Mar 30
Can’t wait for us to ship PowerShell Remoting?
Want remoting to use SSH?
Why wait for us? /N software has just announced a beta of their NetCmdlets V2.0 which provides PowerShell remoting over SSH today! They’ve had this for a while and V2 updates (and improves) the usability of the cmdlets as well as adding a bunch of new and exciting commands.
For example, chances are that you won’t ever see Microsoft ship the [get/send]-s3 cmdlets but /N software V2 does.
http://blogs.msdn.com/powershell/archive/2008/03/27/powershell-remoting-using-ssh.aspx
My blog post from 2006 is currently the #1 Google Result for PowerShell SSH, but finally there is a good solution out there from /N software. It also supports S3. Very cool 
Feb 08
Canada blows my mind. My Canadian friends tried to explain their magical blinking protected left traffic lights, and I didn’t quite get it, but I remember thinking there was some logic behind it. Today, driving in Vancouver, I came across regular blinking green traffic lights. I asked my friend about it and after five minutes of explaining, all I got was to go forward on green, I think. Metric continues to blow my mind, even though I spent some of my formative years in Europe. Google Maps automatically switches to metric if your starting position is in Canada. Nifty.
Overall, the most baffling thing I have experienced in Canada is the hotel room key. The hotel is nice, but it has a dated feel to it. At one time, you can imagine that it was all very hi-tech, but parts were just never upgraded. Surprisingly, one of these parts is the hotel room key. While most hotels have chosen to go with magnetic swipe cards, this nameless hotel has kept with punch cards. No kidding.
Check it out:

Yes, just by posting this image, the key could probably be copied. All I could find about this on the ‘Net comes from a 1989 Usenet posting:
There used to be only one kind of Ving card lock. Now there are two kinds, as I discovered to my horror a while back while at a convention. The first and possibly “classic” version is all-mechanical, while the second is optical with an electronic controller. I did a longish article on the mechanical one back when I got to take it apart, which I will send to anyone who asks, and since the time of that writing discovered a few more things about it. I believe this article was sent to this very list years ago…
I love stuff like this. These locks were being discussed on a security list in ‘89, with horror, by someone who had already run across them “a while back” and written them up “years ago”. Not only do these keys seem trivial to copy, but the regular pattern in the holes suggests the encoding could be reverse engineered, and then a key could be made for any room in the hotel given the room number. I guess you don’t need high security in a country where people say they don’t even lock their front doors. Good times.
Jul 13
Coming from an OpenBSD background, installing Solaris can be an eye-opening experience. There are many services enabled and listening to the world; luckily for Sun, most Solaris boxes are running on SPARC. Linux used to do the same thing, up until Red Hat started to get a reputation for getting owned. Finally, there is some sanity at Sun, and the OpenSolaris project has some design documents on what they are working toward:
Secure by Default Design Specification
SBD is available in Nevada build 42 and greater.
Jun 22
Ever wanted a new identity?
Jun 21
The folks at xbox-linux have a great article on the 17 Mistakes Microsoft Made in the Xbox Security System. What follows is an excerpt of just one back-and-forth between the hackers and Microsoft’s security team.
The history of Microsoft’s reactions to the font vulnerability is the perfect lesson of how to do it wrong.
- After MechInstaller had been released, Microsoft fixed the buffer vulnerability in the Dashboard and distributed this new version over the Xbox Live network and shipped it with new Xboxes.
- For the hackers, this was no major problem: It was possible to downgrade the Dashboard of a new Xbox to the vulnerable version. Just run Linux using a savegame exploit, and “dd” the old image. Some people felt downgrading on new Xboxes was not piracy, because after all, Microsoft upgraded Xbox Live users’ hard disks to the new version without asking.
- As the next step, Microsoft blacklisted the old Dashboard in the new kernel. It was impossible to just “dd” an old Dashboard image onto newer Xboxes.
- Still no major problem for hackers: The second executable on the hard disk, “xonlinedash”, which is used for Xbox Live configuration, had the same bug, so it was possible to copy the old “xonlinedash” and to rename it to “xboxdash” to make it crash because of the faulty fonts.
- Microsoft consequently blacklisted the vulnerable version of “xonlinedash”.
- Again, no major problem for hackers: All Xbox Live games come with the “dashupdate” application, which adds Xbox Live functionality to the Dashboard for the first Xboxes which came without it. This update application has the same font bug, and it can be run from hard disk. So it is possible to copy the file from any Xbox Live game DVD, rename it to “xboxdash” and let it crash.
- Microsoft could not blacklist this one. Xbox Live enabled games run the update application every time they start, making sure the Xbox has the Xbox Live functionality. Blacklisting “dashupdate” would break these games.
We won.
Jun 21
Found the following at http://daemons.net/~matty/blog/?p=456:
SARC case 2004/368 : Secure By Default
BUG/RFE:4875624 *syslogd* turn off UDP listener by default
BUG/RFE:5004374 Ship with remote services disabled by default
BUG/RFE:5016956 By default rpcbind should not listen for remote requests
BUG/RFE:5016975 By default snmpd/dx should not be enabled.
BUG/RFE:5016998 By default inetd should not listen for remote connections.
BUG/RFE:5017041 By default sendmail should not listen for remote connections
BUG/RFE:5046450 Create a greenline profile for Secure by Default installation
BUG/RFE:6267741 RFE: One-touch knob for outbound-only sendmail
BUG/RFE:6414308 syslogd could use some lint soap
Oddly enough, I was just complaining about this myself. 
Jun 13
Tom Moertel wrote a very concise port scanner in Haskell. I have never looked at Haskell in any detail, but this program seems pretty impressive. You wouldn’t be able to do a port scanner quite so neatly in most other languages. I guess I’ll have to put that on the long stack of things to look into in more detail someday.
May 27
I fixed up the parsing issues on Shelob so that it is somewhat respectable, instead of a bunch of hacks. It was obvious once I started looking at what the client was sending me (the Live HTTP Headers Firefox extension rocks) that I needed to break up each line and then separate the values into a name and a value.
After rewriting the getHeaders() function to use STL hash tables, not only is the code more flexible, but it is also cleaner. For example:
[code]
// every argument is looked up by header name rather than by token index
log.writeLogLine(inet_ntoa(sock->client.sin_addr), request_line, 200, size, headermap["Referer"], headermap["User-Agent"]);
[/code]
Here, with the headermap, it is obvious what values I am passing. Before the rewrite, I just had a bunch of tokens[3], tokens[5], etc.
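As an added example (not Shelob’s own code), here is a getHeaders() along the lines the post describes: each header line is split at its first colon into a name and a value and stored in an STL map. The sample header block is constructed, and header names are folded to lower case so lookups do not depend on how the client capitalised them.

```cpp
#include <cctype>
#include <map>
#include <string>
typedef std::map<std::string, std::string> HeaderMap;
// Header names are case-insensitive, so they are folded to lower case
// before use: "user-agent" and "User-Agent" must land in the same slot.
static std::string lower(std::string s) {
    for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}
// Drop the spaces, tabs and CRs that clients put around names and values.
static std::string trim(const std::string& s) {
    size_t b = s.find_first_not_of(" \t\r");
    if (b == std::string::npos) return "";
    return s.substr(b, s.find_last_not_of(" \t\r") - b + 1);
}
// Parse the header block that follows the request line into a name -> value
// map. Stops at the blank line (so body bytes are never read as headers),
// accepts CRLF or bare LF, and skips any line without a ':' instead of
// trusting token positions the way tokens[3]/tokens[5] did.
HeaderMap getHeaders(const std::string& raw) {
    HeaderMap headers;
    for (size_t pos = 0; pos < raw.size();) {
        size_t nl = raw.find('\n', pos);
        std::string line = trim(raw.substr(pos, nl == std::string::npos ? std::string::npos : nl - pos));
        pos = (nl == std::string::npos) ? raw.size() : nl + 1;
        if (line.empty()) break;                   // end of the header block
        size_t colon = line.find(':');
        if (colon == std::string::npos) continue;  // malformed line: ignore it
        std::string name = lower(trim(line.substr(0, colon)));
        if (!name.empty()) headers[name] = trim(line.substr(colon + 1));
    }
    return headers;
}
// Constructed sample: a header block of the kind Live HTTP Headers displays.
const std::string kSampleHeaders =
    "Host: example.test\r\n"
    "user-agent:   Mozilla/5.0 (X11; OpenBSD)\r\n"
    "Referer: http://example.test/\r\n"
    "this line has no colon and is skipped\r\n"
    "\r\n"
    "X-Body: body bytes must not become headers\r\n";
// Look one header up in the sample by any capitalisation; "" when absent.
std::string sampleHeader(const std::string& name) {
    HeaderMap h = getHeaders(kSampleHeaders);
    HeaderMap::const_iterator it = h.find(lower(name));
    return it == h.end() ? "" : it->second;
}
```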
I’m also toying around with the idea of privilege separation and chroot jails. This follows on from the previous post about a micro-kernel type approach, similar to how Postfix works. While it is more secure, the programming challenges are pretty high. I may leave that for a later version. I still have a bit of cleanup to do before a release.
Aside:
Theo de Raadt gave a nice presentation on the exploit mitigation techniques that OpenBSD is using, which relate to some of these ideas.
May 01
I finally started fixing some of the computers I’ve had lying around the house. Someone asked me if I was embarrassed that I had three broken systems. I guess that gave me some motivation, plus I wanted to play Tony Hawk Pro Skater 3 on my projector and I needed a Windows PC. I’ve been using my PowerBook G4 for almost two months now and it has done everything I’ve needed except hardcore gaming.
It took me about an hour to piece together all the parts into one working PC. I finally got XP to boot and then realized I had forgotten my password, and since I had increased the security settings to insane levels, I locked out all my accounts, including administrator. Sigh. So I spent another two hours downloading Linux boot CD-ROMs with utilities to “hack” the Windows password file. While I was burning one, I discovered that if you boot XP into safe mode, it happily ignores the account lockouts. I don’t know whether to laugh that I locked myself out of my own PC, or to cry that Windows would allow such an easy bypass.
Well maybe tomorrow I’ll get the energy to get OpenBSD on the G3 I have sitting in the corner. I expect OpenBSD running on PPC is slightly more secure than XP.
Apr 25
Bruce Schneier, noted security expert, summarizes some of what is being said about Vista’s new security model. It is amazing how clueless Microsoft can be in ignoring the security models that have proven themselves successful and useful in other operating systems. This is one area where I wouldn’t give Microsoft flak for not innovating. Security is tough; learn from the mistakes others have made!
I’m very disappointed with this, especially because NTFS has such a fine grained permissions system. They could have really pulled off something nice. Thankfully, I’ve been using nothing but Linux and Apple OSX for the past month. If more games were available for OSX, there would be no need for Windows in my life ever again.