Somewhat OT: ISSA meeting coming up

From: Mark Quering 
------------------------------------------------------
Hey all


For those of you who are security inclined (who isn't) the third quarterly
meeting of the local chapter of ISSA is coming up.

Info: http://chattanooga.issa.org/?p=1
Register: http://conta.cc/1pNTngS


-- 

Thanks;
Mark Quering

up:time
simply reliable technology
423.320.2744

building packages

From: Christopher Rimondi 
------------------------------------------------------
This question is probably 50% based on circumstance and 50% on personal
preference but I wanted to get opinions from people who have built OS
packages; debs, rpms, whatever.

What do you usually include in the package? Upstart scripts, user/group
creation, post install scripts? Other logic?

As a general philosophy: Less is more or more is more?

Thanks,

Chris

-- 
Chris Rimondi | http://twitter.com/crimondi | securitygrit.com

Anyone want to start a ps2 connector based computer company?

From: Rod-Lists 
------------------------------------------------------
or maybe comtronix and serial mice?
Why the Security of USB Is Fundamentally Broken
http://www.wired.com/2014/07/usb-security/

Ed, you and I could be rich! ;)

Oh boy... We *ARE* criminals!!!

From: kitepilot@kitepilot.com
------------------------------------------------------
Linux Lands on NSA Watch List
http://www.eweek.com/security/linux-lands-on-nsa-watch-list.html

Fwd: Linux Journal: Awesome Tech Magazine or Extremist Forum?

From: Jonathan Calloway 
------------------------------------------------------


Begin forwarded message:

> From: Linux Journal 
> Subject: Linux Journal: Awesome Tech Magazine or Extremist Forum?
> Date: July 8, 2014 at 8:00:46 AM EDT
> To: jonathancalloway@epbfi.com
> Reply-To: Linux Journal
>
> Linux Journal: Awesome Tech Magazine or Extremist Forum?
>
> NSA: Linux Journal is an "extremist forum" and its readers get flagged
> for extra surveillance
> by Kyle Rankin
>
> A new story published on the German site Tagesschau and followed up by
> BoingBoing and DasErste.de has uncovered some shocking details about who
> the NSA targets for surveillance including visitors to Linux Journal
> itself.
>
> While it has been revealed before that the NSA captures just about all
> Internet traffic for a short time, the Tagesschau story provides new
> details about how the NSA's XKEYSCORE program decides which traffic to
> keep indefinitely. XKEYSCORE uses specific selectors to flag traffic,
> and the article reveals that Web searches for Tor and Tails--software
> I've covered here in Linux Journal that helps to protect a user's
> anonymity and privacy on the Internet--are among the selectors that will
> flag you as "extremist" and targeted for further surveillance. If you
> just consider how many Linux Journal readers have read our Tor and Tails
> coverage in the magazine, that alone would flag quite a few innocent
> people as extremist.
>
> While that is troubling in itself, even more troubling to readers on
> this site is that linuxjournal.com has been flagged as a selector!
> DasErste.de has published the relevant XKEYSCORE source code, and if you
> look closely at the rule definitions, you will see
> linuxjournal.com/content/linux* listed alongside Tails and Tor.
> According to an article on DasErste.de, the NSA considers Linux Journal
> an "extremist forum". This means that merely looking for any Linux
> content on Linux Journal, not just content about anonymizing software or
> encryption, is considered suspicious and means your Internet traffic may
> be stored indefinitely.
>
> One of the biggest questions these new revelations raise is why. Up
> until this point, I would imagine most Linux Journal readers had
> considered the NSA revelations as troubling but figured the NSA would
> never be interested in them personally. Now we know that just visiting
> this site makes you a target. While we may never know for sure what it
> is about Linux Journal in particular, the Boing Boing article speculates
> that it might be to separate out people on the Internet who know how to
> be private from those who don't so it can capture communications from
> everyone with privacy know-how. If that's true, it seems to go much
> further to target anyone with Linux know-how.
>
> It's bad news to all of us who use and read about Linux on a daily
> basis, but fortunately we aren't completely helpless. Earlier in the
> year I started a series on security, privacy and anonymity in my Hack
> and / column that included articles on how to use the Tor browser bundle
> and Tails. With either piece of software in place, you can browse Linux
> Journal (and the rest of the Internet) in private.
>
> Read this and other privacy-related stories at LinuxJournal.com.
>
> A Bundle of Tor
> Tails above the Rest: the Installation
> Tails above the Rest, Part II
> Are you an extremist?
> Dolphins in the NSA Dragnet
> Are you an extremist?
> Get the T-Shirt!
> Get the T-Shirt by itself or take advantage of our special (and
> temporary) offer and get a 1-year subscription with your shirt for just
> $10 more!
>
> Copyright © 2013 Linux Journal, All rights reserved.
> Our mailing address is:
> Linux Journal
> 2121 Sage Road, Ste 395
> Houston, TX 77056

hiring

From: Christopher Rimondi 
------------------------------------------------------
We are hiring if you know anyone who fits this:

http://newton.newtonsoftware.com/career/JobIntroduction.action?clientId=8aa00506326e915601326f65b82e1fcb&id=8a32181446937e290146afb8652b3b14&source=%200

Ping me off list.

-- 
Chris Rimondi | http://twitter.com/crimondi | securitygrit.com

OpenVPN on pfSense problems

From: David White 
------------------------------------------------------
So I sent the following email to the pfSense list a few minutes ago, but I
also thought I'd post the question here... I'm having trouble getting
OpenVPN working on pfSense (I think I'm cursed with OpenVPN - I've never
had a successful deployment of it, either stand-alone on CentOS or in
pfSense!)

I'm not sure if the problem is on the server or on the client. I tend to
think that the problem is on the client's side.

Here's the email I sent:

I'm having trouble connecting my Windows 7 OpenVPN client to the pfSense
2.1.4 server. I have tried two different types of ciphers (BF-CBC and
AES-256-CBC).

This is a fresh 2.1.4 install with the server's settings generated using
the Wizard. I'm including my local config file. As you can see, I'm trying
to connect via username / password and not via SSL certificate.

dev tun
persist-tun
cipher BF-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote 204.93.122.117 1194 udp
lport 0
auth-user-pass
ca C:\nnh-vpn.crt
comp-lzo

It seems that the client is hitting the server, but for some reason, my
client isn't successfully connecting. Here's the last 50 entries in the
OpenVPN server's log (see end of this email).

I'm having trouble tracking down the log files on the client machine, so
perhaps this email should go to OpenVPN folks and not pfSense. But I'm
wondering if anyone on this list has any suggestions.

Thanks,
David

Jun 30 23:29:19 openvpn[98461]: /sbin/ifconfig ovpns1 10.1.5.1 10.1.5.2 mtu 1500 netmask 255.255.255.255 up
Jun 30 23:29:19 openvpn[98461]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1558 10.1.5.1 10.1.5.2 init
Jun 30 23:29:19 openvpn[99566]: UDPv4 link local (bound): [AF
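As an added example that is not part of the post above or of OpenVPN or pfSense, this Python script parses the client config quoted in the message and lists the settings a reviewer would tighten before going live, with a hardened counterpart alongside it; vpn.example.org and the certificate file names in the hardened version are placeholders.

```python
from typing import Dict, List

# Constructed copy of the client config quoted in the post above (values re-typed
# from the message as a sample; the CA path is the poster's Windows path).
CLIENT_CONFIG = """\
dev tun
persist-tun
cipher BF-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote 204.93.122.117 1194 udp
lport 0
auth-user-pass
ca C:\\nnh-vpn.crt
comp-lzo
"""

# Hardened counterpart; vpn.example.org and the file names are placeholders.
HARDENED_CONFIG = """\
dev tun
persist-tun
client
tls-client
remote vpn.example.org 1194 udp
resolv-retry infinite
cipher AES-256-CBC
auth SHA256
remote-cert-tls server
ca ca.crt
cert client.crt
key client.key
auth-user-pass
"""

# 64-bit block ciphers: birthday attacks (SWEET32) become practical on long tunnels.
SMALL_BLOCK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE-CBC", "DES-EDE3-CBC", "CAST5-CBC"}


def parse_config(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to every argument list it appears with (directives may repeat)."""
    opts: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # OpenVPN comment lines start with # or ;
            continue
        name, *args = line.split()
        opts.setdefault(name, []).append(args)
    return opts


def audit(opts: Dict[str, List[List[str]]]) -> List[str]:
    """Return findings for weak or missing settings; an empty list means none were seen."""
    findings: List[str] = []
    cipher = opts.get("cipher", [["BF-CBC"]])[0][0]  # BF-CBC is the OpenVPN 2.3 default
    if cipher.upper() in SMALL_BLOCK_CIPHERS:
        findings.append(f"cipher {cipher}: 64-bit block cipher (SWEET32); use AES-256-CBC or AES-256-GCM")
    if "remote-cert-tls" not in opts:
        findings.append("remote-cert-tls server missing: any certificate the CA signed is accepted as the server")
    if "auth-user-pass" in opts and "cert" not in opts:
        findings.append("auth-user-pass without cert/key: the password is the only client credential")
    if "comp-lzo" in opts or "compress" in opts:
        findings.append("compression enabled (comp-lzo/compress): compressed secrets are open to VORACLE-style leakage")
    if opts.get("auth", [["SHA1"]])[0][0].upper() in {"MD5", "SHA1"}:
        findings.append("auth MD5/SHA1: HMAC still holds, but SHA256 is the current recommendation")
    return findings
```

Running audit(parse_config(CLIENT_CONFIG)) yields five findings for the quoted config and an empty list for the hardened one.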

Home Automation and more

From: Dave Brockman 
------------------------------------------------------
Pretend you are designing your dream home (or perhaps are remodeling
and have all the walls torn down and have to run new electrical
service anyway), what would you put in?

Audio/Video/Network/Automation/Alarm/Security/Camera/Paging

Rack full of Linux servers/VMs goes without saying, so we're on-topic.
:)  I've already decided on multiple CAT-6A pulls through-out the
house.  I have been impressed enough with Unifi that I will be using
their wireless, controlled by a Debian VM.  I know some of you have
some awesome ideas.  Feel free to unicast if you don't want to share
on the public forum, but I would enjoy hearing those ideas.

Regards,

dtb
-- 
"Some things in life can never be fully appreciated nor understood
unless experienced firsthand. Some things in networking can never be
fully understood by someone who neither builds commercial networking
equipment nor runs an operational network." RFC 1925

Keren Elazari: Hackers: the Internet's immune system

From: David White 
------------------------------------------------------
I just watched this.

Not all hackers and security researchers break the law, but I found this
video fascinating, and it raises a lot of good points.

https://www.youtube.com/watch?v=erCAp

I'm baaaaaaack!

From: Ed King 
------------------------------------------------------
Got bumped off the list back in mid May due to "too many bounces". Been checking chugalug.org webpage occasionally for any job announcements or hardware sells/freebies ;-)

I stayed unsubbed for awhile (and missed Hack-a-nooga too) because I needed to focus on our latest and biggest client rollout, which went "live" on 6/2/2014. To "save money" we switched hardware platforms a few weeks before rollout (went from $800 kids-toy netbooks to $300 Dell Venue tablets), but the software platform stayed the same (albeit with some custom mods for the new client): lamp stack (linux/apache/php/mysql) on qemu. Why are we running in a vm/emulator? Well, it's a long story, but a previous 3rd party vendor wrote our field software. This 3rd party vendor required Windows netbooks. Their software was slow and flaky (as you'd expect from dot-net), so we ditched them and rewrote the field software in-house (like we wanted to do in the first place, and we did it in less than half the time, and still had more features and flexibility!). But... we couldn't just throw out twenty $800 netbooks, so we leveraged that hardware "investment" by using qemu to run our lampp stack, thinking that it would also be portable if we ever moved to android (does anyone know of a qemu package for android that doesn't SUCK?)

Back-end: For "security" this client did not want their data on the same server as our other clients, so I set up a new Debian server just for them. HTTPS and automated sftp file transfers.

Well, now that this new client is up 'n running, I figured it was time for me to re-sub, so... I'm back. This new client is our biggest client to-date, and has doubled the amount of inspectors in the field (and doubled the data collection too... thank goodness we solved that mysql lock problem we used to have). Things are running smoothly! I dare say that the support calls have somehow decreased (oh great, now I've jinxed us).

Props to our little I.T. team: Danny "dj" Smith, Jada "coldfish" Case, and Master Ed :)

To use PGP, or not to use PGP...

From: David White 
------------------------------------------------------
I'm working on a presentation I'll give next month at a conference geared
towards folks working for smaller Christian / missionary-focused nonprofits
on "Introduction to Security."

Some of the folks who attend my presentation will probably be a 1-man shop
with very little general IT knowledge, and others will probably know oodles
more than I about security and information systems.

Anyway... I installed OpenPGP into Thunderbird a few months ago, although
I've rarely (if ever) used it to sign or encrypt legitimate messages,
partly due to the fact that almost no one that I email uses PGP or has
ever heard of it.

Recently, I've been doing some research into how useful it actually is, and
whether or not it is actually secure.

My findings so far are that the current version of PGP is very secure.

Indeed, according to Wikipedia, there is no known method to breaking PGP
encryption: http://en.wikipedia.org/wiki/Pretty

Linux Kernel Patches over 4-Year-Old Bug

From: David White 
------------------------------------------------------
This looks a bit serious:
http://arstechnica.com/security/2014/05/linux-gets-fix-for-code-execution-flaw-that-went-unpatched-since-2009/

-- 
David White
Founder & CEO

*Develop CENTS *
Computing, Equipping, Networking, Training & Supporting
Nonprofit Organizations Worldwide
http://developcents.com
423-693-4234

Open Source Security Initiative

From: David White 
------------------------------------------------------
This looks promising. Sounds like the Open Source Foundation is behind it /
heading it up, which I greatly prefer over a Google- or Facebook- led
initiative or some initiative led by a combination of large tech firms.

http://www.infosecurity-magazine.com/view/38120/google-facebook-microsoft-and-other-tech-giants-to-fund-open-source-security-initiative

Thoughts on Cloudflare?

From: Rod 
------------------------------------------------------
Just wondering what y'all thought of its services.
Heard it was a good dynamic dns among other things.
But the CDN, Optimizer, and security options look interesting.

-- 
The unregulated free market is like Yog-Sothoth, a mythical being whose  
followers make bloody sacrifice to hasten its arrival to this world.

http://snowdenandthefuture.info/documents.html

Using Opera's mail client: http://www.opera.com/mail/

Fwd: NSA reportedly knew about Heartbleed

From: David White 
------------------------------------------------------
Whenever I send these emails to multiple mailing lists and put 'em on the
BCC line, Chugalug always bounces because it's an "implicit" recipient. So
here's my "try again"!


http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html

This is one of the most critical internet security bugs of all time. If
true, the NSA put billions of accounts in jeopardy.

Also if true, this proves my point, EXACTLY, as to why the NSA does not
have the best interest of the internet security community:
http://www.davidmartinwhite.com/2014/03/24/how-does-the-nsa-do-what-it-does/

-- 
David White
Founder & CEO

*Develop CENTS *
Computing, Equipping, Networking, Training & Supporting
Nonprofit Organizations Worldwide
http://developcents.com
423-693-4234




Major OpenSSL Vulnerability

From: David White 
------------------------------------------------------
I got a security advisory from the CentOS maintainers last night about it,
and I just read this CNET article:
http://www.cnet.com/news/heartbleed-bug-undoes-web-encryption-reveals-user-passwords/

Here's the security advisory from CentOS:

Earlier in the day today, we were made aware of a serious
issue in openssl as shipped in CentOS-6.5 ( including updates issued
since CentOS-6.5 was released ); This issue is addressed in detail
at http://heartbleed.com/

Upstream have not released a patched version of openssl, although we
are reliably informed that there is quite a bit of effort ongoing
to release a patched package soon.

As an interim workaround, we are releasing packages that disable the
exploitable code using the published workaround ( tls heartbeat );
Note that these packages do not resolve the issue, they merely
disable the feature that is being exploited.

Notes:
1) All versions of CentOS prior to 6.5 are unaffected.
2) the release tag in these packages is marked in a manner that the next
upstream version will override and replace these packages.

-- 
David White
Founder & CEO

*Develop CENTS *
Computing, Equipping, Networking, Training & Supporting
Nonprofit Organizations Worldwide
http://developcents.com
423-693-4234

OT - Wanting Guest Blog Posts (maybe)

From: David White 
------------------------------------------------------
Hiya folks,
Since I launched Develop CENTS  over a year ago,
I've kept a somewhat active blog. My goal is to post at least twice a
month, although that hasn't always happened.

Since then, I know that I have a few regular readers, but I believe most of
my traffic comes from organic search results, outside of the initial social
media push whenever I publish a new post.

That said, I've tried to gear my blog posts towards content that would be
helpful to the average Joe computer user, with a bent on security. I try to
incorporate simple steps a user can take to solve problems on their own,
but at the end of the day, the goal of my blog has always been to get
people interested in more complicated services Develop CENTS provides.

That said, I've been thinking about opening up the blog to guest posts.

What you'd get:

   - Your picture at the top of the blog post (just like mine -
   http://developcents.com/blog/03142014-1626/securely-discarding-your-old-hard-drives)
   - A link to your website with a description of who you are and what you
   do, in italics at the end of the post.

What I'd get:

   - Your blog post with the above themes in mind

If you're interested, contact me.

I'm still thinking about this (not sure if I want to do it or not), but I'm
exploring the idea right now.

- David

-- 
David White
Founder & CEO

*Develop CENTS *
Computing, Equipping, Networking, Training & Supporting
Nonprofit Organizations Worldwide
http://developcents.com
423-693-4234

David Byrne:what if we rebuilt a spy-proof internet?

From: Rod 
------------------------------------------------------
What will life be like after the internet? Thanks to the mass surveillance  
undertaken by the National Security Agency and the general creepiness of  
companies like Google and Facebook, I've found myself considering this  
question. I mean, nothing lasts forever, right?

There's a broad tech backlash going on right now; I wonder just how deep  
the disillusionment runs. I get the feeling that there are folks out there  
who would relish putting the internet behind us sooner rather than later.  
Imagine that: even the internet could be a thing of the past one day. What  
would that be like? No Facebook. No Google. No government nerds looking  
through your webcam.

But could we become more secure without abandoning the internet? What if  
there's a third way? One that doesn't involve either passive resignation  
to being exploited or a Luddite smash-the-looms fantasy. What if we began  
to develop and encourage the adoption of machines and a network that are  
actually secure – through which neither thieves, corporations, nor the NSA  
could track us – and what if these could be configured by us, to really do  
what we want them to do? To stop the spying, stealing and monitoring, but  
to allow other things to continue.

What would that look like?

http://www.theguardian.com/commentisfree/2014/mar/24/david-byrne-nsa-rebuild-secure-internet

-- 
The unregulated free market is like Yog-Sothoth, a mythical being whose  
followers make bloody sacrifice to hasten its arrival to this world.

Using Opera's mail client: http://www.opera.com/mail/

penetrate me!

From: William Roush 
------------------------------------------------------
I've dealt with pentesters before, it's kind of aggravating when I have 
working exploits they don't find and we're forking over tons of money 
for them to go on some tangent that results in nothing... :\

Though as I understand it the market is going the way of SEO and the 
like, once valid, now full of a lot of people that barely know how to do 
it and will just run the same tools you found and charge you insane 
amounts of money for it.

Your client will probably want someone that can rubber stamp a pen test 
on you, so sadly it'll take more than someone that just /knows/ security 
but can give you the paperwork to back it up and a company name.

William Roush
william.roush@roushtech.net
423-463-0592

http://www.roushtech.net/blog/


On 3/27/2014 12:58 AM, Ed King wrote:
> Our "network administrator" at the main office quit over a year ago 
> and a replacement was never hired.
> http://www.linkedin.com/pub/christopher-silver/7/6a8/341
>
> Our "network administrator" at our "NOC" quit over a year ago and 
> never got replaced.
> www.linkedin.com/in/mlaman
>
> Our "phone system guy" quit a year ago, a replacement was hired, but 
> I've seen him, like, once.  When the phone/fax systems goes down, they 
> call ME.
> http://www.linkedin.com/profile/view?id=49461976
>
> So guess what?  I and one of the other programmers on my team 
> inherited all these extra support duties (without a single f'ing penny 
> of a pay raise, mind you).
>
> We inherited hardware and software that hasn't been updated in years 
> (insert career-damaging-but-painfully-true 
> my-boss-is-a-cheap-bastard-and-doesn't-spend-money-on-upgrades comment 
> here)
>
> We know basic firewall, iptables, am mindful of sql injection, can 
> install/run/monitor virus scanners etc, but we are not security 
> experts nor do we play one on t.v.
>
> If this situation wasn't stressful enough, it has now come to a boil 
> as a potential (big!) client "demands" proof of pen testing before 
> they will let us host their data.    At this point I'm spread way too 
> thin and told my boss today that he needs to crack open that wallet 
> and hire an outside pen tester.    Anyone on the list "qualified" to 
> do it?    Willing to work for peanuts?
>
> What defines a qualified pen tester?  I see what appears to be "free" 
> software I could download and run myself, if I was inclined to take on 
> more responsibility w/o pay.    I suppose this free software would be 
> a "good start" but is a pen test done by an "internal" employee good 
> enough for the client, I doubt it.

OT bugs and code quality

From: Christopher Rimondi 
------------------------------------------------------
For those of you who are on/lead teams of developers or engineers, what do you
do to keep everyone focused on reducing bugs and thinking through the impact
of changes? I get there is a lot that can be done with unit and integration
testing and formal QA. However, what I am asking centers more on keeping
quality front and center in the team's mindset.

There is probably no easy answer to this but, how do you separate bugs that
are caused from "moving fast/meeting deadlines" versus we probably should
have caught this one?

-- 
Chris Rimondi | http://twitter.com/crimondi | securitygrit.com