System Overlord

A blog about security engineering, research, and general hacking.

Where My Goals Lie

15 Sep 2011 in Personal (Reading time: 6 minutes)

Lately, I've been doing a lot of thinking about my life goals.  While I realize that 26 is still comparatively young, I really feel like I'm not making enough progress towards where I want to be.  Rather than moping on about it, as I have for quite some time, I've been inspired by Sacha Chua to actually do something about it.  Sacha is all about getting things done and making the most out of life, or, to quote her blog title, "Living an Awesome Life."  Whining is not living an awesome life.

I've decided to identify (some of) my life goals, what is preventing my from achieving them, what I am doing to accomplish them, and what else I could be doing to accomplish them.

Goal #1: Achieve financial comfort.

While it may seem greedy or shallow to list a monetary goal first, financial stress can inhibit the ability to achieve other goals.  Having little to no savings makes career changes riskier and more stressful.  Many of my other goals have SOME financial requirements.

This goal is intertwined into many other aspects of my life, including my progress towards a graduate degree.  I like my current job, but I'm not sure that there's much (if any) more room for advancement there.  Eventually it will be time to move on, no matter how hard it may be.

Goal #2: Do original work in Information Security.

I have long been fascinated by the technical aspects of information security.  Securing applications, penetration testing, IDSs, firewalls, and other security technologies are just a few of the things I want to get into more.  I'd like to do original research and development in Information Security.

In order to do that, I need to find a more specific niche to work on, and devote some time to really working on it.  I think part of that involves reading more, but even more so, DOING more.  I need to stop just reading and use what I've learned to develop the deeper understanding needed for original work.  I'm hoping to incorporate some of this into my M.S. in Computer Science, but again, I'll need a more specific topic.

Goal #3: Engage more with like-minded individuals.

I fairly regularly attend meetings like Atlanta Linux Enthusiasts, DC404, etc.  I do this less for the presentations (although lately I've been a frequent speaker at ALE meetings) than for the interaction with the other individuals.  While there are a couple of people at work who have similar interests, it's a rare opportunity to have an in-depth conversation about the topics that interest me.

I have yet to figure out how to fix this one.  The only idea I've had so far involves career change, which might be a bit much to meet this goal.  I guess my meetings will have to do for now.

Goal #4: Speak at a 'major' conference.

I've done quite a bit of speaking at minor conferences, monthly meetings, etc., and really enjoy the level of preparation necessary to teach others.  I don't think I could teach professionally, but I feel like being accepted to speak at a large conference somehow validates your work, be it original research or just presenting a topic to an audience unfamiliar with it.

I'm working my way up there.  I've got a couple of topics I'm thinking about developing for a talk at SELF next year.  Eventually, I'd like to get up to SCALE, Defcon, etc.

Goal #5: Find my niche.

This goal intertwines with all of the above.  Right now, I'm somewhat of a generalist in the realm of information technology.  While that's certainly valid, I'd like to specialize more into security, but even that is very general.  Moxie Marlinspike is known for his SSL research, Dan Bernstein for DNS, Bruce Schneier for Cryptography, etc.  All of them interest me, and I don't have the time and/or energy to get into all those fields.

I hope that one day I'll stumble upon my niche, or -- at least -- develop something within one of those fields.  Again, it comes down to "doing" rather than "talking."

More minor goals in my life:

  • Attend Defcon, Black Hat, SCALE, OSCON, LinuxCon, DerbyCon, and the other top-shelf *cons.
  • Obtain a CISSP and LPIC-3
  • Get over my health-related anxieties.
  • Find something good to do with an Arduino.
  • Have fun!

 

This list is not comprehensive, and even writing it out has led to some internal revelations regarding what I should be doing to achieve my goals.  This, being a blog, is also an invitation to input on what I'm missing from achieving my goals.

Git On Your Web Server: A Security Reminder

31 Aug 2011 in Security (Reading time: 2 minute)

Earlier this month, I wrote about managing a Drupal site with git.  What I neglected to remember, of course, is this places a full copy of your git repository within your web server's document root.  This has the potential to expose any data in your git repository -- a malicious attacker could (depending on your configuration) clone the entire repository, thus exposing source code, configuration files, database dumps, and other sensitive data.

