System Overlord

A blog about security engineering, research, and general hacking.

My Life in Big Bang Theory

I was thinking this evening about how being a generalist kind of sucks.  I don't feel like I've found my niche yet, and I'm fairly disappointed by that.  I've also been watching Big Bang Theory and realized why the show appeals to me as much as it does.  While my life is (unfortunately) not like that of the characters in the show, I see some similarities between myself and the characters:

  • Dr. Sheldon Cooper -- Much like Sheldon, I sometimes nerd out to a degree that others don't understand.  Granted, I'm not a physicist, but man, I can nerd out about computers.  Plus I'm pretty socially awkward.
  • Dr. Leonard Hofstadter -- I like to think that most of my life is like Leonard.  Except I've found and secured my "Penny" (being married and all).  I'm not very up on pop culture, sports, or all that other stuff.  Of course, neither is Leonard and it hasn't seemed to hurt him -- too much.
  • Howard Wolowitz, M.S. -- Much like Howard, I'm insecure about my lack of expertise and specialization.  I hope I'm not quite as sleazy, but I do like my wife... enough said.
  • Dr. Rajesh Koothrappali -- Again, I'm incredibly socially awkward.

Now... to find my niche.


The Importance of Verifiable Security

A number of services online claim to store data securely.  Often, this claim is attached to comparatively unimportant data.  A claim that, for example, your microblogging "direct" messages are stored securely generally carries little risk.  (Hopefully, you're not sending secret data in that sort of message.)  However, solutions like Dropbox and LastPass (among many others) claim to store and transmit your personal data in an encrypted form.

Given that both use a closed-source binary and that neither solution has offered third-party verification, I can't quite see using them for anything involving data I want kept secret.  I certainly wouldn't use LastPass (or any other password sync solution) without being able to see that the data is really encrypted locally before being sent to a server, and that the server doesn't have access to my passphrase.  Firefox Sync, on the other hand, is included with the Firefox source, which at least allows verification.  (I haven't done so yet, but I might do so at some point.  If so, details will be posted here.)  Anything sensitive that goes into my Dropbox goes in encrypted, generally using GnuPG.

Remember: just because the marketing info says "encrypted" doesn't mean it's secure.  Dropbox obviously has access to your passphrase at some point -- how else could they build a web interface?  Even if the data is stored encrypted, a server that receives your passphrase could store that too.  If their server were compromised, both your data and your passphrase could be at risk.

Ask your service providers (especially those you pay for their services) to provide either the source, third-party verification, or, best, both.  Even providing just the client source could be enough to demonstrate security.  (If the data is encrypted with a known-good algorithm before being transmitted and the key is never transmitted, then the data should be secure.)
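To make the parenthetical concrete, here is an added example (not code from Dropbox, LastPass, Firefox Sync or this blog) of the client-side design the post asks for: the key is derived from the passphrase on the client, the data is encrypted before upload, and the provider only ever holds salt, nonce, ciphertext and tag.  The standard library ships no AES, so the cipher is a stand-in built from HMAC-SHA256 in counter mode; the function names and passphrase are constructed for the illustration.

```python
import hashlib
import hmac
import os

# Stand-in for a known-good cipher (the standard library ships no AES): a counter-mode
# keystream from HMAC-SHA256 plus an encrypt-then-MAC tag. The point is the data flow:
# keys are derived and used only on the client; the provider receives salt, nonce,
# ciphertext and tag, nothing else.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def _derive_keys(passphrase: str, salt: bytes) -> tuple:
    # PBKDF2 runs on the client; the passphrase itself is never sent anywhere.
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=64)
    return km[:32], km[32:]                      # encryption key, MAC key

def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))

def client_upload(passphrase: str, plaintext: bytes) -> dict:
    """Returns exactly the fields that travel to the provider."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    ct = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def client_download(passphrase: str, blob: dict) -> bytes:
    """Re-derives the keys locally; a wrong passphrase or a modified blob fails the MAC."""
    enc_key, mac_key = _derive_keys(passphrase, blob["salt"])
    expect = hmac.new(mac_key, blob["salt"] + blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, blob["tag"]):
        raise ValueError("MAC check failed: wrong passphrase or tampered blob")
    return _xor(blob["ct"], _keystream(enc_key, blob["nonce"], len(blob["ct"])))

def provider_holds_secret(blob: dict, passphrase: str, plaintext: bytes) -> bool:
    """The check the post asks for: does what the provider stores contain the secret?"""
    held = b"".join(blob[k] for k in ("salt", "nonce", "ct", "tag"))
    return passphrase.encode() in held or plaintext in held
```

Contrast this with the web-interface design described above, where the passphrase itself is sent to the server: there the equivalent check would return True.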


Major Sites that a 'tiered' Internet Would Have Killed

Again and again, we hear about the idea of a "tiered" Internet, containing 1st and 2nd class citizens.  In some variants, entire sites would be cut off by ISPs.  Let's take a look at sites that probably would not have been able to get started under a "tiered" Internet.  In this list, I'm including major sites that were started without major commercial backing, whose success only came after making it big -- something that requires users being able to access the site, of course.  Let's assume that a tiered Internet came out about a decade ago, right after the fall of the dot-com era.

  • January 15, 2001 -- Wikipedia is launched.  Wikipedia is now the #7 most-visited site on the Internet.  Due to the ad-free nature of their site, having to pay "premiums" to every ISP would likely kill Wikipedia.
  • May 27, 2003 -- Wordpress is released.  Wordpress.com, a free host for blogs, is the #19 Internet site.  Would they have to work out contracts with the ISPs to keep providing a free service?
  • February 4, 2004 -- Facebook is launched from a college dorm room.  Facebook didn't turn a profit until 2009.  They are now the #2 site on the Internet.  I'm sure they wouldn't have been able to survive those first 5 years if only some ISPs were able to access their site.
  • December 5, 2004 -- The launch of Digg.com, the first major social news site.  Digg.com was launched by Kevin Rose, and is today the #88 website in the U.S.
  • February 14, 2005 -- YouTube is launched.  YouTube was founded by 3 private individuals with $11.5 million in VC money.  Given that YouTube now ranks as #3 globally and is responsible for 10% of the world's Internet traffic, it's likely that it would never have gotten to see any amount of success in a tiered Internet.
  • July 15, 2006 -- Twitter, the most successful microblogging site in the world, is launched.  Twitter has only recently begun to generate revenues worth mentioning.  Without a significant revenue model in place, it is unlikely venture capitalists would have invested, leading to an early death for Twitter.

From just the .com, .net, .org, .info, .biz, and .us TLDs, there are over 127 million registered domains.  Even as of 2002, it was estimated there were 3500-4000 ISPs in the United States.  So, are these sites supposed to sign 4000 contracts each?  A total of something like 508 billion contracts in the US alone?  This is positively insane.

Maybe I'm crazy, but it seems that Wired.com has made this same argument.  I, for one, will never use an ISP that cuts off access to part of what I'm paying for.  Charge me for my bandwidth, just as Google's ISP charges them for their bandwidth.

[Most of the site statistics are from Alexa.com.  Founding dates from Wikipedia.]


Welcome to Nginx!

If you're reading this, it's thanks to Nginx.  As of about midnight last night, all content on SystemOverlord.com is being served up by Nginx.  I did this for two reasons: Nginx has a much smaller memory footprint than Apache, which is important when running on a 512MB VPS, and Nginx's preferred PHP path is through a FastCGI interface, which allows me to run a separate PHP FastCGI process under a different user for each application on my server.  Privilege separation between different webapps has always been a big thing security-wise, and I'm glad I was able to get it going with a minimum of fuss.  Wordpress, Nginx, MySQL, and Ubuntu Server powered, all on a Linode VPS!


Announcing NetStatUI: A PyGTK interface for network statistics

NetStatUI is my first significant FOSS release. It’s also my first significant Python project and my first use of GTK+. Yes, that’s a lot of firsts all at once, so I apologize if I’ve done things sub-optimally. I’m still learning some of the wonderful niceties of Python (a subject of a later post) and so I may have done some things “the other way.” NetStatUI is a program to display statistics and information about the IP connections currently on your system. It is an attempt to provide a usable NetStat work-alike for the desktop user. Many new users are shy of the command line, and having a graphical version may be useful.

Homepage: https://launchpad.net/netstatui

NetStatUI has several caveats, and many more TODOs, described below. This is my first significant Python application, my first GTK+ application, and probably my first significant FOSS application. Feedback is welcomed and appreciated.

CAVEATS:

  • Displaying hostnames is INCREDIBLY slow. For some reason, Python’s implementation of socket.gethostbyaddr() is very slow. We do cache lookups to speed up future calls, but the first time a full screen is looked up, it can take 30s+.
  • NetStatUI does not support Unix domain sockets. At present, there are no plans to change this. If you need Unix domain sockets, you likely know how to use netstat(8). If you need Unix domain sockets and DON’T know how to use netstat(8), I’d love to hear what your use case is.
  • For some things, NetStatUI requires root access. I hate running things on my desktop as root when I can avoid it, but NetStatUI gathers process information by walking the /proc tree, and only root can read other users’ process information. See the -p option to netstat(8) for more details.

TODO:

  • NetStatUI is intended to have columns to display per-connection bandwidth usage. My intent is to gather this information via the conntrack interface. Parsing ip_conntrack is non-trivial, but there is a Python binding for libconntrack. I’ll need to test it out and see if it meets the needs of NetStatUI.
  • The Kill Process and TCPDump buttons are clickable, but don’t do anything. Those are likely to be implemented in short order.

While the GPL does not require this, I’d appreciate it if, when you create a derivative work, you let me know so I can see what you’ve done. My contact information is at the top of this document. Thanks for giving NetStatUI a try!
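The two caveats above (walking /proc for process ownership, and caching the slow reverse lookups) come together in the following added example. It is not NetStatUI’s own code: it parses a constructed sample in the /proc/net/tcp format, maps socket inodes to PIDs by walking /proc/<pid>/fd the way netstat -p does, and memoises socket.gethostbyaddr(). Function names are mine; the sample rows and the 203.0.113.5 peer address are constructed.

```python
import os
import socket
from functools import lru_cache

# Constructed sample in /proc/net/tcp format: a listener on 0.0.0.0:22 and an ESTABLISHED
# connection from 127.0.0.1:49314 to 203.0.113.5:80 (a TEST-NET-3 documentation address).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:C0A2 057100CB:0050 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""
TCP_STATES = {"01": "ESTABLISHED", "06": "TIME_WAIT", "0A": "LISTEN"}  # subset of the kernel's table

def _hex_addr(field: str) -> tuple:
    # The kernel prints IPv4 addresses as little-endian hex: 0100007F is 127.0.0.1
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(bytes.fromhex(ip_hex)[::-1]), int(port_hex, 16)

def parse_proc_net_tcp(text: str) -> list:
    """One dict per socket; this part needs no root, /proc/net/tcp is world-readable."""
    rows = []
    for line in text.splitlines()[1:]:                 # skip the header line
        f = line.split()
        rows.append({"local": _hex_addr(f[1]), "remote": _hex_addr(f[2]),
                     "state": TCP_STATES.get(f[3], f[3]),
                     "uid": int(f[7]), "inode": int(f[9])})
    return rows

def socket_inode_to_pid(proc_root: str = "/proc") -> dict:
    """Walk /proc/<pid>/fd as netstat -p does; other users' fd dirs are unreadable unless root."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root) if os.path.isdir(proc_root) else []):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                                # PermissionError for other users' processes
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:                            # fd closed between listdir and readlink
                continue
            if target.startswith("socket:["):
                owners[int(target[8:-1])] = int(pid)
    return owners

@lru_cache(maxsize=4096)                               # each address resolves once per run
def reverse_lookup(ip: str) -> str:
    try:
        return socket.gethostbyaddr(ip)[0]             # the slow call the caveat describes
    except OSError:                                    # herror/gaierror are OSError subclasses
        return ip
```

Joining a row's inode against socket_inode_to_pid() gives the owning PID; rows whose inode is missing from that map belong to processes the current user may not inspect, which is exactly why the root requirement exists.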

To obtain NetStatUI right now, you’ll need to use the bzr distributed version control tool. As NetStatUI is hosted on Launchpad, it’s as simple as bzr branch lp:netstatui.