So today researchers at Princeton released their findings that hard disk encryption isn't the a silver bullet to protect data on stolen laptops. I'm still working my way through the paper, but my initial thoughts go something along the lines of "woah..." This is some really nice work. You can read the paper at http://citp.princeton.edu/memory/.
They also have a nice video presentation of the weakness. My hat is off to these folks. Great work.
Last week I was down in the Los Angeles area doing some work and I decided at the last second to attend SCALE 6X with some friends at the last second. I'm glad I did, since I had a great time, met some cool people and got a ton of new T-shirts.
We started out the day with a presentation on PostgreSQL 8.3 by Josh Berkus. Josh is a developer for Sun Microsystems and is a member of the core PostgreSQL team. He gave a great presentation on the features of the 8.3 release and really got me thinking about a system I maintain. There may be an upgrade project coming to this machine soon.
Next we wandered around the vendor hall for a bit. Mostly I collected T-Shirts and stickers, but things got really interesting when we stopped to chat with the people at the Zenoss, Hyperic and OpenNMS booths. We are looking at revamping our monitoring quite a bit at work, so this was a good chance to throw out questions. First we talked to the Zenoss guys. I've used Zenoss in the past and I like how much information it is able to pull from devices and servers. It's all done over SNMP, which has its own issues, so I don't have to install an agent on the target systems. It handles network equipment and Windows servers with the same ease. I can also use Nagios plugins to extend its capabilities. Really, its a nice app all around.
Things got really interesting at the OpenNMS booth though. I still don't know a ton about OpenNMS, but what caught my attention was how I could manage workflow with it. They have been working with Hyperic on integration to each other. One scenario that I liked was that a Hyperic check could cause an event in OpenNMS. Normal pager notifications, emails, etc go out. But to take it a step further, I can also define a handler in OpenNMS that when a specific event occurs the application automatically opens up a ticket in Jira for tracking and remediation! Now this I thought was cool. How many times have you had a repetitive issue with an application and struggled to communicate the impact of the issue to management. With this, I can track the work done to resolve each incident, the time taken and create a report for management to summarize the issue. Ok, it's boring, but still pretty cool. Who knows, with this kind of information maybe the root cause of the issue could get fixed.
Last we headed over to a presentation on Puppet by Luke Kanies of Reductive Labs. Puppet provides you with tools to keep your system configurations consistent and ease the difficulty of manually maintaining configurations and packages. It looks really cool and I'm going to play with it some. I still have a question about how secure the communications are between the clients and master server, but I heard something about client SSL certificates so maybe that will do the trick. Anyhow, some testing is definitely in order.
Other than that, not much else exciting at the show. I had a good time and got somethings to play with. If you're down in the LA area next year when SCALE 7X is, I'd recommend checking it out. For $70, it's hard to beat.
I'm out of town this week, but I've been doing some reading on MySQL performance, load balancing, high availability, etc. Some issues at work are at the root of this list, plus some consulting work that I have coming up soon.
First off, some reading directly from dev.mysql.com
High Performance MySQL
Next, a presentation by Jay Pipes and Bjorn Hansen. This one has stuff over my head and is written towards developers. Still, very good stuff.
Real World MySQL Performance Tuning
Download the PDF for it here
This isn't MySQL centric, but I ran across it in Jay and Bjorn's presentation
The High Availability Linux Project
MMM (MySQL Master-Master Replication Manager) - I need to do some testing on this one. Seems like it has some really wild application.
http://code.google.com/p/mysql-master-master/
http://groups.google.com/group/mmm-devel/
MySQL on FreeBSD
http://wiki.freebsd.org/MySQL
MySQL Performance Blog
http://www.mysqlperformanceblog.com/
Optimizing MySQL on FreeBSD
Link Here
More to come later.
I resurrected my old FreeBSD server with a new hard drive and power supply the other day. Because I only have a 2 port KVM, I decided to setup a serial console connection to my primary desktop. I've used systems on a serial connection several times, but I've never actually setup a BSD server to use one before though. Turns out this was a very simple setup.
Track down a null modem cable with female connections at either end. Hook it up to your terminal server and your target machine at the available serial ports. Then do the following.
