Bits and Chaos


Between bits and chaos, a sysadmin stands.

HTTP can no longer be used for authenticated web sites

If you are a user of a web site that requires authentication (which means, basically, every site), you usually access it from a network you don’t control, i.e. you don’t know, among many other things, which DNS server the infrastructure guy has chosen and which version it’s running. This means that you can be exposed to Dan Kaminsky’s well-known DNS hijack attack (you can actually check for this).

Leveraging this vulnerability (there are still plenty of DNS servers that haven’t been fixed), it’s possible to implement a man-in-the-middle attack at the application level, stealing your cookies from the authenticated HTTP session: ladies and gentlemen, please welcome CookieMonster. You are exposed even if your login page is protected via HTTPS, as the auth cookie will be passed in cleartext in every subsequent HTTP interaction.

This worst-case scenario requires a flawed DNS implementation (or rather, a DNS implementation following the original, flawed DNS protocol), so you can be reasonably safe if you always control your DNS or can at least have some trust in the guys who operate it; but if you are a roaming user you are completely exposed.

So, as you are a competent Linux user, you could fix this in a very simple way: install a caching DNS server and use, as your primary DNS, something you can trust.

If you cannot do this, you must ask your web application provider to fix this issue (some have already done so; for example, you can force all WordPress administration pages to be accessed only via HTTPS, and I’m writing this blog entry via HTTPS, so it works).
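To see whether a site still leaks its auth cookie after an HTTPS login, look at the `Set-Cookie` headers it returns: any cookie without the `Secure` attribute is also sent on plain-HTTP requests. The following check is an added example, not code from this blog or from any site mentioned here; the sample headers and the list of name hints are constructed assumptions.

```python
from http.cookies import SimpleCookie

# Constructed sample: Set-Cookie headers as a site might send them from its
# HTTPS login page. Names and values are made up for this example.
SAMPLE_LOGIN_HEADERS = [
    "Set-Cookie: session_id=abc123; Path=/; HttpOnly",
    "Set-Cookie: auth_token=def456; Path=/admin; Secure; HttpOnly",
    "Set-Cookie: lang=en; Path=/",
]

# Assumption: cookie names containing one of these hints carry login state.
AUTH_HINTS = ("sess", "auth", "token", "login", "sid")


def cookies_sent_over_http(header_lines):
    """Return names of cookies a browser would also attach to plain-HTTP requests.

    A cookie without the Secure attribute is sent on every matching request,
    encrypted or not, even when it was set by an HTTPS page.
    """
    exposed = []
    for line in header_lines:
        field, _, value = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value.strip())
        for name, morsel in jar.items():  # empty if the header was unparsable
            if not morsel["secure"]:
                exposed.append(name)
    return exposed


def exposed_auth_cookies(header_lines):
    """Narrow the result to cookies whose name suggests authentication state."""
    return [
        name
        for name in cookies_sent_over_http(header_lines)
        if any(hint in name.lower() for hint in AUTH_HINTS)
    ]


if __name__ == "__main__":
    for name in exposed_auth_cookies(SAMPLE_LOGIN_HEADERS):
        print(f"{name}: no Secure attribute, travels in cleartext over HTTP")
```
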

If you are a system administrator, you must check and, if necessary, fix your DNS implementation, and you should probably take a look at an SSL accelerator, because your connection peers (i.e. users accessing web sites under your control) could come from any possible insecure network. My 2 cents are that this man-in-the-middle attack will be only the first of a new kind, based on an interaction between different levels of the TCP/IP stack.

Filed under: network, security

How to be dishonest and live happy

It’s simple, write something like this.

The bottom line is: Debian is far more secure than RHEL and Fedora, not for technical reasons but because of its development model. When Debian’s openssl was compromised, they immediately issued a warning and told their users what to do, whilst Red Hat and Fedora were obscure, pointless and corporate-minded.

Dude, you are forgetting that it’s entirely possible that Debian’s openssl security bug was the patient zero, and that the actual compromise of Red Hat’s server could have started from a stolen passkey. Also, you are forgetting that, Red Hat being a corporation with some billions in cash (of course, they have so much money because there are plenty of stupid people like me who pay them for their services), they were forced to work closely with law enforcement agencies once such an intrusion occurred, and when the FBI reaches the crime scene they are not primarily interested in sending an e-mail message to the mailing lists to tell them “hey, we are here to save the day!”.

Filed under: oss, rhel

Fedora 9 bluetooth file sharing: I’m missing my menu

In Fedora 8, people who wanted to send a file from their cell phone to Linux via bluetooth had to connect their bluetooth dongle, click on the bluetooth icon to join the ad hoc network, and then, on the “Internet Menu” (if I remember correctly), there was a “Bluetooth File sharing” item that did exactly what its name says.

Ok, it was not a very well integrated solution, but it seems to me that in Fedora 9 there’s a serious usability problem.

Here and now, there is no longer a “Bluetooth File sharing” menu item; instead you have to click on the “System Menu”, then the “Preferences” sub-menu, then “Internet and Network”, and finally you find two items, “Bluetooth” and “Personal File Sharing”, where you define how to deal with Bluetooth.

It takes some time to figure out that this is the intended procedure, i.e. that the “Bluetooth File Sharing” menu item had not disappeared due to a missing package, but as a result of a new design. Wouldn’t it be better to allow for a “fake” menu item that tells the user about the new procedure? Or to add a button to the Bluetooth icon (which promptly appears after connecting the bluetooth dongle) from which to set up and control how to send and receive files?

Filed under: fedora

Red Hat acquires Qumranet

Terrific news.

After the acquisition of Xen by Citrix, another virtualization start-up becomes part of a global player.

Qumranet develops KVM, which is still in its infancy but promises a lot more than Xen due to its tight kernel integration (see here for a more detailed explanation), and it also has a desktop virtualization solution that is clearly headed toward Citrix Metaframe.

So, they have the operating system and the in-kernel hypervisor; they just need a datacenter virtualization-aware resource manager.

Filed under: virtualization