“Bruce Schneier brings us his perspective on a future filled with kill switches; from OnStar-equipped automobiles and city buses that can be remotely disabled by police to Microsoft’s patent-pending ideas regarding so-called Digital Manners Policies. In Schneier’s view, these capabilities aren’t exactly high points of our potential future. From the article:

Once we go down this path — giving one device authority over other devices — the security problems start piling up. Who has the authority to limit functionality of my devices, and how do they get that authority? What prevents them from abusing that power? Do I get the ability to override their limitations? In what circumstances, and how? Can they override my override?

I just bought a new server today from the very excellent folks at Server Beach who I have been using for 4 or 5 years now for all my hosting needs (Anyone who signs up with them after reading this please use referrer code 5C2APE5ZPX). Server Beach offers servers of all sizes running any of a fairly large range of Linux versions (or Windows) for a monthly fee, however unfortunately none of the versions of Linux offered are SUSE. Now, a lesser geek would pick one of the available Linux versions, grumble about it a bit, then get on with using the server, however a fully certified ubergeek like myself will have nothing of that, and immediately starts exploring reinstallation options.. Now, the logistics at first glance appear to be a little daunting: * Server is in USA * Server has no CD ROM Drive * No remote access to Server BIOS, Keyboard or Video * Geek is 8000km away in Istanbul, Turkey

Now, the answer of course is the McGyver method of: * Provision the Server with whatever Linux is available (CentOS for example) * Login to the server with SSH * Download an openSUSE installation image to the server’s hard disk * Set the server to boot directly into the openSUSE installation image configured with SSH access * Cross Fingers * Reboot the server * Wait impatiently for the server to (hopefully) reappear on the internet * SSH to the server and kicking off the openSUSE installation

Now, the first and last time I did this proceedure was just over 2 years ago, and it took me 2 goes to get it right, after reading, rereading, and modifying some obscure instructions on the net pointed out to me by some friends working at SUSE. (Hi Darix.. Hi Henne..) Now, having not carried out the proceedure for 2 years, given that it is a little complex, I first checked though my bookmarks in vain, then did a google search to try and find the original instructions. Unfortunately, the original instructions I followed no longer seem to exist, but luckily someone else had bothered to write up the exact proceedure I was looking for. Upon closed inspection it turned out that it was me who wrote the document, and it is hosted on the server that I am planning to obsolete after I finish installation of the new server… Are other people this absent minded as well, or is it only me?

Anyway, without further ado, here is HOWTO Install SUSE Linux Remotely without Physical Access

In yet another stunning stupid move one of the Turkish Courts have Blocked Google for Turkish internet users

American military chiefs have been left dumbstruck by an undetected Chinese submarine popping up at the heart of a recent Pacific exercise and close to the vast USS Kitty Hawk. By the time it surfaced, the 160ft Song Class diesel-electric attack submarine had sailed within viable range for launching torpedoes or missiles at the carrier. The incident caused consternation in the US Navy, which had no idea China’s fast-growing submarine fleet had reached such a level of sophistication.

I can’t count the number of times recently that people have told me that they are about to or just have purchased a Blackberry just so that they could have the all important, critical to business, world goes dark without, feature of “push email“. As a Nokia E61i smartphone user, I have the ability to install “Blackberry” support, as well as MS Exchange “Direct Push” support (Available in Exchange Server 2003 and later) but the feature that I actually use is trusty old IMAP! Yes, ladies and gentlemen, the Internet Message Access Protocol (known as IMAP to most of us) has had “push email” ever since the IBM T.J. Watson Research Center published RFC2177 in June 1997. I guarantee that this is WAAAAAY before anyone reading this had either a “smart phone” or had heard of “push email”.

 continue reading

Today I needed to make one of my Django sites authenticate against the same usebase as one of my FreeRADIUS servers. Now, given that the RADIUS userbase is in PostgreSQL, this could have been done without touching RADIUS per se, however that would not have been nearly as interesting or elegant as making Django speak RADIUS. (And given the strange record format that FreeRADIUS uses, would have taken nearly as long to implement) After about half an hour of hacking on a Django custom Authentication Backend I now have a Django happily authenticating from my FreeRADIUS server with all the flexibility that implies (Being able to proxy requests to third parties, set time of day restrictions, use multiple clustered backends etc etc). Without further ado, here is the first cut:

from django.conf import settings
from django.contrib.auth.models import User
import pyrad.packet
from pyrad.client import Client
from pyrad.dictionary import Dictionary

class RadiusBackend:
    """
    Authenticate against a RADIUS Server.

