25 years of OpenBSD Security Tools: syslock and sysunlock

If you missed the overview post, you can see it here. This one is about managing immutable and append-only files on *BSD, Linux, and macOS.

Immutable and Append-Only Files

BSD-derived operating systems (including macOS) and Linux both support the concept of files being made immutable, so that neither their contents nor attributes can be changed. They also both support files being made append-only, so that the existing contents cannot be changed except by adding more data to the end. They do it in slightly different ways. ...

June 5, 2026 · 17 min

Book Review: Scott J. Shapiro, Fancy Bear Goes Phishing: The Dark History of the Information Age, in Five Extraordinary Hacks

 Scott Shapiro's 2023 book's aim is to answer three questions: (1) why is the Internet (still) so insecure? (2) how do hackers do what they do? and (3) what can be done about it? He recounts some historical events, the "five extraordinary hacks" of the subtitle, to tell the story, and introduces the terms "upcode" and "downcode" as the core concepts in his framework for understanding--where "downcode" means actual, implemented computer code and "upcode" means the social, political, and institutional forces providing incentives and governance.  This is essentially a simplified version of Lawrence Lessig's four forces of law, social norms, markets, and code spelled out in his 1999 book, Code: And Other Laws of Cyberspace, and also reminded me of the framework in Bruce Schneier's 2012 book, Liars and Outliers: Enabling the Trust That Society Needs to Thrive, where the four forces are moral pressures (internalized incentives), social pressures (social/cultural incentives from other people), institutional guidelines and rules (formal rules, regulations, and laws), and security systems (locks, police, firewalls, fraud detection, etc. -- actual operational controls which may be implemented physically, in code, or by policies and practices). For Shapiro, Lessig's first three forces are "upcode" and only code is "downcode," and Schneier's first three forces and parts of his fourth are "upcode." ...

June 1, 2026 · 14 min

Tips on using OpenBSD's pledge and unveil in perl scripts

OpenBSD 5.9 (current as of this post is 7.5) introduced the "pledge" system call and 6.4 introduced the "unveil" system call, which together provide a means of more granular control of system access by processes running on the system to enforce least privilege. When a program calls "pledge", it provides a list of categories of system calls (called "promises") that it is planning to make during the life of the running process, and any attempt to make a call outside of those categories causes the process to be killed with SIGABRT. Promises are inherited by forked children, but a program started with exec runs unrestricted unless the caller supplied a separate set of promises for it (pledge's second, "execpromises" argument), so exec'd children otherwise have to make their own pledges. Additional calls to pledge cannot add new categories but they can remove them, so access can become more restrictive but not less restrictive. ...
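As an added example (not code from the original post), here is a minimal perl script that applies the two calls in the order that actually works: load every module first (require needs rpath on the library directories that unveil is about to hide), pledge coarsely while keeping the "unveil" promise, hide the filesystem with unveil, lock unveil, then re-pledge without "unveil" so the restriction cannot be relaxed. It uses the OpenBSD::Pledge and OpenBSD::Unveil modules shipped in OpenBSD's base perl; the two file paths are hypothetical.

```perl
#!/usr/bin/perl
# Added example, not from the original post: read one config file and write
# one report, with the filesystem narrowed by unveil and the syscall surface
# narrowed by pledge. Both paths below are hypothetical.
use strict;
use warnings;
use OpenBSD::Pledge;   # exports pledge(@promises)
use OpenBSD::Unveil;   # exports unveil($path, $perms) and unveil()

my $conf   = "/etc/example.conf";     # hypothetical input file
my $report = "/var/tmp/example.out";  # hypothetical output file

# All "use" lines are above this point: module loading needs rpath on
# /usr/libdata/perl5, which the unveil calls below would otherwise hide.
#
# First pledge: stdio for print/die, rpath to read, wpath/cpath to write and
# create the report, and "unveil" so the unveil calls below are permitted.
pledge(qw(stdio rpath wpath cpath unveil)) || die "pledge: $!";

# After these calls every other path looks nonexistent (ENOENT) to us.
unveil($conf,   "r")   || die "unveil $conf: $!";
unveil($report, "rwc") || die "unveil $report: $!";
unveil()               || die "unveil lock: $!";  # no further unveil calls

# Second pledge drops "unveil": promises can only shrink, never grow back.
pledge(qw(stdio rpath wpath cpath)) || die "pledge: $!";

open my $in, "<", $conf or die "open $conf: $!";
my @active = grep { !/^\s*(?:#|$)/ } <$in>;   # skip comments and blanks
close $in;

open my $out, ">", $report or die "open $report: $!";
printf $out "%d active line(s) in %s\n", scalar @active, $conf;
close $out or die "close $report: $!";

# The work is done; tighten once more to stdio only. Anything after this
# that opened a file, a socket, or exec'd a program would abort the script.
pledge(qw(stdio)) || die "pledge: $!";
print "wrote $report\n";
```

If the script ever dies at a pledge or unveil call, the reason is usually a promise that was missed rather than a bug in the calls themselves; running it once with the pledge lines removed and watching what it opens (for example with ktrace) is the quickest way to find the missing promise or path.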

August 4, 2024 · 7 min

Google Bard on file system immutability flags in OpenBSD

Unlike ChatGPT, Bard pretty much nailed it on the initial prompt. (However, Bard refused to answer my questions about the Mars Effect like the ones I gave to ChatGPT, even when reworded to be clear I was asking for descriptions of what the effect is and what explanations are offered rather than asking it to identify causes itself.) It does lose points for grammar in the second sentence, though!

write a few paragraphs explaining immutable flags in OpenBSD including the commands for setting them and the difference between system and user immutable flags

Sure. Here is a few paragraphs explaining immutable flags in OpenBSD, including the commands for setting them and the difference between system and user immutable flags. ...

April 19, 2023 · 3 min

Books read in 2020

Not much blogging going on here still, but here's my annual list of books read for 2020.

Nicholson Baker, Baseless: My Search for Secrets in the Ruins of the Freedom of Information Act
John Bolton, The Room Where It Happened: A White House Memoir
Ben Buchanan, The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics
Susannah Cahalan, The Great Pretender: The Undercover Mission That Changed Our Understanding of Madness
Michael Cohen, Disloyal: The True Story of the Former Personal Attorney to President Donald J. Trump
Myke Cole, Legion versus Phalanx: The Epic Struggle for Infantry Supremacy in the Ancient World
Libby Copeland, The Lost Family: How DNA Testing Is Upending Who We Are
Barton Gellman, Dark Mirror: Edward Snowden and the Surveillance State
Fiona Hill and Clifford G. Gaddy, Mr. Putin: Operative in the Kremlin (2012)
James W. Johnson, Arizona Politicians: The Noble and the Notorious (2002)
Gene Kim, The Unicorn Project: A Novel about Developers, Digital Disruption, and Thriving in the Age of Data
Maria Konnikova, The Biggest Bluff: How I Learned to Pay Attention, Master Myself, and Win
Talia Lavin, Culture Warlords: My Journey Into the Dark Web of White Supremacy
Carol D. Leonnig and Philip Rucker, A Very Stable Genius: Donald J. Trump's Testing of America
Ben Macintyre, The Spy and the Traitor: The Greatest Espionage Story of the Cold War (2018)
Nancy MacLean, Democracy in Chains: The Deep History of the Radical Right's Stealth Plan for America (2017)
H. Keith Melton and Robert Wallace, with Henry R. Schlesinger, Spy Sites of New York City: A Guide to the Region's Secret History (2020)
Jefferson Morley, Morley v. CIA: My Unfinished JFK Investigation
Bastian Obermayer and Frederik Obermaier, The Panama Papers: Breaking the Story of How the Rich & Powerful Hide Their Money
Thomas Rid, Active Measures: The Secret History of Disinformation and Political Warfare
Brad Smith and Carol Anne Browne, Tools and Weapons: The Promise and Peril of the Digital Age
Mary Trump, Too Much and Never Enough: How My Family Created the World's Most Dangerous Man
Robert Wallace and H. Keith Melton with Henry R. Schlesinger, Spy Sites of Washington, DC: A Guide to the Capital Region's Secret History (2017)
Anna Wiener, Uncanny Valley: A Memoir
Isabel Wilkerson, Caste: The Origins of Our Discontents

Top for 2020: Copeland, Macintyre, Cahalan, Smith and Browne, Buchanan, Obermayer and Obermaier, Gellman, Rid.

I started the following books I expect to finish in 2021 (yes, I also said that about LaFeber and Wilson last year--I'm well into LaFeber's book and thought I might finish before the end of the year, but had only read Wilson's intro so it's barely started):

William Dalrymple, The Anarchy: The East India Company, Corporate Violence, and the Pillage of an Empire
Walter LaFeber, Inevitable Revolutions: The United States in Central America (2nd edition)
Peter H. Wilson, The Holy Roman Empire: A Thousand Years of Europe's History

I've also pre-ordered and am looking forward to reading:

Nicole Perlroth, This Is How They Tell Me the World Ends: The Cyberweapon Arms Race (due to be published on February 9)

(Previously: 2019, 2018, 2017, 2016, 2015, 2014, 2013, 2012, 2011, 2010, 2009, 2008, 2007, 2006, 2005.)

January 1, 2021 · 3 min

Books read in 2019

Not much blogging going on here still, but here's my annual list of books read for 2019.

Graham T. Allison, Destined for War: Can America and China Escape Thucydides's Trap?
Ross Anderson, Security Engineering (3rd edition, draft chapters)
Herbert Asbury, The Barbary Coast: An Informal History of the San Francisco Underworld
Heidi Blake, From Russia with Blood: The Kremlin's Ruthless Assassination Program and Vladimir Putin's Secret War on the West
Rutger Bregman, Utopia for Realists: How We Can Build the Ideal World
Oliver Bullough, Moneyland: The Inside Story of the Crooks and Kleptocrats Who Rule the World
Bryan Caplan and Zach Weinersmith, Open Borders: The Science and Ethics of Immigration
C.J. Chivers, The Fighters: Americans in Combat
Sefton Delmer, Black Boomerang
Nina J. Easton, Gang of Five: Leaders at the Center of the Conservative Crusade (bio of Bill Kristol, Ralph Reed, Clint Bolick, Grover Norquist, and David McIntosh)
Ronan Farrow, Catch and Kill: Lies, Spies, and a Conspiracy to Protect Predators
Ronan Farrow, War on Peace: The End of Diplomacy and the Decline of American Influence
Ian Frisch, Magic is Dead: My Journey into the World's Most Secretive Society of Magicians
Anand Giridharadas, Winners Take All: The Elite Charade of Changing the World
Reba Wells Grandrud, Sunnyslope (Images of America series)
Andy Greenberg, Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers
Jodi Kantor and Megan Twohey, She Said: Breaking the Sexual Harassment Story That Helped Ignite a Movement
Stephen Kinzer, Overthrow: America's Century of Regime Change From Hawaii to Iraq
Michael Lewis, Flash Boys: A Wall Street Revolt
Jonathan Lusthaus, Industry of Anonymity: Inside the Business of Cybercrime
Ben MacIntyre, A Spy Among Friends: Kim Philby and the Great Betrayal
Joseph Menn, Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World
Anna Merlan, Republic of Lies: American Conspiracy Theorists and Their Surprising Rise to Power
Jefferson Morley, Our Man in Mexico: Winston Scott and the Hidden History of the CIA
Sarah T. Roberts, Behind the Screen: Content Moderation in the Shadows of Social Media
Hans Rosling, with Ola Rosling and Anna Rosling Rönnlund, Factfulness: Ten Reasons We're Wrong About the World--and Why Things Are Better Than You Think
Russell Shorto, Amsterdam: A History of the World's Most Liberal City
Alexander Stille, The Sack of Rome: Media + Money + Celebrity = Power = Silvio Berlusconi
Jamie Susskind, Future Politics: Living Together in a World Transformed by Tech
Erik Van De Sandt, Deviant Security: The Technical Computer Security Practices of Cyber Criminals (Ph.D. thesis)
Tom Wolfe, The Right Stuff
Tim Wu, The Attention Merchants: The Epic Scramble to Get Inside Our Heads

Top for 2019: Bullough, Farrow (Catch and Kill), Wu, Chivers, Rosling, Greenberg, Blake, Allison, Caplan and Weinersmith, Kinzer, Delmer.

I started the following books I expect to finish in early 2020:

Myke Cole, Legion versus Phalanx: The Epic Struggle for Infantry Supremacy in the Ancient World
Walter LaFeber, Inevitable Revolutions: The United States in Central America (2nd edition)
Brad Smith and Carol Anne Browne, Tools and Weapons: The Promise and Peril of the Digital Age
Peter H. Wilson, The Holy Roman Empire: A Thousand Years of Europe's History

Two books I preordered and look forward to reading in 2020:

Anna Wiener, Uncanny Valley: A Memoir (due out January 14)
Thomas Rid, Active Measures: The Secret History of Disinformation and Political Warfare (due out April 21)

(Previously: 2018, 2017, 2016, 2015, 2014, 2013, 2012, 2011, 2010, 2009, 2008, 2007, 2006, 2005.)

January 1, 2020 · 3 min

A few thoughts on OpenBSD 5.8

I've been using OpenBSD since way back at release 2.3 in 1998, so I've gone through upgrades that took a fair amount of work due to incompatible changes, like the switch from ipf to pf for host firewalling or the change to ELF binaries. The upgrade from 5.7 to 5.8 was a pretty smooth and easy one, for the most part. The two most painful changes for me were the replacement of sudo with doas and the dropping of support in rc.conf for the pf_rules variable.

While sudo is still available as a package, I like the idea of reducing attack surface with a simpler program, so I made the switch. The two things I miss most about sudo are the ability to authenticate for a period of time and the ability to have a single config file across a whole set of servers. The former I'm just living with; the latter I've adjusted to by having a single config file that has lines commented out depending on which server it's on. I did have one moment of concern about the quality of doas when it incorrectly reported the line number on which I had a syntax error in the config file--fortunately, this was just a failure to increment the line count on continuation lines (ending with a "\"), which is fixed in the -current release.

The removal of the pf_rules variable support from rc.conf was a bigger issue--I used to just put the default pf.conf rules file in place with each release and upgrade, and keep my changes in a pf.conf.local file that was specified in the pf_rules variable. The effect was that from the period after the upgrade until I noticed the change, my systems were using the default rules and thus more exposed than they were supposed to be. This wasn't the first time an incompatible change decreased my level of security--the removal of tcpwrappers support from SSH was another. I used to use a combination of pf rules and hosts.allow as additional layers of protection on my SSH access, and had a set of tools that allowed me to easily add IP addresses to or remove them from my hosts.allow files. This would have been a layer of defense still in place with the loss of my pf rules, had it still been in existence. Fortunately, I also have SSH on a non-standard port and only allow SSH key logins, not user/password logins, and most of my systems can't be reached on any port without first making a VPN connection, which requires two-factor authentication.

A minor annoying change that was made in 5.8 was putting the file /var/unbound/db/root.key into /etc/changelist, so that the file gets checked daily by the security script. The issue with this is that if you are actually using unbound with DNSSEC, this file changes daily, though only in the comments. My "reportnew" log monitoring tool has a feature that allows you to be notified if files that are expected to change on some periodic schedule do not change, and that would be more appropriate than getting daily notifications that yes, the autotrust anchor file has been updated yet again. But what would really be ideal here would be a check that the non-comment components have not changed. (Others have also complained about this.)

A final issue I've run into with OpenBSD 5.8 is not a new issue, but it's one that still hasn't been fixed with pf: pf logs certain traffic (IGMP in particular) when it matches a rule that does not call for logging. This appears to be the same issue that was fixed earlier this year in pfSense, which is derived from an older fork of pf.

November 23, 2015 · 3 min

How to use Google Authenticator with OpenBSD, OpenSSH, and OpenVPN--and why you might not want to

I thought that Google Authenticator might be a quick and easy two-factor authentication solution for VPN access to my personal network, so I did some Google searches to see if that were so. I found quite a few sources describing how to set it up with systems that use Linux Pluggable Authentication Modules (PAM), but very little about using it with BSD Authentication on OpenBSD. The most promising link I came across was to an implementation of Google Authentication for OpenBSD that was last updated in early 2013, based on Google’s PAM code, but I couldn’t get it to work. It compiled and installed, and the googleauth code for generating a secret (and a very insecure way of generating a QR code to use to import it into the Google Authenticator application) worked fine, but I couldn’t successfully use it for console login, OpenSSH login, or OpenVPN login. I also found the standard OpenBSD port for openvpn_bsdauth, which compiled, installed, and worked successfully for password authentication by adding these lines to my OpenVPN configuration: ...

October 31, 2013 · 7 min

Miscellanea

I recently had a few opportunities on a plane to catch up on some reading and podcasts.  A few of the more interesting things I came across: A bunch of interesting articles in The Economist for the past few weeks: January 28-February 3, 2012: "Saving Lives: Scattered Saviors" -- harnessing social media and mobile devices to deploy first aid faster than an ambulance can arrive (United Hatzalah in Israel believes it will be able to have first responders on the scene within 90 seconds). "China's new tribes: Ant tribes and mortgage slaves" -- a new vocabulary in Mandarin describing emerging social groups in China.  (Reminds me of Cory Doctorow's Eastern Standard Tribe.) "Affinity fraud: Fleecing the flock" -- the rise in affinity fraud, especially religious affinity fraud, during the economic downturn, and why it works so effectively.  (Also see my blog post from 2008 and another on the same topic from the Secular Outpost in 2006.)  Briefly mentioned is the Baptist Foundation of Arizona affinity fraud, which victimized my step-grandfather by stealing most of his retirement savings. "Visible-light communication: Tripping the light fantastic" -- an update on where we stand with Li-Fi (using LED lighting as a mechanism for data transmission). February 4-10, 2012: "Synaesthesia: Smells like Beethoven" -- A new study finds correlations between odors and sounds, even among people who are not synaesthetes. "Scientific publishing: The price of information" -- On the boycott of Elsevier by scientists tired of excessive charges for journals, and the competition from arXiv and PLoS. "Biomimetics: Not a scratch" -- lessons from the microstructure of scorpion armor for reducing wear rates on aircraft engines and helicopter rotors. 
Podcasts: Philosophy Bites interview with Alain de Botton on Atheism 2.0: de Botton, author of Religion for Atheists, argues that there are good and useful components of religion which can be secularized, and that it is as legitimate to borrow things we like from religion while discarding what we don't as it is to prefer different kinds of art and music.  (Also see the Token Skeptic interview with de Botton and watch his TED talk.)  I think his picture of religion, like that of Scott Atran (In Gods We Trust) and Pascal Boyer (Religion Explained) makes more sense than the way some atheists talk about it as though fundamentalist religion is the essence of religion, and should be discarded completely (which doesn't seem likely to happen as long as we live in social communities). Rationally Speaking interview with Joseph Heath: Heath, author of Economics without Illusions: Debunking the Myths of Modern Capitalism (Canadian title: Filthy Lucre: Economics for People who Hate Capitalism, which the publishers decided wouldn't sell in the U.S.), talks about misunderstandings of economics on both the right and the left.  (Also see this BloggingHeads TV interview of Heath by Will Wilkinson, who writes: "The section on right-wing fallacies is largely on the money and a great challenge for rote libertarians and conservatives. The section of left-wing fallacies is terrific, and it would be terrific if more folks on the left were anywhere near as economically literate as Heath.")  Heath's "Rationally Speaking pick" also sounds fascinating, Janos Kornai's The Socialist System: The Political Economy of Communism, which explains the creative but ultimately futile ways that human beings tried to replace markets with planning and design.)

February 11, 2012 · 3 min

Arizona Department of Public Safety's security breach

LulzSec breached the security of the Arizona Department of Public Safety (DPS) at some point in the past, and on June 23 around 4 p.m. Arizona time, posted some or all of what they had acquired. This included the names, email addresses, and passwords of several DPS officers as well as a number of internal documents which appeared to have been obtained from email attachments or perhaps from the compromise of end user systems. The documents included a PowerPoint presentation on gang tattoos that purported to be a way of identifying Islamic radicals, which was reminiscent of similar ludicrous law enforcement presentations from the 1980s about identifying Satanic cult members by their black clothing and occult symbols. (Some police departments still promote such nonsense, citing exposed fraud "Lauren Stratford" as a source.) The documents also included a bulletin which expresses concern about the "Cop Recorder" iPhone application.

On June 24, DPS posted a press release responding to the attacks, accusing LulzSec of being a "cyber terrorist group"--a term better reserved for criminally disruptive activities intended to cause physical harm or disruption of critical infrastructure, not for embarrassing organizations that haven't properly secured themselves. In the press release, DPS enumerates the steps they've taken to secure themselves and the safeguards they've put in place. It's an embarrassing list which suggests they've had poor information security and continue to have poor information security.

First, their press release has a paragraph suggesting that the damage is limited, before they've probably had time to really determine that's the case. They write:

There is no evidence the attack has breached the servers or computer systems of DPS, nor the larger state network. Likewise, there is no evidence that DPS records related to ongoing investigations or other sensitive matters have been compromised.

Just because they have "no evidence" of something doesn't mean it didn't happen--what records did they review to make this determination? Were they doing appropriate logging? Have logs been preserved, or were they deleted in the breach? Do they have centralized logging that is still secure? When did the compromise take place, and when did DPS detect it? The appearance is that they didn't detect the breach until it was exposed by the perpetrators. What was the nature of the vulnerability exploited, and why wasn't it detected by DPS in a penetration test or vulnerability assessment? LulzSec has complained about the number of SQL injection vulnerabilities they've found--was there one in DPS's web mail application?

Next, they report what they've done in response, and again make statements about how "limited" the breach was:

Upon learning that a limited number of agency e-mails had been disclosed, DPS took action. In addition to contacting other law enforcement agencies, the Arizona Counter Terrorism Information Center (ACTIC) has been activated. Remote e-mail access for DPS employees remains frozen for the time-being. The security of the seven DPS officers in question remains the agency's top priority and, since a limited amount of personal information was publicly disclosed as part of this breach. Steps are being taken to ensure the officers' safety and that of their families.

They've disabled the e-mail access that they believe was used in the breach--that's good. Presumably the exposed officer passwords were discovered to be from this system. Perhaps they will not re-enable the system until they have a more secure mechanism that requires VPN access and two-factor authentication--or at least intrusion prevention, a web application firewall, and effective security monitoring.

They've notified ACTIC--presumably in part because of their overblown claim that this breach constitutes "terrorism" and in part because there are some ACTIC personnel who have good knowledge of information security. And they're doing something to protect the safety of officers whose personal information (including some home addresses) was exposed.

In the final paragraph of the press release, they list some of the safeguards they have in place: ...

June 25, 2011 · 5 min