In Schweden sind immer noch Unruhen.

Es gibt jetzt überraschend ein akademisches Paper, in dem halbwegs unabhängige Wissenschaftler zu dem Ergebnis kommen, dass an Rossis "Kalte-Fusion-Reaktor" was dran ist. Vielleicht gibt es ja doch noch Hoffnung.

Die BBC interviewt einen angeblichen Kumpel der Soldatenmörder von London. Der erklärt ihnen, MI5 habe die beiden anzuwerben versucht. Daraufhin wird er noch auf dem BBC-Gelände festgenommen. Ich bin mir sicher, das ist alles total rechtstaatlich und niemand hat da irgendwas peinliches zu verbergen.

Wie kommt das eigentlich, das Disinformation funktioniert? Hier erklärt das mal jemand schön.

In the last couple of weeks, I installed a lot of different Ubuntu-based distros on my system(s). There was Ubuntu 13.04, Xubuntu 13.04, Linux Mint MATE and Crunchbang Linux. The distro I liked most was Xubuntu 13.04, but somehow, it was still too much of stuff pre-installed that I don’t need or even like. While it was pretty comfortable to work with xfce4, I like Openbox more. I even like i3wm more, but that’s another story. On the ThinkPad, I had installed Xubuntu 13.04 and equipped it right after the installation with Openbox, tint2 and conky (I posted about it previously). I’m now using this setup for a week and this is for a long time the best OS in my eyes since I was using OS X as the one-and-only system years ago. I’m superhappy how well it works on the ThinkPad. For work, I run Ubuntu 12.10 on this laptop, and I get around 2h’s when working on the battery. Running my own Xubuntu/Openbox setup increases the battery life to up to 4h+. Of course, as a YouTube addicted one, I quickly decrease the available power by showing videos about vim, different linux (mainly console-based) tools and also flight/flight-sim stuff. However, it works much better with my setup than with the more or less stock Ubuntu (I’ve simply installed the gnome-session-fallback package as I don’t like Unity).

When I read stuff about how to configure stuff (especially for tint2 or conky), I often read on the ArchWiki. It’s with UbuntuUsers-Wiki the best (in my mind) out there. So the question came up, why don’t I use Arch? Ubuntu (or Canonical) is on the best way to become evil with their ways to handle things (maybe not as evil as Google or Apple, but still – I often hear complains).

The reason why I still use and will continue to use Ubuntu for my own computers is that I work with them all-day-long. I’m simply rid of different systems at work and at home. I had this when working for Cisco or Medion, Windows there, Mac at home, or Linux… I’ve now switched completely to Linux and I’m also a bit proud of that. I admit, Arch could be the better Linux for me as there is a very active community who develops stuff, especially when it comes to “pimping” desktops, but as mentioned before – I’m happy to work on the same system now. Workstation, server at home and laptop and more (;)) at work. So that’s why I’ve chosen Ubuntu for this post.

So what is this post about? Well, it’s nothing less then setup a Ubuntu-based setup on your own. Let’s get started!

As base system, I don’t use Ubuntu Desktop. Unfortunately, Canonical has dropped the “Alternate” installation ISOs (or I simply was to blind to find it) – however, I’m gonna use the current server ISO, which is by today Ubuntu Server 13.04.

Part 1 – Installation of the base system

I’ve created a VirtualBox VM to do the steps again and to be able to show you some screenshots.

A very important (in my mind) setting in VirtualBox is to set the NIC to “bridged adapter”. But that is only important if you want to install in VirtualBox, too.

I’ve started the installation and get the the first point of options:

I simply chose “Install Ubuntu Server” here and let it install in the English version (because I blog in English). I then select English as system language and chose (for my own pleasure) the German keyboard. Now it will take some time until some drivers will be loaded and the network autoconfiguration has done it’s job. In my case it failed to use my DHCP (which I guess has to do with my old FritzBox in the basement (I will move DHCP & DNS to an own Alix server in the near future)). So I configure this by hand.

When this is done – I have to give the system a name. I name it “ubuntu-from-scratch”.

I will not use a domain name now, because the new DNS server is not yet set up. I will leave this blank.

my “Full Name” should be Ubuntu User…

and my username is ufs (for Ubuntu from scratch).

Now I have to create a password for my user.

I have to type it twice to be sure I haven’t typed it wrong and then can not login.

Encryption of the home folder (or the whole system) makes sense if you deal with sensible data and/or you use a mobile device. I’ve of course encrypted the whole OS on the ThinkPad, but in this VM, it does not make a lot sense for me, so I’ll skip it.

The Ubuntu setup tries to find the correct timezone. This one is right for me.

The disk setup is much easier today, compared to the very first installation I tried when I was a teenager back in 1993 and I played with very early versions of Slackware (and had very bad experience with the partition schemes ). In my workstation, I have 2 SSDs, a 80GB Intel which I use for the root “/” and a 240GB OCZ which I use for “/home”. I use ext4 on both. In this VM, I simply chose “Guided – use entire disk”.

I accept this and let it write the partition table to the disk. Please note that this will DELETE all your existing data on the disk!

The main installation will now be executed and will take a moment or two, grab coffee/coke/whatever you like and relax for a moment.

If you don’t have a proxy server (normally the case if in private conditions), you can simply skip this message and let apt do it’s work. It will download some data from the web which will, depending on your bandwidth, also take a moment – but hey – you’ve something to drink, don’t you?

Next, the question appears of you want to install updates on your own OR do you want to install them automatically. I’ve been working for years with Windows and I always hated this automatic updates, so I do it on my own, but I’m disciplined enough to do the updates on my own from time to time. Your choice!

In the software selection, I just select “OpenSSH server” – I’ll do the rest by hand later on, when the system is installed.

Guess what – it takes a moment to install

Yes, we want GRUB to be installed to the master boot loader – this is the last step of the configuration – and the fun can begin!

Remove the CD and let the system reboot into your fresh installed Linux.

Part 2 – Setting up the graphical environment

Hopefully you still remember your login & password! Login now.

Oh! Look – there are some updates. Unlike the Debian netinstalled, Ubuntu does not load current files from the web while the installation (I guess there is an ISO for that…), but this is a good moment to show you how to update your system.

$ sudo apt-get update

You will be asked for your password again. Your user HAS superuser-rights by using the sudo command. Enter your own password again, and the system will do the work as root-user. Be careful with sudo.

Once this is done, we’ve updates the repository list. That means that your system had an updated list of available packages on the repositories that you can use.

We gonna upgrade your system – pretty sure we’ll receive a current Linux kernel and updates for installed system software. No worries – this is pretty easy

$ sudo apt-get dist-upgrade -y

The -y at the end simply tells apt-get to allow to download additional software and to install it. If we don’t use this parameter, if could become pretty annoying to type “Y” several times. Also, it works and let your leave the computer for a moment.

Depending on your bandwidth – this will take a while. Once you’re back at the prompt, I recommend to reboot the system, mostly because a fresh kernel is one of the very rare reasons to reboot a Linux system.

$ sudo reboot

Once your system is rebooted, login and let’s install the graphical environment.

We gonna install Xorg in it’s latest (in the repo) available version as well as xinit and the window manager Openbox.

pre class=”lang:default decode:true ” >$ sudo apt-get install xorg xinit openbox -y

See? We use -y again. This will download A LOT of data and install it. Hope you drink isn't too cold/too warm yet?

Done! Now we have the graphical environment installed (well, the basics). We can try and launch it!

$ startx

You don't see much, don't you? No worries - if you see a grey background and the black cursor, you're in the graphical environment. Press the right mouse button to access the menu.

Click the entry "Terminal emulator" and you will be presented - by a terminal. Yeah! More white on black.

Part 3 - Multimedia

It's time to install some additional stuff like audio support and xcompmgr.

$ sudo apt-get install alsa-base alsa-utils alsa-tools-gui xfce4-mixer xfce4-volumed -y

If the software is installed, go and run alsamixer - it will show you if the soundcard was detected - press F6 to display some more information about the default soundcard in your system. You can increase the volume by using the cursor up key on the Master line. Hit "ESC" to leave.

A good way to test your soundcard is to install a browser and the Flash-Plugin and visit YouTube.

$ sudo apt-get install chromium-browser flashplugin-installer -y

This will also install a lot of additional libs - but no worries - that's fine. You can launch the browser by typing:

$ chromium-browser

Go to YouTube and play a video with sound.

You don't hear sound, don't you? No problem. The sound channels are not yet activated, even if the volume is set. Launch the xfce4-mixer to fix this:

Now it should work

Here's a quick way to install the Video LAN Manager, my personal favourite video player on Linux (which gave me nightmares back in 2003 when installing it on Fedora Core 2 )

Today - luckily - it's much much easier - just 1 line:

$ sudo apt-get install vlc -y

Part 4 - xcompmgr and Openbox basic settings

I would recommend to install drivers for your graphics card before you continue.

AMD Radeon
It's pretty easy for the Radeon cards:

$ sudo apt-get install fglrx fglrx-updates -y

Once you've rebooted, you should launch the amdcccle and activate this option:

nVidia

$ sudo apt-get install nvidia-current -y

I can't give you more hints for nVidia cards, as I switched to Radeon cards, which have by now the better drivers. I'm not alone with this idea

xcompmgr
The xcompmgr is what compiz is for other desktops like Gnome, KDE etc. - it works pretty easy but has a very weird line of parameters to launch it correct.

$ sudo apt-get install xcompmgr -y

To test the installation, I use terminator, a very nice terminal emulator which supports native transparency. A reason why this helps me to test if xcompmgr works is that the native transparency under Openbox only works if xcompmgr is correct launched.

$ sudo apt-get install terminator -y

Launch terminator by typing:

$ terminator

Do a right-click on the terminator window and click settings...

...then open the tab Profiles -> Background and set it to 0.5 - activate the "Transparent background" option above and close the window. Close terminator.

Now, we have to launch xcompmgr with the right parameter and launch terminator again to see if native transparency works.

$ xcompmgr -cC -t-5 -l-5 -r4.2 -o.55 &

Launch terminator again:

$ terminator

Of course, 0.5 is a bit to transparent, but it helps to see if it works better. I normally run it with 0.8 to 0.9.

Openbox
We want that this loads up every time we launch our setup. So we gonna create a bash file:

$ echo "xcompmgr -cC -t-5 -l-5 -r4.2 -o.55 &" > ~/compiz
$ chmod +x compiz

Now we need to tell Openbox to run this file on every launch:

$ mkdir ~/.config/openbox
$ echo "~/compiz &" >> ~/.config/openbox/autostart

To test this, we simply exit Openbox and relogin. Do a right-click somewhere on the background and select "Exit", then:

$ startx

Do a right-click on the background and select "Terminal emulator" which is now by default terminator. Do it twice and move one window above the other.

Part 5 - making Openbox more comfortable

Now that we have the painful stuff set up fine, we can relax and set up Openbox. We for sure want to be able to run a tool without having to launch it from the terminal every time. This means we can should do two things:

1. Configure our Openbox menu
2. Create a shortcut for the standard Alt+F2 to run applications

Openbox menu
We have to install a tool to configure the menu - or we should simply edit the config files using vi. I guess people who now vi will be able to do this on their own, so I show you the GUI way.

$ sudo apt-get install obmenu -y
$ obmenu &

Expand the "Openbox 3" entry and feel free to add new entries of delete old ones. You will notice that the "Web browser" will launch, because the system has set it as x-www-browser (it's the only one). If you go and install more, you could add more to this menu. So we go and create a new item for our chromium-browser and install firefox afterwards.

Click on the "Terminal emulator" to be on the right level, now click on "New item" on the menu above. The label is your choice, I use "Chromium", to make it shot. The Action is "Execute" (which is default). What we execute is "chromium-browser".

Hit the 3.5" FDD icon to save and create another New item with these values:
- Label: Firefox
- Action: Execute
- Execute: firefox

Save again and close obmenu. Do a right-click on the background and see if Firefox and Chromium appears. If not, click on "Reconfigure" blow.

Try launching Chromium. It works, doesn't it?

To run Firefox, we of course have to install it first.

$ sudo apt-get install firefox -y

If that's completed - try to launch Firefox from your Openbox menu. Now you know how to configure the menu!

Alt+F2 shortcut
Before we edit the Openbox-config-file, we need to install the programm that pops up and allows us to launch any program. There are different tools to do this job, but I've selected gmrun for this job. Feel free to install your own here.

$ sudo apt-get install gmrun -y

Try it works:

$ gmrun

Press ESC to stop it.

Next, we need to configure the Openbox config-file. This particular file is NOT yet in the right folder. We need to copy the example file over to this folder and edit it afterwards.

$ cp /etc/xdg/openbox/rc.xml ~/.config/openbox

To make it easier for beginners, we gonna install & use mousepad for editing (even if I personally prefer vim ).

$ sudo apt-get install mousepad -y
mousepad ~/.config/openbox/rc.xml

I've selected "Oblivion" from "View" -> "Color Scheme" and also activated "Line Numbers" - this will make it easier to edit the file.

Search for "Launch gnome-screenshot" and paste the following code below:

<keybind key="A-F2">
        <action name="Execute">
            <command>gmrun</command>
        </action>
    </keybind>

Save the file, close mousepad and reconfigure (right-click on the background and select "Reconfigure").

Press Alt+F2 and you should be see the gmrun box (or whatever tool you use).

Here is a shortcut that I personally love (seen in tiling managers like i3wm):

<keybind key="A-Return">
        <action name="Execute">
            <command>terminator</command>
        </action>
    </keybind>

This will launch a terminal everytime you press Alt+Enter. Very helpful if you use them a lot. Just place it below the Alt+F2 shortcut into your ~/.config/openbox/rc.xml.

Part 6 - Font Antialiasing
By default - Linux has not the nicest fonts, but I want them - and Ubuntu shows that this is possible. The trick is to install a package and add a config file.

$ sudo apt-get install gnome-settings-daemon -y

$ mkdir ~/.config/fontconfig
$ mousepad ~/.config/fontconfig/fonts.conf

Now, paste this XML-code into the file:

<?xml version='1.0'?>
<!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
<fontconfig>
 <match target="font">
  
  <edit mode="assign" name="rgba">
   <const>rgb</const>
  </edit>

  <edit mode="assign" name="hinting">
   <bool>true</bool>
  </edit>

  <edit mode="assign" name="hintstyle">
   <const>hintslight</const>
  </edit>

  <edit mode="assign" name="antialias">
   <bool>true</bool>
  </edit>

  <edit mode="assign" name="lcdfilter">
    <const>lcddefault</const>
  </edit>
 
 </match>
</fontconfig>

Exit Openbox and relaunch and you will be VERY surprised how much better your fonts will look (or even after installing, without restart).

Part 7 - (Optional) install Japanese fonts
This is pretty easy:

$ sudo apt-get install ttf-takao-mincho ttf-takao -y

Part 8 - Installing tint2
Tint2 is a taskbar - a very flexible and easy to configure one. You install it this way:

$ sudo apt-get install tint2 -y
$ tint2

Here is my config:

# Tint2 config file
# Generated by tintwizard (http://code.google.com/p/tintwizard/)
# For information on manually configuring tint2 see http://code.google.com/p/tint2/wiki/Configure

# Background definitions
# ID 1
rounded = 0
border_width = 0
background_color = #000000 100
border_color = #FFFFFF 16

# ID 2
rounded = 0
border_width = 0
background_color = #afd700 100
border_color = #FFFFFF 48

# ID 3
rounded = 0
border_width = 0
background_color = #FFFFFF 6
border_color = #FFFFFF 68

# ID 4
rounded = 0
border_width = 0
background_color = #ff8700 100
border_color = #FFFFFF 68

# Panel
panel_monitor = all
panel_position = bottom center horizontal
panel_size = 100% 18
panel_margin = 0 0
panel_padding = 0 0 0
panel_dock = 0
wm_menu = 0
panel_layer = top
panel_background_id = 1

# Panel Autohide
autohide = 0
autohide_show_timeout = 0.3
autohide_hide_timeout = 2
autohide_height = 2
strut_policy = follow_size

# Taskbar
taskbar_mode = single_desktop
taskbar_padding = 0 0 0
taskbar_background_id = 0
taskbar_active_background_id = 0

# Tasks
urgent_nb_of_blink = 3
task_icon = 0
task_text = 1
task_centered = 0
task_maximum_size = 100 35
task_padding = 6 2
task_background_id = 3
task_active_background_id = 2
task_urgent_background_id = 4
task_iconified_background_id = 3
task_tooltip = 0

# Task Icons
task_icon_asb = 70 0 0
task_active_icon_asb = 100 0 0
task_urgent_icon_asb = 100 0 0
task_iconified_icon_asb = 70 0 0

# Fonts
task_font = sans 7
task_font_color = #FFFFFF 68
task_active_font_color = #005f00 100
task_urgent_font_color = #870200 100
task_iconified_font_color = #FFFFFF 68
font_shadow = 0

# System Tray
systray = 1
systray_padding = 0 4 5
systray_sort = ascending
systray_background_id = 0
systray_icon_size = 16
systray_icon_asb = 70 0 0

# Clock
time1_format = %H:%M
time1_font = sans 7
#time2_format = %A %d %B
##time2_font = sans 6
clock_font_color = #FFFFFF 74
clock_padding = 1 0
clock_background_id = 0
clock_rclick_command = orage

# Tooltips
tooltip_padding = 2 2
tooltip_show_timeout = 0.7
tooltip_hide_timeout = 0.3
tooltip_background_id = 1
tooltip_font = sans 8
tooltip_font_color = #000000 80

# Mouse
mouse_middle = none
mouse_right = none
mouse_scroll_up = none
mouse_scroll_down = none

# Battery
battery = 0
battery_low_status = 15
battery_low_cmd = notify-send "battery low"
battery_hide = never
#bat1_font = DejaVu Sans 6
bat2_font = DejaVu sans 6
battery_font_color = #FFFFFF 74
battery_padding = 1 0
battery_background_id = 0

# End of config

I don't like the rounded corners in that case - and so I've modified the default tint2rc

To launch tint2 when Openbox startx, add it to the autostart file:

$ echo "tint2 &" >> ~/.config/openbox/autostart

Part 9 - Themes
Of course, Openbox has themes. It also has an own tool to change them:

$ obconf

I personally prefer "Carbon" - but that's taste

Part 10 - Recommended tools

(the name is also the package name)

$ sudo apt-get install [PACKAGE] -y

Filemanager: thunar
Chatclient: pidgin
RAW-Editing: darktable
Graphic-Editing: gimp
Twitter-Client: turpial
FTP-Client: filezilla
Multimedia: vlc
Screenshooter: xfce4-screenshooter
Calculator: gnome-calculator

Resumé
It's not as hard as I thought to setup an Ubuntu from scratch as I thought. I hope these instructions will help you to setup your own Unity-free desktop and make you work with it fun. It finally helped me to do the last step from Windows and OS X to Linux.

I will post much more on how to make Openbox the perfect window manager in the near future. We don't have a wallpaper yet, maybe we want a graphical login? And what about themes and icons for thunar? Stay tuned ^^

Here is a little teaser - a photo I've taken today from my triple-head setup, where I run SLiM as login manager.

Now that our regular user is allowed to execute incrontab, let’s fire it up and look at the denials to build up the policy.

$ incrontab --help

That doesn’t show much does it? Well, if you look into the audit.log (or avc.log) file, you’ll notice a lot of denials. If you are developing a policy, it is wise to clear the entire log and reproduce the “situation” so you get a proper idea of the scope.

# cd /var/log/audit
# > audit.log
# tail -f audit.log | grep AVC

Now let’s run incrontab –help again and look at the denials:

type=AVC msg=audit(1368707274.429:28180): avc:  denied  { read write } for  pid=7742 comm="incrontab" path="/dev/tty2" dev="devtmpfs" ino=1042 scontext=user_u:user_r:incrontab_t tcontext=user_u:object_r:user_tty_device_t tclass=chr_file
type=AVC msg=audit(1368707274.429:28180): avc:  denied  { use } for  pid=7742 comm="incrontab" path="/dev/tty2" dev="devtmpfs" ino=1042 scontext=user_u:user_r:incrontab_t tcontext=system_u:system_r:getty_t tclass=fd
type=AVC msg=audit(1368707274.429:28180): avc:  denied  { use } for  pid=7742 comm="incrontab" path="/dev/tty2" dev="devtmpfs" ino=1042 scontext=user_u:user_r:incrontab_t tcontext=system_u:system_r:getty_t tclass=fd
type=AVC msg=audit(1368707274.429:28180): avc:  denied  { use } for  pid=7742 comm="incrontab" path="/dev/tty2" dev="devtmpfs" ino=1042 scontext=user_u:user_r:incrontab_t tcontext=system_u:system_r:getty_t tclass=fd

You can start piping this information into audit2allow to generate policy statements, but I personally prefer not to use audit2allow for building new policies. For one, it is not intelligent enough to deduce if a denial should be fixed by allowing it, or by relabeling or even by creating a new type. Instead, it always grants it. Second, it does not know if a denial is cosmetic (and thus can be ignored) or not.

This latter is also why I don’t run domains in permissive mode to see the majority of denials first and to build from those: you might see denials that are actually never triggered when running in enforcing mode. So let’s look at the access to /dev/tty2. Given that this is a user application where we expect output to the screen, we want to grant it the proper access. With sefindif as documented before, we can look for the proper interfaces we need. I look for user_tty_device_t with rw (commonly used for read-write):

$ sefindif user_tty_device_t.*rw
system/userdomain.if: template(`userdom_base_user_template',`
system/userdomain.if:   allow $1_t user_tty_device_t:chr_file { setattr rw_chr_file_perms };
system/userdomain.if: interface(`userdom_use_user_ttys',`
system/userdomain.if:   allow $1 user_tty_device_t:chr_file rw_term_perms;
system/userdomain.if: interface(`userdom_use_user_terminals',`
system/userdomain.if:   allow $1 user_tty_device_t:chr_file rw_term_perms;
system/userdomain.if: interface(`userdom_dontaudit_use_user_terminals',`
system/userdomain.if:   dontaudit $1 user_tty_device_t:chr_file rw_term_perms;
system/userdomain.if: interface(`userdom_dontaudit_use_user_ttys',`
system/userdomain.if:   dontaudit $1 user_tty_device_t:chr_file rw_file_perms;

Two of these look interesting: userdom_use_user_ttys and userdom_use_user_terminals. Looking at the API documentation (or the rules defined therein using seshowif) reveals that userdom_use_user_terminals is needed if you also want the application to work when invoked through a devpts terminal, which is probably also something our user(s) want to do, so we’ll add that. The second one – using the file descriptor that has the getty_t context – is related to this, but not granted through the userdom_use_user_ttys. We could grant getty_use_fds but my experience tells me that domain_use_interactive_fds is more likely to be needed: the application inherits and uses a file descriptor currently owned by getty_t but it could be from any of the other domains that has such file descriptors. For instance, if you grant the incron_role to sysadm_r, then a user that switched roles through newrole will see denials for using a file descriptor owned by newrole_t.