Recently I was attempting verify some web application security issues reported by one of our vendors. Their report was fairly useless, since it complained about a couple of pages, but gave no information about how to duplicate the results. After manually trying reproduce the flaw for a while, I threw in the towel and started hunting around for a free XSS scanner.
I ran into a tool called SpringenWerk and decided to play around with it. It only took a couple of minutes to set up. I did some quick reading on how to use the tool and fired it off at the suspect page. The script ran for a little while and then exited out. Final score? Two XSS vulnerabilites, neither of which were found by the previously mentioned vendor. So I got curious and fired the script off at an HTTPS URL to see how it handled SSL. No problems at all. It negotiated the connection and did its testing from there. A very nice tool and was useful for me when I was stuck. You can take a loot at it at http://springenwerk.org/.
I never did find the issues the vendor reported and they said it was probably a false positive. Maybe, maybe not. I asked for the actual attack strings that they used, but so far they have not been able to produce them. Suspect...
This issue has bit me hard a couple of times this week, so I decided to make some notes on it. When installing a service pack on Microsoft Windows, you may get an "Access is denied" error message and have the entire install fail. In one case, I lost the entire machine and it wouldn't reboot. Another time, it survived the reboots, but still was a bit unnerving. Here is what I found out about the issue.
Apparently, this is a permissions issue within the registry. To verify this, check c:\windows\svcpack.log and search for "Access is denied". I found this in the log file.
1024.156: DoRegistryUpdates:SetupInstallFromInfSection Failed for ProductInstall.GlobalRegistryChanges.Install error: 0x5
1024.156: INF_REGISTRY Failed
1024.156: DoInstallation:DoRegistryUpdates failed
1034.047: Unregistration of sprecovr successful
1034.234: Access is denied.
To reset the permissions to the registry to the defaults you will need to use the secedit tool. I ran the following:
secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose /areas regkeys
/areas regkeys tells the tool to only reset permissions on the registry and leave the rest of the OS alone. This is important, since firing it off at everything will reset file permissions, etc.
Once the registry permissions are reset, go ahead and fire the service pack install again. I used "WindowsServer2003-KB914961-SP2-x86-ENU.exe /norestart" to prevent a restart before I was ready. For my issue, this worked perfectly.
Links are:
Access is denied when installing SP - http://support.microsoft.com/kb/873148
Reseting registry permissions - http://support.microsoft.com/?kbid=313222
So things have been pretty silent for the last 4 months on the blog. It's not that I've been idle, but I've just had so much going on that writing was one of the last things on my mind. Here's a recap of some of the more notable events.
Well, I guess the title of this post is a *bit* unfair, but it's close enough for me. First some background. I'm studying cross site scripting right now for my final independent study at school. As part of this I'm messing around with a book on AJAX to learn more about javascript and how this whole Web 2.0 booya works. Tonight I'm banging on one of the early examples in the book. I created the HTML and javascript files on my local machine and hit them via Firefox. The javascript makes an XMLHttpRequest to the author's web site since there is almost zero info on server side code in the book. Firebug immediately starts complaining to me with "Permission denied to call method XMLHttpRequest.open". What the heck?? Time to troll google.
Sure enough, I find some answers the the issue. The problem is that I am running the files at http://localhost/foo.html and the XMLHttpRequest is calling http://authors.website.com/his/webservice to get some AJAXy result back. Firefox looks at this and decides that isn't cool at all and blocks the request. Hurray for the Firefox team. I like it that they thought of this. However, now what am I supposed to do? I don't have the server side code and while I could toss this on my public server, I'd really rather not. Back to google. Maybe there's a hack for this...
Well, sure enough there is. I found this post on Google Groups with details on how to work around the issue. Here's what the post has to say. Find user.js inside your firefox profile. If it's not there, create it. Open it up and add the following three lines to it:
user_pref("capability.policy.XMLHttpRequestToAnySite.XMLHttpRequest.open","allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.sites", "http://localhost");
user_pref("capability.policy.policynames", "XMLHttpRequestToAnySite");
One problem, it allows any file running at localhost to call any other site in the background via XMLHttpRequest. From what I can see I have now configured Firefox to be much more open to XSS. So I'm just going to move this file out of my profile and shut firefox down whenever I'm done studying. I'm not frustrated at Firefox at all in this. I just wish I had the source to the server code used in the book so I could run through things without asking to get pwn3d. *sigh*
