Saturday, April 22, 2017

Privilege and Accountability

Given the state of the world these days, and especially with the state of our current leadership, I've been thinking a lot about priveledge and personal accountability.  I'd like to share those thoughts.

I consider myself to be a fairly successful individual.  While I don’t own/operate my own business, I am good at what I do and I am paid well for it.  I did this without college and was largely self-taught, at least in a formal sense.  Most of what I know in terms of technology I gained through experimentation, reading and learning from those around me.  I’m successful because I’m motivated and I work hard.

But that’s only part of the story.  I was also very lucky.

Out of high school I was accepted to the computer science program of a local university.  I ended up not attending for financial reasons, instead getting a job in the music department of a local retailer.  I was good at my job. I worked hard and managers tended to like me.  I made good friends there, and they helped me get out of the depression that so many teenagers deal with.

Then, in 1997, the whole chain went out of business.  Without that event, there’s a good chance I would have stayed there much longer.  Perhaps I would eventually have become a manager there, or work my way up the corporate chain.  It could have been a good job, but it wasn’t what I wanted for myself.

Later that year I took my first technical support role at a computer providing outsourced telephone helpdesk support.  They provided a lot of training, and I did well.  Before too long I was consistently a top team member in terms of issues handled and issues resolved.   Within a year I joined their Mentor in Training program and helped other team members succeed.  At the end of the Mentor in Training program I ended up being passed up for a promotion to the team mentor position.  They did offer to essentially allow me to remain in the program, essentially doing the Mentor job without the title.

One weekend a co-worker asked what I was even doing there.  He told me that I was wasting my time at that point and should move on to bigger and better things.  We hadn’t worked together for very long, so I don’t recall his name anymore but I wish he did because he changed my life.
After a relatively short period of time searching, I joined a local tech startup as a contractor at roughly twice the rate that I was making at my first tech job.  I stepped into a team which had just been formed and really had no processes or tools and worked with my team members to really build up the group.  It was a time of rapid learning.  Before too long I was a Lead Engineer and then Senior Engineer.

We grew fast, from 40 employees when I started to over one thousand a year or two later.  Then came the bubble burst in 2001 which killed off a lot of our customers and forced a layoff that eliminated a large set of great people.  I survived and stayed on, changing rolls several times.  I was able to spend time in Network Operations, Information Security, IT, Professional Services, Software Testing and then finally our OS team.  I did well in most of them and was paid well for my service.

A good part of this was due to intelligence and hard work, but not all of it.  If I had gone to college like I had intended, my life could have been very different.  I would have had far less work experience when the bubble burst.  If the store chain had survived I could still be there or perhaps I would have gone into computers at a later time, missing out on the fast growth of the tech sector in the 90s.  If I hadn’t worked the weekend shift at my tech job, I might not have been convinced to look around. I could have been included in the layoffs at my company like a number of my friends were.
In addition to luck, I had privileges not available to some of my peers.

I grew up in a house where we had access to a computer in the late 1980s.  This was uncommon.  And I was given the ability to use it quite a bit, and even break things on occasion.  I learned the most when I'm forced to recover from my own mistakes.  I could very well see a kid screwing up a computer in the 80s resulting in them no longer being able to touch/learn from it.

I grew up in a town which decided to hire a great Computer Science teacher while I was in high school.  I was exposed to computer BBSes by an uncle who ran one from our house, and learned a lot accessing them and eventually setting up one myself.

The town was also in the greater Boston area which had the tech sector of the 128 belt and then the startups of Cambridge.

I am also white.  While this shouldn’t matter, in reality it does.  As far as I’m aware, no one went out of their way to help me due to my race, but I’m certain I had an advantage due to unintentional bias at a minimum.  I was never assumed to be a hoodlum as a teenager or a terrorist in my 20s after 9/11.  Sometimes privilege isn’t about what people do for you, but rather what they don’t do *to* you.