Experience is an important aspect in developing policies. If you would go through with getty_use_fds it would work as well, and you’ll probably hit the above mentioned experience later when you try the application through a few different paths (such as within a screen session or so). When you think that the target context (in this case getty_t) could be a placeholder (so other types are likely to be needed as well), make sure you check which attributes are assigned to the type:

# seinfo -tgetty_t -x
   getty_t
      privfd
      mcssetcats
      mlsfileread
      mlsfilewrite
      application_domain_type
      domain

Of the above ones, privfd is the important one:

$ sefindif privfd.*use
kernel/domain.if: interface(`domain_use_interactive_fds',`
kernel/domain.if:       allow $1 privfd:fd use;
kernel/domain.if: interface(`domain_dontaudit_use_interactive_fds',`
kernel/domain.if:       dontaudit $1 privfd:fd use;

So let’s update incron.te accordingly:

...
type incron_spool_t;
files_type(incron_spool_t)

###########################################
#
# incrontab policy
#

userdom_use_user_terminals(incrontab_t)
domain_use_interactive_fds(incrontab_t)

Rebuild the policy and load it in memory.

If we now run incrontab we get the online help as we expected. Let’s now look at the currently installed incrontabs (there shouldn’t be any of course):

$ incrontab -l
cannot determine current user

In the denials, we notice:

type=AVC msg=audit(1368708632.060:28192): avc:  denied  { create } for  pid=7968 comm="incrontab" scontext=user_u:user_r:incrontab_t tcontext=user_u:user_r:incrontab_t tclass=unix_stream_socket
type=AVC msg=audit(1368708632.060:28194): avc:  denied  { read } for  pid=7968 comm="incrontab" name="nsswitch.conf" dev="dm-2" ino=393768 scontext=user_u:user_r:incrontab_t tcontext=system_u:object_r:etc_t tclass=file
type=AVC msg=audit(1368708632.062:28196): avc:  denied  { read } for  pid=7968 comm="incrontab" name="passwd" dev="dm-2" ino=394223 scontext=user_u:user_r:incrontab_t tcontext=system_u:object_r:etc_t tclass=file

Let’s first focus on nsswitch.conf and passwd. Although both require read access to etc_t files, it might be wrong to just add in files_read_etc (which is what audit2allow is probably going to suggest). For nsswitch, there is a special interface available: auth_use_nsswitch. It is very, very likely that you’ll need this one, especially if you want to share the policy with others who might not have all of the system databases in local files (as etc_t files).

...
domain_use_interactive_fds(incrontab_t)
auth_use_nsswitch(incrontab_t)

Let’s retry:

$ incrontab -l
cannot read table for 'user': Permission denied

# tail audit.log
type=AVC msg=audit(1368708893.260:28199): avc:  denied  { search } for  pid=7997 comm="incrontab" name="spool" dev="dm-4" ino=20 scontext=user_u:user_r:incrontab_t tcontext=system_u:object_r:var_spool_t tclass=dir

So we need to grant search privileges on var_spool_t. This is offered through files_search_spool. Add it to the policy, rebuild and retry.

$ incrontab -l
cannot read table for 'user': Permission denied

# tail audit.log
type=AVC msg=audit(1368709146.426:28201): avc:  denied  { search } for  pid=8046 comm="incrontab" name="incron" dev="dm-4" ino=19725 scontext=user_u:user_r:incrontab_t tcontext=root:object_r:incron_spool_t tclass=dir

For this one, no interface exists yet. We might be able to create one for ourselves, but as long as other domains don’t need it, we can just add it locally in our policy:

allow incrontab_t incron_spool_t:dir search_dir_perms;

Adding raw allow rules in a policy is, according to the refpolicy styleguide, only allowed if the policy module defines both the source and the destination type of the rule. If you look into other policies you might also find that you can use the search_dirs_patter call. However, that one only makes sense if you need to do this on top of another directory – just look at the definition of search_dirs_pattern. So with this permission set, let’s retry.

$ incrontab -l
no table for user

Great, we have successfully updated the policy until the commands worked. In the next post, we’ll enhance it even further while creating new incrontabs.

A few months ago, I warned readers that a glaring privacy weakness in voice-over-IP telephony service Skype allows anyone using the network to quickly learn the Internet address of any other Skype user. A new beta version of the popular Microsoft program appears to have nixed that privacy leak with a setting that restricts this capability to connections in your Skype contacts only.

As I wrote on March 21, 2013,  number of services have emerged to help snoops and ne’er-do-wells exploit this vulnerability to track and harass others online. For example, an online search for “skype resolver” returns dozens of results that point to services (of variable reliability) that allow users to look up the Internet address of any Skype user, just by supplying the target’s Skype account name.

The resolvers can look up the IP address of any Skype user — whether or not that user is in your contacts list or even online at the time of the lookup. What’s more, resolver services frequently are offered in tandem with “booter” or “stresser” services, essentially sites that will launch denial-of-service attacks against a target of your choosing.

Apparently in response to this problem, Microsoft has added a new option to its Skype 6.5 Beta, released April 30, that allows users to allow direct connections to your contacts only. The information tab on this option, found under Skype->Options->Connection, says “When you call someone who isn’t a contact, we’ll keep your IP address hidden.”

I pinged Microsoft for an answer as to whether this feature was designed to plug the privacy leak exposed by resolver services. The company declined to say specifically what it may have changed about the Skype network and/or its software to address this problem, but it attributed the following emailed statement to a “Skype spokesperson;”

“Skype for Windows Beta 6.5 and Mac 6.4 now offer the option to prevent people not on your contact list from viewing your IP address. With this beta program, only your contacts will be able to access this information. We are allowing users to test this new security function and welcome any feedback as we continue to improve the communication experiences on Skype.”

I tested this beta version of Skype against a free Skype resolver service that has been reliable in the past at looking up IP addresses tied to specific Skype accounts. When I ran it against my everyday account using and older version of Skype, it successfully found my home IP. When I created a new Skype account with the Skype 6.5 beta on a separate machine, enabled the privacy feature and then tried the lookup again, it failed to locate my IP.

I should note that some Skype resolvers will cache previous lookups. That means if your Skype username has previously been looked up at a Skype resolver service, that service may show the correct IP for your Skype username if your IP address hasn’t changed since the last lookup.

Hardly a week goes by when I don’t hear from some malware researcher or reader who’s discovered what appears to be a new sample of malicious software or nasty link that invokes this author’s name or the name of this blog. I’ve compiled this post to document a few of these examples, some of which are quite funny.

Take, for example, the login panel for “Betabot“: Attempt to log in to this malware control panel with credentials that don’t work and you’ll be greeted with a picture of this author, accompanied by the following warning: “Enter the correct password or I will write a 3-part article on this failed login attempt.”

The coders behind Betabot evidently have several versions of this login panel warning: According to a threat intelligence report being released tomorrow by RSA, the latest iteration of this kit uses the mugshot from my accounts at Twtter (follow me!) and Facebook (like it!).

As first detailed by Sophos’s award-winning Naked Security blog, the code inside recent versions of the Redkit exploit kit includes what appears to be a message blaming me for…well, something. The message reads: “Crebs, its [sic] your fault.”

The one I probably hear about most from researchers is a text string that is built into Citadel (PDF), an offshoot of the ZeuS banking trojan botnet kit that includes the following reference: “Coded by BRIAN KREBS for personal use only. I love my job and my wife.”

Those are just the most visible examples. More commonly, if Yours Truly is invoked in the name of cybercrime, it tends to show up in malicious links that lead to malware. Here are a few just from the past couple of weeks:

hxxp://hecked-by-brain-krebs.biz/.h/.t/.t/.p/install, a sanitized version of a site that is foisting malware, according to link checkers from 7 out of 39 antivirus vendors at Virustotal. The malware foisted by this link is detected as nasty by malware scans from 33 out of 47 vendors at Virustotal.

Security blogger Kafeine has been chronicling the emergence of an exploit kit variously named “Stamp EK” and “SofosFO” which has apparently added my surname to a URL generator for new malware links. Here’s a screenshot of what that looks like (avoid visiting the IP addresses or URLs shown in the image below unless you know what you’re doing).

Kafeine also shared some information about Citadel botnet controllers recently found invoking my name, including this one (“mudak” is transliterated Russian for “fuc*er).

While not strictly malware-related, the references to this blog and author that have been reported most frequently by readers over the past few weeks come from an Internet meme that someone started about a month ago, using Memegenerator.net. Some of these are a bit crude, but a few of them made me laugh out loud. I’m sure the act of just blogging about this meme will cause more entries to be added (there are currently four pages worth).

To some extent, this silliness has been going on for several years now. In June 2011, someone hacked a news site and planted a story falsely claiming that F-Secure researcher Mikko Hypponen and I had been arrested for selling stolen credit cards. That same month, a Trojan downloader which peddled adult Web sites included a reference that I had somehow gotten married to security blogger Dancho Danchev.

In 2010, Fortinet found a variant of the spam botnet installer Pushdo that was controlled by a domain name called “fuckbriankrebs.com.” In 2009, Sophos wrote about a new email malware campaign disguised as an alert about a wayward DHL package: The message included a “tracking number” that was essentially the same sentiment, only spelled backwards.

Update, 1:31 p.m. ET: Updated the screen shot used in Kafeine’s example.

Die Australische Polizei macht sich Sorgen vor 3d-Printer-Pistolen und hat das mal ausprobiert. Sie ist ihnen um die Ohren geflogen beim Testen. Ich würde die Vermutung wagen, dass sie nachgeholfen haben, um Unsicherheit bei der Zielgruppe zu streuen. Aber selbst wenn nicht. Ich würde mir viel mehr Sorgen um sowas hier machen. Wie wohl die Gesetzeslage in Australien so ist? Ich vermute mal, das wird kein Land wirklich effektiv verhindern können, dass man sich dan eben die Teile ordert und selbst zusammenbaut. Ich dachte immer, die Teile könne man gar nicht einzeln kaufen. Denn wenn man das kann, ergibt ja der ganze Zirkus mit Background Checks und Seriennummern überhaupt keinen Sinn.

Oh gucke mal! Die Botschaft ist offensichtlich angekommen: Apple erhöht ihre Lobby-Ausgaben. Soll mal jemand sagen, Kriminalität lohnt sich nicht!

Die Infrastruktur in den USA ist ja eh furchtbar marode, weil die Bevölkerung sich so nachhaltig gegen Steuererhöhungen auf das Niveau anderer Industrienationen wehrt, dass es eben keine Budgets für irgendwas gibt. Und das Geld, das reinkommt, geben sie lieber für Militär aus. Viele US-Bundesländer haben die Wartung von Highways und Brücken und so dann über massive Verschuldung "gelöst", Washington State aber hat dann halt nicht repariert. Vielleicht war die Idee, dass die Leute angesichts des Elends dann ihren Widerstand gegen Steuererhöhung aufgeben würden. Wenn das so war, hat es nicht funktioniert. Im Gegenteil. Die Leute argumentieren jetzt eher noch schärfer gegen Steuererhöhungen, weil sie in ihrer persönlichen Erfahrung sehen können, dass die Kohle eh nicht da ausgegeben wird, wo es gebraucht würde oder ihnen nutzt.

Und so kommt es in Washington State immer wieder zu spektakulären Unglücken mit Brücken. Aktuell ist eine zentrale Highwaybrücke zwischen Seattle und Kanada eingestürzt. Als Ursache hieß es erst, naja, die war halt marode ("sufficiency rating 57.4 of 100"), aber jetzt heißt es, da sei ein Laster gegen einen Streben gekommen.

Auch ansonsten gibt es immer wieder peinliche Brückenprobleme. Hier ist die I-90-Brücke über Lake Washington. Auch dieses berühmte Video kommt aus Washington State. Und die gerade erst neu gebaute 520-Brücke haben sie auch schon wieder verkackt. Lustigerweise gibt es in den USA die Regelung nicht, dass man Straßen und Brücken und so nicht nach lebenden Menschen benennen darf, und so hat die Gouverneurin, unter der die Brücke gebaut wurde, die gleich nach sich selbst benannt. Das ist dann natürlich gleich nochmal doppelt peinlich, wenn da dann der übliche Baupfusch entdeckt wird :-)

Pünktlich zum Start der Tornodasaison fällt der Haupt-Wettersatelit der Amerikaner aus.

Pictures

Mir ist der offizielle last.fm Client wegen seiner Abhängigkeiten zu QT4 wieder mal tierisch auf den Senkel gegangen denn das passt so garnicht in meinen schön gepflegten GTK/Xfce Desktop. Zum Glück hab ich dann aber Vagalume gefunden. Eine wirklich tolle Applikation die auch meine hochgeliebten Last.fm Radios spielen kann doch leider ist der noch so neu, dass man ihn nicht in den Ports findet. Also die Fußballsocken hochgekrempelt und selber gemacht. Das Resultat nach knapp 2h sieht schon brauchbar aus.

Anforderungen

Die Vorgaben sind für 2008 wohl relativ leicht nachvollziehbar. Ich brauch einen Router der wirklich 1GBit routen kann, mindestens 4x 1GBit Netzwerke bedient, möglichst wenig Strom verbraucht (weniger als 35W im Idle) und unter einem BSD läuft. Der Preis spielt natürlich auch eine Rolle aber bei den heutigen Hardwarepreisen war mir der Stromsparaspekt wichtiger.

Stromsparende Hardwareauswahl

 Undervolting

Ergebnis

Pictures

 

Die Entstehung

Die Software ist der Schlüssel

Der schwierige Weg an die Spitze

 

Die Probleme

Die "neue" Community

Das Ende

It's not true anymore that FreeBSD does not support any DVB-S devices. Thanks to the work of Hans Petter Selasky on video4bsd there are now DVB-S/2 devices for USB that just work.

• http://www.linuxtage.at/gallery/index.html - Official Pictures
• http://glt10.flo.cx/index.php?spgmGal=Grazer_Linuxtage_2010 - More Pictures
• http://blog.frozen-zone.org/2010/04/linuxday-in-graz/

Over the weekend we had a few hungarian beers at the BSDDay in Budapest together with other FreeBSD developers. It was well organized and a good opportunity to talk to interested students. I'm definitely looking forward to next years BSDDay.

• http://graz.bsdstammtisch.at/2010/11/24/pictures-from-the-bsdday-2010/

A few weeks ago we had the BSDDay 2011 in Bratislava with a lot of interesting talks and cheap beer. Follow the link to the trip report and a few pictures from the event.

• http://graz.bsdstammtisch.at/2011/11/17/trip-report-bsdday-2011-in-bratislava/

• access to all redports building machines (more power!)
• parallel builds on multiple boxes
• archived buildlogs
• run QAT jobs for multiple FreeBSD versions/architectures
• nice web frontend with RSS feeds and the usual modern stuff
• you still get mails of course

• http://www.golem.de/0905/66952.html
• http://ivoras.sharanet.org/blog/tree/2009-05-06.virtualbox-on-freebsd.html
• http://www.pro-linux.de/news/2009/14155.html
• http://miwi.bsdcrew.de/2009/05/virtualbox-on-freebsd-first-screenshots/

There will be a FreeBSD booth (booth #21) in the Expo area at Texas LinuxFest, to be held at the AT&T Conference Center in Austin, Texas on Saturday June 1. Registration is required for this event at a cost of $25 or $55.

Stop by the booth to discuss the Foundation's projects, check out the cool swag, or to make a donation to the FreeBSD Foundation.

Funktioniert! Die Einrichtung war eine Sache von zehn Minuten. Ich verwende das Munin-Plugin von Christian Weiske und gehe davon aus, dass ich in Zukunft noch weitere Sensoren in der Wohnung verteilen werde.

Die andere Lösung habe ich aufgrund von Problemen mit dem Shellskript noch nicht zum Laufen bekommen.

Wenn man Smokeping mit TCPPing zum Laufen bekommen möchte, sollte man beachten, dass es unter Debian zwei Versionen von tcptraceroute gibt. Eine, für die man Root-Rechte benötigt, und eine für die man keine benötigt. Für Smokeping braucht man die zweite.

The next step after having a basic skeleton is to get incrontab running. We know however that everything invoked from the main daemon will be running with the rights of the daemon context (unless we would patch the source code, but that is beyond the scope of this set of posts). As a result, we probably do not want everyone to be able to launch commands through this application.

What we want to do is to limit who can invoke incrontab and, as such, limit who can decide what is invoked through incrond. First of all, we define a role attribute called incrontab_roles. Every role that gets this attribute assigned will be able to transition to the incrontab_t domain.

We can accomplish this by editing the incron.te file:

policy_module(incron, 0.2)

# Declare the incrontab_roles attribute
attribute_role incrontab_roles;

...
type incrontab_t;
type incrontab_exec_t;
application_domain(incrontab_t, incrontab_exec_t)
# Allow incrontab_t for all incrontab_roles 
role incrontab_roles types incrontab_t;

Next, we need something where we can allow user domains to call incrontab. This will be done through an interface. Let’s look at incron.if with one such interface in it: the incron_role interface.

## inotify-based cron-like daemon

#########################################
## <summary>
##      Role access for incrontab
## </summary>
## <param name="role">
##      <summary>
##      Role allowed access.
##      </summary>
## </param>
## <param name="domain">
##      <summary>
##      User domain for the role.
##      </summary>
## </param>
#
interface(`incron_role',`
        gen_require(`
                attribute_role incrontab_roles;
                type incrontab_exec_t, incrontab_t;
        ')

        roleattribute $1 incrontab_roles;

        domtrans_pattern($2, incrontab_exec_t, incrontab_t)

        ps_process_pattern($2, incrontab_t)
        allow $2 incrontab_t:process signal;
')

The comments in the file are somewhat special: if the comments start with two hashes (##) then it is taken into account while building the policy documentation in /usr/share/doc/selinux-base-*. The interface itself, incron_role, grants a user role and domain the necessary privileges to transition to the incrontab_t domain as well as read process information (as used through ps, hence the name of the pattern being ps_process_pattern) and send a standard signal to it. Most of the time, you can use signal_perms here but from looking at the application we see that the application is setuid root, so we don’t want to grant too many privileges by default if they are not needed.

With this interface file created, we can rebuild the module and load it.

# make -f /usr/share/selinux/strict/include/Makefile incron.pp
# semodule -i incron.pp

But how to assign this interface to users? Well, what we want to do is something like the following:

incron_role(user_r, user_t)

When interfaces are part of the policy provided by the distribution, the definitions of it are stored in the proper location and you can easily add it. For instance, in Gentoo, if you want to allow the user_r role and user_t domain the cron_role access (and assuming it doesn’t have so already), then you can call selocal as follows:

# selocal -a "cron_role(user_r, user_t)" -c "Granting user_t cron access" -Lb

However, because the interface is currently not known yet, we need to create a second small policy that does this. Create a file (called localuser.te or so) with the following content:

policy_module(localuser, 0.1)

gen_require(`
        type user_t;
        role user_r;
')

incron_role(user_r, user_t)

Now build the policies and load them. We’ll now just build and load all the policies in the current directory (which will be the incron and localuser ones):

# make -f /usr/share/selinux/strict/include/Makefile
# semodule -i *.pp

You can now verify that the user is allowed to transition to the incrontab_t domain:

# seinfo -ruser_r -x | grep incron
         incrontab_t
# sesearch -s user_t -t incrontab_exec_t -AdCTS
Found 1 semantic av rules:
   allow user_t incrontab_exec_t : file { read getattr execute open } ; 

Found 1 semantic te rules:
   type_transition user_t incrontab_exec_t : process incrontab_t; 

Great, let’s get to our first failure to resolve… in the next post ;-)

Die US-Regierung hoch verschuldet, das Budget ist überstrapaziert, da muss gespart werden. Welche Behörde macht man also tageweise zu? Na klar! Das Finanzamt!

m(

Money Quote:

The IRS noted that taxpayers should continue to file their returns and pay any taxes due as usual.

Bug des Tages: 7000 Angestellte von Unis in NRW warten seit Monaten auf ihre Gehälter. Grund: Softwareumstellung. Klaaaaar, der Computer ist Schuld!1!!

Und es gibt heute noch einen Bug des Tages: Das Secure Boot von dem Samsung Galaxy S4 lässt sich umgehen, indem man in dem Kernel-Image eine bestimmte Startadresse einträgt. Der Loader läd nämlich das Image über die Adresse, die da im Image steht, und prüft dann die Signatur. Wenn man die Adresse geschickt wählt, überschreibt sich der Loader mit dem Image dabei selbst, bevor er zum Prüfen kommt.

Das mit Apple und der Senatsanhörung neulich habt ihr ja sicher mitgekriegt. Dachtet ihr auch, da ginge es um Steuern? Haha, reingefallen! Hier erklärt das mal ein Washington-Insider. Ich zitiere mal die wichtige Erkenntnis:

Senators are angry that tech giant Apple isn't paying its fair share.

I'm not talking about taxes. This is about campaign contributions and lobbying fees.

Schöne Firma haben Sie da! Wäre ja zu schade, wenn der was zustöße!

Es gibt da so ein schönes Zitat von Mark Twain, das es schön auf den Punkt bringt.

It could probably be shown by facts and figures that there is no distinctly native American criminal class except Congress.

