25 years of OpenBSD security tools

I’ve been using and administering OpenBSD systems since 1999 (OpenBSD 2.5). During that time, I’ve written numerous scripts to make things easier, more automated, or more secure, or sometimes just to improve my understanding of how things work. When I started managing my home systems, I ran several Internet-exposed services on my home network (DNS, mail, web, SSH). I used djbdns, qmail, and Apache httpd at the start before switching to nsd/unbound for DNS and postfix for mail, and finally to OpenSMTPD for mail. When I got tired of excessive inbound traffic, I moved my authoritative DNS to a provider while keeping an internal zone and resolvers, and set up two cloud servers for mail and my public webserver. My home network became a hardened, minimal-exposure architecture that only allows WireGuard from expected sources and mail (after mutual TLS authentication with certificates) while continuing to run internal services. ...

June 2, 2026 · 5 min

Book Review: Scott J. Shapiro, Fancy Bear Goes Phishing: The Dark History of the Information Age, in Five Extraordinary Hacks

The aim of Scott Shapiro's 2023 book is to answer three questions: (1) why is the Internet (still) so insecure? (2) how do hackers do what they do? and (3) what can be done about it? He recounts some historical events, the "five extraordinary hacks" of the subtitle, to tell the story, and introduces the terms "upcode" and "downcode" as the core concepts in his framework for understanding--where "downcode" means actual, implemented computer code and "upcode" means the social, political, and institutional forces providing incentives and governance. This is essentially a simplified version of Lawrence Lessig's four forces of law, social norms, markets, and code spelled out in his 1999 book, Code: And Other Laws of Cyberspace, and also reminded me of the framework in Bruce Schneier's 2012 book, Liars and Outliers: Enabling the Trust That Society Needs to Thrive, where the four forces are moral pressures (internalized incentives), social pressures (social/cultural incentives from other people), institutional guidelines and rules (formal rules, regulations, and laws), and security systems (locks, police, firewalls, fraud detection, etc. -- actual operational controls which may be implemented physically, in code, or by policies and practices). For Shapiro, Lessig's first three forces are "upcode" and only code is "downcode," and Schneier's first three forces and parts of his fourth are "upcode." ...

June 1, 2026 · 14 min

Books read in 2025

Not much blogging going on here still, but here's my annual list of books read for 2025.

Adam Becker, More Everything Forever: AI Overlords, Space Empires, and Silicon Valley's Crusade to Control the Fate of Humanity
Rutger Bregman, Humankind: A Hopeful History (2019)
Samuel D. Brunson, Between the Temple and the Tax Collector: The Intersection of Mormonism and the State
Kate Conger and Ryan Mac, Character Limit: How Elon Musk Destroyed Twitter (2024)
Mark Jonathan Davis, Grateful: 25 Years of Music, Movies, and Medical Emergencies with Richard Cheese & Lounge Against the Machine, Part One: Stranger in a Strange Lounge
Renée DiResta, Invisible Rulers: The People Who Turn Lies Into Reality (2024)
Cory Doctorow, Picks and Shovels: A Martin Hench Novel
Erle Stanley Gardner (Martin H. Greenberg and Charles G. Waugh, eds), The Human Zero: The Science Fiction Stories of Erle Stanley Gardner (1981)
Brooke Harrington, Offshore: Stealth Wealth and the New Colonialism (2024)
Gabriel Kennedy, Chapel Perilous: The Life & Thought Crimes of Robert Anton Wilson (2024)
Thomas Levenson, So Very Small: How Humans Discovered the Microcosmos, Defeated Germs--and May Still Lose the War Against Infectious Disease
Mary Roach, Replaceable You: Adventures in Human Anatomy
Oliver Sacks, The Island of the Colorblind (1996)
Oliver Sacks, The Mind's Eye (2010)
Neil Sheehan, A Bright Shining Lie: John Paul Vann and America in Vietnam (1988, 2009 edition)
Quinn Slobodian, Hayek's Bastards: Race, Gold, IQ, and the Capitalism of the Far Right
Dana Stevens, Camera Man: Buster Keaton, the Dawn of Cinema, and the Invention of the Twentieth Century (2023)
Katherine Stewart, Money, Lies, and God: Inside the Movement to Destroy American Democracy
Spencer Sunshine, Neo-Nazi Terrorism and Countercultural Fascism: The Origins and Afterlife of James Mason's Siege (2024)
Sam Tanenhaus, Buckley: The Life and the Revolution That Changed America
Mark S. Weiner, The Rule of the Clan: What an Ancient Form of Social Organization Reveals About the Future of Individual Freedom (2013)
Tim Weiner, The Mission: The CIA in the 21st Century
Lawrence Wright, The Looming Tower: Al-Qaeda and the Road to 9/11 (2006)
Sarah Wynn-Williams, Careless People: A Cautionary Tale of Power, Greed, and Lost Idealism

Top for 2025 published in 2025: Tanenhaus, Levenson, Roach, Weiner, Davis, Wynn-Williams, Becker, Doctorow; other top reads for the year: Sheehan, M. Weiner, Sacks.