    You must have a working RADIUS Server and Secret
    configured in settings.py. For example:

    RADIUS_SERVER = '127.0.0.1'
    RADIUS_SECRET = 'testing123'
    """
    def authenticate(self, username=None, password=None):

        srv=Client(server=settings.RADIUS_SERVER, 
                        secret=settings.RADIUS_SECRET,
                        dict=Dictionary("/usr/share/pyrad/dictionary"))

        req=srv.CreateAuthPacket(code=pyrad.packet.AccessRequest)
        req["User-Name"] = username
        req["User-Password"] = req.PwCrypt(password)
        req["NAS-Identifier"] = "django"

        reply=srv.SendPacket(req)
        if reply.code==pyrad.packet.AccessAccept:
            print "access accepted"
            try:
                user = User.objects.get(username=username)
            except User.DoesNotExist:
                # Create a new user. Note that we can set password
                # to anything, because it won't be checked; the password
                # configured on the RADIUS server will.
                user = User(username=username, password='Koh8oF7eiRou4xahxoob')
		#TODO: Use user.set_unusable_password() once
                # Django SVN > 5608 + openSUSE 10.3 bug is fixed
                user.is_staff = False
                user.is_superuser = False
                user.save()
            return user
        else:
            print "access denied"
            return None

    def get_user(self, user_id):
        try:
            return User.objects.get(pk=user_id)
        except User.DoesNotExist:
            return None

Just copy and paste this code into myproj/radiusauth.py and then stick the following in settings.py:

AUTHENTICATION_BACKENDS = (
    'myproj.radiusauth.RadiusBackend',
    'django.contrib.auth.backends.ModelBackend',
)

This code makes use of Wiggy’s wonderfull Pyrad library, so you will need to have it installed also to make things work.

My morning mail traffic contained a very sobering post to one of the security mailing lists I follow regarding the security of industrial control systems. Choice quotes include:

The typical lifetime of an industrial control system is can be 10 to 15 years. Chew on that for a minute. What were YOU playing with 15 years ago?

And:

There is much to be afraid of. Cities depend on an infrastructure that runs all too well; utilities are so reliable that we forget about how integral they are to daily life. We’re nearly invisible until something breaks. Think of this the next time you flush your toilet. How long could a large city last without water? The only people who sleep well in my industry are those who do not understand the problem.

Makes you think…

As it turns out my new company requires a PPTP VPN connection to be able to check email from outside the LAN. While some might argue that you are better off not having access to work email from home, it is a necessary evil for most of us. While I personally think that an industry standard SSL encrypted IMAP connection is at least as secure as the broken PPTP protocol, there is something to be said for hiding Exchange Servers behind firewalls (Have that firewall be a Microsoft server itself, on the other hand is obviously a questionable gain in security).

Anyway, without more ado, here is the proceedure to painlessly (Without booting Windows) connect Linux to a MS PPTP Server:

Install the NetworkManager-pptp package (openSUSE users can find it at http://repos.opensuse.org/home:/hgraeber)

Restart NetworkManager (It may be easier to simply reboot)

Right Click on the NetworkManager icon in the GNOME/KDE sytem tray (next to the clock) and select “Options / Configure”

Select “VPN Connections / Add”

From the “Service” list select “ppp” (If you run KDE you will now see “You have the GNOME configuration applet installed and can use this to configure the VPN connection……” Press OK to run the GNOME configuration applet)

Select “Add

Select “Next / PPTP Tunnel / Next”

Give a “Connection Name”, Select type of “Windows VPN (PPTP)” and put in the hostname of your Windows VPN server

On the “Authentication” tab select “Refuse EAP” (Otherwise Windows rejects the connection attempt)

Optionally enable deflate and BSD compression modules from the “Compression and Encryption” tab

Click “Forward”, then “Apply”, then “Close”

You should now have a new selection with the name you selected for the VPN connection in NetworkManager’s “VPN COnnections submenu. Click on it and you should be able to connect to your VPN server (After entering a valid username and password)

Well, as many of you know, things with my company Suntel have been a bit unclear since my business partner went to work for our largest partner company (Vodafone). After many discussions, much soul searching, and several months of uncertainty (Including considering a move back to Australia) I am happy to say that I have started working with a great team of people at AirTies Wireless Networks as the “R&D Manager, VoIP Systems”.

AirTies is very strong in the ADSL and Wireless market in Turkey with several million deployed devices, but is really just getting started in the voice market (To be fair the voice market is just getting started in Turkey also). We have some existing combo VoIP Gateway / Router products, but we have significant work ahead of us to become a serious player in the VoIP industry.

Turk Telekom is currently in the process of un-bundling the local loop, and alternate operators should be able to assign and route local Turkish telephone numbers over IP by the end of the year, so it should be an exciting ride!