Apples Vergehen war nicht, dass sie wenig Steuern gezahlt haben, sondern dass sie zu wenig Schmiergeld gezahlt haben. Das gleiche Spiel haben die werten Herren Senatoren auch schon mal mit Microsoft gemacht. Da gab es auch längliche "kartellrechtliche Untersuchungen", damit Microsoft einsieht, dass das ernst gemeint ist. Microsoft hat dann ihre Lobbyausgaben hochgeschraubt, und dann gingen die Kartennuntersuchungen unverrichteter Dinge wieder weg.

Auch Walmart und die Finanzbranche wurde so oder so ähnlich zum Schutzgeldzahlen animiert. Nur Apple bleibt beharrlich dabei, nur eine Million für Lobbying auszugeben im Jahre 2010.

Ich weiß nicht, ob euch das allen klar ist, aber nach internationalem Kriegsrecht ist ein Drohnenlenker ein legitimes Ziel im Krieg. Ob der jetzt im Kriegsgebiet sitzt oder in Omaha — oder Potsdam —, spielt dabei keine Rolle. Und wenn die Drohnenoperatoren mitten in der Innenstadt zwischen zivilen Gebäuden sitzen, dann fällt das unter die Definition von Menschliches Schutzschild. Aber die Kasernen sind doch nicht direkt zwischen zivilen Gebäuden, sagt ihr jetzt vielleicht? Mag sein, aber nachts geht der Drohnenoperator nach Hause zu seiner Familie. Und DAS fällt dann auf jeden Fall darunter.

In der Schweiz wird gerade eine Volksabstimmung diskutiert, bei der der zentrale Vorschlag ist, dass kein Unternehmenschef pro Monat mehr kriegen soll, als die Firma als kleinstes Jahresgehalt auszahlt. Also ein Limit der Gehaltsschere von 1:12. Das soll in die Verfassung, fordert die auf die Sozialisten zurückgehende Volksabstimmung.

Bug des Tages: Aus dem 9front-Changelog:

hifn7751: Don’t keep the last blocksize-bytes of ciphertext for use as the next plaintext’s IV, in CBC mode. Use arc4random() to acquire fresh IVs per message.

Das ist einer für Kryptologen. Wer den nicht versteht: ignorieren.

Obama hat erstmals zugegeben, mit seinen Drohnen-Anschlägen auch vier US-Bürger umgebracht zu haben. Und nur einer davon war ein Versehen.

Die Französische Polizei macht jetzt keine Suchen nach vermissten Personen mehr. Stattdessen schlagen sie vor, man solle im Internet suchen, bei Facebook und co.

Kleiner Realitätsabgleich zur Justiz in Deutschland: Der Richter im Gustl-Mollath-Fall (der hier) hat die von der Verteidigung vorgebrachten Dokumente nicht gelesen. Er habe "anderes zu tun gehabt". Das sagte er jetzt dem Landtags-Untersuchungsausschuss. In dem Urteil liest sich das dann so:

"In der Hauptverhandlung vom 25. 09. 2003 vor dem Amtsgericht Nürnberg übergab der Angeklagte in einem Schnellhefter zusammengefasste Schriftsätze zu seiner Verteidigung, die in keinerlei erkennbarem Zusammenhang mit den Anklagevorwürfen stehen."

Klar kann man keinen Zusammenhang erkennen, wenn man das nicht liest. Und als sie den Richter auf diesen Satz ansprachen, sagte er erst:

"Ich lese doch keine 110 Seiten."

und beim zweiten Mal

"Dieses Konvolut ist mir nicht bekannt."

Nur falls da jemand Illusionen hatte.

Die Sache mit den V-Leuten ist noch krasser als bisher angenommen. AFP berichtet, dass die EU-Kommission V-Leute sogar bei schweren Straftaten wie Verstoß gegen das Kriegswaffenkontrollgesetz oder Mitgliedschaft in einer kriminellen Vereinigung vor Verfolgung schützen will. Money Quote:

Zudem müssten die Beamten des Verfassungsschutzes gegenwärtig immer mit einem Strafverfahren wegen Anstiftung rechnen, wenn V-Leute Straftaten begingen.

No Shit, Sherlock! DAS IST JA AUCH DIE IDEE! Wenn der Verfassungsschutz in Straftaten involviert ist, dann müssen die in den Knast, und zwar alle, einmal die gesamte Chain of Command durch bis ganz nach oben. Unfassbar, dass da Ausnahmen geschaffen werden sollen!

Die Telekom erklärt, wieviel Internet sie ihren Kunden zubilligt.

Erinnert ihr euch an die Pro-Guttenberg-Demo Anfang 2011? Da laufen immer noch Gerichtsverfahren. Nein, wirklich! Bei Metronaut gibt es Details. Da kriegt man Einsichten in die Denke der Berliner Polizei, die man so gar nicht haben wollte.

Ich will an dieser Stelle mal mit dem Gerücht aufräumen, die Telekom wolle keine Netzneutralität. Das stimmt ja mal sowas von gar nicht!1!! Hier erklärt die Telekom, was sie unter Netzneutralität versteht. ... widdewiddewie sie mir gefällt!

Das ist hoffentlich der Todesstoß: Bierbrauer wollen kein Fracking, fürchten um das Reinheitsgebot

Die IAEA hat ihre Meinung zum Atomausstieg geändert. Bisher hat sie das kritisiert, jetzt lobt sie es. Ist eigentlich wie immer im Leben. Erst sagen alle "das geht gar nicht", dann macht es jemand, dann sagen alle "haben wir doch gleich gesagt, dass das die richtige Idee war!1!!"

Die beiden Mörder von dem Anschlag in London gestern waren den Sicherheitsdiensten bekannt. Na SO eine Überraschung! Das hatten wir ja noch NIE nach solchen Anschlägen!1!!

In Schweden gibt es jetzt seit vier Tagen Ausschreitungen. Dabei werden Autos angezündet, heute Nacht ging auch ein Restaurant in Flammen auf. Wenn man den Analysen glauben darf, sind das Jugendproteste gegen Armut und Jugendarbeitslosigkeit. Das sind ja Probleme, die ganz Europa betreffen. Dass das ausgerechnet in Schweden platzen würde, damit hat wohl niemand gerechnet, am wenigsten die schwedische Regierung selbst.

Hundreds of youth have burned down a restaurant, set fire to more than 340 cars and attacked police during a fourth night of rioting in the suburbs of the Swedish capital

Kurze Durchsage der Innenministerkonferenz: Wir scheißen auf die Erkenntnisse der Untersuchungskommission und deklarieren das NSU-Problem zu einer Serie von 60 unglücklichen Einzelfällen. Fakten wie dass der "Verfassungsschutz" auf dem rechten Auge blind ist, dass es ein komplettes Systemversagen gegeben hat, das leugnen die einfach. Und sie finden auch nicht, dass man Polzei und "Verfassungsschutz" pauschal für inkompetent erklären kann.

Ich glaube ja, zu deren eigenem Wohl wäre es jetzt an der Zeit für eine Elektroschocktherapie. Und anschließend Sicherheitsverwahrung. Diese Menschen sind offensichtlich nicht mal ansatzweise in unserem Universum beheimatet.

The FreeBSD Foundation sponsored 7 attendees of BSDCan 2013. The first trip report is from Eitan Adler, a doc committer, who attended the BSDCan Developers Summit. Eitan writes:

I arrived Tuesday night and met Colin Percival at the airport.  After dropping off luggage at the university, I met up with some of the other developers.

The first day, I attended the "Netflix and FreeBSD" session run by Scott Long.  It was interesting to see what kind of problems users of FreeBSD ran into when running at scale.

For the afternoon working group, I chose to attend the "ports and packages" session.  A variety of topics were discussed but the most discussed topic was cross-building ports across both versions and architectures.  This is a topic that came up repeatedly in prior
discussion and that would come up again in other working groups, so it was good to know about the latest work in this area.

The vendor summit came next.  In the past, the vendor summit focused on kernel work but this one revolved around the user land.  This is particularly important to me as I run FreeBSD on my laptop as my primary development machine.

At night I spent some time in the hacking lounge or other shared areas meeting people.  It was very nice to be able to meet the people I've been talking to for the past three years.

On Thursday I spent my morning in the "Desktop" session.  Getting FreeBSD running well on desktops is critical in attracting new developers in the future.  Kris Moore, from PCBSD, spoke a lot about the customizations that they made.  I pressed to share the improvements
that could be committed upstream.  Other issues discussed were packaging for the desktop and a graphical boot loader for FreeBSD/PC-BSD.

The afternoon session for me was "Documentation": a significant portion of the discussion was about the future print edition of the book and what sections need to be updated and improved.  In particular, how we could get more source committers involved in writing documentation.  We also discussed how to work going forward with other teams that need access to the documentation (e.g., portmgr and postmaster).   We also touched on the FAQ, translations, and the new toolchain.  The final topic we discussed was the automated QA and statistics tools we have (and don't have) and how we could improve in that area.

After dinner I did some work at the documentation hackathon.  I spent the remainder of the night at the hacker lounge discussing kernel internals with Peter Wemm, Sean Bruno, and others.

Unfortunately, I had to leave prior to the conference itself, but I felt that meeting people at the developer summit was well worth the time spent.

The FreeBSD Foundation is pleased to announce Ed Maste's new role as the Foundation's part-time Director of Project Development.  Ed has served on the Foundation's board for two years, and has stepped down in order to accept this new position.

In this position, Ed will manage the Foundation's sponsored work, including projects funded under specific grants, operational support and project development undertaken by the Foundation's permanent technical staff. Working with the Foundation's Board of Directors, Ed will identify and document specific areas of future project work interest. This roadmap planning will include coordination with FreeBSD consumers and the FreeBSD community.

"2012 represented an inflection point in the Foundation's history,'' said Justin T. Gibbs, President of the FreeBSD Foundation. "The Foundation has a stated goal of investing in permanent staff through 2013. With Ed taking on this new position I'm excited by the Foundation's increased capacity to manage our project development and operational support.''

Ed has over ten years of experience in companies building products on FreeBSD, in both technical and managerial roles. He resides in Kitchener, Ontario, Canada.

A fuel distribution firm in North Carolina lost more than $800,000 in a cyberheist earlier this month. Had the victim company or its bank detected the unauthorized activity sooner, the loss would have been far less. But both parties failed to notice the attackers coming and going for five days before being notified by a reporter.

Organized cyber thieves began siphoning cash from Mooresville, N.C. based J.T. Alexander & Son Inc. on the morning of May 1, sending money in sub-$5,000 and sub-$10,000 chunks to about a dozen “money mules,” people hired through work-at-home job scams to help the crooks launder the stolen money. The mules were paid via automated clearing house (ACH) payment batches that were deducted from J.T. Alexander’s payroll account.

The attackers would repeat this process five more times, sending stolen funds via ACH to more than 60 money mules. Some of those mules were recruited by an Eastern European crime gang in Ukraine and Russia that I like to call the “Backoffice Group.” This same group has been involved in nearly every other cyberheist I have written about over the past four years, including last month’s $1.03 million theft from a nonprofit hospital in Washington state.

David Alexander, J.T. Alexander & Son’s president, called the loss “pretty substantial” and “painful,” and said his firm was evaluating its options for recouping some of the loss. The company has just 15 employees that get paid by ACH payroll transactions every two weeks. At most, J.T. Alexander’s usual payroll batch is around $30,000. But in just five days, the thieves managed to steal more than a year’s worth of employee salaries.

The company may be able to recoup some of the loss through insurance: J.T. Alexander & Son Inc.’s policy with Employer’s Mutual Casualty Company (EMC) includes a component that covers cyber fraud losses, but the coverage amount is far less than what the victim firm lost.

“They’ve got some specific coverage, but unfortunately the amount of coverage they’ve got is not going to cover anywhere near the amount of money they lost,” said Jim Mitchell, an adjuster for EMC.

According to J.T. Alexander & Son, the company’s bank – Peoples Bancorp of North Carolina Inc., a state-chartered bank with $1.1 billion in assets and 22 branches across the state — had just upgraded its security system a month prior to the cyberheist. Before the upgrade, the company’s controller had to enter a login ID, password and then enter a six-digit code that was read by an automated system at the bank that would call them.

“Also, it used to be we could only access the bank’s site from my computer,” said Kristie Williams, who works in accounting and finance for J.T. Alexander. “The way [the bank] changed it, anybody anywhere could access it as long as they had my login, and apparently that’s what happened because the logins came from a different IP address than our normal one. I think they made it more convenient, but less secure. I wasn’t aware all of that had changed.”

Peoples Bank did not return calls seeking comment.

These types of cyberheists — in which neither the victim organization nor its financial institution notice the theft for days on end — can be especially costly. It’s difficult to assign blame for such incidents to either the victim or its bank — there were failures on both parts, to be sure — but typically the liability for these breaches lies with the victim. That’s why it’s vitally important for small businesses that wish to bank online to assume they are targets of organized crime and to take the necessary precautions, wherever possible.

If you run a small business and manage your company’s accounts online, please take a moment to read my list of recommendations here: Online Banking Best Practices for Businesses.

So, in the previous post I talked about incron and why I think moving it into the existing cron policy would not be a good idea. It works, somewhat, but is probably not that future-proof. So we’re going to create our own policy for it.

In SELinux, policies are generally written through 3 files:

1. a type enforcement file that contains the SELinux rules applicable to the domain(s) related to the application (in our example, incron)
2. a file context file that tells the SELinux utilities how the files and directories offered by the application should be labeled
3. an interface definition file that allows other SELinux policy modules to gain rights offered through the (to be written) incron policy

We now need to create a skeleton for the policy. This skeleton will define the types related to the application. Such types can be the domains for the processes (the context of the incrond and perhaps also incrontab applications), the contexts for the directories (if any) and files, etc.

So let’s take a look at the content of the incron package. On Gentoo, we can use qlist incron for this. In the output of qlist, I added comments to show you how contexts can be (easily) deduced.

# Application binary for managing user crontabs. We want to give this a specific
# context because we want the application (which will manage the incrontabs in
# /var/spool/incron) in a specific domain
/usr/bin/incrontab  ## incrontab_exec_t

# General application information files, do not need specific attention
# (the default context is fine)
/usr/share/doc/incron-0.5.10/README.bz2
/usr/share/doc/incron-0.5.10/TODO.bz2
/usr/share/doc/incron-0.5.10/incron.conf.example.bz2
/usr/share/doc/incron-0.5.10/CHANGELOG.bz2
/usr/share/man/man8/incrond.8.bz2
/usr/share/man/man5/incron.conf.5.bz2
/usr/share/man/man5/incrontab.5.bz2
/usr/share/man/man1/incrontab.1.bz2

# Binary for the incrond daemon. This definitely needs its own context, since
# it will be launched from an init script and we do not want it to run in the
# initrc_t domain.
/usr/sbin/incrond ## incrond_exec_t

# This is the init script for the incrond daemon. If we want to allow 
# some users the rights to administer incrond without needing to grant
# those users the sysadm_r role, we need to give this file a different
# context as well.
/etc/init.d/incrond ## incrond_initrc_exec_t

With this information at hand, and the behavior of the application we know from the previous post, can lead to the following incron.fc file, which defines the file contexts for the application.

/etc/incron.d(/.*)?     gen_context(system_u:object_r:incron_spool_t,s0)

/etc/rc\.d/init\.d/incrond      --      gen_context(system_u:object_r:incrond_initrc_exec_t,s0)

/usr/bin/incrontab      --      gen_context(system_u:object_r:incrontab_exec_t,s0)

/usr/sbin/incrond       --      gen_context(system_u:object_r:incrond_exec_t,s0)

/var/spool/incron(/.*)?         gen_context(system_u:object_r:incron_spool_t,s0)

The syntax of this file closely follows the syntax that semanage fcontext takes – at least for the regular expressions in the beginning. The last column is specifically for policy development to generate a context based on the policies’ requirements: an MCS/MLS enabled policy will get the trailing sensitivity with it, but when MCS/MLS is disabled then it is dropped. The middle column is to specify if the label should only be set on regular files (--), directories (-d), sockets (-s), symlinks (-l), etc. If it is omitted, it matches whatever class the path matches.

The second file needed for the skeleton is the incron.te file, which would look like so. I added in inline comments here to explain why certain lines are prepared, but generally this is omitted when the policy is upstreamed.

policy_module(incron, 0.1)
# The above line declares that this file is a SELinux policy file. Its name
# is incron, so the file should saved as incron.te

# First, we declare the incrond_t domain, used for the "incrond" process.
# Because it is launched from an init script, we tell the policy that
# incrond_exec_t (the context of incrond), when launched from init, should
# transition to incrond_t.
#
# Basically, the syntax here is:
# type 
# type 
# 
type incrond_t;
type incrond_exec_t;
init_daemon_domain(incrond_t, incrond_exec_t)

# Next we declare that the incrond_initrc_exec_t is an init script context
# so that init can execute it (remember, SELinux is a mandatory access control
# system, so if we do not tell that init can execute it, it won't).
type incrond_initrc_exec_t;
init_script_file(incrond_initrc_exec_t)

# We also create the incrontab_t domain (for the "incrontab" application), which
# is triggered through the incrontab_exec_t labeled file. This again follows a bit
# the syntax as we used above, but now the interface call is "application_domain".
type incrontab_t;
type incrontab_exec_t;
application_domain(incrontab_t, incrontab_exec_t)

# Finally we declare the spool type as well (incron_spool_t) and tell SELinux that
# it will be used for regular files.
type incron_spool_t;
files_type(incron_spool_t)

Knowing which interface calls, like init_daemon_domain and application_domain, we should use is not obvious at first. Most of this can be gathered from existing policies. Other frequently occurring interfaces to be used immediately at the skeleton side are (examples for a foo_t domain):

• logging_log_file(foo_log_t) to inform SELinux that the context is used for logging purposes. This allows generic log-related daemons to do “their thing” with the file.
• files_tmp_file(foo_tmp_t) to identify the context as being used for temporary files
• files_tmpfs_file(foo_tmpfs_t) for tmpfs files (which could be shared memory)
• files_pid_file(foo_var_run_t) for PID files (and other run metadata files)
• files_config_file(foo_conf_t) for configuration files (often within /etc)
• files_lock_file(foo_lock_t) for lock files (often within /run/lock)

We might be using these later as we progress with the policy (for instance, the PID file is a very high candidate for needing to be included). However, with the information currently at hand, we have our first policy module ready for building. Save the type enforcement rules in incron.te and the file contexts in incron.fc and you can then build the SELinux policy:

# make -f /usr/share/selinux/strict/include/Makefile incron.pp
# semodule -i incron.pp

On Gentoo, you can then relabel the files and directories offered through the package using rlpkg:

# rlpkg incron

Next is to start looking at the incrontab application.

Erinnert ihr euch an die Internetsperren gegen Kinderpornographie, die die Schweiz eingeführt hatte? Die, die NUR für Kinderpornographie und KEINESFALLS JEMALS für andere Dinge benutzt werden sollten? Schon gar nicht für Bagatellen wie "Raubkopieren", weil das Runterladen von Filmen und Musik in der Schweiz eh legal ist?

Nun, äh, dann wird euch sicher genau so sehr wie mich überraschen, dass in der Schweiz im Gespräch ist, Internetsperren gegen Raubkopien einzusetzen. Zurück geht das auf eine Lobbygruppe namens "Bund gegen die Piraterie".

Island bricht die Beitrittsverhandlungen mit der EU ab. Ich hatte mich eh gefragt, was Island in der EU will. Da können die doch nur Nachteile von haben. Die können dem Schengen-Abkommen beitreten, das ist das Wichtigste. Vielleicht noch der Zollunion, wenn sie das ausgerechnet haben und sich das lohnt (was ich nicht glaube, ehrlich gesagt). Aber den Rest von diesem EU-Moloch? Das kann doch nichts werden.

Update: Mir mailt gerade jemand, dass Island bereits im Schengenraum ist. Hups :-)

Geschichten aus der neuen Welt:

Josephine County, in the southwest corner of Oregon, was probably the hardest hit. The sheriff's department lost more than half of its funding. As a result, deputies no longer respond to emergency calls in the evenings or on the weekends.

Und dann haben sie da einen Notruf. Eine Frau ruft die Polizei, weil ihr Ex-Freund gerade versucht, in ihr Haus einzubrechen versucht. Der Mann wurde polizeilich gesucht.

The call came in on a Saturday at 4:58 in the morning. None of the sheriff's deputies in Josephine County were on duty. So dispatch transferred the call to the Oregon State Police, but they also didn't have anyone available.

Und so erklärt die freundliche Dame vom Polizeinotruf der Frau, sie hätten gerade niemanden, den sie vorbeischicken könnten. Und sie könnte ja versuchen, dem Mann zu sagen, dass er weggehen soll. Dann kommt noch der Vorschlag, sie könne sie ja verstecken. Am Ende bricht der Typ in das Haus ein und vergewaltigt die Frau.

SHERIFF GIL GILBERTSON: There isn't a day go by that we don't have another victim.

Wenn man das so hört, versteht man auch, wieso die Schusswaffenlobby in den USA so einflussreich ist.

Man kann ja auf Youtube alles mögliche lernen oder zu lernen versuchen. Von Mauern über Drachensteigen und Kochen bis Klavierspielen. Konnte, im Fall von Klavierspielen, denn Youtube hat jetzt die Lektionen von einem Online-Klavierunterricht runtergeschmissen, weil sie Urheberrechtsverletzungen witterten. Und sie haben völlig Recht, ich an deren Stelle wäre da auch lieber zu vorsichtig als Post vom Landgericht Hamburg oder der GEMA zu riskieren. Solange die frei herummarodieren dürfen, kann ich als Ausweg nur eine Grunderneuerung des Urheberrechts sehen, noch klarer formuliert, um solchen Missbrauch auszuschließen.

Wir verabschieden uns an dieser Stelle von unserem Verteidigungsminister: Merkel spricht De Maiziere ihr volles Vertrauen aus. Der Mann ist so gut wie abgetreten.