Adam Baldwin did an interesting study on exposed repositories, and shows that the problem is widespread, even among very large-scale websites.  He also offers points on how to protect your git repositories, but the Nginx directions didn't exactly work for me.  No matter what I tweaked, I couldn't get "deny all;" to actually deny anyone!  I ended up using "return 403;" and that worked quite well.  You could even return 404 if you wanted to hide the repository entirely.  For completeness, here's my configuration for protecting git:

location ~ /\.git {
    return 403;
}

Managing Drupal with Git

04 Aug 2011 in Drupal (Reading time: 1 minute)

For a while now, I've been meaning to manage my Drupal site (and the modules and features on it) with git.  The release of Drupal 7.7 provided a perfect opportunity to make this transition.  I've now cloned the main Drupal.org git repository, added my features (as submodules) and added the modules I use (also as submodules).  I'm still getting used to working with git, and I wish there was a way to push parts of my configuration remotely, but I understand why you can't.

If anyone is wondering, the following modules are used on this site:

  • APC
  • Boost
  • CAPTCHA
  • CKEditor
  • Context
  • CTools
  • ELFinder
  • Entity
  • Features
  • Field Group
  • Geshi Filter
  • Git Deploy
  • Google Analytics
  • Gravatar
  • Libraries
  • Link
  • Linkit
  • Media
  • Panels
  • Pathauto
  • Pathologic
  • ReCaptcha
  • Redirect
  • Secure Login
  • Secure Pages
  • Strongarm
  • Styles
  • Token
  • Views

Automatically Creating Archives from Git Tags

16 Jul 2011 in Linux (Reading time: 3 minutes)

At work, we've been moving all of our development processes to git. As part of that, I've encouraged that alphas, betas, and releases be tagged in git -- it's important to know which versions are in use where. Additionally, my director wanted archives (zips/tars) of each of these versions to make it easier to install the releases, particularly for the members of our department who are not git-friendly. I realized that with git hooks and our use of gitolite, we could produce automated archives when tags with the words alpha/beta/release are pushed to the gitolite server. The script below is placed in the $GL_PACKAGE_HOOKS/common directory. It uses the name of the repository to decide if it should be archived (matches $ALLOW_ARCHIVE) and where the archive should be put (within $ARCHIVE_DIR). 

#!/bin/bash
# post-receive gitolite hook to produce archives
 
# Debug mode
DEBUG=1
 
# Where to put archives
ARCHIVE_DIR=/srv/archives/
 
# When to allow archiving (regex)
ALLOW_ARCHIVE="^(drupal|moodle)"
 
#### NO CONFIG BELOW ####
# Check if this repo can be archived
if [[ ! "$GL_REPO" =~ $ALLOW_ARCHIVE ]] ; then
    [[ $DEBUG ]] && echo "Archiving for this repository is disabled." 
    exit 0
fi
 
# Get repo name
ARCHIVE_DIR="${ARCHIVE_DIR}/${GL_REPO}"
 
while read rev1 rev2 ref ; do
    if [[ ! "$ref" =~ ^refs/tags ]] ; then
        [[ $DEBUG ]] && echo "Not a tag reference..."
        continue
    fi
 
    # Get tag name
    tag=${ref##*/}
 
    # Check if tag contains alpha, beta, or release:
    if [[ ! $tag =~ (alpha|beta|release) ]] ; then
        [[ $DEBUG ]] && echo "Not alpha/beta/release"
        continue
    fi
 
    # Ensure directory exists
    mkdir -p ${ARCHIVE_DIR}
 
    # Repo base name
    REPO_BASE=${GL_REPO##*/}
 
    # Make archive
    [[ $DEBUG ]] && echo git archive --format=zip --prefix=${REPO_BASE}/ -o "${ARCHIVE_DIR}/$tag.zip" $ref
    git archive --format=zip --prefix=${REPO_BASE}/ -o "${ARCHIVE_DIR}/$tag.zip" $ref
done

Avenue Q

19 Jun 2011 in Personal (Reading time: 2 minute)

Last night, Ann and I attended a local performance of "Avenue Q" at the Horizon Theatre Company with some people from my work.  I wasn't sure what it would be like, but the 175-seat theater is a perfect setting.  We got there just before showtime, so got seats in the very back, but even those seats have a great view.  The entire theater can only be described as an intimate setting.

While I was familiar with a few of the songs in Avenue Q, I had no idea how well the play would click with my sense of humor.  It was, without a doubt, the funniest thing I have ever seen.  I never thought I would say that I empathized with puppets, but I did in Avenue Q.  The performers at Horizon were incredibly talented and passionate professionals who put on a truly top-notch show.  If you've wanted to see Avenue Q, I can't recommend enough checking out Horizon before the show ends July 3rd.