A few planned or already (or still) in-progress reads for 2026:

Robert Caro, The Power Broker: Robert Moses and the Fall of New York (1975)
G.A. Cohen, Self-Ownership, Freedom, and Equality (1995)
John Ferris, Behind the Enigma: The Authorised History of GCHQ, Britain's Secret Cyber-Intelligence Agency (2020)
Peter H. Wilson, The Holy Roman Empire: A Thousand Years of Europe's History (2017)
Arthur M. Melzer, Philosophy Between the Lines: The Lost History of Esoteric Writing (2014)

(Previously: 2024, 2023, 2022, 2021, 2020, 2019, 2018, 2017, 2016, 2015, 2014, 2013, 2012, 2011, 2010, 2009, 2008, 2007, 2006, 2005.) ...

January 1, 2026 · 3 min

Tips on using OpenBSD's pledge and unveil in perl scripts

OpenBSD 5.9 (current as of this post is 7.5) introduced the "pledge" system call and 6.4 introduced the "unveil" system call, which together provide a means of more granular control over the system access of processes, in order to enforce least privilege. When a program calls "pledge", it provides a list of categories of system calls (called "promises") that it plans to make during the life of the running process (children have to make their own pledges and are not restricted), and an attempt to make a call outside of those areas causes the call to be blocked and the process to be killed. Additional calls to pledge cannot add new categories, but they can remove them, so access can become more restrictive but not less restrictive. ...

August 4, 2024 · 7 min

AI vs. CEOs on Destroying the World

After seeing a CNN headline "Exclusive: 42% of CEOs say AI could destroy humanity in five to ten years," I thought it was only fair to get an AI opinion in response. Turns out, 50% of AIs consulted said CEOs of large corporations could destroy the world in five to ten years.

Google Bard: How likely is it that CEOs of large corporations will destroy the world in the next five to ten years?

The likelihood of CEOs of large corporations destroying the world in the next five to ten years is low, but not impossible. The biggest threats to the planet come from climate change, pollution, and resource depletion. These are all problems that are caused by the activities of large corporations, and if they are not addressed, they could lead to catastrophic consequences. However, there are also many CEOs who are committed to sustainability and environmental protection. These CEOs are working to develop new technologies, products, and practices that will help to reduce our impact on the planet. If these efforts are successful, it is possible to avoid the worst-case scenarios and create a more sustainable future. ...

June 15, 2023 · 3 min

Some nonsense from ChatGPT about file system immutability flags in OpenBSD

I was thinking about writing a blog post about file system immutability flags in OpenBSD, and thought I'd ask ChatGPT to write it for me. It appears to have gleaned its content from OpenBSD man pages, but it is highly misleading and inaccurate, misrepresenting the key distinction between system and user immutability flags. What it got right is that only the superuser (root) can set and unset the system immutability flag (schg/noschg) while users (if they own the file) can set and unset the user immutability flag (uchg/nouchg). But either flag can be set or unset on any kind of file. ...

January 21, 2023 · 8 min

Books read in 2019

Not much blogging going on here still, but here's my annual list of books read for 2019.