Die Polizei, dein Freund und Helfer: Eifersüchtiger NYPD-Cop soll in 40 Email-Accounts eingebrochen sein, um seine Ex-Freundin zu überwachen. Aber der eigentliche Hammer an der Geschichte:

According to a FBI press release, Vargas allegedly paid an e-mail hacking service more than $4,000 to obtain the log-in credentials of at least 43 personal email accounts and one cellular phone belonging to at least 30 different individuals.

Öh, das ist ja mal ein Geschäftsmodell! Und wieso verhaften die dann nicht di eBetreiber von diesem Service?

In this series of posts, we’ll go through the creation of a SELinux policy for incron, a simple inotify based cron-like application. I will talk about the various steps that I would take in the creation of this policy, and give feedback when certain decisions are taken and why. At the end of the series, we’ll have a hopefully well working policy.

The first step in developing a policy is to know what the application does and how/where it works. This allows us to check if its behavior matches an existing policy (and as such might be best just added to this policy) or if a new policy needs to be written. So, what does incron do?

From the documentation, we know that incron is a cron-like application that, unlike cron, works with file system notification events instead of time-related events. Other than that, it uses a similar way of working:

• A daemon called incrond is the run-time application that reads in the incrontab files and creates the proper inotify watches. When a watch is triggered, it will execute the matching rule.
• The daemon looks at two definitions (incrontabs): one system-wide (in /etc/incron.d) and one for users (in /var/spool/incron).
• The user tabfiles are managed through incrontab (the command)
• Logging is done through syslog
• User commands are executed with the users’ privileges (so the application calls setuid() and setgid())

With this, one can create a script to be executed when a file is uploaded (or deleted) to/from a file server, or when a process coredump occurred, or whatever automation you want to trigger when some file system event occurred. Events are plenty and can be found in /usr/include/sys/inotify.h.

So, with this information, it is safe to assume that we might be able to push incron in the existing cron policy. After all, it defines the contexts for all these and probably doesn’t need any additional tweaking. And this seems to work at first, but a few tests reveal that the behavior is not that optimal.

# chcon -t crond_exec_t /usr/sbin/incrond
# chcon -t crontab_exec_t /usr/bin/incrontab
# chcon -R -t system_cron_spool_t /etc/incron.d
# chcon -t cron_log_t /var/log/cron.log
# chcon -R -t cron_spool_t /var/spool/incron

System tables work somewhat, but all commands are executed in the crond_t domain, not in a system_cronjob_t or related domain.
User tables fail when dealing with files in the users directories, since these too run in crond_t and thus have no read access to the user home directories.

The problems we notice come from the fact that the application is very simple in its code: it is not SELinux-aware (so it doesn’t change the runtime context) as most cron daemons are, and when it changes the user id it does not call PAM, so we cannot trigger pam_selinux.so to handle context changes either. As a result, the entire daemon keeps running in crond_t.

This is one reason why a separate domain could be interesting: we might want to extend the rights of the daemon domain a bit, but don’t want to extend these rights to the other cron daemons (who also run in crond_t). Another reason is that the cron policy has a few booleans that would not affect the behavior at all, making it less obvious for users to troubleshoot. As a result, we’ll go for the separate policy instead – which will be for the next post.

Erinnert ihr euch an den Wirbelsturm Sandy? Der im Nordosten der USA große Schäden anrichtete? Als diverse Republikaner-Senatoren gegen Bundeshilfen stimmten? Unter anderem der von Oklahoma? Nun, der Senator von Oklahoma findet heute, dass Sandy und der Tornado in Oklahoma was VÖLLIG anderes seien.

“Let’s look at that, that was totally different,” Inhofe told Jansing. “They were getting things — for instance that was supposed to be in New Jersey, they had things in the Virgin Islands, they were fixing roads there, they were putting roofs on houses in Washington, D.C.; everyone was getting in and exploiting the tragedy taking place. That won’t happen in Oklahoma.”

Seht ihr? Was GANZ anderes!1!!

Ihr habt vielleicht gehört, dass es eine US-Senatsanhörung mit dem Apple-CEO gab, wo es eigentlich um peinliche Fragen wie "wieso zahlt Apple eigentlich so wenig Steuern" gehen sollte. Aber wenn man den Apple-CEO schon mal vor der Flinte hat, ... John McCain will wissen, wieso er eigentlich dauernd die ganzen Apps aupdaten muss auf seinem Mobiltelefon :-)

My original post about loyalty cards missed the supermarkets that I’m actually using nowadays, because they are conveniently located just behind my building (for one) and right on the way back home from my office (for the other). Both of them are part of the EuroSpar chain and have the added convenience of being open respectively 24/7 and 7-22.

So, when I originally asked the store if they had any loyalty card, I was told they didn’t. I checked the website anyway and found the name of their loyalty program, which is “SuperEasy”, and the next time, I asked about it explicitly, and they gave me the card and a form to fill in; after filling almost all of it, I found that I could also do it online, so I trashed the paper form. They can’t get my name right anywhere here when I spell it.

On the website, strangely enough they even accept my surname as it should be, wow that’s a miracle, I thought… until I went to use the card at the shop and got back the bill that you see on the left. Yes that’s UTF-8 converted to some other 8-bit codepage which is not Latin-1. Indeed it reminds me of CP850 at the time of MS-DOS. Okay I give up, but the funniest part was getting the bill tonight, the one on the right.

But beside them mangling my name in many different possible ways, is there anything that makes EuroSpar special enough for me to write a follow-up post on a topic that I don’t really care about or, honestly, have experience in? Yes of course. Compared with the various rewards I have been talking about last time, this seems to be mostly the same: one point per euro spent, and one cent per point redeemed.

The big difference here is that the points are accrued to the cent, rather than to the lower euro threshold! Not too shabby, considering that unlike Dunnes they do not round their prices to full euros most of the time. And the other one is that even though they have a single loyalty scheme for all the stores.. the cards are per-store, or so they proclaim. The two here are probably owned by the same person so they are actually linked and they work on each.

Another interesting point is that while both EuroSpar host an Insomnia café, neither accept Insomnia’s own loyalty card (ZapaTag) — instead they offer something similar in the sense that you get the 10th drink free. A similar offer is present at the regular Insomnia shops, but there, while you can combine the 10th drink offer with the ZapaTag points, you cannot combine it with other offers such as my usual coffee and brownie for €3,75 (the coffee alone is €3,25 while the brownie is €2,25)… at EuroSpar instead this is actually combinable, but of course if I use the free coffee while getting a brownie, I still have to pay almost as much as the coffee.. but sometimes I can skip on the pastry.

So yes, I think it was worth noting the differences about EuroSpar. And as a final note I’ll just say that even the pharmacy on the way to work has a loyalty card… and it’s the usual discount one, or as they call it “PayBack Card”. I have to see what Tesco does, but they somehow blacklisted my apartment in their delivery service.

Euch sind bestimmt auch schon die ganzen Überwachungskameras auf den Autobahnen aufgefallen, an den Brücken und so. Vielleicht habt ihr euch gefragt, was die da tun, und euch dann eine Geschichte überlegt, dass die nur zur Stauvermeidung sind, für Statistik im Verkehr, und nicht alle Nummernschilder scannen und archivieren. Denn das verstöße ja gegen die Ansagen des Verfassungsgerichtes. Und überhaupt, so technisch fit sind die bestimmt nicht. Und warum würde man das alles speichern wollen. Das muss ja auch jemand bezahlen. Und Auswertungssysteme kosten ja auch geld. Wie man sich so die Realität immer schönredet.

Heute war im Kölner Express dieser Kasten am Rande. Hat mir jemand gemailt, die URL, kann ich gerade nicht prüfen. Da steht, dass die Polizei bei der Verkehrsüberwachung Anfragen stellen kann, ob Nummernschild soundso am 23. Mai um 17:42 zwischen Köln und Bonn im Stau stand. Und die können das dann nicht nur beantworten, sondern tun das auch im Regelfall vier Mal pro Tag.

Nur falls jemand Illusionen hatte, weil in Deutschland doch immer von Datenschutz und so die Rede ist. Und weil das Verfassungsgericht das explizit untersagt hat. Aber auf Recht und Gesetz scheißen und ethische Bedenken ignorieren ist ja in NRW nicht erst seit Büssow Tradition.

The phpMyFAQ Team would like to announce the availability of phpMyFAQ 2.8.0, the “Maurice Wilkes” release. This major new release now requires PHP 5.3.3 or later and is licensed under the terms of the Mozilla Public License 2.0. The HTML5/CSS3 layout is based on Twitter Bootstrap 2.3.2 and we ship the new version with jQuery [...]

Berlusconi schlägt vor, die Strafen für Zusammenarbeit mit der Mafia von 12 auf 5 Jahre zu senken. Ihr könnt euch ja denken, was dafür der Auslöser gewesen sein wird.

Eines der Argumente gegen Abhörschnittstellen ist ja immer, dass das auch von unautorisierten Stellen genutzt werden könnte. "Die Chinesen" würde man heute sagen. Ach was, kommt dann immer, das könnte NIE passieren, da achten wir schon drauf, daran arbeiten bei uns die BESTEN der BESTEN der BESTEN, so Leute wie Google oder Microsoft. Bis dann die Chinesen bei Google und Microsoft einbrechen und sich die Lawful Interception Datensätze kopieren.

Just a quick screenshot of my current Xubuntu/Openbox desk (on the ThinkPad)

Used:
- Xubuntu 13.04 as “base system” (maybe I should try something else in future)
- tint2 as taskbar (bottom)
- Conky (top) for system information
- feh to set the wallpaper
- Pidgin to chat to my XMPP/Jabber-Server (finally escaped from GTalk)
- xfce4-power-manager to control the power, what should happen if the cover with closed etc.
- terminator as terminal emulator
- vim as editor
- powerline plugin in vim
- numbers plugin in vim
- Turpial as Twitter client
- Chromium as web-browser

The font I use overall is (Bitstream) DejaVu Sans and in the Terminal DejaVu Sans Mono.

Guantanamo ist so gut wie geschlossen. Das WLAN ist jedenfalls schonmal aus. Wo haben die denn da WLAN, werdet ihr euch fragen. Na völlig klar, in dem Starbucks und dem Irish Pub!

Criminal commerce on the Internet would mostly grind to a halt were it not for the protection offered by so-called “bulletproof hosting” providers – the online equivalent of offshore havens where shady dealings go ignored. Last month I had an opportunity to interview a provider of bulletproof services for one of the Web’s most notorious cybercrime forums, and who appears to have been at least partly responsible for launching what’s been called the largest cyber attack the Internet has ever seen.

Earlier this year, the closely-guarded English-language crime forum darkode.com was compromised and came under a series of heavy distributed denial-of-service (DDoS) attacks aimed at keeping it offline. Around that same time, darkode.com welcomed a new member — a bulletproof hosting broker aptly named “Off-sho.re” — who promised to defend the site from future DDoS attacks.

Off-sho.re also said he could offer more robust and crime-friendly hosting services than darkode’s previous provider — Santrex, literally an offshore hosting facility located in the Seychelles, a 115-island country that spans an archipelago in the Indian Ocean. Off-sho.re’s timing was perfect: Darkode desperately needed both, and Off-sho.re seemed to know his stuff, so he was admitted to the forum and given stewardship of the site’s defense and hosting.

STOPHAUS V. SPAMHAUS

Of course, to successfully defend a network against DDoS attacks one must know a great deal about how to launch such assaults. Indeed, Off-sho.re was an integral member of Stophaus, an upstart group of bulletproof hosters that banded together in March to launch a massive Internet attack against anti-spam group Spamhaus.org.

Hundreds of ISPs route or deny traffic based in part on Spamhaus’s blacklists of known, cybercrime-friendly ISPs, and Stophaus formed in response to Spamhaus’s listing of bulletproof hosting provider in particular: A network known alternatively as CB3ROB, a.k.a. “Cyberbunker” because it operated from a heavily fortified NATO bunker in The Netherlands.

Off-sho.re is moderator of the Stophaus forum, and not long after joining darkode.com, he was recruiting fellow darkode members for the Stophaus cause. Stophaus’s records show that another core member was “0ptik,” a competing bulletproof hosting provider. Spamhaus had listed dozens of Optik’s domains, as well as virtually all of the IP address ranges Off-sho.re had rented at abuse-friendly Romanian hosting provider Voxility. It was payback time.

In late March, Spamhaus became the target of what experts called one of the largest computer attacks on the Internet. The method of attack — a DNS amplification attack — was similar to that first seen used in attacks more than a decade ago that targeted the heart of the Internet’s routing system, except that it was by most accounts much larger.

“DNS amplification attacks can bring up to 140 Gbps to a single resource from a single controller,” Off-sho.re wrote in a darkode.com posting less than 24 hours after the attack on Spamhaus began. “The beauty of it [is] that the ‘bots’ are just open DNS resolvers in the world.” Linking to a writeup from Cloudflare.com about the attack, Off-sho.re stated that “Some BP hosters were lately united, check out our latest prank.”

Last month, authorities in Spain arrested Sven Kamphuis, a 35-year-old Dutch man, thought to be responsible for coordinating the unprecedented attack on Spamhaus. According to Spamhaus, Kamphuis made claims about being his own independent country in the Republic of Cyberbunker. But according to Off-Sho.re, Kamphuis was just the public face of the movement. “Sven didn’t attack anyone,” Off-Sho.re wrote in an online chat with KrebsOnSecurity.

If Kamphuis was just a mouthpiece, who was responsible for the attack? What is interesting about the Stophaus movement is that Off-sho.re very well may have prompted Spamhaus to finally place CB3ROB/Cyberbunker at the top of its World’s Worst Spam-Support ISPs list, a move that helped to precipitate this conflict.

According to Spamhaus, while Cyberbunker and Spamhaus certainly have a bit of a history together, Cyberbunker wasn’t really a focus of Spamhaus’s blocking efforts until the fall of 2012. That’s when Spamhaus began noticing a large number of malware and botnet control servers being stood up inside of Cyberbunker’s Internet address ranges.

“We didn’t really notice these guys at CB3ROB much until last fall, when they started hosting botnet controllers, malware droppers and a lot of pharma spam stuff,” said a Spamhaus member who would only give his name as “Barry.” “Before that, it was mainly routing for some Chinese guys – Vincent Chan – fake Chinese products.”

Oddly enough, this coincides with Off-sho.re’s entrance on the bulletproof hosting scene (at least as advertised on crime forums). In his introduction post to Darkode, Off-sho.re  referenced his bulletproof hosting sales threads at two Russian-language forums — expoit.in and damagelab.org. In these threads, which began in Sept. 2012, Off-sho.re advertised the ability to host ZeuS and SpyEye botnet command and control networks for between $99 and $199 per month, and bulletproof domain registration from $30 per month. More importantly, Off-sho.re proudly announced that he was offering a premiere BP hosting service for $400 a month that was housed in an old NATO bunker in Holland and that used IP addresses assigned to CB3ROB (see screenshot to left).

CRUELTY-FREE CYBERATTACKS?

The attack that hit Spamhaus — known as a DNS reflection and amplification attack — leveraged unmanaged DNS servers on the Web to create huge traffic floods. DNS servers act as the white pages of the Internet, transforming or “resolving” human-friendly domain names into numerical network addresses used by computers. Typically, DNS servers only provide services to machines within a trusted domain. But DNS reflection attacks rely on consumer and business routers equipped with DNS servers that are (mis)configured to accept queries from anywhere on the Web. Attackers can send spoofed DNS queries to these so-called “open recursive” DNS servers, forging the request so that it appears to come from the target’s network. That way, when the DNS servers respond, they reply to the spoofed (target) address.

The amplification part of the attack takes advantage of the ability to craft DNS queries so that the responses are much bigger than the requests; they do this by leveraging an extension to the DNS protocol that enables large DNS messages. For example, an attacker could compose a DNS request of less than 100 bytes, prompting a response that is 60-70 times as large. This “amplification” effect is especially pronounced if the perpetrators query dozens of DNS servers with these spoofed requests simultaneously.

I reached out to Off-sho.re via instant message to ask why he thought it was okay to hijack servers that belonged to someone else for use in attacks on third-parties.

“No one launched or abused any attack, all DNS resolvers were machines that had this option open,” Off-sho.re explained. “No bots were used and no one was infected. The individuals who did the attack, didn’t harm any computer in order to launch it. So your question about the legal aspect of this thing is not relevant.”

Off-sho.re insisted he did not directly participate in launching the attacks on Spamhaus. But as I discovered in my reporting, he had no qualms about ordering his minions to attack my site prior to our chat conversation. A few days before I reached out to him, Off-sho.re orchestrated an attack against KrebsOnSecurity.com as a means of vetting a new darkode.com member.

That assault was part of the initiation process for “Abscond,” a hacker who was seeking admittance to darkode.com and who’d claimed his specialty was providing DDoS services. To prove his firepower, Abscond was told to knock one of three sites offline: Darkode.com, krebsonsecurity.com, or xylibox.com (the blog for a French security researcher who goes by the pseudonym “Xylitol”). The conversation below took place between Off-sho.re and Abscond after the latter’s botnet failed to bring down Darkode.com.

[00:01:51] <Off-sho.re> You can try on DK enemy sites as well, that will give you my vouch as well
[00:01:56] <abscond@jabber.org> ok
[00:01:58] <abscond@jabber.org> ill try that
[00:02:04] <abscond@jabber.org> let me try attack first
[00:02:09] <Off-sho.re> Ok.
[00:02:10] <abscond@jabber.org> and a few mins for bots to come back
[00:02:14] <abscond@jabber.org> so im at full power
[00:04:26] <abscond@jabber.org> whats the enemy site?
[00:04:33] <Off-sho.re> there are 2, choose any
[00:04:40] <Off-sho.re> krebsonsecurity.com, xylibox.com
[00:04:47] <abscond@jabber.org> haha
[00:04:49] <abscond@jabber.org> krebs
[00:04:50] <abscond@jabber.org>
[00:04:52] <abscond@jabber.org> fkin fagt
[00:05:10] <Off-sho.re> Krebs is on Prolexic
[00:05:15] <abscond@jabber.org> ok.
[00:05:53] <abscond@jabber.org> darkode got some good ddos protection
[00:08:26] <abscond@jabber.org> krebs down?
[00:08:30] <Off-sho.re> Checking
[00:10:13] <Off-sho.re> Krebs is down, well done this time

“I confirm that Abscond can provide DDoS services,” Off-sho.re wrote to the darkode community.

Asked about the incident in a private chat via Jabber, Off-sho.re said the attack on my site was just a “stress test”.

“Regarding the site stress test – nothing personal,” Off-sho.re wrote.

By the way, “stress testing” is the new euphemism for launching DDoS attacks. If you aren’t yet familiar with this term as it relates to online attacks, see DDoS Services Advertise Openly, Take PayPal, and Ragebooter: ‘Legit’ DDoS Service, or Fed Backdoor?

Off-sho.re’s attitudes about ownership and what’s legal and acceptable online seems common in denizens of groups like Stophaus and other grey- and black-hat hacking collectives: that if something can be done then it is must be legal, allowable and otherwise okay. The governing mantra of these folks seems to be, “what’s-mine-is-mine and what’s-your-is-mine, too.”

If you notice that a process is running in the unlabeled_t domain, the first question to ask is how it got there.

Well, one way is to have a process running in a known domain, like screen_t, after which the SELinux policy module that provides this domain is removed from the system (or updated and the update does not contain the screen_t definition anymore):

test ~ # ps -eZ | grep screen
root:sysadm_r:sysadm_screen_t    5047 ?        00:00:00 screen
test ~ # semodule -r screen
test ~ # ps -eZ | grep screen
system_u:object_r:unlabeled_t    5047 ?        00:00:00 screen

In permissive mode, this will be visible easily; in enforcing mode, the domains you are running in might not be allowed to do anything with unlabeled_t files, directories and processes, so ps might not show it even though it still exists:

test audit # ps -eZ | grep 5047
test audit # ls -dZ /proc/5047
ls: cannot access /proc/5047: Permission denied
test audit # tail audit.log | grep unlabeled
type=AVC msg=audit(1368698097.494:27806): avc:  denied  { getattr } for  pid=4137 comm="bash" path="/proc/5047" dev="proc" ino=6677 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir

Notice that, if you reload the module, the process becomes visible again. That is because the process context itself (screen_t) is retained, but because the policy doesn’t know it anymore, it shows it as unlabeled_t.

Basically, the moment the policy doesn’t know how a label would be (should be), it uses unlabeled_t. The SELinux policy then defines how this unlabeled_t domain is handled. Processes getting into unlabeled_t is not that common though as there is no supported transition to it. The above one is one way that this still can occur.

Oklahoma hat mal wieder ein Tornado-Problem. Die Verwüstung ist recht stark, und das ist diesmal nicht irgendwo ein Kaff auf dem Land sondern ein Stadtteil von Oklahoma City. Es gibt auch ein Video. Nichts für schwache Nerven.

Die olympischen Spiele in Brasilien werden mit Robotern aus den USA, Drohnen aus Israel, Raketen aus Russland und Panzern aus Deutschland gesichert. Was erwarten die da wohl? Eine Invasion von Außerirdischen?

So schön wie die FAZ hier hat lange niemand mehr Berlin gebasht. Und erfreulicherweise mit Fakten. Wie man so schön sagt: "Never offend someone with style when you can offend them with substance".

Die AP-Geschichte war nur die Spitze des Eisbergs. Der Krieg gegen Journalismus und unabhängige Berichterstattung der Obama-Junta geht noch deutlich weiter. Am härtesten betroffen ist ironischerweise jemand von Fox News, die man ja generell eher nicht so mit Journalismus assoziieren würde.

The FBI tracked Rosen's movements in and out of the State Department, traced the timing of his calls, and - most amazingly - obtained a search warrant to read two days worth of his emails, as well as all of his emails with Kim.

Und es geht hier nicht mal um Geheimnisverrat, denn die verratenen Informationen sind, dass die USA glauben, Nordkorea würde auf weitere UN-Sanktionen mit mehr Atomtests reagieren. Das war 2009.

Kurzer Hinweis am Rande: Obama hat bisher doppelt so viele Whistleblower verfolgt als alle seine Vorgänger zusammen.