I understand that I got ahead with a combination of skill, hard work, luck and privilege and this makes it hard to hold it against others simply because they missed out on one or more of these.  People getting their start in a tough economy.  People who have had their jobs outsourced or automated away.  People who were born with less intelligence, potentially capping how far they can get ahead.  People being discriminated against.

None of us succeed or fail in a vacuum.  I built on what others provided.  I learned what others taught.  I rode on the coattails of a growing business.  And I took full advantage of the benefits that were awarded to me.

I can even understand people who “don’t work hard enough” according to some.  I work hard, but I also love what I do.  If I was stuck working one or more dead-end jobs in order to make ends meet will struggle to work hard.  The work may not be interesting.  They may be overtired from working multiple jobs.  They may have to take abuse from an uncaring public or management. That type of environment is demotivating, even depressing.  You cannot be expected to work two jobs to pay the bills, and then be able to work even more to try to get ahead.

Instead of talking about "lazy millennials", or making assumptions about various ethnic groups, we should instead strive to give them the opportunities that they would otherwise be missing.  Cutting fundings for schools hurts everyone.  How can we as a country expect to succeed if we work on increasing the percentage of people in the country who are uneducated?

We work to automate or outsource our work to countries where labor is cheaper.  I don't expect us to stop progress (and don't want us to), but it is cruel to take these actions and then demonize the people impacted.  How many times have you heard people talk about Wal*Mart and McDonalds employees not deserving a living income?  As if it is their fault that they need to work those jobs in order to make ends meet.  Perhaps they could put effort into getting a better job, except they may very well be working multiple jobs in order to just put food on the table.  

Not to mention people who just don't have the capabilities to get ahead on their own.  Mental illness, lower intelligence, and physical handicap are just some of the reasons why someone may not *have* any options beyond what many consider to be entry-level work.  Should they suffer for that?

This is a solved problem in the world.  Finland for example is starting to provide a basic income to some of their people.  The idea is that if people don't have to struggle to live, they will have the opportunity to explore options that wouldn't otherwise be available to them.  Perhaps they want to be a musician, or an artist.  Or they want to get into the world of computer programming, but just don't have the time to devote to learning it.

Some are concerned that this will just make people lazy.  I suspect they may very well be right for a subset of the people.  But is that really so bad?  In a world where the total number of jobs is not increasing at the rate that the working age population is, wouldn't you rather just deal with motivated employees?  And do we really want to punish everyone else in order to avoid letting them "get away" with not working?

Let's work together to create a future where automation doesn't lead to even more massive income disparity.  Where companies like Wal*Mart don't make 120 Billion dollars while their employees starve on food stamps.  Or run "food drives" to have their employees feed each other.   Or companies like Uber leverage the under employed masses to take the profits of Taxi companies while simultaneously working on self-driving cars in preparation for putting those masses out of business as well.

Tuesday, June 28, 2016

Installing Ubuntu 16.04 on a ZFS root filesystem

One of the major new pieces of functionality in Ubuntu 16.04 (Xenial) is built in support for ZFS filesystems.  I was disappointed to learn that ZFS support is not actually built into the installer itself, leaving you to piece things together yourself.  I did find a few good tutorials online for this, but they all seem to be missing a few pieces.  I'm hoping that this guide will be a bit more complete for people.

It is based on a combination of the following two guides:

Booting Into the Install Environment

Setting up a ZFS filesystem requires a full set of userspace tools rather than the limited set included within the actual installer.  Due to this, we're going to boot a Ubuntu Desktop live CD, and do a manual installation within its root filesystem.  I found that the easiest way to do this was to boot the live CD, set a password for the ubuntu user, and SSH into the machine from a remote box.  This way it is much easier to copy/paste commands from the webpage.