Graham T. Allison, Destined for War: Can America and China Escape Thucydides's Trap?
Ross Anderson, Security Engineering (3rd edition, draft chapters)
Herbert Asbury, The Barbary Coast: An Informal History of the San Francisco Underworld
Heidi Blake, From Russia with Blood: The Kremlin's Ruthless Assassination Program and Vladimir Putin's Secret War on the West
Rutger Bregman, Utopia for Realists: How We Can Build the Ideal World
Oliver Bullough, Moneyland: The Inside Story of the Crooks and Kleptocrats Who Rule the World
Bryan Caplan and Zach Weinersmith, Open Borders: The Science and Ethics of Immigration
C.J. Chivers, The Fighters: Americans in Combat
Sefton Delmer, Black Boomerang
Nina J. Easton, Gang of Five: Leaders at the Center of the Conservative Crusade (bio of Bill Kristol, Ralph Reed, Clint Bolick, Grover Norquist, and David McIntosh)
Ronan Farrow, Catch and Kill: Lies, Spies, and a Conspiracy to Protect Predators
Ronan Farrow, War on Peace: The End of Diplomacy and the Decline of American Influence
Ian Frisch, Magic is Dead: My Journey into the World's Most Secretive Society of Magicians
Anand Giridharadas, Winners Take All: The Elite Charade of Changing the World
Reba Wells Grandrud, Sunnyslope (Images of America series)
Andy Greenberg, Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers
Jodi Kantor and Megan Twohey, She Said: Breaking the Sexual Harassment Story That Helped Ignite a Movement
Stephen Kinzer, Overthrow: America's Century of Regime Change From Hawaii to Iraq
Michael Lewis, Flash Boys: A Wall Street Revolt
Jonathan Lusthaus, Industry of Anonymity: Inside the Business of Cybercrime
Ben MacIntyre, A Spy Among Friends: Kim Philby and the Great Betrayal
Joseph Menn, Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World
Anna Merlan, Republic of Lies: American Conspiracy Theorists and Their Surprising Rise to Power
Jefferson Morley, Our Man in Mexico: Winston Scott and the Hidden History of the CIA
Sarah T. Roberts, Behind the Screen: Content Moderation in the Shadows of Social Media
Hans Rosling, with Ola Rosling and Anna Rosling Rönnlund, Factfulness: Ten Reasons We're Wrong About the World--and Why Things Are Better Than You Think
Russell Shorto, Amsterdam: A History of the World's Most Liberal City
Alexander Stille, The Sack of Rome: Media + Money + Celebrity = Power = Silvio Berlusconi
Jamie Susskind, Future Politics: Living Together in a World Transformed by Tech
Erik Van De Sandt, Deviant Security: The Technical Computer Security Practices of Cyber Criminals (Ph.D. thesis)
Tom Wolfe, The Right Stuff
Tim Wu, The Attention Merchants: The Epic Scramble to Get Inside Our Heads

Top for 2019: Bullough, Farrow (Catch and Kill), Wu, Chivers, Rosling, Greenberg, Blake, Allison, Caplan and Weinersmith, Kinzer, Delmer.

I started the following books I expect to finish in early 2020:

Myke Cole, Legion versus Phalanx: The Epic Struggle for Infantry Supremacy in the Ancient World
Walter LaFeber, Inevitable Revolutions: The United States in Central America (2nd edition)
Brad Smith and Carol Anne Browne, Tools and Weapons: The Promise and Peril of the Digital Age
Peter H. Wilson, The Holy Roman Empire: A Thousand Years of Europe's History

Two books I preordered and look forward to reading in 2020:

Anna Wiener, Uncanny Valley: A Memoir (due out January 14)
Thomas Rid, Active Measures: The Secret History of Disinformation and Political Warfare (due out April 21)

(Previously: 2018, 2017, 2016, 2015, 2014, 2013, 2012, 2011, 2010, 2009, 2008, 2007, 2006, 2005.)

January 1, 2020 · 3 min

Rep. Tom Graves' Active Cyber Defense Certainty Act

Rep. Tom Graves (R-GA14) has circulated a draft bill, the “Active Cyber Defense Certainty Act” (or ACDC Act), which amends the Computer Fraud and Abuse Act (18 USC 1030) to legalize certain forms of “hacking back” for the purposes of collecting information about an attacker in order to facilitate criminal prosecution or other countermeasures. The bill as it currently stands is not a good bill, for the following reasons: ...

March 12, 2017 · 11 min

Confusing the two Trump cybersecurity executive orders

In Andy Greenberg’s Wired article on February 9, 2017, “Trump Cybersecurity Chief Could Be a ‘Voice of Reason’,” he writes:

But when Trump’s draft executive order on cybersecurity emerged last week, it surprised the cybersecurity world by hewing closely to the recommendations of bipartisan experts—including one commission assembled by the Obama administration.

The described timing and the link both refer to the original draft cybersecurity executive order, which does not at all resemble the recommendations of Obama's Commission on Enhancing National Cybersecurity or the recommendations of the Center for Strategic and International Studies Cyber Policy Task Force, both of which included input from large numbers of security experts. Contrary to what Greenberg says, the executive order he refers to was widely criticized on a number of grounds, including that it is incredibly vague and high level, specifies an extremely short time frame for its reviews, and that it seemed to think it was a good idea to collect information about major U.S. vulnerabilities and defenses into one place and put it into the hands of then-National Security Advisor Michael T. Flynn. That original version of the executive order resembled the Trump campaign's website policy proposal on cybersecurity.