Habt ihr schonmal von Patient Dumping gehört? So nennt man das, wenn ein Krankenhaus Patienten in einen Bus packt und außer Landes fährt und dann hinter der Grenze auf die Straße schmeißt. In diesem Fall war es eine Psychiatrie in Las Vegas, die offenbar seit Jahren systematisch verwirrte Patienten in Kalifornien dumpt. Die Staatsanwaltschaft in Kalifornien ermittelt jetzt. Und es handelt sich nicht um irgendeine Hinterhofklitsche!

Multiple agencies, including the Los Angeles city attorney's office, are investigating whether Rawson-Neal Psychiatric Hospital in Las Vegas, Nevada's primary public mental health facility, has been systematically dumping patients across state lines for years.

Und kaum guckt man bei sowas mal nach, blubbern da Fäkalien hoch, dass es einem den Atem verschlägt.

A Bee investigation found that the hospital had bused roughly 1,500 psychiatric patients to cities across the nation over the past five years, a third of them to California. By policy, those patients were put on buses alone, with one-way tickets out of town, a small supply of medication and several bottles of Ensure nutritional supplement for the journey.

Das war da so Policy! Da hat nicht ein Arzt durchgedreht, das war Krankenhaus-Policy!

Die Uni Graz muss einem Ex-Studenten Schadenersatz zahlen, weil sie zu wenig Plätze in Lehrveranstaltungen zur Verfügung gestellt hat. Das hat der Oberste Gerichtshof Österreichs entschieden.

Darauf hat die Welt gewartet: IBM schiebt COBOL in die Cloud!

Today, nearly 15 percent of all new enterprise application functionality is written in COBOL. [...] With more than 200 billion lines of COBOL code being used across industries such as banking, insurance, retail and human resources [...]

*grusel*

Weil die Frontex-Überwachungstechnologie so gut geworden ist, kommen die Afrikaner jetzt per Schlauchboot. Leider findet sie dann auch die Seenotrettung nicht mehr.

Mal ein kleiner Realitätsabgleich: Was Videoüberwachungssysteme so an Auswerte-Funktionen mitbringen.

Next up: Empfangen von Temperatur- und Luftfeuchtigkeitsdaten. Ich hab mir erstmal den WDE und zwei Sensoren bestellt. Vielleicht wird das später noch erweitert.

Foto von einem Blick durch Google Glass. Das werden vermutlich nur die älteren Semester verstehen. Den anderen empfehle ich They Live zu gucken. In Deutschland lief der unter "Sie leben!" im Kino.

Der Joke ist natürlich falsch herum, das müsst ihr mir nicht alle schreiben jetzt. Google Glass müsste eher anders herum diese Botschaften versteckt einblenden als sie sichtbar machen.

Julian Assange hat GCHQ in der Pinkelpause erwischt und per Informationsfreiheitsantrag interne Instant Messages gekriegt, in denen u.a. einer zum Schluss kommt, dass die Anklage aus Schweden vorgeschoben ist, um ihn aus England extrahiert zu kriegen.

Yahoo kauft Tumblr für 1,1 Milliarden Dollar in Cash. Die Acquisition selbst find ich uninteressant, aber dass sie bar zahlen und nicht in Aktien, das ist — insbesondere bei so einer Größenordnung — unüblich. Was da wohl passiert ist? Das fragt man üblicherweise an, als zu kaufende Firma, und der Käufer lacht dann einmal herzlich und gibt einem Aktien. Zumindest den Löwenanteil. Und dann vereinbart man Stillschweigen. Yahoo steht offensichtlich mit dem Rücken zur Wand und weiß es.

For internal communication between guests on my workstation, I use IPv6 which is set up using the Router Advertisement “feature” of IPv6. The tools I use are dnsmasq for DNS/DHCP and router advertisement support, and dhcpcd as client. It might be a total mess (grew almost organically until it worked), but as far as I’m concerned, it is working… and that is all that matters (for now). I’ll have to look deeper into the IPv6 stuff to understand it all better though.

On the client side, dhcpcd is ran with the following options:

dhcpcd_eth0="-t 5 -L --ipv6ra_own"

I had to enable --ipv6ra_own to get it to obtain its global address, otherwise it only got its link local one (fe80:: something). I also added a hook into /lib/dhcpcd/dhcpcd-hooks to get it to trigger a hostname update for IPv6.

$ cat 28-set-ip6-address 
if $ifup; then export new_ip_address=${ra1_prefix%%/64}; fi

SELinux-policy wise, I had to enable dhcpc_t to write to the hostname proc file and set the system hostname. The first one (21) is needed because of the --ipv6ra_own parameter.

# selocal -l | grep dhcpc_t
21: allow dhcpc_t self:rawip_socket create_socket_perms; # dhcpclient
22: kernel_rw_kernel_sysctl(dhcpc_t) # set hostname
23: allow dhcpc_t self:capability sys_admin; # set hostname

Finally, in /etc/dhcpcd.conf, I removed the nohook lookup-hostname and set the force_hostname one:

#nohook lookup-hostname
env force_hostname=YES

On the server side, I use the following configuration of dnsmasq (snippet):

dhcp-range=2001:db8:81:e2::,ra-only
enable-ra
dhcp-option=option6:dns-server,[2001:db8:81:e2::26b5:365b:5072]

As you can see, I use the documentation prefix for now (since it is meant for internal communication only, and makes it easier to copy/paste into documentation ;-) but when I am going to use full IPv6 access to the Internet, this prefix will of course change.

Finally, I enabled IPv6 forwarding on the tap0 interface because otherwise I continuously got the following messages on the clients:

May 12 18:43:07 test dhcpcd[3869]: eth0: adding default route via fe80::d848:19ff:fe0d:55c2
May 12 18:43:07 test dhcpcd[3869]: eth0: fe80::d848:19ff:fe0d:55c2 is no longer a router
May 12 18:43:07 test dhcpcd[3869]: eth0: deleting default route via fe80::d848:19ff:fe0d:55c2
May 12 18:43:13 test dhcpcd[3869]: eth0: fe80::d848:19ff:fe0d:55c2 is unreachable, expiring it

To enable IPv6 forwarding, you can use sysctl but I added it in the script that sets up the tap0 interface:

tunctl -b -u swift -t tap0
ifconfig tap0 add 2001:db8:81:e2::26b5:365b:5072/64
vde_switch --numports 16 --mod 777 --group users --tap tap0 -d
echo 1 > /proc/sys/net/ipv6/conf/tap0/forwarding

Google schmeißt XMPP raus. Zumindest die Federation ist mit dem Übergang von Talk zu Hangout weg. Wer einen Jabber-Account außerhalb von Google hat, kann darüber nicht mehr mit Google-Hangout-Usern reden.

Ich sehe das in einer Reihe mit RSS und CalDAV und frage mich, was als nächstes ins Gras beißt. SMTP vielleicht? Bei HTTP haben sie ja auch schon einen Gegenstandard, SPDY.

Man kann sagen, dass Google damit Facebook in Bösartigkeit überholt hat, denn deren Chat-User kann man noch per XMPP erreichen.

Das ist schon ein faszinierender kleiner Computer. Kaum größer als eine Zigarettenschachtel und so vielseitig. Gestern und heute eingerichtet und jetzt läuft er ohne viel Strom zu brauchen, geschweige denn Lärm zu machen.

Ich habe Raspbian installiert und das ganze ein wenig optimiert. Der Turbo Mode lief nicht stabil, ich wage einen weiteren Versuch wenn die Kühlkörper da sind. Außerdem läuft statt des Apache ein Nginx, das genügt mir um die paar Seiten statisch auszuliefern: Der Hauptzweck der kleinen Kiste ist Monitoring verschiedener Server mit Smokeping und Munin.

Hier mein Einkaufszettel:

• Raspberry Pi
• Netzteil
• Gehäuse
• WLAN-Adapter
• SD-Karte

Vielleicht fällt mir in Zukunft noch mehr ein…

This is about playing around with the Openbox package installed on top of my Xubuntu 13.04 installation. I like Openbox a lot and after using and liking xfce4 in the last few days a lot, some things don’t work as I would like them to.

As you’ve read in my previous posts, I’m a bit paranoid about tearing. I simply hate this! So here’s a quick way to get your Openbox running smoothly with transparency and no tearing.

This is for the Intel graphics, I guess the first part is NOT needed for nVidia or AMD drivers – just make sure they load with an enabled compsite extension.

We need to add a new file for Xorg:

# mkdir /etc/X11/xorg.conf.d
# vi /etc/X11/xorg.conf.d/20-intel.conf

Now paste the following lines into this file:

Section "Device"
	Identifier	"Intel Graphics"
	Driver		"intel"
	Option		"AccelMethod"	"sna"
	Option		"TearFree"	"true"
EndSection

Reboot your system (yes, seriously – believe me, that’s the fastest way ).

Back in Openbox, we want to install and run xcompmgr which is similar to compiz (and compiz does NOT work with Openbox):

# apt-get install xcompmgr transsset

Logout/login as your regular user and run:

$ xcompmgr -l 0.5 -t 0.5 -o 0.5 -r 2 -c &
$ transset 1

The first command enables the compmgr with some predefined settings. The second one creates a cross – click on your terminal (I recommend using terminator).

Now, open another terminal and configure it to run transparent (right click -> settings -> profiles -> background -> hit “transparent background” -> for this test, I recommend to move the slider to 0.6).

This should give you a nice transparent window. Tearing (like in scrolling in your browser quickly should also disappear).

Of course, this is a test-setup, you should put the xcompmgr lines into a autostart script, but more on this later

More and more, I feel home on Linux on the desktop. In the past I always said that Linux is fantastic – for a server, but not for a desktop. Seems like I simply was not open minded enough. For my photo editing (RAW) I use the great tool Darktable, which has some similarities with Adobe’s Lightroom. It’s a great tool, even if it’s far from perfect – like Lightroom and Aperture – that’s why they get updates.

Now that Xubuntu 13.04 works fine on my triple-head workstation, I wanted to run it on the ThinkPad T530 as well. Oh boy! This wasn’t as easy as expected, but not because of missing drivers (what I first thought that this was the reason. No. The reason were simply some compiz settings and packages missing. I found a tutorial that was written for Xubuntu 12.10, but it works fantastic on 13.04, too.

The problems I had were: not working compiz and a lot of tearing when moving windows. I for sure wanted to solve this after having so much success with enabling composite on the workstation previously

The tutorial (or how to) can be found over on webupd8 and explains very well how to get it working. Even though, I have 2 parts who are not working with 13.04.

1. I couldn’t find the keys in the gconf-editor
2. I couldn’t set the border theme from the windows-management in the main settings, because it simply stopped launching

No problem as there are other tools to use like the gnome-tweak-tool that you can install quickly:

$ sudo apt-get install gnome-tweak-tool

and then run with a simple

$ gnome-tweak-tool

It will drive you nuts if compiz disables previously activated plugins. I have/had this problem with Xubuntu 13.04 on the ThinkPad – it always “forgot” to enable the application switched (alt+tab). Here’s how to fix this issue.

First, install the following package:

$ sudo apt-get install compizconfig-backend-gconf

Next, go your compiz-settings and set under options: “GSettings Configuration Backend”.

Also be sure, that the “active desktop integration” is enabled.

I would also recommend to reload compiz, go to your terminal and run:

$ compiz --replace &

Okay so now it’s over a month I’ve been staying in Dublin, it’s actually over a month I’m at my new job, and it is shaping up as a very good new experience for me. But even more than the job, the new experiences come with having an apartment. Last year I was leaving within the office where I was working, and before that I’ve been living with my mother, so finally having a place of mine is a new world entirely. Well, I’ll admit it: only partially.

Even though I’ve been living with my mother, like the stereotype of Italian guys suggests, it’s not like I’ve bee a parasite. Indeed, I’ve been paying all the bills for the past four years, and still I’m paying them from here. I’ve also been doing my share of grocery shopping, cleaning and maintenance tasks, but at least I did avoid the washing machine most of the time. So yeah, it wasn’t a complete revolution for my life, but it was a partial one. So right now I do feel slightly worse for wear, especially because I had a very bad experience with the kitchen, which was not cleaned before I moved in.

Thankfully, Ikea exists everywhere. And their plastic mats for drawers and cabinets are a lifesaver. Too bad I already finished the roll and I’ve not completed half the kitchen yet. I think I’ll go back to Ikea in two weeks (not next week because my sister’s visiting). With this time I bought the same identical lamp three times. Originally in Italy, then again in Los Angeles, and now in Dublin — only difference is that the American version has a loop to be able to orient it, probably because health and safety does not require having enough common sense as to not touch the hot cone…

The end line is that I’m very happy about having moved to Dublin. I love the place, and I love the people. My new job is also quite interesting, even if not as open-source focused as my previous ones (which does not mean it is completely out of the way of open source anyway), and the colleagues are terrific… hey some even read my blog before, thanks guys!

While settling down took most of my time and left me no time to do real Gentoo contributions or blogging (luckily Sven seems to have taken my place on Planet Gentoo), things are getting much better (among others I finally have a desk in the apartment, and tomorrow I’m going to get a TV as well, which I know will boost my ability to keep the house clean — because it won’t require me to stick to the monitor to watch something). So expect more presence from me soon enough!

While writing up the posts on capabilities, one thing I had in my mind was to give some additional information on frequently occurring denials, such as the dac_override and dac_read_search capabilities, and when they are triggered. For the DAC-related capabilities, policy developers often notice that these capabilities are triggered without a real need for them. So in the majority of cases, the policy developer wants to disable auditing of this:

dontaudit <somedomain> self:capability { dac_read_search dac_override };

When applications wants to search through directories not owned by the user as which the application runs, both capabilities will be checked – first the dac_read_search one and, if that is denied (it will be audited though) then dac_override is checked. If that one is denied as well, it too will be audited. That is why many developers automatically dontaudit both capability calls if the application itself doesn’t really need the permission.

Let’s say you allow this because the application needs it. But then another issue comes up when the application checks file attributes or access permissions (which is a second occurring denial that developers come across with). Such applications use access() or faccessat() to get information about files, but other than that don’t do anything with the files. When this occurs and the domain does not have read, write or execute permissions on the target, then the denial is shown even when the application doesn’t really read, write or execute the file.

#include <stdio.h>
#include <unistd.h>

int main(int argc, char ** argv) {
  printf("%s: Exists (%d), Readable (%d), Writeable (%d), Executable (%d)\n", argv[1],
    access(argv[1], F_OK), access(argv[1], R_OK),
    access(argv[1], W_OK), access(argv[1], X_OK));
}

$ check /var/lib/logrotate.status
/var/lib/logrotate.status: Exists (0), Readable (-1), Writeable (-1), Executable (-1)

$ tail -1 /var/log/audit.log
...
type=AVC msg=audit(1367400559.273:5224): avc:  denied  { read } for  pid=12270 comm="test" name="logrotate.status" dev="dm-3" ino=2849 scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:logrotate_var_lib_t tclass=file

This gives the impression that the application is doing nasty stuff, even when it is merely checking permissions. One way would be to dontaudit read as well, but if the application does the check against several files of various types, that might mean you need to include dontaudit statements for various domains. That by itself isn’t wrong, but perhaps you do not want to audit such checks but do want to audit real read attempts. This is what the audit_access permission is for.

The audit_access permission is meant to be used only for dontaudit statements: it has no effect on the security of the system itself, so using it in allow statements has no effect. The purpose of the permission is to allow policy developers to not audit access checks without really dontauditing other, possibly malicious, attempts. In other words, checking the access can be dontaudited while actually attempting to use the access (reading, writing or executing the file) will still result in the proper denial.

Habt ihr euch auch mal gefragt, wieso eigentlich so viele Leute in den USA im Knast sitzen? Hier hat das mal jemand einen Großinvestor von CCA gefragt (CCA ist die Corrections Corporation of America, die betreiben Gefängnisse). Die Antwort ist episch:

“America is the freest country in the world,” he told me. “America allows more freedom than any other country in the world, much more than Russia and a whole lot more than Scandinavia, where they really aren’t free. So offering all this freedom to society, there’ll be a certain number of people, more in this country than elsewhere, who take advantage of that freedom, abuse it, and end up in prison. That happens because we are so free in this country.”

Der Inbegriff der Freiheit — wenn man mal von den ganzen Inhaftierten absieht.

Recently I have been experiencing a strange with an installation of the Community Edition of Zimbra Collaboration Server 8: Although all services were running, no e-mails were delivered. In the log file /var/log/zimbra.log I found messages like "zimbra amavis[9323]: (09323-01) (!!)TROUBLE in process_request: connect_to_ldap: unable to connect at (eval 111) line 152.".

The strange things about this was, that the OpenLDAP daemon (slapd) was running and answering requests. After restarting Zimbra (/etc/init.d/zimbra restart), the problem disappeared, however it reappeared after the next reboot.

After some time I figured out, that - right after the reboot - slapd was only listening on an IPv4 socket, not on an IPv6 socket. After restarting the OpenLDAP server (ldap stop && ldap start as user zimbra), the problem disappeared again and netstat showed that now slapd was also listening on the IPv6 socket.

In the end I could not figure out, why the OpenLDAP daemon would only listen on IPv4 when started during system boot but would listen on both IPv4 and IPv6 when started later. I was suspecting some problem with name resolution in the early boot process (although both the IPv4 and the IPv6 address were listed in /etc/hosts).

However, I found a work-around for the problem: By setting the local configuration option ldap_bind_url to ldap:/// (zmlocalconfig -e ldap_bind_url=ldap:///) , I could configure OpenLDAP to listen on all local interfaces, which apparently fixed the problem.

To work on SELinux policies, I use a couple of functions that I can call on the shell (command line): seshowif, sefindif, seshowdef and sefinddef. The idea behind the methods is that I want to search (find) for an interface (if) or definition (def) that contains a particular method or call. Or, if I know what the interface or definition is, I want to see it (show).

For instance, to find the name of the interface that allows us to define file transitions from the postfix_etc_t label:

$ sefindif filetrans.*postfix_etc
contrib/postfix.if: interface(`postfix_config_filetrans',`
contrib/postfix.if:     filetrans_pattern($1, postfix_etc_t, $2, $3, $4)

Or to show the content of the corenet_tcp_bind_http_port interface:

$ seshowif corenet_tcp_bind_http_port
interface(`corenet_tcp_bind_http_port',`
        gen_require(`
                type http_port_t;
        ')

        allow $1 http_port_t:tcp_socket name_bind;
        allow $1 self:capability net_bind_service;
')

For the definitions, this is quite similar:

$ sefinddef socket.*create
obj_perm_sets.spt:define(`create_socket_perms', `{ create rw_socket_perms }')
obj_perm_sets.spt:define(`create_stream_socket_perms', `{ create_socket_perms listen accept }')
obj_perm_sets.spt:define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
obj_perm_sets.spt:define(`create_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
obj_perm_sets.spt:define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
obj_perm_sets.spt:define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }')
obj_perm_sets.spt:define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')

$ seshowdef manage_files_pattern
define(`manage_files_pattern',`
        allow $1 $2:dir rw_dir_perms;
        allow $1 $3:file manage_file_perms;
')

I have these defined in my ~/.bashrc (they are simple functions) and are used on a daily basis here ;-) If you want to learn a bit more on developing SELinux policies for Gentoo, make sure you read the Gentoo Hardened SELinux Development guide.

Der Bundestag hat die Honorare und Gebühren für Anwälte um 12% erhöht. Bei Notaren sogar um bis zu 20%.

50% der Regierungsmitglieder sind Volljuristen. Auch unter den Abgeordneten sind Juristen deutlich überproportional vertreten.

Also in UNSEREM Stromnetz, da sind ja Totalausfälle wie in Amerika VÖLLIG undenkbar. Außer ein Multicast-Paket verirrt sich ins falsche Netz. Dann bricht alles zusammen. Aber hey, Multicast-Routing is hard. Let's go shopping!

GEMA-Flurschaden der Woche: Projekt stellt Klaviere in München auf, auf denen Passanten frei klimpern dürfen. Finanziert u.a. vom Kulturreferat der Stadt. Und was passiert?

Sie forderte die Bezahlung einer Mindestpauschale pro Klavier und Tag. Ursprünglich wäre damit eine Summe zusammengekommen, die einschließlich 7 Prozent Mehrwertsteuer nicht allzuweit von der 5.000 Euro Marke entfernt war.

Im Übrigen bin ich der Meinung, dass wir die GEMA zerschlagen müssen.

Update aus dem bayerischen Landtag:

Nachdem im Jahre 1999 Bayern als letztes Bundesland ein Verbot der Beschäftigung enger Familienangehöriger bei Landtagsabgeordneten diskutierte, das dann 2000 mit einer Ausnahmeregelung für "Altfälle" beschlossen wurde, haben schnell noch 34 Abgeordnete Familienangehörige eingestellt.

Keine weiteren Fragen.

Die Magneten in Apples Geräten können implantierte Defibrilatoren deaktivieren, wenn z.B. ein Herzpatient mit einem Ipad auf der Brust einschläft.

Falls irgendjemand Illusionen hatte bezüglich Steinbrücks "Expertenteam": Steinbrücks Netzpolitik-Expertin spricht sich für eine Frauenquote in Talkshows aus.

Das klärt dann wohl auch die Frage, wie sie auf ihre aktuelle Position gekommen ist.

Update: Auch ihre Position zur Vorratsdatenspeicherung lässt keine Fragen offen:

Eine generelle Vorratsdatenspeicherung ist kritisch - Ausnahmen kann es nur bei schwersten Straftaten und nach rechtsstaatlichen Grundsätzen geben.

Und DIE ist da jetzt für NETZPOLITIK zuständig! Au weia.

Florida führt ein "mein Nachbar ist ein Terrorist!1!!"-Denunziationssystem ein. Was kann da schon schiefgehen.

SIS II wird teurer. Also DAMIT konnte ja wohl NIEMAND rechnen!1!!

Endlich kümmert sich mal jemand: EU verbannt Olivenölkännchen von den Tischen in Restaurants. Stattdessen sollen da jetzt nicht nachfüllbare und versiegelde Flaschen stehen. Begründung: damit man die Labels lesen kann.