To start off, we need to install the ZFS tools and debootstrap which we will use for actually installing the operating system:

apt-add-repository universe
apt-get update
apt-get install --yes zfsutils-linux debootstrap


Partitioning the Disks

Next, we partition the disks.  For now we're going to assume a two disk system which is just doing striping, but you can change as desired:

parted -- /dev/sda mklabel msdos Y mkpart primary zfs 0% 100%
parted -- /dev/sdb mklabel msdos Y mkpart primary zfs 0% 100%

Device naming during bootup on Linux isn't always static, so we want to reference the disks through a static identifier like disk ID (/dev/disk/by-id), unfortunately Grub fails to properly identify the devices from the zfs command output, so we need this hack for now to make sure that update-grub will correctly identify the disks.  Specifically, it forces creation of symlinks in /dev which map to the device names in /dev/disk/by-id.  Some additional details about the issue can be found in this grub2 launchpad bug.

echo 'KERNEL=="sd*[!0-9]", IMPORT{parent}=="ID_*", SYMLINK+="$env{ID_BUS}-$env{ID_SERIAL}"
> KERNEL=="sd*[0-9]", IMPORT{parent}=="ID_*", SYMLINK+="$env{ID_BUS}-$env{ID_SERIAL}-part%n"' > /etc/udev/rules.d/90-zfs.rules
udevadm trigger

Create Your Zpool

Now we actually create the zpool and import it to /mnt:

zpool create -m none -o ashift=12 -O compression=lz4 rpool /dev/sda1 /dev/sdb1
zfs create -o mountpoint=/ rpool/root
zpool export rpool
zpool import -d /dev/disk/by-id -R /mnt rpool

So here we create the zpool by device name, and then re-import it by device ID while mounting at /mnt.

And then create various partitions off of the root filesystem:

zfs create -o setuid=off rpool/root/home
zfs create -o mountpoint=/root rpool/root/home/root
zfs create -o canmount=off -o setuid=off -o exec=off rpool/root/var
zfs create -o com.sun:auto-snapshot=false rpool/root/var/cache
zfs create rpool/root/var/log
zfs create rpool/root/var/spool
zfs create -o com.sun:auto-snapshot=false -o exec=on rpool/root/var/tmp

We break out these various subdirectories so we have the ability to optionally enable/disable compression, support for setuid/exec, and various other options.  We can also choose to limit the maximum size of each mount independently.

Install Ubuntu

The install of Ubuntu itself is pretty straightforward:


debootstrap the OS

debootstrap xenial /mnt
zfs set devices=off rpool
grep -v cdrom /etc/apt/sources.list > /mnt/etc/apt/sources.list
cp /etc/udev/rules.d/90-zfs.rules /mnt/etc/udev/rules.d/90-zfs.rules

You'll notice at the end here we copy our hacky udev rule to the new filesystem.  The "devices=off" option we set here disables the ability to create device nodes in the filesystem.  This works since /dev is actually a devtmpfs partition of its own.


Configure the network interface

export INTERFACE=$(ip addr list | grep ^[0-9]: | grep -v "lo" | awk {'print $2'} | cut -d ":" -f 1)
echo test > /mnt/etc/hostname
echo 127.0.1.1  >> /mnt/etc/hosts
echo "auto $INTERFACE
iface $INTERFACE inet dhcp" > /mnt/etc/network/interfaces.d/$INTERFACE


Enter the chroot for some final setup

mount --rbind /dev /mnt/dev
mount --rbind /proc /mnt/proc
mount --rbind /sys /mnt/sys
chroot /mnt /bin/bash --login

locale-gen en_US.UTF-8
echo 'LANG="en_US.UTF-8"' > /etc/default/locale
apt-get update
apt-get install --yes zfsutils-linux zfs-initramfs grub-pc linux-image-generic ssh
dpkg-reconfigure tzdata
update-initramfs -c -k all


Set Up Grub's configuration

sed -i 's/^\(GRUB_CMDLINE_LINUX_DEFAULT\)=.*/\1=""/g' /etc/default/grub
sed -i 's|^\(GRUB_HIDDEN_TIMEOUT=.*\)|#\1|g' /etc/default/grub
sed -i 's/^\(GRUB_CMDLINE_LINUX\)="\(.*\)"/\1="boot=zfs \2"/g' /etc/default/grub

ln -s /proc/mounts  /etc/mtab
update-grub
rm /etc/mtab


Set a root password and exit the chroot

passwd root
exit


Install the grub bootloader

grub-probe /mnt
grub-install --root-directory=/mnt /dev/sda
grub-install --root-directory=/mnt /dev/sdb


