Random Passwords: Idle Hands Are The Devil's Workshop

I started toying around with the idea of capturing randomness for a source of good n-length random passwords. There are numerous PRNG and TRNG sources out there to make an endless stream of random passwords to use, so this was mostly just an effort in light curiosity.

I thought about a good “fat” source of potentially random data, what did I have on me that could generate a nice big file? My iPhone can do it, specifically the camera. However, I need something random, so I marked up a checkerboard using a piece of paper and cut it into little squares. I put it all in a styrofoam cup and shook the daylights out of it. Dumped the paper from the cup onto my desk and spread out all the paper. Then I took a shot with my iPhone.

This created shot1.jpg. It’s a file with 1,893,984 bytes to it. Since the paper marks will never be in that arrangement ever again, I’d say it’s a pretty good source of randomness.

Next up, I used the shuf command to shuffle the lines of the image together. On a Mac I only had access to GNU's coreutils via Homebrew, so for me it's:

gshuf shot1.jpg > shot1.rnd

Then to turn the data into text, I thought about base64 encoding. The command was:

base64 -b 20 shot1.rnd > randpass1.txt

This created a text file with 126,266 lines. Since each line is a password, that’s my next 126,266 passwords. They look something like this:

Gkmd12A/IecVMjSsNnzS
45BrC+HsYh0X7VGzFnXD
gLRhg3NaF5kQAiMZHb1r
0IvqeO63YEyG7U7y0jFl
p+1Bi/Xrnj8PpWlkYX1s

Finally, with the text file kept in a safe place, I'll always have a nice random 20-character password handy for quite some time.

So of course, at the end, I clean up using gshred, but on a journaled file system like HPFS on my Mac, chances are some parts of the data may hang around for a while. However, I was never seriously going into this, so technically a plain delete is good enough, but anyway:

gshred -n 3 -z -u file.ext
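As an added example, not from the original post, the following Python script models the gshuf | base64 -b 20 pipeline above on constructed sample bytes (no shot1.jpg is included), reports an empirical bits-per-character figure for the resulting password lines, and shows the shorter route of drawing 15 bytes per password straight from the OS CSPRNG with the secrets module. The expected_line_count function reproduces the 126,266-line figure for the 1,893,984-byte file. Two caveats the model makes visible: shuffling only reorders bytes, so it cannot add entropy the source file lacks, and base64 tops out at 6 bits per character, so a 20-character line carries at most 120 bits, and only when the input bytes are uniform (file headers and metadata are not). All function names are this example's own.

```python
import base64
import math
import random
import secrets
from collections import Counter

B64_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
)


def shuffle_lines(data: bytes, rng: random.Random) -> bytes:
    """Model of `shuf` on a binary file: split on 0x0A bytes, shuffle the
    pieces, rejoin with newlines. The bytes are only reordered, so the
    shuffle cannot add entropy the source file lacks."""
    lines = data.split(b"\n")
    rng.shuffle(lines)
    return b"\n".join(lines) + b"\n"


def chunked_base64(data: bytes, width: int = 20) -> list[str]:
    """Model of `base64 -b 20`: encode the whole buffer, then wrap at
    `width` characters. Each wrapped line is one candidate password."""
    text = base64.b64encode(data).decode("ascii")
    return [text[i:i + width] for i in range(0, len(text), width)]


def expected_line_count(size_bytes: int, width: int = 20) -> int:
    """Lines that `base64 -b <width>` emits for an input of size_bytes:
    4 output characters per 3 input bytes, rounded up, then wrapped."""
    chars = 4 * math.ceil(size_bytes / 3)
    return math.ceil(chars / width)


def bits_per_char(lines: list[str]) -> float:
    """Empirical Shannon entropy of the character stream, in bits per
    character. A uniform base64 stream approaches log2(64) = 6, so a
    20-character line carries at most 120 bits; structured input gives less."""
    counts = Counter("".join(lines))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def csprng_passwords(n: int, width: int = 20) -> list[str]:
    """The direct route: width*3/4 bytes from the OS CSPRNG per password
    (15 bytes -> 20 base64 characters, no padding), via the secrets module."""
    raw = width * 3 // 4
    return [base64.b64encode(secrets.token_bytes(raw)).decode("ascii")
            for _ in range(n)]


if __name__ == "__main__":
    rng = random.Random(2018)
    # Constructed stand-in for shot1.jpg: a repetitive header, like real file
    # headers and metadata, followed by bytes that look like compressed data.
    sample = b"JFIF\x00\x01" * 200 + bytes(rng.getrandbits(8) for _ in range(6000))
    passwords = chunked_base64(shuffle_lines(sample, rng))
    print(f"{len(passwords)} candidate passwords, first: {passwords[0]}")
    print(f"image-like stream : {bits_per_char(passwords):.2f} bits/char")
    print(f"secrets stream    : {bits_per_char(csprng_passwords(len(passwords))):.2f} bits/char")
    print(f"lines for a 1,893,984-byte file: {expected_line_count(1_893_984)}")
```

The bits-per-character figure is a sanity check, not a proof of randomness: it only catches gross bias such as repeated headers, so the secrets-based route is the one to rely on when the passwords matter.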


Automatic Blacklisting using iptables

My home server, an elderly Mac Mini running Debian 8, was recently exposed to the public Internet on port 22, the sshd service. I did that on purpose, so that with dynamic DNS addressing I could open a secure shell from wherever I might be, even if that's not home.

Of course, with a port opened up like this, I have exposed this Mac Mini to the wilds of the public Internet, and it has been scanned thoroughly. When I looked at /var/log/auth.log, it was full of attempts to log in as root, admin, and pi. The last one, pi, is hilarious because the hostname was never changed when the OS was migrated from running on my Raspberry Pi, so people who scan the IP and get the hostname think it's a Raspberry Pi.

This has led to a curious exploration of how to prevent people from scanning and attempting to brute-force my sshd server running on this machine. The passwords are complex, so I’m not really worried about anyone breaking into the box, but I do want to dissuade people from even trying. So after some research, I came up with this iptables definition:

iptables -N LOGDROP
iptables -A LOGDROP -j LOG
iptables -A LOGDROP -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 86400 --hitcount 3 -j LOGDROP

I adapted a bunch of good ideas floating around on other help pages, and these instructions are rather straightforward until the end. I found the LOGDROP chain to be really useful: it will log and then drop traffic in one call, without having to mess around with multiple log and drop jumps. The next rule keeps any current SSH shell running no matter what, then everything from loopback is accepted, and then everything from my internal network. The last sequence sets up a tracking database in the server: if someone attempts to chat up my sshd server more than three times in a day, their IP address is installed in a blacklist and their traffic is dropped.
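The following Python script, added here as an example and not part of the original post, does two things on constructed auth.log lines (the hostname is made up and the addresses are documentation-range placeholders): it tallies the failed-password attempts by username and by source, the way a look at /var/log/auth.log above shows them, and it models how the two -m recent rules treat a sequence of NEW SSH connections (--set appends a timestamp for the source; --update --seconds 86400 --hitcount 3 matches when at least three timestamps fall inside the window, and adds another timestamp on a match). One caveat the model makes visible: because --set runs before --update, the third connection within a day already satisfies hitcount 3 and lands in LOGDROP, and each further attempt refreshes the block. The year fed to the timestamp parser is an assumption, since auth.log lines carry none.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone
from typing import NamedTuple

# Constructed sample of /var/log/auth.log lines. The hostname is made up and
# the outside addresses come from the documentation ranges 203.0.113.0/24 and
# 198.51.100.0/24; 192.168.1.20 stands in for a LAN host.
SAMPLE_AUTH_LOG = """\
Mar 18 02:14:07 minimac sshd[1201]: Failed password for root from 203.0.113.7 port 51012 ssh2
Mar 18 02:14:09 minimac sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51013 ssh2
Mar 18 02:14:12 minimac sshd[1205]: Failed password for invalid user pi from 203.0.113.7 port 51014 ssh2
Mar 18 07:30:44 minimac sshd[1340]: Accepted publickey for alice from 192.168.1.20 port 60000 ssh2
Mar 19 03:01:00 minimac sshd[1501]: Failed password for invalid user pi from 198.51.100.9 port 40111 ssh2
"""

FAILED_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


class Failure(NamedTuple):
    epoch: int
    user: str
    ip: str


def to_epoch(stamp: str, year: int = 2018) -> int:
    """auth.log stamps carry no year; the year is an assumption the caller supplies."""
    dt = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return int(dt.replace(tzinfo=timezone.utc).timestamp())


def failed_logins(log_text: str) -> list[Failure]:
    """Every failed password attempt in the log, in file order."""
    found = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            found.append(Failure(to_epoch(m.group(1)), m.group(2), m.group(3)))
    return found


def tally(failures: list[Failure]):
    """Which usernames and which sources hammer the port."""
    return Counter(f.user for f in failures), Counter(f.ip for f in failures)


class RecentList:
    """Minimal model of the xt_recent table as the two rules use it."""

    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, addr: str, now: int) -> None:
        """-m recent --set: record one more hit for addr (the rule has no -j,
        so the packet continues to the next rule)."""
        self.stamps[addr].append(now)

    def update(self, addr: str, now: int, seconds: int, hitcount: int) -> bool:
        """-m recent --update --seconds S --hitcount N: match when at least N
        recorded hits fall inside the last S seconds; a match records another
        hit, so a client that keeps retrying keeps its own block alive."""
        hits = [t for t in self.stamps[addr] if now - t <= seconds]
        if len(hits) >= hitcount:
            self.stamps[addr].append(now)
            return True
        return False


def ssh_gate(events, seconds: int = 86400, hitcount: int = 3) -> list[str]:
    """Verdict per NEW SSH connection (addr, epoch) under the two rules.
    Because --set runs first, the third connection in the window already
    reaches hitcount 3 and lands in LOGDROP."""
    table = RecentList()
    verdicts = []
    for addr, t in events:
        table.set(addr, t)
        verdicts.append("LOGDROP" if table.update(addr, t, seconds, hitcount) else "PASS")
    return verdicts


if __name__ == "__main__":
    failures = failed_logins(SAMPLE_AUTH_LOG)
    by_user, by_ip = tally(failures)
    print("failed logins by user  :", dict(by_user))
    print("failed logins by source:", dict(by_ip))
    for f, verdict in zip(failures, ssh_gate([(f.ip, f.epoch) for f in failures])):
        print(f"{f.ip:>14} user={f.user:<6} -> {verdict}")
```

PASS here means only that the packet fell through these two rules to whatever follows in INPUT; the kernel's real table also caps the stored timestamps per address (ip_pkt_list_tot), which this model ignores.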

Obviously this is overkill, and my next step is to add 2FA to PAM on this server so that I will need to enter a password and a six-digit 2FA code that changes every 30 seconds and never repeats. If anyone else out there is looking for something similar to this, you're welcome to try it out. Good luck!

Hyundai – Never Again

This tale of woe begins in October of 2015. I take my 2007 Hyundai Santa Fe into Maple Hill Hyundai for an oil change, and I learn about a service campaign: there is a recall on the Valve Cover Gasket for all Santa Fes like mine. Maple Hill performs the operation; I get a new gasket, a new alternator, and the oil change. I drive away happy; everything is back to normal.

At the end of 2017, I start noticing some odd lights in my car, and generally odd behavior starting to crop up. I’ve got 130000 miles on the vehicle, so I figure that it’s cold weather and old age. The gas tank needle gets daffy, not registering full tanks of gas, so I use the trip-o-meter to measure out 200 miles and then fill up from there. I can adapt. Then on really cold mornings, I notice the battery light flickers for a little bit, alternating with the seatbelt light, but after a few minutes both go out. I drive it around, and everything is normal.

Then we went to Chicago, Illinois to C2E2. The Santa Fe loaded with suitcases and comic books, I drive it into the parking structure, and that’s that. We have a wonderful time in Chicago, and then we pull it out of the parking structure. I notice that the battery light and seatbelt light have started to blink, but then it goes away and I figure that it’s business as usual. I drop off my niece and her boyfriend at their car and then drive off. As I approach the highway, the battery light and seatbelt light continue to flicker. We get on I-94, headed back to Michigan, and right after we cross from Illinois to Indiana, the battery light is on. Then TPMS, BRAKE, ABS, AIRBAG, all the lights turn on and Check Engine comes on. Then the lights get dimmer and dimmer, and we roll into a Walmart parking lot.

I’m panicking. My car is dying, I’m 125 miles from home, and it’s late Sunday night. After I chill out in the Walmart, we get back to the car, and I turn it on. Check Engine is still on, but everything else is off, and the car is behaving like everything is fine. So we tool around the parking lot a few times, and everything remains fine. So I get on the highway again. We get 25 miles down the road, and then the battery light starts to blink. Then again, everything goes downhill. The car gradually slows down, until I’m pretty much just crawling along on idle speed, the gas pedal is hilariously worthless. We turn a few times and get right up to the parking lot of an Econolodge. All that is left is one tiny little lamp in the instrument cluster, and it’s half-lit anyhow. The car is fully dead. Transmission is stuck in everything but park, and so I get out, and with Scott’s help, we try to push the Santa Fe up the little incline to the parking lot of the Econolodge Hotel. A stranger appears out of nowhere and runs over and asks if he can help, and all three of us push the Santa Fe to the middle of the empty parking lot. I turn the car off, but the panic sets in again because I can’t put the transmission in park. I wait a few minutes and try to turn the car on, I get accessories to come on, and the transmission goes to park. I turn everything off and get a room at that Econolodge.

Now, here is where we place a mental pin in the tale, keep this spot in mind because what happens next is full of consequence.

I wake up the next morning, I don’t know what is wrong with my car, and my first idea is to see if I can find a repair shop. There are lots of auto dealers around, there’s a Kia, there is a Chevy, and a Toyota, but no Hyundai. So I figure I need some sort of shop, so I search Yelp for “auto repair,” and I find Adam’s Towing and Service of Porter, Indiana. I call them, reach Adam, and tell him what happened to my car. He suggests that it’s the alternator and I ask for a tow so he can work on it. The tow guy comes, super amazing fellow, and they get my Santa Fe on the skid and tow it away. I follow after in a rental car I picked up from an Enterprise location in Burns Harbor. We get to Adam’s shop, and they start working on it. I take the rental back to Kalamazoo and drop off everything; we get a call from Adam, my car is ready. He replaced the Serpentine Belt, and the Alternator and everything is back to normal. We get back, drop the rental car and pick up the Santa Fe and drive it back to Kalamazoo. Everything is back to normal. While talking to Adam, he asks if there was anything about motor oil with my car, because the alternator was soaked with oil and that’s why it died. I remember back to the service campaign that Hyundai performed and immediately do a Google Search, and many other people have had the gasket go out on them and struggle with Hyundai about repairs. So I’m thinking that’s what is going on with my Santa Fe. I go to Maple Hill Hyundai, and I learn that the job cannot be cleared because the leak is coming from the Timing Cover Gasket and that repairing that is a $1200 to $1600 process. For me, that totals the Santa Fe.

So then I start talking with Hyundai Corporate, talk to many people about my problem, and I believe that the problem is still the valve cover gasket. That motor oil that was inside my engine got outside and killed the alternator. I’d like my money back from the repair job, and I’d like someone to fix the gasket, just like Hyundai did in October 2015. Just like all those other Santa Fe owners who had this EXACT SAME PROBLEM.

So then, after being told that it wasn’t covered by Maple Hill, I reached out to another shop where I had my brakes done previously and brought it to them. The owner said “How do they know where the leak is, did they clean the side of the engine and run a dye test?” and the answer is no. While we had the hood open, he also pointed out that the plastic cowl that covers the engine was missing nuts, and one was cross-threaded and abused badly by a torque driver. But I don’t know who did it, so who is to blame? Haven’t a clue, but there are only three shops in this tale, Maple Hill, Adam’s, and the place where it sits now.

So then this morning I call Hyundai and I relate the tale to the rep, updating with my misgivings about which gasket really is the problem, and that I want proof that it is either the valve cover gasket or the timing cover gasket, and that I don’t want my money back from the alternator fix, but I really want to prevent this from happening again because I want my car to work for me for a while longer if I can manage it. I relate the tale, and then when I mention Adam’s Towing and Service and the shop that will wash the engine block and run the dye test, the Hyundai rep stops me and tells me that I can stop right there. Hyundai refuses to honor any warranty, expressly or implicitly formed because I took my vehicle to an Independent Repair Facility. So, go back to the pin I mentioned about the momentous choice I made. I was stranded on the highway, no warranty from Hyundai, no clue it was the gasket, and so because I didn’t push the vehicle to a Hyundai dealership, I’m quite shit out of luck.

So that’s the end of it. Hyundai walks away, from a service campaign that they botched, maybe, how can anyone tell? Nobody but the IRF even mentioned cleaning the engine and running a dye test! And what burns the most is that while I was regaling the Hyundai Corporate Rep with my tale of suffering, she searches for a Hyundai dealer in Chesterton, Indiana. Norris Hyundai. She then proceeds to waggle this Hyundai dealers location in my face, over the phone. If only I had pushed my dead 2000 pound Santa Fe to Norris Hyundai, then maybe Hyundai would talk to me. But because I was in the middle of the dark, with a dead car, work on Monday, and all the other stress, that I didn’t search for Norris and I didn’t PUSH MY CAR THERE, that there is nothing left to talk about and that I should have a nice day.

So I am done with Hyundai. I am done with the brand; I'm done with Maple Hill. There is no point in calling Fox Hyundai or Norris Hyundai, or anyone else. Hyundai only has one thought, and that is to hide in their fine print and treat me with such disrespect that it takes my breath away. They have no interest in their customers, no interest in repairing what is their fault. So I'm going to find out. Since it doesn't matter now, I'm throwing in all the way with my new repair shop. This fellow will wash the side of the engine block, add the dye, and give me an authoritative answer as to which gasket is leaking. And then I'll face the question of what to do from that point forward. It will answer the question: is it the timing cover gasket or the valve cover gasket? And if it is the valve cover, I might pay to have this new fellow do the work.

It is clear to me that Hyundai is uninterested in being human to me. They want to be a company, and that is their prerogative. It is my choice to associate with humans or companies, and I make my choices based on what I perceive to be the humanity of whom I am dealing with. Hyundai hides behind their fine print and their rules. That’s perfectly fine. I don’t want anything to do with a company like that. And if that means that I burn all the bridges to all the automakers in my life, then so be it. I have to make a stand, and I will live with the consequences. I will fucking walk if I have to. This deep violation of the Golden Rule is so upsetting to me that I cannot even see straight, so that’s fine Hyundai, hide behind your fine print and your rules and utterly fail to treat others as you would have them treat you.

There is a place in hell for you, and the punishment for a company is expressed regarding karma. You deserve what you get.

Cisco SmartInstall Vulnerability Mitigation

At work, I use Cisco gear everywhere. Recently the SmartInstall Hack has become a security concern. There is a vulnerability in the SmartInstall system that allows bad actors to send arbitrary commands to your network infrastructure.

So I started out knowing how my network is shaped, that I customarily keep the 10-net IP space organized by state, then by city, and then finally by kind of equipment. Out of the four octets, the first one has to be 10, the second one is the state, and the next is the city in that state, and finally, I prefer to keep all my infrastructure gear between 250 and 254.

I started with nmap because I wanted a memory refresher so that I wouldn’t miss a device.

nmap 10.1-10.1-10.250-254

This command provides me a handy report of all the places on the inside of my network where ssh or telnet (depending on the age of the gear) reside. I print off the list, and it becomes an authoritative checklist for all my infrastructure gear.

Then, one at a time, ssh or telnet into each infrastructure device and paste these commands in one go:

conf t
no vstack
end
wr mem

I don’t care if the command fails, it’ll write NVRAM to Flash either way which suits me fine. Once I was sure I got all the equipment that could be affected, I know that at least for this vulnerability, we’re all done. There won’t be anything, at least for this, at work for me to worry over.

Now if you use vstack or SmartInstall, your mileage may vary, but I certainly don't use it. The default is to leave it on, so the smart money is in forcing it off. Why leave it open as a vulnerability, even if you think there is no chance of bad actors on your LAN? Turning it off is one less thing to worry over.
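As an added example, not from the original post, the following Python script turns the nmap step above into the checklist the post describes: it parses grepable output (the format `nmap -oG -` prints; the sample here is constructed, following the 10.state.city.host scheme), lists every host reachable over ssh or telnet, flags management services sitting outside the .250-.254 convention (an inventory gap or something that is not infrastructure), and audits a saved `show running-config` for the `no vstack` line. That last check rests on an assumption, that IOS writes `no vstack` into the running configuration once the feature is disabled. Function names are this example's own.

```python
import re

# Constructed nmap -oG (grepable) output, the format `nmap -oG - <targets>`
# prints; addresses follow the 10.<state>.<city>.<host> scheme from the post.
SAMPLE_NMAP_OG = """\
# Nmap 7.70 scan initiated (constructed sample)
Host: 10.1.1.250 ()\tStatus: Up
Host: 10.1.1.250 ()\tPorts: 22/open/tcp//ssh///, 23/closed/tcp//telnet///
Host: 10.1.1.251 ()\tPorts: 23/open/tcp//telnet///
Host: 10.1.2.17 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///
Host: 10.1.2.253 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///
Host: 10.1.3.250 ()\tStatus: Up
# Nmap done (constructed sample)
"""

HOST_RE = re.compile(r"^Host: (\S+) ")
MGMT_PORTS = {22: "ssh", 23: "telnet"}        # ssh first: preferred when both are open
INFRA_HOST_OCTETS = range(250, 255)           # the post keeps infrastructure at .250-.254


def parse_grepable(text: str) -> dict[str, dict[int, str]]:
    """{ip: {port: state}} from grepable output; hosts with no Ports field
    are kept with an empty dict so they still show up as scanned."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ports = hosts.setdefault(m.group(1), {})
        for field in line.split("\t"):
            if field.startswith("Ports: "):
                for entry in field[len("Ports: "):].split(", "):
                    port, state = entry.split("/")[:2]
                    ports[int(port)] = state
    return hosts


def _ip_key(ip: str):
    return tuple(int(o) for o in ip.split("."))


def checklist(hosts) -> list[tuple[str, str]]:
    """(ip, method) for every host reachable over ssh or telnet, in address order."""
    out = []
    for ip in sorted(hosts, key=_ip_key):
        open_mgmt = [p for p in MGMT_PORTS if hosts[ip].get(p) == "open"]
        if open_mgmt:
            out.append((ip, MGMT_PORTS[open_mgmt[0]]))
    return out


def unexpected(hosts) -> list[str]:
    """Hosts offering ssh/telnet outside the .250-.254 convention."""
    return [ip for ip, _ in checklist(hosts) if _ip_key(ip)[3] not in INFRA_HOST_OCTETS]


DISABLE_VSTACK = "conf t\nno vstack\nend\nwr mem\n"   # the paste block from the post


def vstack_disabled(running_config: str) -> bool:
    """Audit a saved `show running-config`: treat SmartInstall as disabled only
    when a `no vstack` line is present (assumption: IOS writes that line out
    once the feature has been turned off)."""
    return any(line.strip() == "no vstack" for line in running_config.splitlines())


if __name__ == "__main__":
    hosts = parse_grepable(SAMPLE_NMAP_OG)
    for ip, method in checklist(hosts):
        print(f"{ip:<14} {method:<7} paste: {DISABLE_VSTACK.replace(chr(10), ' / ')}")
    print("outside the infrastructure range:", unexpected(hosts))
    print("audit of a config without the line:", vstack_disabled("hostname sw1\n!\n"))
```

Feeding each device's saved configuration through vstack_disabled after the paste is the cheap way to make sure no switch was skipped.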

Dreamscapes of Chicago

While I’ve been enjoying Chicago, and we’ve been pretty much carless the entire time with the Santa Fe parked in the hotels parking structure and taking Uber rides everywhere it has done nothing to reduce the nightmares that I suffer every night sleeping in this place.

Car Theft.

These nightmares are riffs on a theme, different thieves, different cars, different lives, different settings. Cars without wheels, somehow rolling away, cars without any internal parts whatsoever operating as if they had them. Thieves that are anonymous or thieves that are caught but chatty occupy the dreamscape.

I’ve had three cycles of sleep here, and in each cycle, the same exact thing. My vehicle is stolen. When I try to stop the thieves, they explain to me that it has to be this way, that it always has to be this way.

And while I’ve had a delightful time at C2E2, I am going to welcome my exit from this place. I can’t stay in Chicago much longer, if nothing more that I can’t endure many more of these nightmares every single night, like clockwork.

TWSBI Fountain Pen

A few months ago, while talking with a friend about technology, the conversation turned to throwback items that we enjoy using. I brought up my fondness for fountain pens, which always seems to surprise people. The idea of a pen as a writing instrument goes back a really long time. Around the turn of the last century, there was an explosion in patents related to fountain pens and how they hold and dispense ink as you write. After my conversation with my friend, I was inspired to go shopping a little bit. I had some money set aside over the past number of years for small little gifts to myself. I never really touch it, so the money sits in my accounts. I came across a company that sells a highly regarded fountain pen, called TWSBI. As I got to browsing the options on Amazon, I looked at my Lamy branded fountain pen and realized that it was good as entry level pens go, but I wanted to move up a notch. TWSBI seemed a good option. The pen I selected was the TWSBI Diamond 580AL Silver Fountain Pen with the medium nib. I also got the "Broad Nib" as many reviewers expressed pleasure at writing with both.

[Image: TWSBI 580AL Fountain Pen (580AL_1024x1024.png)]

I have to say that writing with it is quite an experience. I started writing with fountain pens back in college and found that the way the ink flows beat any other sort of pen hands down. Plus the way the nib moves on good paper makes writing longhand a pleasure. It can still work on rough stock, but it struggles with the rough material, and there is more skritch-skritch-skritch while writing on some of the lowest class papers out there.

The Lamy I have uses a piston-convertible insertable tank, while the TWSBI has its piston tank built into the frame of the pen itself. I find that the TWSBI holds more ink, way more ink than my Lamy ever did.

Another little bit to note: fountain pens aren't meant for left-handed writers, as far as I know. The ink doesn't dry fast enough for the way a lot of left-handed writers have to use a pen. I don't know many folks who are left-handed writers, though, so there is no way to see whether they could use it without making a mess of their hands with the ink.

If you have a little bit of spending money, this pen can go a long way in both its look and its function to add a little something to your workaday life. It won’t solve problems or anything like that, but it is something nice to have that a lot of people appreciate. I always chuckle to myself when people remark on how I use a fountain pen, and what I do for a living, which makes people think I should be keyboard bound. Sometimes old things peak, and iterations afterward are all downhill from that peak. In a lot of ways, just like Windows 2000. LOL.

Starve The Beast

Finally moved all my Facebook Saved Links out to Pocket and dumped them from Facebook. Went from 600 pages liked to 300, although I think there are items on that list that Facebook is no longer revealing, and I suspect it is a bid to prevent people from using automated tapeworms to delete their Facebook account via hollowing. Leave the account in place, but dump all the guts out.

I don’t care to encourage people to do anything. The more I see how much Facebook knows about me, the more shocked I feel. That they have monetized me was always a part of the deal, but the Cambridge Analytica scandal points to a deeper corruption that runs along with the platforms inability to admit error and only responds when caught red-handed. If they have been corrupt all along, how far does the corruption go? How much have they sold us all for profits? Who has the data that describes us so well?

In many ways, #DeleteFacebook is a matter of bonum ira. It's a good sort of anger that helps clean up a mess that we all have made of things. Facebook demands punishing, in a manner of speaking, and retraction of personal data is probably the only rational way to achieve this sort of effort.

I don’t want to delete Facebook as much as starve it of data.

Security Notes: OpenDNS Umbrella

In my workplace, I have deployed OpenDNS Umbrella across my company network to secure and manage my DNS system. I have found that Umbrella is remarkably good at preventing unwanted behavior and protecting my corporate network from threats both outside the firewall and inside it.

All traffic destined for domain resolution must pass to two Hyper-V VMs located in my Headquarters branch. These two virtual machines handle all requests from my entire network, including the branches across the Data WAN, facilitated by the Meraki Site-to-Site VPN mesh network that the Meraki system handles for me automatically. These two VMs then pass all their collected queries to OpenDNS itself, where my policies about which Layer 7 categories I have allowed and disallowed for resolution are applied. Malware is the primary reason for Umbrella, as everything from viruses to trojan horses relies on DNS, and needs it working clear as a bell, in order to function in a harmful manner. Umbrella acts as a canary in a coal mine, messaging the admins about everything from Command-and-Control requests, to Malware requests and category violations throughout the company.

As I have been working with Umbrella, I noticed an immediate vulnerability in the way the system works. Technically, nothing stops a user with a company device, or even their own, from defining their DNS servers manually and side-stepping Umbrella completely. Specifically, I am thinking about Google's DNS servers at 8.8.8.8 and 8.8.4.4, although any public DNS server would work in this arrangement. It is important to include in this discussion that as an IT administrator I buck the trend against my own industry's best practices: all users are local admins of their machines. I don't believe in "nailing down the workstations" at all. Instead, I keep my security surface deep in the domain controller and file server, a much tighter arrangement that affords end users more liberty. With the liberty comes a risk that end users could perform some action which would ruin their day. This keeps the users responsible, and it keeps what we have to say in IT more relevant than ever. We don't keep you from ruining your day, we help you cope. I have found that users, for the most part, treat their computers like simple tools; they don't go poking about where they shouldn't, and it has served me very well. Except in situations like this one, where users or malware have the inherent rights to change the DNS resolver settings if they know where to go and how to do it.

So that started me thinking about ways to address this risk and naturally I thought of the switching layer that everyone is connected to. The best place to control this is within the Cisco Catalysts themselves. It’s a matter of an ACL, an Access Control List. I poked about online and eventually came up with this solution. My two DNS resolvers are at 10.1.1.238 and 10.1.1.239 respectively:

ip access-list extended FIXDNS
!
permit udp any host 10.1.1.238 eq domain
permit udp 10.1.1.238 0.0.0.0 any eq domain
permit udp any host 10.1.1.239 eq domain
permit udp 10.1.1.239 0.0.0.0 any eq domain
permit tcp any host 10.1.1.238 eq domain
permit tcp 10.1.1.238 0.0.0.0 any eq domain
permit tcp any host 10.1.1.239 eq domain
permit tcp 10.1.1.239 0.0.0.0 any eq domain
deny tcp any any eq domain log
deny udp any any eq domain log
permit ip any any
!

This code block creates an ACL package named FIXDNS in the switch, and then on individual ports, or VLANs, or even the entire switch input flow I can affix this command and put the rule into operation:

ip access-group FIXDNS in

Obviously, I would use this in individual cases across the system, applying the limits only to end-user facing ports and skipping the trunks and support services like servers, copiers, and plotters. Being only a single command, it also makes it a snap to tear it out of ports as well, just on the off chance that I want to relax my security posture for some specific reason. I like the idea of the granularity of control this solution provides me, and I spend every day in my switching systems, so managing this is not any more work for me than usual.

I tested it in the lab as well, which is how this all got started. If the test laptop is configured to fetch its DNS settings from the DHCP pool, the users notice absolutely nothing unusual about their connection. Their DNS queries head off to OpenDNS Umbrella for resolution as normal, and everything works as it should. Acceptable traffic is allowed, while malware or banned categories are blocked. In the lab, if I set the laptop's NIC to a specific DNS server outside my organization, like Google DNS, then any DNS related queries do not work. As a matter of record, I have included log directives in the block statements above, so if someone is breaking the rules, we'll see where they are attempting to get their DNS services from and head out to correct it. Although the chances are that they would likely call us to find out why their Internet has stopped working.
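The lab test above can be reproduced on paper. The following Python script, added here as an example and not part of the original post, parses the FIXDNS ACL text exactly as written, applies it with Cisco semantics (first matching entry wins, address/wildcard pairs where set wildcard bits are "don't care", an implicit deny at the end), and runs constructed sample packets through it: a workstation at 10.1.1.57 (made up) querying an Umbrella VM, the same workstation hand-set to 8.8.8.8 over UDP and TCP, ordinary HTTPS traffic, and a resolver forwarding upstream to a placeholder address. It shows which packets are permitted, which are denied, and which produce a log entry. Note that the entries naming a resolver as source only ever match traffic leaving that resolver; on a user-facing port with the ACL applied inbound they are never hit.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# The FIXDNS ACL from the post, verbatim, as the parser's input.
FIXDNS = """\
ip access-list extended FIXDNS
!
permit udp any host 10.1.1.238 eq domain
permit udp 10.1.1.238 0.0.0.0 any eq domain
permit udp any host 10.1.1.239 eq domain
permit udp 10.1.1.239 0.0.0.0 any eq domain
permit tcp any host 10.1.1.238 eq domain
permit tcp 10.1.1.238 0.0.0.0 any eq domain
permit tcp any host 10.1.1.239 eq domain
permit tcp 10.1.1.239 0.0.0.0 any eq domain
deny tcp any any eq domain log
deny udp any any eq domain log
permit ip any any
!
"""

PORT_NAMES = {"domain": 53, "www": 80}
ALL = 0xFFFFFFFF


@dataclass(frozen=True)
class Match:
    """One address spec: Cisco address/wildcard pair plus an optional `eq` port."""
    addr: int
    wildcard: int
    port: Optional[int]

    def covers(self, ip: str, port: int) -> bool:
        # Wildcard semantics: bits set in the wildcard are "don't care".
        addr_ok = ((int(ip_address(ip)) ^ self.addr) & ~self.wildcard & ALL) == 0
        return addr_ok and (self.port is None or self.port == port)


@dataclass(frozen=True)
class Rule:
    action: str   # permit | deny
    proto: str    # udp | tcp | ip
    src: Match
    dst: Match
    log: bool


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


def _port(tok: str) -> int:
    return PORT_NAMES.get(tok) or int(tok)


def _spec(tokens, i):
    """Consume `any` | `host A` | `A WILDCARD`, then an optional `eq PORT`."""
    if tokens[i] == "any":
        addr, wc, i = 0, ALL, i + 1
    elif tokens[i] == "host":
        addr, wc, i = int(ip_address(tokens[i + 1])), 0, i + 2
    else:
        addr, wc, i = int(ip_address(tokens[i])), int(ip_address(tokens[i + 1])), i + 2
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = _port(tokens[i + 1]), i + 2
    return Match(addr, wc, port), i


def parse_acl(text: str) -> list[Rule]:
    rules = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] in ("!", "ip"):      # comment line or the ACL header
            continue
        src, i = _spec(t, 2)
        dst, i = _spec(t, i)
        rules.append(Rule(t[0], t[1], src, dst, i < len(t) and t[i] == "log"))
    return rules


def evaluate(rules: list[Rule], pkt: Packet):
    """First matching entry decides; a Cisco ACL ends with an implicit deny."""
    for r in rules:
        if (r.proto in ("ip", pkt.proto)
                and r.src.covers(pkt.src, pkt.sport)
                and r.dst.covers(pkt.dst, pkt.dport)):
            return r.action, r.log
    return "deny", False


# Constructed traffic from a workstation at 10.1.1.57; 203.0.113.53 stands in
# for an upstream resolver and 198.51.100.80 for a web server.
SAMPLE_PACKETS = [
    Packet("udp", "10.1.1.57", "10.1.1.238", 54321, 53),     # to the Umbrella VM
    Packet("udp", "10.1.1.57", "8.8.8.8", 54321, 53),        # hand-set Google DNS
    Packet("tcp", "10.1.1.57", "8.8.8.8", 54322, 53),        # same over TCP
    Packet("tcp", "10.1.1.57", "198.51.100.80", 54323, 443), # ordinary web traffic
    Packet("udp", "10.1.1.238", "203.0.113.53", 44444, 53),  # resolver forwarding upstream
]


def run(packets=SAMPLE_PACKETS):
    rules = parse_acl(FIXDNS)
    return [evaluate(rules, p) for p in packets]


if __name__ == "__main__":
    for pkt, (action, log) in zip(SAMPLE_PACKETS, run()):
        print(f"{pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport:<4} {action}{' (logged)' if log else ''}")
```

The two logged denies are the lines that would surface in the switch log when a laptop is pointed at an outside resolver, which is the evidence the post relies on to spot who changed their settings.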

I have this FIXDNS package installed on all my switches company-wide, but I haven’t actually enabled it anywhere. I think I am going to roll out the blocks very slowly and make sure that there aren’t any alarms raised at my efforts. Not that I seriously think anyone has the interest or know-how to customize their DNS resolvers, but it is nice to know that they cannot even if they tried.

Kalamazoo #NeverAgain March

Today we drove up to Western Michigan University and joined the community in the anti-NRA #NeverAgain March from the flagpoles on campus to Bronson Park.

It was surreal to park on that campus again. We walked up to the flagpoles and the crowd was quite well organized and burgeoning. Several schoolkids were there with the event organizers to speak to the crowd and offer their viewpoints and context to what we were about to accomplish. Here’s a sample of what we saw:

[Image: IMG_0027.JPG]

The group was peaceful and orderly; there was no violence and no exclamations. As we walked away from the flagpoles, and down past the entry to Sangren Hall on Western's campus, that was the only point at which I noticed any counter-protestors. There were supposedly going to be counter-protestors from the local Open Carry group, but Western's Public Service does not allow open carry on University grounds, so the only counter-protestors we saw were some people with signs. There were very many of us and maybe a handful of the counter-protestors.

The event organizers helped a lot by telling all of us that counter-protestors were expected and that the best way to interact with them is to not interact at all. This was an exercise of First Amendment Rights on both sides, the teeming horde of us in the #NeverAgain march, and the handful of counter-protestors. Nobody that I saw made contact; there were some glances, but nothing overt that I witnessed. The march downtown was met with lots of honking horns from the rerouted traffic. The police were kind, principally silent, and there really to keep watch around the edges and to handle traffic. We came into contact with one police officer who was attempting a charm offensive; he thanked us for our orderly civic display and we thanked him for traffic control and keeping watch over us all.

The march itself was very pleasant. There wasn’t anything remotely provocative about any of the progression down to the central park downtown. There were no accidents that I saw, no foolishness from anyone, and we all demonstrated our political viewpoints in a very calm, exceptionally orderly manner.

Afterwards, when the words were said and the kids had their moment to shine, the march broke up and everyone drifted away. We ended up going to Kelvin & Company for a snack because we really wanted a break from the chilly wind and all that walking. After our little stop, we dropped by another new store on the Kalamazoo Walking Mall, RocketFizz. We enjoyed some Special Dark Hershey's Chocolate Bars and I bought a bottle of butterscotch root beer from a bottler in Washington State, Oh-So brand, I think. The walk back was long, and upon reflection, if we had stashed the Juke somewhere downtown we probably would have had a faster way to get back to campus. Political marches aren't very common, so that we missed out on a logistical tip wasn't so awful. We got in a lot of walking steps on our Fitbits, at least.