Lange sah ich nichts mehr, wo so offensichtlich Regulierungsbedarf bestand!1!! Aber die Telekom darf drosseln, nee klar.

There has been a few posts already on the local Linux kernel privilege escalation, which has received the CVE-2013-2094 ID. arstechnica has a write-up with links to good resources on the Internet, but I definitely want to point readers to the explanation that Brad Spengler made on the vulnerability.

In short, the vulnerability is an out-of-bound access to an array within the Linux perf code (which is a performance measuring subsystem enabled when CONFIG_PERF_EVENTS is enabled). This subsystem is often enabled as it offers a wide range of performance measurement techniques (see its wiki for more information). You can check on your own system through the kernel configuration (zgrep CONFIG_PERF_EVENTS /proc/config.gz if you have the latter pseudo-file available – it is made available through CONFIG_IKCONFIG_PROC).

The public exploit maps memory in userland, fills it with known data, then triggers an out-of-bound decrement that tricks the kernel into decrementing this data (mapped in userland). By looking at where the decrement occurred, the exploit now knows the base address of the array. Next, it targets (through the same vulnerability) the IDT base (Interrupt Descriptor Table) and targets the overflow interrupt vector. It increments the top part of the address that the vector points to (which is 0xffffffff, becoming 0×00000000 thus pointing to the userland), maps this memory region itself with shellcode, and then triggers the overflow. The shell code used in the public exploit modifies the credentials of the current task, sets uid/gid with root and gives full capabilities, and then executes a shell.

As Brad mentions, UDEREF (an option in a grSecurity enabled kernel) should mitigate the attempt to get to the userland. On my system, the exploit fails with the following (start of) oops (without affecting the system further) when it tries to close the file descriptor returned from the syscall that invokes the decrement:

[ 1926.226678] PAX: please report this to pageexec@freemail.hu
[ 1926.227019] BUG: unable to handle kernel paging request at 0000000381f5815c
[ 1926.227019] IP: [] sw_perf_event_destroy+0x1a/0xa0
[ 1926.227019] PGD 58a7c000 
[ 1926.227019] Thread overran stack, or stack corrupted
[ 1926.227019] Oops: 0002 [#4] PREEMPT SMP 
[ 1926.227019] Modules linked in: libcrc32c
[ 1926.227019] CPU 0 
[ 1926.227019] Pid: 4267, comm: test Tainted: G      D      3.8.7-hardened #1 Bochs Bochs
[ 1926.227019] RIP: 0010:[]  [] sw_perf_event_destroy+0x1a/0xa0
[ 1926.227019] RSP: 0018:ffff880058a03e08  EFLAGS: 00010246
...

The exploit also finds that the decrement didn’t succeed:

test: semtex.c:76: main: Assertion 'i<0x0100000000/4' failed.

A second mitigation is that KERNEXEC (also offered through grSecurity) which prevents the kernel from executing data that is writable (including userland data). So modifying the IDT would be mitigated as well.

Another important mitigation is TPE – Trusted Path Execution. This feature prevents the execution of binaries that are not located in a root-owned directory and owned by a trusted group (which on my system is 10 = wheel). So users attempting to execute such code will fail with a Permission denied error, and the following is shown in the logs:

[ 3152.165780] grsec: denied untrusted exec (due to not being in trusted group and file in non-root-owned directory) of /home/user/test by /home/user/test[bash:4382] uid/euid:1000/1000 gid/egid:100/100, parent /bin/bash[bash:4352] uid/euid:1000/1000 gid/egid:100/100

However, even though a nicely hardened system should be fairly immune against the currently circling public exploit, it should be noted that it is not immune against the vulnerability itself. The methods above mentioned make it so that that particular way of gaining root access is not possible, but it still allows an attacker to decrement and increment memory in specific locations so other exploits might be found to modify the system.

Now out-of-bound vulnerabilities are not new. Recently (february this year), a vulnerability in the networking code also provided an attack vector to get a local privilege escalation. A mandatory access control system like SELinux has little impact on such vulnerabilities if you allow users to execute their own code. Even confined users can modify the exploit to disable SELinux (since the shell code is ran with ring0 privileges it can access and modify the SELinux state information in the kernel).

Many thanks to Brad for the excellent write-up, and to the Gentoo Hardened team for providing the grSecurity PaX/TPE protections in its hardened-sources kernel.

Der Frachter im Hamburger Hafen, der am 1. Mai in Flammen stand, hatte radioaktives Material geladen. Uranhexafluorid. Fast 9 Tonnen davon. Oh und 3,8 Tonnen Munition. Und 500 Meter davon entfernt fand der Eröffnungsgottesdienst des Kirchentages statt.

We got back together on the #gentoo-hardened chat channel to discuss the progress of Gentoo Hardened, so it’s time for another write-up of what was said.

Toolchain

GCC 4.8.1 will be out soon, although nothing major has occurred with it since the last meeting. There is a plugin header install problem in 4.8 and its not certain that the (trivial) fix is in 4.8.1, but it certainly is inside Gentoo’s release.

Blueness is also (still, and hopefully for a long time ;-) maintaining the uclibc hardened related toolchain aspects.

Kernel and grSecurity/PaX

The further progress on the XATTR_PAX migration was put on a lower level the past few weeks due to busy, busy… very busy weeks (but this was announced and known in advance). We still need to do XATTR copying in install for packages that do pax markings before src_install() and include the user.pax XATTR patch in the gentoo-sources kernel. This will silence the errors for non-hardened users and fix the loss of XATTR markings for those packages that do pax-mark before install.

The set then needs to be documented further and tested on vanilla and hardened systems.

Zorry asked if a separate script can be provided for those ebuilds that directly call paxctl. These ebuilds might want to switch to the eclass, but if they need to call paxctl or similar directly (for instance because the result is immediately used for further building), a separate script or tool should be made available. Blueness will look into this.

On hardened-sources, we are now with stable 2.6.32-r160, 3.2.42-r1 and 3.8.6 due to some vulnerabilities in earlier versions (in networking code). There is still some bug (nfs-related) that is fixed in 3.2.44 so that part might need a bump as well soon.

SELinux

The selocal command is now available for Gentoo SELinux users, allowing them to easily enhance the policy without having to maintain their own SELinux policy modules (the script is a wrapper that does all that).

The setools package now also uses the SLOT’ed swig, so no more dependency breakage.

On SELinux userspace and policy, both have seen a new release last month, and both are already in the Gentoo portage tree.

Finally, the SELinux policy ebuilds now also call epatch_user so users can customize the policies even further without having to copy ebuilds to their overlay.

Now that tar supports XATTR well, we might want to look into SELinux stages again. Jmbsvicetto did some work on that, but the builds failed during stage1. We’ll look into that later.

Integrity

Nothing much to say, we’re waiting a bit until the patches proposed by the IMA team are merged in the main kernel.

Profiles

Two no-multilib fixes have been applied to the hardened/amd64/no-multilib profiles. One was a QA issue and quickly resolved, the other is due to the profile stacking within Gentoo profiles, where we missed a profile and thus were missing a few masks defined in that (missed) profile. But including the profile creates a lot of duplicates again, so we are going to copy the masks across until the duplicates are resolved in the other profiles.

Blueness will also clean up the experimental 13.0 directory since all hardened profiles now follow 13.0.

Docs

The latest changes on SELinux have been added to the Gentoo SELinux handbook. Also, I’ve been slowly (but surely) adding topics to the SELinux tutorials listing on the Gentoo wiki.

The grSecurity 2 document is very much out of date, blueness hopes to put some time in fixing that soon.

So that’s about it for the short write-up. Zorry will surely post the log later on the appropriate channels. Good work done (again) by all team members!

On Monday, I profiled asylumbooter.com, one of several increasingly public DDoS-for-hire services posing as Web site “stress testing” services. Today, we’ll look at ragebooter.net, yet another attack service except for one secret feature which sets it apart from the competition: According the site’s proprietor, ragebooter.net includes a hidden backdoor that lets the FBI monitor customer activity.

This bizarre story began about a week ago, when I first started trying to learn who was responsible for running RageBooter. In late March, someone hacked and leaked the users table for ragebooter.net. The database showed that the very first user registered on the site picked the username “Justin,” and signed up with the email address “primalpoland@gmail.com.”

That email address is tied to a now-defunct Facebook account for 22-year-old Justin Poland from Memphis, Tenn. Poland’s personal Facebook account used the alias “PRIMALRAGE,” and was connected to a Facebook page for an entity called Rage Productions. Shortly after an interview with KrebsOnSecurity, Poland’s personal Facebook page was deleted, and his name was removed from the Rage Productions page.

Ragebooter.net’s registration records are hidden behind WHOIS privacy protection services. But according to a historic WHOIS lookup at domaintools.com, that veil of secrecy briefly fell away when the site was moved behind Cloudflare.com, a content distribution network that also protects sites against DDoS attacks like the ones Ragebooter and its ilk help to create (as I noted in Monday’s story, some of the biggest targets of booter services are in fact other booter services). For a brief period in Oct. 2012, the WHOIS records showed that ragebooter.net was registered by a Justin Poland in Memphis.

I “friended” Poland on Facebook and said I wanted to interview him. He accepted my request and sent me a chat to ask why I wanted to speak with him. I said I was eager to learn more about his business, and in particular why he thought it was okay to run a DDoS-for-hire service. While we were chatting, I took the liberty of perusing his profile pictures, which included several of a large tattoo he’d had inked across the top of his back — “Primal Rage” in a typeface fashioned after the text used in the Transformers movie series.

“Since it is a public service on a public connection to other public servers this is not illegal,” Poland explained, saying that he’d even consulted with an attorney about the legality of his business. When I asked whether launching reflected DNS attacks was okay, Poland said his service merely took advantage of the default settings of some DNS servers.

“Nor is spoofing the sender address [illegal],” he wrote. “If the root user of the server does not want that used they can simple disable recursive DNS. My service is a legal testing service. How individuals use it is at there [sic] own risk and responsibilitys [sic].  I do not advertise this service anywhere nor do I entice or encourage illegal usage of the product. How the user uses it is at their own risk. I provide logs to any legal law enforcement and keep logs for up to 7 days.”

The conversation got interesting when I asked the logical follow-up question: Had the police or federal authorities ever asked for information about his customers?

That was when Poland dropped the bomb, informing me that he was actually working for the FBI.

“I also work for the FBI on Tuesdays at 1pm in memphis, tn,” Poland wrote. “They allow me to continue this business and have full access. The FBI also use the site so that they can moniter [sic] the activitys [sic] of online users.. They even added a nice IP logger that logs the users IP when they login.”

When I asked Poland to provide more information that I might use to verify his claims that he was working for the FBI, the conversation turned combative, and he informed me that I wasn’t allowed to use any of the information he’d already shared with me. I replied that I hadn’t and wouldn’t agree that any of our discussion was to be off the record, and he in turn promised to sue me if I ran this story. That was more or less the end of that conversation.

As to the relative legality of booter services, I consulted Mark Rasch, a security expert and former attorney for the U.S. Department of Justice. Rasch said companies hire stress testing services all the time, but usually as part of a more inclusive penetration testing engagement. In such engagements, Rasch said, it is common for the parties conducting the tests to insist upon and obtain beforehand a “get out of jail free card,” essentially a notarized letter from the customer stating that the testing firm was hired to break into and otherwise probe the security and stability of the targeted Web site.

“This is also why locksmiths generally force you to show ID that proves your address before they’ll break into a house for you,” Rasch said. “The standard in the security industry is not only to require proof that you own the sites that are going to be shut down or attacked, but also an indemnification provision.”

On Monday, I pinged Mr. Poland once more, again using Facebook’s chat function. I wanted to hear more about his claim that he was working for the feds. To my surprise, he gave me the number of a Memphis man he referred to as his FBI contact, a man Poland said he knew only as “Agent Lies.”

The man who answered at the phone number supplied by Poland declined to verify his name, seemed peeved that I’d called, and demanded to know who gave me his phone number. When I told him that I was referred to him by Mr. Poland, the person on the other end of the line informed me that he was not authorized to to speak with the press directly. He rattled off the name and number of the press officer in the FBI’s Memphis field office, and hung up.

Just minutes after I spoke with “Agent Lies,” Justin dropped me a line to say that he could not be my ‘friend’ any longer. “I have been asked to block you. Have a nice day,” Poland wrote in a Facebook chat, without elaborating. His personal Facebook page disappeared moments later.

Not long after that, I heard back from Joel Siskovic, spokesman for the Memphis FBI field office, who said he could neither confirm nor deny Poland’s claims. Siskovic also declined to verify whether the FBI had an Agent Lies.

“People come forward all the time and make claims they are working with us, and sometimes it’s true and sometimes it’s not,” Siskovic said. “But it wouldn’t be prudent for us to confirm that we have individuals helping us or assisting us, either because they’re being good citizens or because they’re somehow compelled to.”

I tried to imagine a scenario in which someone in Poland’s situation would make up a story like that, or — if the story were true — might be bold enough to brag about it. I went back over some of the screen shots I’d taken from Poland’s Facebook account before it was deleted, and discovered a saddening discussion where Poland says he is depressed because he can’t quit his habit of smoking marijuana incessantly. In one post he admits to spending more than $1,200 a week on pot. I’m not sure if $1,200 worth of weed is even humanly possible for one man to consume on his own in a week and still function, but it would certainly explain his erratic behavior. Anyway, apparently business is good.

I had a lot of help on this research from Brandon Levene and Allison Nixon, two security consultants who have been digging into the booter scene for some time now. Levene and Nixon said they happened on ragebooter.net after a generic search for other booters indicated it was one of the top three results.

“What made things interesting, however, were the top advertisements for this service from a forum poster using the name ‘Primal Rage,’” Levene said. “The contact information across multiple forums included the email Velocitypro@live.com, which tied to a [now-defunct] Facebook page for Velocity Production, and from this page we identified the private Facebook account of the owner, Justin Poland. Further research revealed more forum profiles using the name Primal Rage and another domain, Hybrid-host.com, registered to Justin Poland (polandjd@gmail.com).

Levene said the biggest break in their research came from a fawning post on a slightly less public site – leakforums.org – a forum dedicated to sharing information on, well, leaked forum databases for one thing. In a twist that makes this already odd story even weirder, Primal Rage/Justin says in his application for membership on leakforums.org that he is starting a new company called “Booter Be Gone,” which he said would be all about “leaking booters online and there [sic] databases.”

The short CV he posted to the leakforums application said he had experience as a computer repair technician and “Ddos mitigation specialist.” Translation: Eliminate the competition by leaking their databases, and then sell DDoS mitigation services to businesses besieged by attacks of the sort launched by his booter services. What could go wrong?

“Justin’s cross-contamination of online personas  led me to dig deeper,” Levene said. “Simply by drawing focus he made himself a target. The whole thing with his service being for ‘legitimate stressing’ is silly. Even the news updates from the login panel are discussing ways to target users.”

Nixon said her research on ragebooter.net showed it to be a booter under active development and one that seems to average more than 400 attacks per day.

Oh, and that backdoor Poland claims he added for the FBI? Nixon may have found at least one of them:

“The booter has some information leakage problems too,” Nixon said.  ”The victims can see the ragebooter.net username of the logged in attacker because that info is, bizzarely, sent within attack traffic.”

The real irony of all this? Poland admitted in one of our Facebook chats that his own site was recently breached, leading to the leak of ragerbooter’s user database; the attackers broke into his Skype account, and then rifled through his Skype chats until they found login credentials to his servers. Was it the work of hackers allied with competing booter services? A spurned FBI agent? Or Justin himself? One thing’s for sure: If Poland’s “booter be gone” soon, it is nobody’s fault but his own.

One final note: Services like ragebooter.net would not be nearly as usable or profitable if they were unable to accept payment via PayPal. A Paypal spokesperson declined to comment on this particular booter service, but said the use of its service for DDoS-for-hire sites would violate its terms of use agreement.

“While we cannot share specifics on our customers’ accounts due to our privacy policy, we can confirm that we will review suspicious accounts for malicious activity and work with law enforcement to ensure cyber criminals are reported properly. We take security very seriously at PayPal and we do not condone the use of our site in the sale or dissemination of tools, which have the sole purpose to attack customers and illegally take down web sites.”

Kapitalismus, fuck yeah! Man kann jetzt in Palästina KFC-Fast-Food ordern. Dann kommt ein Schmuggler und bringt das Zeug aus Ägypten durch einen Schmuggeltunnel nach Palästina. Gut, das ist dann möglicherweise schon kalt, weil das wohl so um die vier Stunden dauert mit dem Liefern, aber hey, wollen wir mal die Kirche im Dorf lassen :-)

I admit, I’m a YouTube junkie! I consume a lot of Linux-related videos, PC hardware and a lot of flight-sim or real-flight stuff over there.

As I now have my triple-setup running, I like to have a YouTube video on one of the screens while I work in for example the terminal or on this blog on one of the other windows. By Default, YouTube plays the video fine in fullscreen mode, but always bounces back to windowed mode once you click anywhere else. This is annoying, but here is a quick fix that helps you to go around this issue and enables fullscreen.

This video shows how to: Multi-Screen Flashplayer Fix In Linux

Be careful with ghex! And yes – it works

Israel legalisiert nachträglich vier illegale Siedlungen in der West Bank.

Obama hat den Chef des Finanzamts gefeuert. Da gab es die Tage einen wunderschönen Skandal, weil das Finanzamt angeblich bevorzugt "gemeinnützige" Organisationen aus dem Tea Party-Umfeld genauer geprüft hat. Obama hat darauf ziemlich sofort mit einem großartigen Statement reagiert. Das war 1a Krisenmanagement, wie er da in jedem Nebensatz raushängen ließ, dass das Finanzamt ja unabhängig ist und damit das nicht seine Schuld sei. Tja und jetzt fliegt der zuständige Chef.

Zuerst hatten sie es mit Bauernopfern probiert, die übliche Chain of Command bei Skandalen. Das waren zwei verwirrte Einzeltäter, hieß es.

Ich kann mir ehrlich gesagt nicht vorstellen, dass das unter republikanischen Regierungen nicht exakt genau so läuft, dass vor allem den Democrats nahestehende Gruppierungen auditiert werden.

Habt ihr das auch gehört, das Amazon gar keine Steuern zahlt in Europa, weil sie geschickt ihre Geschäftsstruktur auf Steueroasen verteilt haben? Stimmt gar nicht, Amazon zahlte 3 Millionen Pfund Steuern in England, bei einem Umsatz von 4,2 Milliarden Pfund. Von "gar keine Steuern" kann also überhaupt keine Rede sein!1!!

Die Bahn hat eine Methode gefunden, um die Verspätungen ihrer ICEs zu bekämpfen: ICE-Lokführer "vergisst", in Göttingen zu halten. Das kennt man sonst nur aus Wolfsburg!1!!

On Tuesday evening, I wanted to make a backup of my webserver. As usual I launched gftp and selected the directories I had planned to save to the local fileserver. I was very surprised to see gftp dying. It seems like it has opened a LOT of connections to the server. The download included 25909 files. Imagine your FTP clients tries to download all of them parallel. Bad idea

However, I’ve installed Filezilla, which is a very good client, removed the tree views and set up my connections. The backup finished within 3 hours (I had to backup a lot of data ).

So if you’re looking for an alternative GUI client for Linux, give Filezilla a run.

PS. If you wonder why I had not mounted the FTP via console – I had, but ran into some permission issues because curlftpfs was not (yet) set up correctly.

The past few years have brought a proliferation of online services that can be hired to knock Web sites and individual Internet users offline. Once only found advertised in shadowy underground forums, many of today’s so-called “booter” or “stresser” services are operated by U.S. citizens who openly advertise their services while hiding behind legally dubious disclaimers. Oh, and they nearly all rely on Paypal to receive payments.

Many of these booter sites are based on the same source code, meaning that any vulnerabilities in that code can be used to siphon data from the back-end databases of multiple, competing services. This happened in March to booter.tw, a service that was used to launch a volley of attacks against this blog, among others.

Today we’ll be taking a closer look at another booter service whose customer database was recently leaked: asylumstresser.com (a.k.a. asylumbooter.com/net/us). Like other booter services, asylumstresser.com isn’t designed to take down large Web sites that are accustomed to dealing with massive attacks from Internet extortionists. But these services can and are used to sideline medium-sized sites, although their most common targets are online gaming servers.

Asylum says it deletes records of attacked sites after one month, and the leaked database confirms that. But the database also shows the sheer volume of online attacks that are channeled through these services: Between the week of Mar. 17, 2013 and Mar. 23, 2013, asylumstresser.com was used to launch more than 10,000 online attacks.

According to the leaked database for Asylum, the administrator and first registrant on the site uses the address chandlerdowns1995@gmail.com. That same email address was the beneficiary of more than $35,000 in Paypal payments made by customers of the service. Overall, more than 33,000 user accounts were created on the site.

That chanderdowns1995@gmail.com address also is tied to a Facebook account for a 17-year-old honor roll student named Chandler Downs from suburban Chicago. A reverse WHOIS report (PDF) ordered from domaintools.com shows other interesting sites registered with that same email address.

In a brief interview conducted over Gmail chat, Downs maintained that the service is intended only for “stress testing” one’s own site, not for attacking others. And yet, asylumstresser.com includes a Skype resolver service that lets users locate the Internet address of anyone using Skype. Asylum’s resolver wouldn’t let me look up Downs’ own Skype address — “hugocub1.” But another Skype resolver service shows that that Skype username traces back to a Comcast Internet address outside of Chicago.

Asylumstresser.com also features a youtube.com ad that highlights the service’s ability to “take down your competitors’ servers or Web site.”

“Do you get annoyed all the time because of skids on xBox Live? Do you want to take down your competitors’ servers or Web site?,” reads the site’s ad, apparently recorded by this paid actor at Fiverr.com. “Well, boy, do we have the product for you! Now, with asylumstresser, you can take your enemies offline for just 30 cents for a 10 minute time period. Sounds awesome, right? Well, it gets even better: For only $18 per month, you can have an unlimited number of attacks with an increased boot time. We also offer Skype and tiny chat IP resolvers.”

