoughts on the OS.

After reading Michael's book, I suggest deploying services by reading Building a Server with FreeBSD 7 by Bryan J. Hong. Bryan wrote a cookbook for building various servers on FreeBSD 7.x.

I don't recommend running FreeBSD on the desktop. I prefer my desktop to "just work," and I work in a GUI environment (although I tend to install software via command line anyway). I used to run FreeBSD on my laptop, but now I use Ubuntu. For me, Ubuntu "just works." I don't worry about anything. That's what I want in a more fluid environment like a desktop. PC-BSD is an option on the desktop, but I don't run it.

If you're more inclined to use Linux everywhere, then I suggest Debian on servers and Ubuntu on your desktop. The nice aspect of pairing these two is that Ubuntu is essentially Debian underneath. Ubuntu (or even Debian) is also more likely to be natively supported for many desktop applications, whereas FreeBSD might be a little less supported.

Categories: Blogs I read

UNIX SysAdmin: FreeBSD 7.1 is out

Tue, 01/06/2009 - 04:30
Yesterday the FreeBSD Release Engineering Team announced the availability of FreeBSD 7.1-RELEASE. There are a couple of interesting points in the release notes. Firstly, what we all knew was going to happen is that ULE sc
Categories: Blogs I read

Standalone Sysadmin: Debugging traffic flow in netscreens

Tue, 01/06/2009 - 03:25
I use Juniper Netscreen (5GT and SSG5) to maintain the intersite VPNs in my company, and to function as firewalls. I was having an FTP issue today, which I suspect is caused by the firewall, so I wanted to see what was going on.

If you work on several pieces of equipment that are similar in function and interface, you might get confused, or your brain takes a shortcut, and you end up doing something silly, like typing "ls" at a Windows command line. Same thing with me and routers sometimes, so I logged into my netscreen and typed "debug" and hit question mark, because I wasn't sure of the argument list. The list of arguments came up, and I started scrolling through, looking for likely candidates. Around this time, it hit me, "There is no debug statement in ScreenOS". I quit out, and just hit "?", which should give me a list of all available commands. Sure enough, it wasn't listed there:


  alpha:ns1(M)-> ?
  clear        clear dynamic system info
  delete       delete persistent info in flash
  exec         exec system commands
  exit         exit command console
  get          get system information
  ping         ping other host
  reset        reset system
  save         save command
  set          configure system parameters
  trace-route  trace route
  unset        unconfigure system parameters
  alpha:ns1(M)->


Well...huh. So I googled it. It turns out that there is a debug command, just not generally documented, and it can do what I'm looking for. I found a blog entry on Geek2Live that seemed to hold the general ideas of what I wanted, and it even included a nifty mindmap to explain it.

If you're interested in this sort of thing, you might enjoy this list of hidden ScreenOS commands and the Juniper knowledge base article on capturing debug flow information. Brought to you by Standalone Sysadmin
http://standalone-sysadmin.blogspot.com
Categories: Blogs I read

TaoSecurity: IPv6 Tunnel on Windows XP Using Freenet6

Tue, 01/06/2009 - 02:26
Almost two years ago I described testing IPv6 using Freenet6 on FreeBSD. This morning I decided to try the same on Windows XP and document the process here.

I needed to use a tunnel method like Freenet6 because the test host is behind NAT.

First, visit go6.net and click "Free IPv6 Connectivity with Freenet6". Register yourself a user account. To install on my Windows XPSP3 32-bit system I downloaded "Gateway6 Client 6.0-BETA4 Windows Installer 32-bit". I installed and accepted the defaults:



When I first tried installing the software I got an error which denied installing the TUN driver. I had to back out of the installation and change this local group policy key using gpedit.msc:



I changed "Do not allow installation" to "Warn but allow installation" under Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Devices: Unsigned driver installation behavior. That setting is a machine-wide control over which unsigned kernel drivers can be installed, so once the TUN driver is in place it is worth returning it to "Do not allow installation".



Once the Freenet6 client was running I configured it with the username and password I registered, and I set broker.freenet6.net as my Gateway6 address. Once I connected I could visit ipv6.google.com, and even check my IPv6 address online.



You may notice I installed the ShowIP Firefox addon. I learned about that from Command Information. It's a good way to try to keep track of the IP address you're using to access IPv4 or IPv6 sites.

I was also able to access sites from cmd.exe, using ping6 to ping ipv6.google.com and ftp to connect to the IPv6-only FTP server at ftp6.netbsd.org.



I think the Freenet6 client is a good way for people behind NAT (or in the case of the test VM here, two NATs) to access IPv6-enabled sites.

Categories: Blogs I read

Anton Chuvakin - Security Warrior: Annual Blog Round-Up – 2008

Mon, 01/05/2009 - 22:16

If monthly, why not annual blog round-up? These are my top popular "Security Warrior" blog posts for 2008. Enjoy!

  1. Just as last year (!!!), the "fallout" from being featured on a high-profile programming site continues to drive humongous loads of traffic, which made this set of posts the most popular even this year, even though they were posted more than a year ago. The topic that got such a huge boost was anti-virus efficiency. The posts are: Answer to My Antivirus Mystery Question and a "Fun" Story, More on Anti-virus and Anti-malware, Let's Play a Fun Game Here ... A Scary Game, The Original Anti-Virus Test Paper is Here!, Protected but Owned: My Little Investigation, as well as a final entry about my own switch away from mainstream major-vendor anti-virus tool: A Bit More on AV and Closure (Kind of) to the Anti-Virus Efficiency/Effectiveness Saga. The staying power of this series of posts is truly astounding; pretty much a Slashdot effect.
  2. Due to totally bizarre reasons that just blow my mind, people keep obsessively googling for “open source SIEM” and thus I have to add this little post called On Open Source in SIEM and Log Management to a top list as – oh, shock! - #2. Just as a reminder, there is no credible open source SIEM tool (no “snort of SIEM”) – and there probably never will be. OSSEC comes kinda close, but solves a much more narrow problem (really well!)
  3. Next by rank (amazingly, just as last year!) is a set of my Top 11 lists: Top 11 Reasons to Collect and Preserve Computer Logs and Top 11 Reasons to Look at Your Logs (BTW, the third list, Top 11 Reasons to Secure and Protect Your Logs, was much more popular this year compared to last year – is log security finally coming?)
  4. A champion of multiple months, “MUST-DO Logging for PCI?” is also on the list; the world does need more specific PCI DSS guidance. PCI DSS guidance is not “too prescriptive,” it is more often not prescriptive enough!
  5. I did a lot of polls in 2008 (mostly on logs, but on other subjects as well) and many were on the top lists. I will do more polls this year as well; obviously, on more topics than just logs.
  6. In a similar Slashdot-like effect, my comments on the Terry Childs saga, “On Doomsaying (Terry Childs case)”, “So ... Am I? Maybe I Am!” and “Admins, Good Guys or "I am NOT an Idiot!"”, were on the top list. The whole thing REALLY opened my eyes that “information security” and “IT” are not always friends, lovers or even good neighbors … Security people often bitch about management – this saga made me think we need to bitch about IT more :-)
  7. This cute, semi-humorous post on SIEM (“11 Signs That Your SIEM Is A Dog or "Raffy, You Killed SIM!"”) was hot this year; it generated a lot of soul-searching about SIEM (some items are linked here)
  8. Accidentally launching a “security idiot” meme (“You Are "A Security Idiot" If ...”) was also one of the highlights. The “security idiot” meme lives on. (one day I will have to explain how the original post originated)
  9. Hurray to database logging (finally!) My posts related to database logging top the charts in 2008. Specifically, How to Do Database Logging/Monitoring "Right"? as well as its "prequels" Full Paper on Database Log Management Posted and On Database Logging and Auditing (Teaser + NOW Full Paper).

Categories: Blogs I read

TechRepublic IT Security: The new MD5/SSL exploit is NOT the end of civilization as we know it

Mon, 01/05/2009 - 22:00

MD5 insecure? Absolutely. SSL hacked?  Sort of, but it’s not broken. CA negligence? You decide.

——————————————————————————————————————-

MD5, known for years to be vulnerable, was instrumental in allowing creation of a rogue SSL certificate last month.  Although this is troublesome, it isn’t what really bothers me, even though some erroneously reported the untimely demise of SSL.  The real problem seems to be MD5’s continued use by CAs to sign certificates for years after problems were identified.

The MD5 story

In 2004, Dan Kaminsky described weaknesses in the MD5 cryptographic hash function.  He predicted future attacks against it could cause problems with digital signatures.  Kaminsky wrote,

The attacks discovered are indeed obscure. But completely theoretical? No. Even given what little data has been released – code implementing the attack isn’t even public yet – sufficient information has been released to piece together a rudimentary proof of concept tool that demonstrates, at minimum, that the selection of MD5 exposes new and potentially deeply undesirable functionality above and beyond what the one-way hash primitive specifies… 

That being said, this paper is not a “smoking gun” indictment of MD5. I’ve taken great pains to include the caveats of each vulnerability, as it is far too easy to overestimate the risks described in this paper. It is for that reason I am not saying “today”, or “any day now”. The title states “someday” for a reason. There are dots going back ten years as to the risk of MD5. Here are a few more, in the hopes that they will start to be connected.

Was there enough information available at the time to make everyone immediately jump to another hashing solution like SHA-1?  Probably not.  However, there should have been enough concern among certificate authorities (CAs) to protect one of the most valuable security tools on the Web–SSL.

Although the bigger CAs did begin using SHA-1 for their high-end certificates, those with fewer security guarantees (I guess you really need your lawyer to read the fine print…) continued to be signed with MD5.

The 2008 “SSL” hack

The “someday” Kaminsky wrote about drew much, much closer last month with the development and successful use of a proof-of-concept rogue CA certificate by security researchers Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, and Benne de Weger. Figure 1 is a brief description of how a rogue certificate, crafted to collide with a legitimately purchased one, can be substituted for the real thing. Turning that into a working attack still requires steering victims to the attacker's server, which is where the large number of DNS servers still vulnerable to redirection attacks comes in. For a more detailed description of how this works, see the original findings paper.

Figure 1  (http://www.win.tue.nl/hashclash/rogue-ca/#sec71)

What this means

On the surface, this “event” proves that it’s possible for an attacker to insert himself into the certificate acquisition process, resulting in wrongful authentication of visited sites.  However, SSL might not be in as much danger as originally reported.

Yes, there are many CAs still using MD5 for at least some certificate signing.  In fact, the rogue certificate used in this exploit emulated a VeriSign RapidSSL cert.  TC TrustCenter AG, RSA, and Thawte Inc. also still use the vulnerable hash function.  But there are four significant mitigating factors.

  1. Most enterprise-class certificates, such as VeriSign’s Extended Validation SSL Certificates, use SHA-1, for which no practical collision attack existed at the time.
  2. Certificates already issued with MD5 signatures are not themselves forged by this attack. What the attacker needs is a freshly issued certificate from an MD5-signing CA whose serial number and validity period can be predicted, so the exposure lies in new certificate acquisitions.
  3. CAs are quickly moving to replace MD5 with SHA-1.  For example, VeriSign was planning to phase out MD5 by the end of January 2009.  The date was pushed up due to the December proof of concept.  On December 31, 2008, RapidSSL certificates shipped with SHA-1 digital signatures.
  4. The researchers did not release the under-the-hood specifics of how the exploit was executed.

Again, these are mitigating factors. It isn’t impossible for cybercriminals to come up with an attack on their own now that a conceptual understanding of the approach is public knowledge. But SSL is not broken. The only thing broken is a portion of the public key infrastructure (PKI) which underlies it, and the risk is manageable.

How to mitigate risk

First, fix DNS.  Organizations which haven’t ensured their DNS services are secure should do so immediately.  Second, take the plunge and filter business or home access to Web sites.  (See Free Web content filtering puts safer browsing within reach for everyone and Websense.)  This is far from perfect, but it helps users avoid known malicious sites as they appear on the radar.  Finally, check new certificates before you purchase to see if the CA might be vulnerable and to ensure their validity.  Also check SSL-secured sites you visit for the first time to ensure the cert is valid–at least for the near future.

Checking before you buy is easy.  Use a reputable CA and check the signature hash function used.  Checking other sites requires the right tool, like Site Check at Networking4All.  To test, I entered the alternate URL for Gmail, as shown in Figure 2.

Figure 2

Since the certificate is actually for mail.google.com, this is a good way to see if Site Check accurately tags the cert as invalid. It did, as shown in Figure 3. Although this is a valuable test for common certificate issues, the rogue certificate described in this post would likely pass, because it is a correctly signed certificate as far as the browser can tell. However, note that the results show the chain of trust as well as the hashing functions used. If any certificate in the chain is signed with MD5, particularly one issued after the attack became public, you are armed with information necessary to possibly avoid the site or take additional steps to verify authenticity. If a business partner uses MD5 signed certificates, ’strongly encourage’ them to replace them with certificates signed with SHA-1.


Figure 3
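The check Site Check performs on the signature hash can be done locally, and it is the check worth automating against every certificate in a chain rather than just the leaf: the rogue certificate in the paper was an MD5-signed intermediate, so a SHA-1 leaf proves nothing if its issuer's signature is MD5. The following is an added example, editor-supplied rather than code from the original post, the hashclash researchers, or any CA's tooling. It uses only the standard library: a small DER reader extracts the signatureAlgorithm OID from each certificate, and weak_links() reports every non-root link signed with MD5 or MD2. The certificates built by fake_cert() are constructed fixtures with the right outer structure and a placeholder body, not real certificates.

```python
"""Flag MD5/MD2 signatures in an X.509 chain (added example, stdlib only)."""
import base64
import re

SIG_ALGS = {  # signature-algorithm OIDs relevant to the discussion
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
WEAK_HASHES = ("md2", "md5")  # hashes with published practical collisions


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """DER OID content octets -> dotted decimal string."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def pem_to_der(cert):
    """Accept PEM or DER bytes; return DER."""
    if cert.startswith(b"-----BEGIN"):
        body = re.sub(rb"-----[^-]+-----", b"", cert)
        return base64.b64decode(b"".join(body.split()))
    return cert


def signature_algorithm(cert):
    """(oid, name) of the algorithm the issuer used to sign this certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, body, _ = _read_tlv(pem_to_der(cert), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(body, 0)             # skip tbsCertificate
    _, alg_id, _ = _read_tlv(body, pos)        # AlgorithmIdentifier
    tag, oid_raw, _ = _read_tlv(alg_id, 0)     # its first element is the OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(oid_raw)
    return oid, SIG_ALGS.get(oid, "unknown")


def is_collision_weak(cert):
    """True if the signature hash has a practical collision attack."""
    return signature_algorithm(cert)[1].lower().startswith(WEAK_HASHES)


def weak_links(chain):
    """(index, algorithm) for weakly signed certs in a chain, leaf first.

    A self-signed root's own signature carries no trust, so the last
    certificate is skipped; MD5 on any other link is what lets a colliding
    rogue certificate into the chain.
    """
    return [(i, signature_algorithm(c)[1])
            for i, c in enumerate(chain[:-1]) if is_collision_weak(c)]


# --- constructed fixtures: fake certificates with the real outer structure ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def fake_cert(sig_oid):
    """Structurally valid Certificate DER with a placeholder body (not a real cert)."""
    tbs = _der(0x30, _der(0x02, b"\x02") + _der(0x13, b"demo tbsCertificate"))
    alg = _der(0x30, _encode_oid(sig_oid) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" * 129)  # long enough to exercise long-form lengths
    return _der(0x30, tbs + alg + sig)


def to_pem(der):
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"
```

Feed weak_links() the PEM blocks a server sends (for example the output of `openssl s_client -showcerts`, one block per certificate, leaf first); a non-empty result is the signal to treat the site as the post suggests, regardless of whether the leaf itself validates.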

The final word

So is SSL broken?  Not really.  The problems with MD5 are certainly cause for concern, but the risk is not high enough to mourn the demise of secure sockets, especially if simple steps are taken to avoid high-risk behavior.  Further, the problem is not with SSL itself.

Yes, MD5 is broken.  Of that there is no doubt.  So with years of advanced warning, were the CAs negligent for continuing to use MD5?  Was the risk high enough to make the shift before release of a successful proof-of-concept hack?  What do you think?

Q: Were the CAs negligent for continuing to use MD5? (Yes / No)

Q: Do you believe the December proof-of-concept renders SSL insecure? (Yes / No / Not sure)

Categories: Blogs I read

Jordan Sissel: Site design refresher / CSS overflow property on IE 7

Mon, 01/05/2009 - 20:38
I updated some of this site's design. The most obvious changes are cosmetic (new banner logo at the top, slight color/layout differences). The least obvious change (hopefully) is that this site is now laid out purely with CSS, not tables.

After refreshing my rotting CSS braincells, I got a layout working properly and was quite happy. Then I tested in IE, and saw my <pre> tags being displayed incorrectly (according to my desire, not necessarily the code, which doesn't always align):

The above should have been two lines of text with a horizontal scroll bar. I want to use a scroll bar for text that's too wide, but expand vertically without a scroll bar: never a vertical scroll bar, only ever a horizontal one.

I've spent a bit of today scouring the web with not much help. I've randomly permuted css values for overflow, overflow-x, overflow-y, min-height, etc. Having failed at that, I read everything I could find from randomly permuted search queries, one of which led me to a depressingly long write-up of IE6's expanding box problems. The page claims (and several others do, also) that IE7 fixes several box expansion problems.

I created a very small demo with minimal CSS to show the problem here: Click here to view the demo. It includes the solution I found, detailed below.

After some other random permutation, I gave up and tried wrapping the pre in a div and applying the overflow properties to the div. It worked. It's 2009 and I still have to deal with weird and obscure browser rendering inconsistencies. I came up with this:

  <style>
  .scroll-wide {
    height: auto;
    overflow-x: auto;
    overflow-y: hidden;
    max-width: 500px;
  }
  /* On firefox, pre tags have a top and bottom margin > 0, which makes your
   * scrolling div have a blank top line, which isn't what we want.
   * Fix one weirdness to find another? I didn't fully investigate.
   * Here's the fix: */
  div pre {
    margin-top: 0;
    margin-bottom: auto;
  }
  </style>
  ...
  <div class="scroll-wide">
  <pre>
  stuff
  </pre>
  </div>

Solving this with wrap-pre-in-a-div can be automated with jQuery and a CSS definition:

  // javascript
  $("pre").wrap("<div class='pre-wrap'></div>");

  // In CSS
  div.pre-wrap { /* overflow/height/whatever options */ }

It's still possible I was doing something wrong and that this hack isn't necessary, but I don't know. I'm just glad to have it working now.

PS: If you use Meyer's reset.css, you'll want to include pre { margin-bottom: auto; } , or IE will again clip the bottom of the pre contents with the scrollbar.

Categories: Blogs I read