The positive remarks, instead, were for a revised version of the cybersecurity executive order which was verbally described to reporters on the morning of January 31, the day that the signing of the order was expected to happen at 3 p.m., after Trump met for a listening session with security experts. The signing was cancelled, and the order has not yet been issued, but a draft subsequently got some circulation later in the week and was made public at the Lawfare blog on February 9.

This executive order contains recommendations consistent with both the Cybersecurity Commission report and the CSIS Cyber Policy Task Force report, mandating the use of the NIST Cybersecurity Framework by federal agencies, putting the Office of Management and Budget (OMB) in charge of enterprise risk assessment across agencies, promoting IT modernization and cloud and shared services infrastructure, and directing DHS and other agency heads to work with private sector critical infrastructure owners on defenses. One key thing it does not do, which was recommended by both reports, is elevate the White House cybersecurity coordinator role (a role which the Trump administration has not yet filled, and which was held by Michael Daniel in the Obama administration) to an Assistant to the President, reflecting the importance of cybersecurity. Greenberg's piece seems to assume that Thomas Bossert is in the lead cybersecurity coordinator role, but his role is Homeland Security Advisor (the role previously held by Lisa Monaco in the Obama administration), with broad responsibility for homeland security and counterterrorism, not cybersecurity-specific. Despite Greenberg's error confusing the two executive orders being pointed out to him on Twitter on February 9, the article hasn't been corrected as of February 16.

Anonymous (2017-03-06): Dear Mr. Lippard, I apologize for contacting you in this odd way, but as your email does not seem to be publicly available, I found it my only recourse. ...

February 16, 2017 · 4 min

A few thoughts on OpenBSD 5.8

I’ve been using OpenBSD since way back at release 2.3 in 1998, so I’ve gone through upgrades that took a fair amount of work due to incompatible changes, like the switch from ipf to pf for host firewalling or the change to ELF binaries. The upgrade from 5.7 to 5.8 was a pretty smooth and easy one, for the most part. The two most painful changes for me were the replacement of sudo with doas and the dropping of support in rc.conf for the pf_rules variable.

While sudo is still available as a package, I like the idea of reducing attack surface with a simpler program, so I made the switch. The two things I miss most about sudo are the ability to authenticate for a period of time and the ability to have a single config file across a whole set of servers. The former I’m just living with; the latter I’ve adjusted to by having a single config file that has lines commented out depending on which server it’s on. I did have one moment of concern about the quality of doas when it incorrectly reported the line number on which I had a syntax error in the config file–fortunately, this was just a failure to increment the line count on continuation lines (ending with a “\”), which is fixed in the -current release.

The removal of the pf_rules variable support from rc.conf was a bigger issue–I used to just put the default pf.conf rules file in place with each release and upgrade, and keep my changes in a pf.conf.local file that was specified in the pf_rules variable. The effect was that from the period after the upgrade until I noticed the change, my systems were using the default rules and thus more exposed than they were supposed to be. This wasn’t the first time an incompatible change decreased my level of security–the removal of tcpwrappers support from SSH was another. I used to use a combination of pf rules and hosts.allow as additional layers of protection on my SSH access, and had a set of tools that allowed me to easily add IP addresses to or remove them from my hosts.allow files. Had it still been in existence, this would have been a layer of defense still in place after the loss of my pf rules. Fortunately, I also have SSH on a non-standard port and only allow SSH key logins, not user/password logins, and most of my systems can’t be reached on any port without first making a VPN connection, which requires two-factor authentication.

A minor annoying change that was made in 5.8 was putting the file /var/unbound/db/root.key into /etc/changelist, so that the file gets checked daily by the security script. The issue with this is that if you are actually using unbound with DNSSEC, this file changes daily, though only in the comments. My “reportnew” log monitoring tool has a feature that allows you to be notified if files that are expected to change on some periodic schedule do not change, and that would be more appropriate than getting daily notifications that yes, the autotrust anchor file has been updated yet again. But what would really be ideal here would be a check that the non-comment components have not changed. (Others have also complained about this.)

A final issue I’ve run into with OpenBSD 5.8 is not a new issue, but it’s one that still hasn’t been fixed with pf. That is that pf logs certain traffic (IGMP in particular) when it matches a rule that does not call for logging. This appears to be the same issue that was fixed earlier this year in pfsense, which is derived from an older fork of pf.

November 23, 2015 · 3 min