Tales of an IT Nobody

devbox:~$ iptables -A OUTPUT -j DROP

Is there a hacking campaign against open source? September 26, 2011

Linux.com, kernel.org, MySQL (twice this year), WordPress and PHP have all reported breaches of some sort this year. Is there some sort of campaign against these ‘high profile’ open source projects? It’s starting to feel like it, to me.

The more hands you get in the pot, the more nervous you should get as an administrator. System issues stem from more than password change frequency and difficulty: stale keys, and giving access to folks that shouldn’t have access, happen too.

I also feel isolation, or ‘separation of concerns’, is a tactic that is pushed aside in the name of maxing out a system; more often than not this stop-gap would save a lot of trouble. Apache’s ability to mitigate concern from last year’s breaches is a good example of isolation: they had a fairly sophisticated break-in and the repercussions weren’t as vocal as the ones from this year.

There doesn’t seem to be sufficient coverage of this MySQL hack right now – how sure are we this isn’t a sample set from a compromised browser as opposed to the site?

I hope there will be continued disclosure so everyone can learn something extra about safeguarding themselves.

While it doesn’t feel right to ream MySQL (at all, or at this point of the news) I have some initial thoughts I just can’t shake:

  1. If MySQL was ‘hacked’ (infiltrated) earlier this year, you took no extra measures on a wider scope? Really?
  2. Why the hell is your web (or any) cluster accessible without a VPN? It sounds like they’re selling shell access directly to the hosts.

 C’est la vie

Categories: mysql security servers

The inherent risks of ‘daemonize’ features in developer tools – Git, Mercurial (hg) September 24, 2011

A handful of tools such as Mercurial, Git, and soon PHP (which chances are will be its own binary) have their own ‘daemonize’ functionality.

Whatever your reasons, if you want to disable these there’s little to no help in figuring out how… ’til now.

If you want to disable Mercurial’s hg serve:
Open the file (your Python install path may differ, but this should give you an idea of what to search for)

/usr/local/lib/python2.x/dist-packages/mercurial/hgweb/server.py

Find the function ‘create_server’ and add ‘sys.exit()’ as its first line (check that ‘sys’ is imported at the top of the file):

How to verify this works:

1. Before patching: run ‘hg serve’ from a Mercurial repository. It will report the port number and remain active in the console.
2. After patching: ‘hg serve’ from a Mercurial repository will simply exit and say nothing.
3. Confirm with netstat and ps -A ux | grep ‘hg serve’ that nothing is listening or running.

If you want to disable git’s git daemon:
This one is the easier of the two: find the ‘git-daemon’ binary on your system and ‘chmod a-x’ it (remove execute permissions). Mine is in /usr/libexec/git-core. You can also relocate it somewhere inaccessible.

How to verify this works:

1. Before relocating/removing/chmodding: run ‘git daemon’; your console will remain active as if it’s listening. (You can pass a base directory for a proper daemon setup if you want…)
2. After chmodding: run ‘git daemon’ and you’ll get an error saying there are insufficient privileges; in the case of relocating/removing you’ll see “not a git command”.
3. Confirm with netstat and ps -A ux | grep ‘git daemon’ that nothing is listening or running.
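As an added example that is not from the original post, here is a small POSIX sh audit script that combines the checks above: it classifies the git-daemon helper (located via git --exec-path, falling back to the /usr/libexec/git-core path from the post) and filters a process listing for live ‘hg serve’ / ‘git daemon’ processes the way the netstat/ps step does.

```shell
#!/bin/sh
# Added example, not from the original post: audit a host for the two
# 'daemonize' features discussed above.

# Classify a helper binary: missing, disabled (no execute bit) or enabled.
helper_state() {
    if [ ! -e "$1" ]; then
        echo missing
    elif [ -x "$1" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Locate git-daemon via git's own exec path; falls back to the post's
# path (/usr/libexec/git-core) when git is not installed.
git_daemon_path() {
    p=$(git --exec-path 2>/dev/null || true)
    echo "${p:-/usr/libexec/git-core}/git-daemon"
}

# Filter a process listing (one command line per line, e.g. from
# `ps -A ux` or `ps -eo args`) down to hg serve / git daemon processes,
# dropping the grep that is doing the searching.
daemon_procs() {
    grep -E '(^|[[:space:]/])(hg serve|git daemon|git-daemon)([[:space:]]|$)' \
        | grep -v 'grep ' || true
}

# Number of matching processes; a cron job can alert when this is not 0.
daemon_proc_count() {
    daemon_procs | wc -l | tr -d ' '
}

# Print the audit for this host.
audit() {
    gd=$(git_daemon_path)
    echo "git-daemon ($gd): $(helper_state "$gd")"
    echo "live daemons (expect none):"
    ps -eo args 2>/dev/null | daemon_procs
}

audit
```

Run it after applying either change; the git-daemon line should read disabled or missing and the live daemons list should be empty.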

Categories: git hg linux security servers

Day of the Googmonster – from … a google blog… September 12, 2011

This is a must read for anyone who feels Google can do no evil and puts them on a pedestal.
Whether you embrace every little ‘tech’ knick-knack they throw out to the world, or you’re among those who see Google turning into a cash-grabber like everyone else, you should read it!

It is by far the most concise rundown of why I have a love-hate relationship with Google. I’m not against a company making some coin; anyone who knows me knows I’m a reasonable capitalist, but I do -not- agree with the direction Google seems to keep poking at.

The pace of change from Google over the past year has been alarming. I’m not talking about the new pretty UI stuff – I’m talking about their business and technological tact.

Google business observations:

– App Engine: dirt cheap before, now expensive and complicated if you want to save money.
– Labs is being retired (I view this as a strong indicator of their new business stance).
– “Music beta” – seeing this first hand makes me wonder “what’s the catch” – it doesn’t feel like Google, it -WILL- change dramatically! (I predict this will either be pulled, or quickly move to a “paid” service – another ‘get em hooked’ tactic).
– More aggressive advertisement in every facet – especially GMail.
– Self driving cars. What don’t they want their fingers in?
– Dropping of Android App Inventor (platform training / consultation, anyone?)

The above things are all OK with me – they can do what they want with their company!

My problem lies in an old fashioned tactic used by the likes of Microsoft, Netscape, etc to round up users and get them stuck on an exclusive technology (ranging from mundane protocols to programs) – now it’s Google bringing Dart and the likes of WebP to the fray.

I don’t hate Google; a lot of engineering feats give them their credibility and “trust” from the masses, and the world has benefited for sure! However, I trust them much less than I did 2+ years ago… and most certainly don’t think that there are no strings attached to these attempts to re-invent (add to) old problems.

Maybe my contention for all of this is just a sign of being winded in “web development”… I’d rather set up key gen + git access on “dev”, or work on making MegaCli stomachable, than tread water in the emotions of the browser and its dependent technology…

Categories: google rant

Kernel.org, linux.com down, still… also, Git! – Updated! September 11, 2011

With news breaking about the compromised systems for kernel.org and linux.com, both sites are “down for maintenance”. Completely, and it’s been this way for many days now (kernel.org since the 28th).

I think it’s safe to say the range and scope of the issues are pretty disappointing; the longer these systems stay down, the more obvious it is that the damages are probably higher than perceived before. I’m having a hard time saying the administrators of these groups are just this slow at being cautious (especially for the ‘forward facing’ hosts).

(Segue to Git)

It’s interesting to note that a LOT of bullets from the security breach are dodged thanks to the cryptographic hashing used by Git. Pretty cool! (Linus seems to be flirting with the idea of using Github for the latest kernel development.)

After keeping an eye on the “choosing a DVCS” discussions for PHP, a lot of people are in favor of leveraging Git purely because of Github; whereas Mercurial, which we use at M State and which has been around for a bit less, has a stronger, more mature toolset (albeit a bumpy ride for sure!) and, from my standpoint, a better cross-platform implementation. The speed differences are somewhat minimal.

The allure of Github is the social endeavour; this has fueled a much more active community (compared to Bitbucket, which is less ‘social’). It looks like Git has finished clobbering competitors like Bazaar and Perforce and finally, I’m willing to throw in the towel on my support of Mercurial and say there’s little room for traction for Hg.

The programming world is a lot of work to follow =\

(Also: It’s September 11th – take a moment to reflect – cast some sympathy and reverence for the lives lost! ) 

UPDATE 2011-09-21:
linux.com has been updated and now states that they will be “restoring service shortly”, different from the original FAQ page they had up about the breach.

I’d expect kernel.org to follow.

After over half a month (almost a month for kernel.org) of being down with poorly communicated “maintenance” pages, I hope there’s a fallout for the culprits, and I hope the maintainers of those domains take a more serious approach to how they handle this situation next time…

Categories: linux security

Google App Engine – Pricing changes and another prediction September 9, 2011

I’m not sure what the Goog’monster is thinking with so many dramatic changes over the last year. Most of them have been good, but the loss of Labs and App Inventor and the pricing hikes for the Google App Engine platform are really raising some eyebrows for me. It seems they’re tightening their belt, distancing themselves from individuals and moving toward bigger dollars.

Anywho, anyone unhappy with the pricing changes will enjoy reading what I will call the “GAE reaming” thread.

Is it a matter of time before they trickle pricing for Music and Docs? Starting to wonder …

Categories: google rant