Downs said he was not the owner of the site – just the administrator. He shrugged off the ad’s message, and said Asylum wasn’t responsible for what customers did with the service.

“You are able to block any of the ‘attacks’ as you say with rather basic networking knowledge,” Downs said. “If you’re unable to do such a thing you probably shouldn’t be running a website in the first place. No one would spend money to stress a site without a reason. If you’re giving someone a reason, that’s your own fault.”

Not so fast, said Mark Rasch, a computer security expert and former U.S. Justice Department attorney.

“If they’ve got their fingers on the trigger and they launch the attacks when they’re paid to, then I would say they’re criminally and civilly liable for it,” Rasch said.

Allison Nixon, a security consultant who recently left a job analyzing attack traffic at Dell SecureWorks, looked at all of the attack methods offered by Aslyum. Nixon said she was disappointed to discover a glitch in the site’s code: No matter which attack method she chose, the booter ran the same attack: A reflected DNS attack, and some weeks later, a UDP flood.

“They promise all these attacks – like Layer 7 attacks, SYN floods, Apache memory exhaustion, and all I ever got was reflected DNS attacks and UDP floods,” Nixon said. ”Booters are written and modified by amateur coders who often don’t know what they are doing, so these sort of bugs are unsurprising.”

Nixon noted that all of the packets incoming from the traffic she ordered to her test machines appeared to have been sent from spoofed IP addresses. However, when she used the “Down or Not?” host checker function on Asylum, the site responded from what appears to be the real Internet address of one of the servers that are used to launch the attacks: 93.114.42.28. She noted that a booter service that appears to be a clone of Asylum – vastresser.ru – is hosted on the same network — at 93.114.41.94.

Asylum, like most other booter services, is hidden behind Cloudflare, a content distribution network that helps sites block attacks that services like Asylum are designed to launch. Apparently, getting attacked is something of an occupational hazard for those running a booter services. Behind the Cloudflare proxy, Nixon found that the secret IP for the Asylum stresser Web frontend was 93.114.42.205.

Both IP addresses map back to Voxility, a hosting facility in Romania that has a solid reputation in the cybercrime underground for providing so-called “bulletproof hosting” services, or those that generally turn a deaf ear to abuse complaints and requests from law enforcement officials. In January 2013, I profiled one data center at this ISP called Powerhost.ro that was being used as the home base of operations for the organized cybercrime gang that is currently facing charges of developing and distributing the Gozi Banking Trojan.

“I think it is outrageous that Paypal processes money for these people,” Nixon said of Asylum. “If law enforcement cared at all, every booter uses Paypal and the owners’ real financial info will be tied up in it.  It would be super easy for the cops to find them and round all of them up.  And if the info is fake, Paypal should be freezing those accounts.”

Update, 8:24 p.m. ET: A Paypal spokesperson sent the following statement in response to this story:

“While we cannot share specifics on our customers’ accounts due to our privacy policy, we can confirm that we will review suspicious accounts for malicious activity and work with law enforcement to ensure cyber criminals are reported properly. We take security very seriously at PayPal and we do not condone the use of our site in the sale or dissemination of tools, which have the sole purpose to attack customers and illegally take down web sites.”

Update, May 16, 12:07 p.m. ET: Downs took rather strong exception to several statements in this story. Principally, he maintains the site is owned by someone else, but he has not supplied any information about that individual other than a commonly-used hacker handle. I thought it made sense to share a few more details about my reporting that led me to believe Downs was running the site, if not also profiting directly from it. Check out this thread from Hackforums.net, where this service is primarily advertised. It shows that the user “Asylum” states that his contact nickname on Skype is “hugocub1,” which as mentioned in the story above traces back to a user in Chicago. But a more important and interesting find comes from Downs’ youtube.com channel (referred to by his gaming profile XBLvirus — one of the nicks listed in the Domaintools report linked above), which features mostly videos of his xBox Live gaming and hacking prowess. In one video, the narrator can be heard stating, “Hey youtube, what’s up, it’s Chandler from darklitstudios.” At around  4:01 in this video, if you pause it just right, you can see Lastpass listing his available stored passwords, including several different accounts using the nickname “hugocub”. Hat tip to Allison Nixon for digging up this additional information.

Neuartige Revolutionsmethoden: Venezuelas Opposition hortet Klopapier, um an die Macht zu kommen. Das sagt jedenfalls der neue venezoelanische Präsident Maduro, und will jetzt 50 Millionen Rollen Klopapier importieren, um das Elend zu mindern. Klingt lächerlich, aber es stimmt schon, dass man Revolutionen am besten auslöst, indem man dafür sorgt, dass die Leute akut unzufrieden sind. Und was eignet sich da besser als kein Klopapier mehr zu haben?

Gefängnisausbruch in Sachsen. Der Ausbrecher gab sich schlicht als sein Zellennachbar aus, dem er anscheinend halbwegs ähnlich sah. Die mussten nur noch ihre Frisuren anpassen.

Die staatliche iranische Nachrichtenagentur PressTV sagt, Israels Angriff auf Syrien habe Atombomben benutzt. Nicht die großen Atombomben, mit denen man eine Stadt wegmacht, sondern die "kleinen", mit denen man die Erde penetriert, um in Bunker reinzukommen.

Erinnert ihr euch an die Sache, dass Den Deal gibt es nicht mehr. Mangels Nachfrage. Da sieht man mal, wie viele Mitglieder der FDP so weggelaufen sind in letzter Zeit.

Samsung hat 94,7% der Profite mit Android-Geräten im 1. Quartal eingefahren. Platz 2 ist LG mit 2,5%.

I’ve said it before – support channels for free software are often (imo) superior to the commercial support that you might get with vendors. And although those vendors often try to use “modern” techniques, I fail to see why the old, but proven/stable methods would be wrong.

Consider the “Chat with Support” feature that many vendors have on their site. Often, these services use a webbrowser, AJAX-driven method for talking with support engineers. The problem with this that I see is that it is difficult to keep track of the feedback you got over time (unless you manually copy/paste the information), and again that it isn’t public. With free software communities, we still often redirect such “online” support requests to IRC.

Internet Relay Chat has been around for ages (1988 according to wikipedia) and still quite active. Gentoo has all of its support channels on the freenode IRC network: a community-driven, active #gentoo channel with often crosses the 1000 users, a #gentoo-dev development-related channel where many developers communicate, the #gentoo-hardened channel for all questions and support regarding Gentoo Hardened specifics, etc.

Using IRC has many advantages. One is that logs can be kept (either individually or by the project itself) that can be queried later by the people who want to provide support (to see if questions have already been popping up, see what the common questions are for the last few days, etc.) or get support (to see if their question was already answered in the past). Of course, these logs can be made public through web interfaces quite easily. For users, such log functionality is offered through the IRC client. Another very simple, yet interesting feature is highlighting: give the set of terms for which you want to be notified (usually through a highlight and a specific notification in the client), making it easier to be on multiple channels without having to constantly follow-up on all discussions.

Another advantage is that there is such a thing like “bots”. Most Gentoo related channels do not allow active bots on the channels except for the project-approved ones (such as willikens). These bots can provide project-specific help to users and developers alike:

• Give one-line information about bugs reported on bugzilla (id, assignee, status, but also the URL where the user/developer can view the bug etc.)
• Give meta information about a package (maintainer, herd, etc.), herd (members), GLSA details, dependency information, etc.
• Allow users to query if a developer is away or not
• Create notes (messages) for users that are not online yet but for which you know they come online later (and know their nickname or registered username)
• Notify when commits are made, or when tweets are sent that match a particular expression, etc.

Furthermore, the IRC protocol has many features that are very interesting to use in free software communities as well. You can still do private chats (when potentially confidential data is exchanged) for instance, or even exchange files (although that is less common to use in free software communities). There is also still some hierarchy in case of abuse (channel operators can remove users from the chat or even ban them for a while) and one can even quiet a channel when for instance online team meetings are held (although using a different channel for that might be an alternative).

IRC also has the advantage that connecting to the IRC channels has a very low requirement (software-wise): one can use console-only chat clients (in case users cannot get their graphical environment to work – example is irssi) or even webbrowser based ones (if one wants to chat from other systems). Even smartphones have good IRC applications, like AndChat for Android.

IRC is also distributed: an IRC network consists of many interconnected servers who pass on all IRC traffic. If one node goes down, users can access a different node and continue. That makes IRC quite high-available. IRC network operators do need to try and keep the network from splitting (“netsplit”) which occurs when one part of the distributed network gets segregated from the other part and thus two “independent” IRC networks are formed. When that occurs, IRC operators will try to join them back as fast as possible. I’m not going to explain the details on this – it suffices to understand that IRC is a distributed manner and thus often much more available than the “support chat” sites that vendors provide.

So although IRC looks archaic, it is a very good match for support channel requirements.

Im Moment wird man ja auf allen Kanälen mit Google-PR bombardiert. Das meiste davon spielt keine weitere Rolle, aber eine Sache fiel mir auf: Die haben eine Nexus-Version vom Galaxy S4 angekündigt. Das ist ein Galaxy S4 — ohne die ganze Crapware, die Samsung da draufgöbelt. Und keiner merkt was.

Wenn andere Leute ein Geschäftsmodell daraus machen, dein Gerät zu verkaufen, aber ohne die ganzen Zugaben, von denen dir deine PR-Flachpfeifen erklärt haben, dass es der Differenzierung im Markt hilft, ... wäre das nicht der perfekte Moment für die Einsicht, dass NIEMAND DIESE GANZE SCHEISSE HABEN WILL, die du deinen Kunden da überhilfst? HTC ist ja genau so. WTF? Niemand will diesen ganzen Müll haben! Und dazu kommt natürlich auch noch das Detail mit "wegen unserer umfangreichen Änderungen gibt es Updates gar nicht oder Monate bis Jahre zu spät". Ganz super, Samsung. Könnt ihr nicht mal jemanden einstellen, der genug Hirnzellen übrig hat, um an der Stelle 1 und 1 zusammenzuzählen?

Und die Entwicklung dieser ganzen nicht entfernbaren Crapware kostet die Firmen jeweils Millionen! Unglaublich. Was für eine Verschwendung von Lebenszeit.

Nach dem jahrelangen FDP-Bashing hier ist es an der Zeit, denen auch mal zu danken. Für all die großartige Arbeit, die diese Partei über die Jahre geleistet hat. In diesem Sinne: Gut gemacht, FDP!

CDUWatch präsentiert Highlights von der Merkel-Grundsatzrede auf der "CDU MediaNight". Popcorn!

Um ihre Verhandlungsposition bei den Verhandlungen mit Japan über die Senkaku-Inselgruppe zu stärken, fängt China jetzt an, Japans Ansprüche auf Okinawa zu hinterfragen. Hat aber wohl nicht funktioniert.

This is just a quick update on how I set up my AMD Radeon HD6850 on my 3x 24″ screens with an enabled composite extension.

Yes, I’ve got my 3rd 24″ display back on my desk, so I now have my good old 3x 24″ wall in front of me. Yey!

I already had installed the fglrx and the fglrx-updates, which includes amdcccle.

First, I had set Xubuntu up with 3 separate Xinerama screens, but I couldn’t get the composite extension to work. This is just a feature that I like, but I wanted to have that enabled. I like the style of a slightly transparent terminal and also – the screenshot-tool that came with Xubuntu (and also Ubuntu) has an option to draw a rectangle on the screen which will be your screenshot. Unfortunately, this one uses composite. I was kinda shocked to see a black screen when selecting this option. Sure, I could create a rectangle and do the screenshot, but I had no idea what is below this dark screen. I know and use this tool also on my ThinkPad T530 that I use for work, and so I know that it should be a bit transparent. So I was looking for a solution and was not able to find one on the web. So I fired up amdcccle and removed the Xinerama mode to put my screens into an “expanding” mode.

Here is my current xorg.conf:

Section "ServerLayout"
	Identifier     "amdcccle Layout"
	Screen      0  "amdcccle-Screen[1]-0" 0 0
EndSection

Section "Module"
EndSection

Section "ServerFlags"
	Option	    "AIGLX" "on"
	Option	    "Xinerama" "off"
	Option	    "Composite" "enable"
EndSection

Section "Monitor"
	Identifier   "0-DFP1"
	Option	    "VendorName" "ATI Proprietary Driver"
	Option	    "ModelName" "Generic Autodetecting Monitor"
	Option	    "DPMS" "true"
	Option	    "PreferredMode" "1920x1200"
	Option	    "TargetRefresh" "60"
	Option	    "Position" "1920 0"
	Option	    "Rotate" "normal"
	Option	    "Disable" "false"
EndSection

Section "Monitor"
	Identifier   "0-DFP6"
	Option	    "VendorName" "ATI Proprietary Driver"
	Option	    "ModelName" "Generic Autodetecting Monitor"
	Option	    "DPMS" "true"
	Option	    "PreferredMode" "1920x1200"
	Option	    "TargetRefresh" "60"
	Option	    "Position" "0 0"
	Option	    "Rotate" "normal"
	Option	    "Disable" "false"
EndSection

Section "Monitor"
	Identifier   "0-DFP7"
	Option	    "VendorName" "ATI Proprietary Driver"
	Option	    "ModelName" "Generic Autodetecting Monitor"
	Option	    "DPMS" "true"
	Option	    "PreferredMode" "1920x1200"
	Option	    "TargetRefresh" "60"
	Option	    "Position" "3840 0"
	Option	    "Rotate" "normal"
	Option	    "Disable" "false"
EndSection

Section "Device"
	Identifier  "amdcccle-Device[1]-0"
	Driver      "fglrx"
	Option	    "Monitor-DFP1" "0-DFP1"
	Option	    "Monitor-DFP6" "0-DFP6"
	Option	    "Monitor-DFP7" "0-DFP7"
	BusID       "PCI:1:0:0"
EndSection

Section "Device"
	Identifier  "amdcccle-Device[1]-1"
	Driver      "fglrx"
	Option	    "Monitor-DFP6" "0-DFP6"
	BusID       "PCI:1:0:0"
	Screen      1
EndSection

Section "Device"
	Identifier  "amdcccle-Device[1]-2"
	Driver      "fglrx"
	Option	    "Monitor-DFP7" "0-DFP7"
	BusID       "PCI:1:0:0"
	Screen      2
EndSection

Section "Screen"
	Identifier "amdcccle-Screen[1]-0"
	Device     "amdcccle-Device[1]-0"
	DefaultDepth     24
	SubSection "Display"
		Viewport   0 0
		Virtual   5760 1920
		Depth     24
	EndSubSection
EndSection

Section "Screen"
	Identifier "amdcccle-Screen[1]-1"
	Device     "amdcccle-Device[1]-1"
	DefaultDepth     24
	SubSection "Display"
		Viewport   0 0
		Depth     24
	EndSubSection
EndSection

Section "Screen"
	Identifier "amdcccle-Screen[1]-2"
	Device     "amdcccle-Device[1]-2"
	DefaultDepth     24
	SubSection "Display"
		Viewport   0 0
		Depth     24
	EndSubSection
EndSection

A composite enabled setup should give you a terminal (in my case: terminator) with set up 0.8 of opacity that looks like this:

Maybe these hints are useful for the one or other – if not, it’s a kinda-wiki for myself if I break my config

Diese AfD scheint ein noch üblerer Versagerhaufen zu sein als die Piraten. Au weia. Tja, so wird das wohl nichts mit dem CDU-kaputtmachen. Schade.

Die Russen haben einen CIA-Agenten auf frischer Tat ertappt, als er einen russischen Agenten abwerben wollte. Genüsslich nennen sie nicht nur den Namen, sondern zeigen auch Fotos und zählen auf, was der so dabei hatte:

The agency stressed that Christopher had “special technical equipment” in his possession, including an additional wig, a microphone, multiple pairs of dark sunglasses and a lot of cash in euro – along with a Moscow atlas, a compass, a knife, and an American Bic lighter.

Harr. Und sie zeigen auch den Brief mit der Kontaktprozedur und dem Angebot, das die Amis machen wollten. Au weia. Totalschaden.

Witzigerweise hatten sie einen Haufen Bargeld dabei, aber nicht Dollar oder Rubel sondern Euro. :-)

Extending SELinux policies with additional rules is easy. As SELinux uses a deny by default approach, all you need to do is to create a policy module that contains the additional (allow) rules, load that and you’re all set. But what if you want to remove some rules?

Well, sadly, SELinux does not support deny rules. Once an allow rule is loaded in memory, it cannot be overturned anymore. Yes, you can disable the module itself that provides the rules, but you cannot selectively disable rules. So what to do?

Generally, you can disable the module that contains the rules you want to disable, and load a custom module that defines everything the original module did, except for those rules you don’t like. For instance, if you do not want the skype_t domain to be able to read/write to the video device, create your own skype-providing module (myskype) with the exact same content (except for the module name at the first line) as the original skype module, except for the video device:

dev_read_sound(skype_t)
# dev_read_video_dev(skype_t)
dev_write_sound(skype_t)
# dev_write_video_dev(skype_t)

Load in this policy, and you now have the skype_t domain without the video access. You will get post-install failures when Gentoo pushes out an update to the policy though, since it will attempt to reload the skype.pp file (through the selinux-skype package) and fail because it declares types and attributes already provided (by myskype). You can exclude the package from being updated, which works as long as no packages depend on it. Or live with the post-install failure ;-) But there might be a simpler approach: epatch_user.

Recently, I added in support for epatch_user in the policy ebuilds. This allows users to create patches against the policy source code that we use and put them in /etc/portage/patches in the directory of the right category/package. For module patches, the working directory used is within the policy/modules directory of the policy checkout. For base, it is below the policy checkout (in other words, the patch will need to use the refpolicy/ directory base). But because of how epatch_user works, any patch taken from the base will work as it will start stripping directories up to the fourth one.

This approach is also needed if you want to exclude rules from interfaces rather than from the .te file: create a small patch and put it in /etc/portage/patches for the sec-policy/selinux-base package (as this provides the interfaces).

Microsoft and Adobe today each released updates to fix critical security holes in their software. Microsoft’s patch batch tackles at least 33 vulnerabilities in Windows and other products, including a fix for a zero-day vulnerability in Internet Explorer 8 that attackers have been exploiting. Separately, Adobe pushed security updates for Flash Player, Adobe Reader, Acrobat and Adobe AIR.

Microsoft’s Patch Tuesday bundle includes two separate updates for Internet Explorer; the first (MS13-037) is a cumulative update for Internet Explorer. The second is a fix (MS13-038) specifically for a critical bug in IE 8 that miscreants and malware have been using to break into Windows computers. Other, slightly less severe holes were fixed in Microsoft Publisher, Word, Visio and Windows Essentials.

Last week, Microsoft released a stopgap “Fix-it” tool to help blunt the threat from the IE8 zero-day flaw. If you installed that interim fix, Microsoft recommends taking a moment to disable it before applying today’s patches.

<soapbox>On a side note..Dear Microsoft: Please stop asking people to install Silverlight every time they visit a Microsoft.com property. I realize that Silverlight is a Microsoft product, but it really is not needed to view information about security updates. In keeping with the principle of reducing the attack surface of an operating system, you should not be foisting additional software on visitors who are coming to you for information on how to fix bugs and vulnerabilities in Microsoft products that they already have installed. </soapbox>

As it usually does on Microsoft’s Patch Tuesday, Adobe used the occasion to push its own security updates. A new version of Flash (v. 11.7.700.202 for Mac and Windows systems) fixes 13 vulnerabilities.  IE 10 and Google Chrome automatically update themselves to fix Flash flaws. This link should tell you which version of Flash your browser has installed. If your version of Chrome is not yet updated to v. 11.7.700.202, you may need to just restart the browser.

The most recent versions of Flash are available from the Adobe download center, but beware potentially unwanted add-ons, like McAfee Security Scan). To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

In addition, Adode AIR (required by some applications like Pandora Desktop, for example) was updated to v. 3.7.0.1860. Also, Adobe has released new versions of Adobe Reader and Acrobat that fix at least 27 security holes in these products. See this link for more detail on those patches. Adobe said it is not aware of any active exploits or attacks in the wild targeting any of the issues addressed in these updates.

As always, please drop a note in the comments section if you experience problems applying any of these updates.

It’s not a secret that I’m interested in japanese language, even if I’ve stopped learning it, because of too less for it. I’m still (more or less) able to read & type Hiragana and Katakana. On the Mac, it was pretty easy to enable the support for those input types, because it was built in.

On my Linux workstation, I’ve installed Xubuntu 13.04. To add the option to type in Japanese, I use the IBus input method. It’s handy and honestly a bit irritating, but here’s how to install it.

First of all – IBus should be pre-installed, if not, simply install the package ibus.

For japanese, we need to install another package:

$ sudo apt-get install ibus-anthy

That was the easy part To configure IBus, we should be sure that it does not run in the background, so we kill it, if we have a running IBus process.

To check if such a process runs, we gonna use ps and grep for ibus-daemon.

$ ps axu | grep ibus-daemon | grep -v grep
dennis    2587  0.0  0.1 278832  6316 ?        Sl   07:10   0:13 /usr/bin/ibus-daemon --xim

The first result line shows the ibus-daemon running in the background with the parameter –xim. By the way: if we don’t use the | grep -v grep at the end, we will get a second line which shows the grepping itself.

To kill the process, we do it a bit radical with this option:

$ kill -9 2587

The 2587 is the PID (process id) of the ibus-daemon, you should be sure that this is indeed the correct process, otherwise you will kill maybe an important process, even if you’re not the root-user in this example.

Now that the process is killed, we want to launch it again. I would recommend to press Alt+F2 (for example on Xubuntu or Ubuntu) and simply launch ibus-daemon or you can do this right from the terminal by putting the process into the memory and return to your shell by attaching the & sign to the end of the command.

$ ibus-daemon &

This could create some annoying output in your terminal, even if you’ve backgrounded the process! You can close your terminal and reopen it, however, launching it with Alt+F2 (or maybe using DMenu) is faster

In your menu, you will now have the IBus icon, which is an i on a white ground. Click it and select the settings (German here, but I’m sure you’ll find the settings).

