
Imprint

About
eMail: wishinet at gmail . com
PGP ID: 0xCCCA5E74

Jabber: wishi@jabber.ccc.de

So fast - so weekly: Phorm p0rn successfully fought - when it comes to education

Security Now proudly announced it, and I'm very astonished: look at that graph. Amazing. Kicked their asses!


While celebrating this I got ICQ spam... since I'm online on this service again after years, the spam level has increased dramatically, to an almost annoying level. What many people don't know: you can get the IP of everyone in your contact list. This means this spam is not anonymous by default - it comes with the IP. I know that you can tunnel traffic through TOR or I2P, or similar. But I doubt that this has been used for a reason.


Alright: this isn't typical here: I'm not running an operating-system administration blog. But this one contains a lot of practical security thoughts:

My epic fight with qmail on Debian:



Dan Bernstein: I'm using his tcpserver, his qmail, his djbdns (or maradns (not Dan Bernstein code :) )).

My setup of openvpn, e.g., was quite painless on Debian: apt-get install openvpn and afterwards build the certs with easyrsa2. Takes an hour - doing it slowly, with some music and coffee in the background.
And the fastest webserver setup I ever had was lighttpd: installed, worked. I just edited the config file for 2 minutes and now it's working perfectly. Very light: light setup, lightweight process. No worries. Brilliant.


Now the epic fight: qmail. qmail is worth it. Beware: this is a hardcore setup!

1.

echo 'deb ftp://ftp.de.debian.org/debian/ stable main non-free contrib' >> /etc/apt/sources.list


There're license issues.

2.

apt-get install qmail-src ucspi-tcp-src procmail


Installs that. But only qmail's source - because we want the patches.

3.

qmail uses tcpserver and not inetd - which I think is a security-aware decision. Therefore we build this one first:

build-ucspi-tcp


Because we're not going to patch it, let it compile just as it is.

4.

build-qmail



Press ENTER to continue...


NO!

4.1. SMTP-AUTH:

cd /tmp/qmail && \
wget http://members.elysium.pl/brush/qmail-smtpd-auth/dist/qmail-smtpd-auth-0... && \
tar xzf qmail-smtpd-auth-0.31.tar.gz && \
cd qmail-smtpd-auth-0.31 && \
cp README.auth base64.c base64.h ../qmail-1.03 && \
patch -d ../qmail-1.03 < auth.patch


Now: ENTER

5. Edit /etc/qmail/me and insert $hostname.$domain.$tld


6. /etc/init.d/qmail start


7. Because the RFC requires a postmaster address:
Edit /var/qmail/alias/.qmail-postmaster.


8. Have fun... with the details: I edited the whole init script, which is written in very "technical" code, as I'd say, to start and stop vpopmail and spamassassin together with qmail. Afterwards you can have some more fun: the Debian packages of Courier-SSL come without SMTP-AUTH. Yeah, build it from source, baby. But that's not all: after debugging them for 3h with strace I found out that they need to be setuid.

Dear boys: there's a lot of room for better setups. Please :). I always thought running an Exchange eMail server was work. But man... this was ugly. If it's so hard to install a secure mailserver - who the hell is able to do that?


9. An example of the init-script:


case "$1" in
start)
echo -n "Starting mail-transfer agent: qmail"
sh -c "start-stop-daemon --start --quiet --user qmails \
--exec /usr/sbin/qmail-send \
--startas /usr/sbin/qmail-start -- \"$alias_empty\" $logger &"
# prevent denial-of-service attacks, with ulimit
ulimit -v 8192
sh -c "start-stop-daemon --start --quiet --user qmaild \
--exec /usr/bin/tcpserver -- -R -H \
-u `id -u qmaild` -g `id -g nobody` -x /etc/tcp.smtp.cdb 0 smtp \
/usr/sbin/qmail-smtpd mein.servername.tld \
/var/vpopmail/bin/vchkpw /bin/true 2>&1 | $logger -t qmail -p mail.notice &"
;;
# (stop/restart branches omitted here)
esac


Yes, just shell, but man... did I ever write here about coding conventions? Hello? What is this supposed to be? The Enigma?
Now you might say: "Use a good editor!"
Well, exactly: on a shell? Via ssh? There are choices. But:


cat > /etc/tcp.smtp <<EOF
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
EOF


cat is the best editor. vim takes ages to start. I don't know why yet: vim-full seems to be very feature-rich. And I need these features, to be honest. nano is faster, but not my editor of choice. ed is very cool...
But that's no excuse for this kind of coding!
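The two lines in /etc/tcp.smtp above decide who may relay through this server, so it is worth being able to check them mechanically. The following is an added example, not code from the original post or from the qmail/ucspi-tcp projects: a small evaluator for tcpserver access files in that format which parses the rules, resolves a connecting IP the way tcprules(1) does for addresses (exact address, then shorter dotted prefixes, then the empty default rule) and flags any non-exact rule that hands out RELAYCLIENT. It assumes that a connection matching no rule at all is plainly allowed, models no "=hostname" rules, and uses constructed sample rule sets.

```python
# Added example, not code from the original post: a small evaluator for
# tcpserver access files in the /etc/tcp.smtp format shown above. It
# answers the question a defender cares about: which connecting clients
# end up with RELAYCLIENT set (and may therefore relay mail through
# qmail-smtpd)? Lookup order follows tcprules(1) for IP addresses:
# exact address first, then shorter dotted prefixes ("10.0.", "10."),
# then the default rule with an empty address. Host-name rules ("=host")
# are not modelled. Assumption: when no rule matches, tcpserver allows
# the connection with no extra environment variables.
import re

# Constructed sample in the spirit of the post's /etc/tcp.smtp: loopback
# may relay and skips RBL checks, everyone else may only deliver locally.
TCP_SMTP = (
    '127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD="",'
    'QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"\n'
    ':allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"\n'
)

# Constructed misconfiguration: a whole 10.0.0.0/8 prefix gets RELAYCLIENT.
TCP_SMTP_BAD = TCP_SMTP + '10.:allow,RELAYCLIENT=""\n'

ENV_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="([^"]*)"')


def parse_rules(text):
    """Parse tcprules lines into a dict {address_pattern: (verdict, env)}.

    As with a cdb lookup, the first rule for a given address pattern wins.
    """
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        addr, _, rest = line.partition(':')
        verdict, _, envs = rest.partition(',')
        if verdict not in ('allow', 'deny'):
            raise ValueError('bad instruction in rule: %r' % line)
        rules.setdefault(addr, (verdict, dict(ENV_RE.findall(envs))))
    return rules


def candidate_keys(ip):
    """Keys tried for an IPv4 client, most specific first, default last."""
    parts = ip.split('.')
    keys = [ip]
    for n in range(len(parts) - 1, 0, -1):
        keys.append('.'.join(parts[:n]) + '.')
    keys.append('')
    return keys


def lookup(rules, ip):
    """Return (matched_pattern, verdict, env) for a connecting client."""
    for key in candidate_keys(ip):
        if key in rules:
            verdict, env = rules[key]
            return key, verdict, env
    return None, 'allow', {}   # assumption: no rule at all means plain allow


def relay_allowed(rules, ip):
    """True when the client is accepted and RELAYCLIENT is in its environment."""
    _, verdict, env = lookup(rules, ip)
    return verdict == 'allow' and 'RELAYCLIENT' in env


def audit_relay(rules):
    """List address patterns that grant RELAYCLIENT to more than one host.

    A prefix ("10.") or the default rule ("") carrying RELAYCLIENT makes
    the server an open relay for that range; exact addresses are fine.
    """
    exact = re.compile(r'\d+\.\d+\.\d+\.\d+')
    return sorted(
        addr for addr, (verdict, env) in rules.items()
        if verdict == 'allow' and 'RELAYCLIENT' in env
        and not exact.fullmatch(addr)
    )


if __name__ == '__main__':
    for text in (TCP_SMTP, TCP_SMTP_BAD):
        rules = parse_rules(text)
        for ip in ('127.0.0.1', '10.4.5.6', '203.0.113.5'):
            print(ip, lookup(rules, ip)[0], relay_allowed(rules, ip))
        print('risky relay rules:', audit_relay(rules))
```

Run against the post's own two rules the audit comes back empty: only 127.0.0.1 gets RELAYCLIENT, and the default rule just routes everything through the scanner queue. Adding a prefix rule with RELAYCLIENT, as in the constructed bad variant, is exactly what the audit reports.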


10.

qmailadmin is fun - with lighttpd's cgi-bin. rcpthosts is somehow strange, but the rest is a very solid mailserver solution.


Back to the real stuff and what we learn:






From 1st June 2009: if you want to provide signed devices and drivers you have to implement UAC. That's something which is not enforced in free operating systems yet. Independent Software Vendors have to follow M$'s new policy. A huge step forward. And I'm sure they will do that. Good news from Redmond!


Of course that doesn't fight Google - which steps forward with Chrome (link to hackerpublicradio!).
Thing is: maybe it's not sending stats to Google if you change the config. But who does that? No one. No one edits his Google cookies to enforce his privacy, no one uses gmail only with GnuPG, no one configures third-party cookie rejection - unless he is a computer specialist.

That's what the qmail setup I mentioned and the Google thing have in common: usability problems. When it comes to education we fail in security. Completely, as I'd say: qmail is a very secure mailserver, but the setup is impossible for a normal Standard Joe Ubuntu user. He won't understand it. He just can't. The setup requires deep knowledge of the Unix environment and userland applications, of Debian in this case and the apt-get repositories.
Changing the options in Chrome implies that you know what they mean, and that they exist. No one will read the documentation. So... it'll be used with the standard options Google defines. By >90%.



Pauldotcom has something new: a monthly security summary.


Post-exploitation techniques & defense
Fyoder scans the Internet, finds TELNET!
Attack between the client and the server
Social Networks - A tool for all attackers
Web Application Testing Tips
FAIL Of The Month (FOTM)


And you know what I like Larry and Paul for: they don't take themselves seriously while doing this podcast, and they're educating. You have fun while you learn something. Here are the slides, and you'll have fun. I bet. This summary is not the podcast. The latter will be available after it has been edited.


Another informative podcast and project place will (hopefully soon) be Stackoverflow (linked to the podcast). I tried to become a member of the beta test. But hmmh, didn't work.
This won't be just another programming forum: it'll be a question blog without accounts and that stuff... very good idea. Go there, look for info, write some stuff, and that's it. No registration, no stupid advertisements... just a good web workflow.


Some links:



North Korea does bad things:


The real surprise is to learn that they have computers, email, and networks in North Korea.


Frogs and virtualisation. An upcoming presentation: VMware released a ton of patches: look here, e.g. I'm sure that'll turn out to be interesting.

- Don't know yet: SecuraBit podcast, new.


The Mythbusters are not allowed to hack RFID. You know what: my grandma hacked RFID.
Really: it's easy.

http://www.youtube.com/watch?v=X034R3yzDhw


Wow... Security ROI at Schneier's blog: well, well... I could write a lot, but I'll just quote:

Security ROI

Return on investment, or ROI, is a big deal in business. Any business venture needs to demonstrate a positive return on investment, and a good one at that, in order to be viable.
It's become a big deal in IT security, too. Many corporate customers are demanding ROI models to demonstrate that a particular security investment pays off. And in response, vendors are providing ROI models that demonstrate how their particular security solution provides the best return on investment.



When it comes to data leakage problems with medical data: IT HAPPENS!


Thank God: no new OS fail this week. If there weren't any chaotic failures in security this week, well, I guess that's it.


Have fun,
wishi


Save the nature. Don't print this!


I provide textual exports for every blog entry. However let's save the nature together. The nature is everything around us. Every being should be respected. Save the nature - don't print too much.


Circumventing this print block is prohibited under § 95a UrhG!
Person responsible for content pursuant to § 10 paragraph 3 MDStV: Marius Ciepluch - address via eMail. The eMail address can be found in the imprint of this English-language site.
For data-protection reasons I conduct neither official nor governmental correspondence via eMail. For that, the postal address deposited with the service provider is to be used.

Data collection

No personal data is collected. Log data is anonymised.