A new window pops up, select the second tab for input settings. Please ignore Ctrl+S in the field shown here. This DOES NOT work! But more on this a bit later.

Once you’ve reached the right tab, you should be able to select the “Japanese -> Anthy” method. I’ve played with the mozc input method, but Anthy seems to be the better one

Next, add this method to the list below and close the settings windows. I would recommend to restart IBus as shown above if the “Japanese” entry does not appear instantly.

Working with IBus-Anthy is easy – if you know the shortcuts.. I’ve spend quiet a bit of time to find them in the settings menu until it worked as expected. Open a GUI editor like mousepad, gedit etc. so you can try to type in japanese.

Once you’re inside your editor, you are able to use IBus, this only works if you are able to enter something – what makes sense in my mind!

Press Ctrl+Space to activate IBUs-Anthy and type “ohayou”. It should print “おはよう”, underlined. While you type, the latin characters will be live translated into Hiragana, which is fine for this particular word. While you type and it’s still underlined, there will possibly pop down a windows with options to choose from; those are the same (or similar words but in Hiragana, Katakana, Kanji and mixed with Kanji). To use them – you should at least know a bit about these signs and the differences ).

However, if you’ve written the word anime “あにめ” in Hiragana, that’s wrong – it should be in Katakana, but as long as it’s underlined, you can switch the complete word to Katanaka by pressing the F7 key: “アニメ” will appear, press F6 if you want to switch it back to Hiragana. After each word, you should press Enter! This is pretty normal in japanese input systems, because in japanese language, you don’t have a space between words (what makes it pretty hard for bloody beginners like myself ).

But what if you want to type directly in Katanaka and want to switch to latin quickly, for example if you want to type the word “Linux” which will (as far as I know) also appear in latin letters also in japanese?

To enable IBus, we had hit Ctrl+Space, to disable, you simply hit Ctrl+Space again. But if you want to circle through the different input methods, you can do this by pressing Ctrl+, (comma) once IBus is enabled. There is also a latin input method in the japanese language, called Romaji. This is NOT the same as your regular latin letters, because the space between the letters is (even if not always and this depends on the used font as well) smaller. You will also notice “half width” and “full width” in Katakana and also in Romaji. If you want to type 100% perfect japanese, I’m sure Romaji is the better option, but better ask a native japanese writer.

IBus features do not stop here, but this is more about the basics. In the settings, you can enable “Show language panel” to “When active” and a little popup appears if you’ve IBus enabled. This will show you a lot other options and also give you the option to switch between the input methods by mouse clicks. The popup looks like this:

I hope this is useful for my readers. I’ve spent a lot time with a lot of different input methods, namely SCIM, mocz and of course IBus, but here on my Xubuntu, IBus + Anthy works best

またね！

Bloomberg hat über 10000 private Nachrichten zwischen Anwendern ihres Systems online gepostet. Bloomberg verkauft Terminals an Finanzdienstleister. Die sind jetzt schlecht gelaunt, weil sie da sensibleren Umgang mit privaten Daten erwartet hatten.

Schwedens Staatsanwaltschaft bemüht sich gerade beim obersten Gerichtshof um eine Gefängnisstrafe für einen Filesharer. Begründung:

The prosecutor’s office says a prison sentence is needed so the police can legitimately raid the homes of file-sharers.

Für Adblock Plus hat sich die Kampagne der Verlage jedenfalls gelohnt.

Das US-"Justiz"-Ministerium hat die Verbindungsdaten von AP abgeschnorchelt. Natürlich mit einer fadenscheinigen Ausrede, wie immer, irgendwas mit nationaler Sicherheit und Terroristen.

Oh und wo wir gerade bei abschnorcheln und fadenscheinigen Security-Ausreden waren: Microsoft liest eure Skype-Konversationen mit und klickt auf übermittelte Links. Und als Ausrede faseln sie was von Schutz vor Spam, Betrug und Phishing.

Und solange wir Verbrecher mit solchen Ausreden durchkommen lassen, wird das alles immer nur noch schlimmer werden.

Six months have passed since the November security incident which brought the Project's binary package building capacity offline; we are pleased to announce that all services are now restored.

With all the reports surrounding Cdorked, I took a look at if SELinux and/or other Gentoo Hardened technologies could reduce the likelihood that this infection occurs on your system.

First of all, we don’t know yet how the malware gets installed on the server. We do know that the Apache binaries themselves are modified, so the first thing to look at is to see if this risk can be reduced. Of course, using an intrusion detection system like AIDE helps, but even with Gentoo’s qcheck command you can test the integrity of the files:

# qcheck www-servers/apache
Checking www-servers/apache-2.2.24 ...
  * 424 out of 424 files are good

If the binary is modified, this would result in something equivalent to:

Checking www-servers/apache-2.2.24 ...
 MD5-DIGEST: /usr/sbin/apache2
  * 423 out of 424 files are good

I don’t know if the modified binary would otherwise work just fine, I have not been able to find exact details on the infected binary to (in a sandbox environment of course) analyze this further. Also, because we don’t know how they are installed, it is not easy to know if binaries that you built yourself are equally likely to be modified/substituted or if the attack checks checksums of the binaries against a known list.

Assuming that it would run, then the infecting malware would need to set the proper SELinux context on the file (if it overwrites the existing binary, then the context is retained, otherwise it gets the default context of bin_t). If the context is wrong, then starting Apache results in:

apache2: Syntax error on line 61 of /etc/apache2/httpd.conf: Cannot load /usr/lib64/apache2/modules/mod_actions.so into server: /usr/lib64/apache2/modules/mod_actions.so: cannot open shared object file: Permission denied

This is because the modified binary stays in the calling domain context (initrc_t). If you use a targeted policy, then this will not present itself as initrc_t is an unconfined domain. But with strict policies, initrc_t is not allowed to read httpd_modules_t. Even worse, the remainder of SELinux protections don’t apply anymore, since with unconfined domains, all bets are off. That is why Gentoo focuses this hard on using a strict policy.

So, what if the binary runs in the proper domain? Well then, from the articles I read, the malware can do a reverse connect. That means that the domain will attempt to connect to an IP address provided by the attacker (in a specifically crafted URL). For SELinux, this means that the name_connect permission is checked:

# sesearch -s httpd_t -c tcp_socket -p name_connect -ACTS
Found 20 semantic av rules:
   allow nsswitch_domain dns_port_t : tcp_socket { name_connect } ; 
DT allow httpd_t port_type : tcp_socket { name_connect } ; [ httpd_can_network_connect ]
DT allow httpd_t ftp_port_t : tcp_socket { name_connect } ; [ httpd_can_network_relay ]
DT allow httpd_t smtp_port_t : tcp_socket { name_connect } ; [ httpd_can_sendmail ]
DT allow httpd_t postgresql_port_t : tcp_socket { name_connect } ; [ httpd_can_network_connect_db ]
DT allow httpd_t oracledb_port_t : tcp_socket { name_connect } ; [ httpd_can_network_connect_db ]
DT allow httpd_t squid_port_t : tcp_socket { name_connect } ; [ httpd_can_network_relay ]
DT allow httpd_t mssql_port_t : tcp_socket { name_connect } ; [ httpd_can_network_connect_db ]
DT allow httpd_t kerberos_port_t : tcp_socket { name_connect } ; [ allow_kerberos ]
DT allow nsswitch_domain ldap_port_t : tcp_socket { name_connect } ; [ authlogin_nsswitch_use_ldap ]
DT allow httpd_t http_cache_port_t : tcp_socket { name_connect } ; [ httpd_can_network_relay ]
DT allow httpd_t http_port_t : tcp_socket { name_connect } ; [ httpd_can_network_relay ]
DT allow httpd_t http_port_t : tcp_socket { name_connect } ; [ httpd_graceful_shutdown ]
DT allow httpd_t mysqld_port_t : tcp_socket { name_connect } ; [ httpd_can_network_connect_db ]
DT allow httpd_t ocsp_port_t : tcp_socket { name_connect } ; [ allow_kerberos ]
DT allow nsswitch_domain kerberos_port_t : tcp_socket { name_connect } ; [ allow_kerberos ]
DT allow httpd_t pop_port_t : tcp_socket { name_connect } ; [ httpd_can_sendmail ]
DT allow nsswitch_domain ocsp_port_t : tcp_socket { name_connect } ; [ allow_kerberos ]
DT allow httpd_t gds_db_port_t : tcp_socket { name_connect } ; [ httpd_can_network_connect_db ]
DT allow httpd_t gopher_port_t : tcp_socket { name_connect } ; [ httpd_can_network_relay ]

So by default, the Apache (httpd_t) domain is allowed to connect to DNS port (to resolve hostnames). All other name_connect calls depend on SELinux booleans (mentioned after it) that are by default disabled (at least on Gentoo). Disabling hostname resolving is not really feasible, so if the attacker uses a DNS port as port that the malware needs to connect to, SELinux will not deny it (unless you use additional networking constraints).

Now, the reverse connect is an interesting feature of the malware, but not the main one. The main focus of the malware is to redirect customers to particular sites that can trick the user in downloading additional (client) malware. Because this is done internally within Apache, SELinux cannot deal with this. As a user, make sure you configure your browser not to trust non-local iframes and such (always do this, not just because there is a possible threat right now). The configuration of Cdorked is a shared memory segment of Apache itself. Of course, since Apache uses shared memory, the malware embedded within will also have access to the shared memory. However, if this shared memory would need to be accessed by third party applications (the malware seems to grant read/write rights on everybody to this segment) SELinux will prevent this:

# sesearch -t httpd_t -c shm -ACTS
Found 2 semantic av rules:
   allow unconfined_domain_type domain : shm { create destroy getattr setattr read write associate unix_read unix_write lock } ; 
   allow httpd_t httpd_t : shm { create destroy getattr setattr read write associate unix_read unix_write lock } ; 

Only unconfined domains and the httpd_t domain itself have access to httpd_t labeled shared memory.

So what about IMA/EVM? Well, those will not help here since IMA checks for integrity of files that were modified offline. As the modification of the Apache binaries is most likely done online, IMA would just accept this.

For now, it seems that a good system integrity approach is the most effective until we know more about how the malware-infected binary is written to the system in the first place (as this is better protected by MAC controls like SELinux).

Das Verteidigungsministerium hat keine Zulassung für die "Euro Hawk"-Drohne gekriegt. Das war vorher abzusehen, aber sie haben trotzdem über eine Milliarde für die Anschaffung in den Sand gesetzt. EINE MILLIARDE!!

Neulich haben die Saudis bei Moxie Marlinspike nachgefragt, ob er ihnen nicht helfen will, eine ordentliche Internet-Überwachungsinfrastruktur aufzubauen. Moxie, falls das jemandem nichts sagt, ist ein Cypherpunkts-Urgestein, und kämpft schon sein ganzes Leben lang auf der anderen Seite der Barrikaden. Moxie tat also, was jeder in der Situation tun sollte, und heuchelte eine Weile Interesse, um die Details zu erfahren, und publizierte die dann. :-)

Mir erzählt gerade jemand, dass er von einem Betrüger angerufen wurde, der sich als "Mahngericht Hamburg" ausgab und angeblich eine Forderung über 1200 Euro eintreiben wollte. Der konnte aber auf Nachfrage kein Aktenzeichen o.ä. nennen und war auch sonst eher schwach vorbereitet. Das spannende Detail ist aber, dass als Rufnummer 040-428280 übermittelt wurde, und wenn man da anruft, kommt man tatsächlich beim Verwaltungsdienst der Stadt Hamburg raus — aber der arme Mann hinter der Nummer weiß von nichts und kann nur zur Anzeige gegen unbekannt raten.

In Sachen Behördenkommunikation kann man anscheinend inzwischen nur noch Dingen trauen, die vom Gerichtsvollzieher an die Tür gebracht werden.

Die britische Polizei bittet um Mithilfe:

Police are trying to track down an unlikely getaway driver - a man on a mobility scooter who escaped the scene at just 4mph.

Ich musste bei der Meldung spontan an die Verfolgungsszene aus Bubba-Ho-Tep denken. :-)

Hey, psst, wollt ihr die Daten aller 4g-Kunden von EE (UK-Mobiltelco) kaufen?

The report alleges that the data passed on to Ipsos MORI included gender and age information, users' postcodes, as well as information on when and to whom calls were made, plus web and app use details - and would be able to track a user's location within 100 metres.

Angeblich sind die rumgerannt und haben das wie schales Bier an den Mann zu bringen versucht, von der Polizei bis hin zu privaten Interessenten. EE dementiert.

Gute Nachrichten für Samsung: Kasperskys Parasiten-Tentakel haben sich bis in den Hirnstamm von Qualcomm gebohrt. Wer also ab jetzt performante ARM-basierte Geräte haben will, muss Exynos statt Snapdragon kaufen. :-)

Oder vielleicht ist das auch nicht so schlimm wie vermutet:

Kaspersky told The INQUIRER that it has agreed to offer "special terms" for preloading Kaspersky Mobile Security and Kaspersky Tablet Security products on Android devices powered by Qualcomm Snapdragon processors.

Das könnte ja auch dazu führen, dass die ganzen Qualcomm-Kunden heiser lachen und dieses großartige Angebot ausschlagen.

Telekom-Chef Obermann pullt einen Mielke.

"Wir haben mit Kritik gerechnet", sagte Obermann. "Und dass man mit der Ankündigung einer Preisdifferenzierung innerhalb der Netzgemeinde niemals Sympathiepunkte sammeln kann, war uns auch klar." Höttges und Obermann meinten aber: "Wir lieben unsere Kunden." Die Telekom kämpfe um jeden einzelnen Kunden "heute und in Zukunft."

Falls jemand zu jung ist für diese Referenz: Youtube hilft.

Ich finde es auch besonders großartig, dass sie sagen, dass sie um jeden Kunden kämpfen. Wer schonmal versucht hat, von der Telekom zu einem anderen DSL-Provider zu wechseln, der wird diese Aussage auch ausgesprochen humoristisch hochwertig finden.

Ich könnte mich ja über die "macht doch bitte eure Adblocker aus"-Kampagne amüsieren. Das ehemalige Nachrichtenmagazin hat auch noch die Dreistigkeit, uns in ihrem Appell ins Gesicht zu lügen, ihre Werbung sei ja total zurückhaltend und blinke nicht. Soll das ein Witz sein? Vielleicht mal nen Optiker aufsuchen?

Und bei der Süddeutschen muss man runterscrollen, um den ersten Text sehen zu können, und die Irland-Anzeige darüber ist animiert. War Ehrlichkeit nicht mal eine Tugend, auf die Journalisten stolz waren?

Der Lacher ist ja, dass ausgerechnet das ehemalige Nachrichtenmagazin ÜBERHAUPT keine Ausrede hat, denn die betreiben ihr Werbenetzwerk seit ewigen Jahren selbst. "Quality Channel" heißt das. Die können also nicht sagen, ihr Netzwerk habe ihnen Konditionen diktiert und deshalb hätten sie statt einem Banner oben ein halbes Dutzend nervige Blink-Anzeigen pro Seite reinnehmen müssen. Oder die Anzeigen, die einmal den gesamten Bildrand fressen.

Mein Mitleid hält sich in Grenzen. Ich hörte, die ersten Werbeblocker blocken jetzt auch das Nagging.

Man sollte ja denken, dass den Leuten in der Sekunde ein Licht aufgeht, wo andere Leute einen Monat Lebenszeit investieren, um eine Browser-Extension zu schreiben, die eure Werbung wegfiltert. Spätestens an der Stelle muss doch auch dem letzten CSU-Wähler klar sein, dass die Werbung zu nervig geworden ist.

Commander Hadfield singt zum Abschied von der ISS Space Oddity. Wie cool! Gibt es schon einen Wettpool, wann die GEMA das Video sperrt? Oder ist das schon gesperrt in Deutschland?

When using SECMARK, the administrator configures the iptables or netfilter rules to add a label to the packet data structure (on the host itself) that can be governed through SELinux policies. Unlike peer labeling, here the labels assigned to the network traffic is completely locally defined. Consider the following command:

# iptables -t mangle -A INPUT -p tcp --src 192.168.1.2 --dport 443
  -j SECMARK --selctx system_u:object_r:myauth_packet_t

With this command, packets that originate from the 192.168.1.2 host and arrive on port 443 (typically used for HTTPS traffic) are marked as myauth_packet_t. SELinux policy writers can then allow domains to receive this type of packets (or send) through the packet class:

# Allow sockets with mydomain_t context to receive packets labeled myauth_packet_t
allow mydomain_t myauth_packet_t:packet recv;

The SELinux policy modules enable this through the corenet_sendrecv_<type>_{client,server}_packets interfaces:

corenet_sendrecv_http_client_packets(mybrowser_t)
# allow mybrowser_t http_client_packet_t:packet { send recv };

As a common rule, packets are marked as client packets or server packets, depending on the role of the domain. In the above example, the domain is a browser, so acts as a web client. So, it needs to send and receive http_client_packet_t. A web server on the other hand would need to send and receive http_server_packet_t. Note that the packets that are sent over the wire do not have any labels assigned to them – this is all local to the system. So even when the source and destination use SELinux with SECMARK, on the source server the packets might be labeled as http_client_packet_t whereas on the target they are seen as http_server_packet_t.

As far as I know, when you want to use SECMARK, you will need to set the contexts with iptables yourself (there is no default labeling), so knowing about the above convention is important.

Again, Paul Moore has more information about this.

The January to March 2013 Status Report is now available with 31 entries.

Allow me to start with an important warning: I don’t have much hands-on experience with the remainder of this post. Its based on the few resources I found on the Internet and a few tests done locally which I’ve investigated in my attempt to understand SELinux policy writing for networking stuff.

So, with that out of the way, let’s look into peer labeling. As mentioned in my previous post, SELinux supports some more advanced networking security features than the default socket restrictions. I mentioned SECMARK and NetLabel before, but NetLabel is actually part of the family of peer labeling technologies.

With this technology approach, all participating systems in the network must support the same labeling method. NetLabel supports CIPSO (Commerial IP Security Option) where hosts label their network traffic to be part of a particular “Domain of Interpretation”. The labels are used by the hosts to identify where a packet should be for. NetLabel, within Linux, is then used to translate those CIPSO labels. SELinux itself labels the incoming sockets based on the NetLabel information and the context of the listening socket, resulting in a context that is governed policy-wise through the peer class. Since this is based on the information in the packet instead of defined on the system itself, this allows remote systems to have a say in how the packets are labeled.

Another peer technology is the Labeled IPSec one. In this case the labels are fully provided by the remote system. I think they are based on the security association within the IPSec setup.

In both cases, in the SELinux policies, three definitions are important to keep an eye out on: interface definitions, node definitions and peer definitions.

Interface definitions allow users to (mainly) set the sensitivity that is allowed to pass the interface. Using semanage interface this can be controlled by the user. One can also assign a different context to the interface – by default, this is netif_t. The permissions that are checked on the traffic is ingress (incoming) and egress (outgoing) traffic, and most policies set this through the following call (comment shows the underlying SELinux rules, where tcp_send and tcp_recv are – I think – obsolete):

corenet_tcp_sendrecv_generic_if(something_t)
# allow something_t netif_t:netif { tcp_send tcp_recv egress ingress };

Node definitions define which targets (nodes, which can be IP addresses or subnets) traffic meant for a particular socket is allow to originate from (recvfrom) or sent to (sendto). Again, users can define their own node types and manage them using semanage node. The default node I already covered in the previous post (node_t) and is allowed by most policies by default through the following call (where the tcp_send and tcp_recv are probably deprecated as well):

corenet_tcp_sendrecv_generic_node(something_t)
# allow something_t node_t:node { tcp_send tcp_recv sendto recvfrom };

Finally, peer definitions are based on the labels from the traffic. If the system uses NetLabel, then the target label will always be netlabel_peer_t since the workings of CIPSO are mainly (only?) mapped towards sensitivity labels (in MLS policy). As a result, SELinux always displays the peer as being netlabel_peer_t. In case of Labeled IPSec, this isn’t the case as the peer label is transmitted by the peer itself.

For NetLabel support, policies generally include two methods – one is to support unlabeled traffic (only needed the moment you have support for labeled traffic) and one is to allow the NetLabel’ed traffic:

corenet_all_recvfrom_unlabeled(something_t)
# allow something_t unlabeled_t:peer recv;
corenet_all_recvfrom_netlabel(something_t)
# allow something_t netlabel_peer_t:peer recv;

In case of IPSec for instance, the peer will have a provided label, as is shown by the call for accepting hadoop traffic:

hadoop_recvfrom(something_t)
# allow something_t hadoop_t:peer recv;

However, this alone is not sufficient for labeled IPSec. We also need to allow the domain to be allowed to send anything towards an IPSec security association. There is an interface called corenet_tcp_recvfrom_labeled that takes two arguments which, amongst other things, enables sendto towards its association.

corenet_tcp_recvfrom_labeled(some_t, thing_t)
# allow { some_t thing_t} self:association sendto;
# allow some_t thing_t:peer recv;
# allow thing_t some_t:peer recv;
# corenet_tcp_recvfrom_netlabel(some_t)
# corenet_tcp_recvfrom_netlabel(thing_t)

This interface is usually called within a *_tcp_connect() interface for a particular domain, like with the mysql_tcp_connect example:

interface(`mysql_tcp_connect',`
        gen_require(`
                type mysqld_t;
        ')

        corenet_tcp_recvfrom_labeled($1, mysqld_t)
        corenet_tcp_sendrecv_mysqld_port($1) # deprecated
        corenet_tcp_connect_mysqld_port($1)
        corenet_sendrecv_mysqld_client_packets($1)
')

When using peer labeling, the domain that is allowed something is based on the socket context of the application. Also, the rules when using peer labeling are in addition to the rules mentioned before (“standard” networking control): name_bind and name_connect are always checked.

For more information, make sure you check Paul Moore’s blog, such as the egress/ingress information. And if you know of resources that show this in a more practical setting (above is mainly to work with the SELinux policy) I’m all ears.