Reboot into the environment

reboot

Friday, October 11, 2013

Eating your own dog food

I got this unsolicited e-mail today:
Hi,

Hope you doing well. I am writing in regards to see if there is any possibility for us to work with your company. We are leading provider of B2B, B2C and B2G lists and excellent list compiler with highest delivery rate and data appending solutions. Our opt-in email database of Key decision makers can be used for your online promotion, brand awareness and to generate potential leads.

We build list according to your requirements based on your targeted business. We are specialized in Email Campaign and Data Append Solution, where you can add your clients missing data (email, fax etc).
Apparently they provide opt-in only mailing lists.  Shame they don't use them themselves.

Wednesday, February 29, 2012

Whoops!

My home server is configured to send me daily e-mails with any security events. Typically this means SSH brute force login attempts, and I occasionally take the opportunity notify people that their servers were breached and are being used for attacks.

Today I found something amusing in the logs. Apparently some idiot hacker mixed up their username and password files for their attack:
Feb 28 02:32:53 buddha sshd[57691]: Invalid user QFhGj8kE7D3Vs from 223.4.115.46
Feb 28 02:32:55 buddha sshd[57693]: Invalid user aMb0lgX8umqqQGpFRjiGiP from 223.4.115.46
Feb 28 02:32:58 buddha sshd[57695]: Invalid user crinalove from 223.4.115.46
Feb 28 02:33:00 buddha sshd[57697]: Invalid user xyzsun123 from 223.4.115.46
Feb 28 02:33:02 buddha sshd[57699]: Invalid user 20090924 from 223.4.115.46
Feb 28 02:33:05 buddha sshd[57713]: Invalid user aicumine from 223.4.115.46
Feb 28 02:33:07 buddha sshd[57715]: Invalid user Router#32SOS from 223.4.115.46
Feb 28 02:33:10 buddha sshd[57717]: Invalid user cotinga from 223.4.115.46
Feb 28 02:33:13 buddha sshd[57719]: Invalid user cornalito from 223.4.115.46
Feb 28 02:33:15 buddha sshd[57721]: Invalid user l0p33os from 223.4.115.46
Feb 28 02:33:18 buddha sshd[57723]: Invalid user !mir@nine from 223.4.115.46
Feb 28 02:33:20 buddha sshd[57725]: Invalid user mucleus.caca.root from 223.4.115.46
Feb 28 02:33:23 buddha sshd[57727]: Invalid user !@#$%^ from 223.4.115.46
Feb 28 02:33:25 buddha sshd[57729]: Invalid user easy2use from 223.4.115.46
Feb 28 02:33:28 buddha sshd[57731]: Invalid user diana4ever from 223.4.115.46
Feb 28 02:33:33 buddha sshd[57733]: Invalid user pw2009inx from 223.4.115.46
Feb 28 02:33:36 buddha sshd[57735]: Invalid user eth0eth1254 from 223.4.115.46
Feb 28 02:33:38 buddha sshd[57737]: Invalid user eth0eth0 from 223.4.115.46
Feb 28 02:33:40 buddha sshd[57739]: Invalid user 1q2w3e4r5t6y7u8i9o0p from 223.4.115.46
Feb 28 02:33:43 buddha sshd[57741]: Invalid user kentlung from 223.4.115.46
Feb 28 02:33:45 buddha sshd[57743]: Invalid user 1q2w3e4r5t6y from 223.4.115.46
Feb 28 02:33:48 buddha sshd[57745]: Invalid user kta1234 from 223.4.115.46
Feb 28 02:33:50 buddha sshd[57747]: Invalid user Kt@1234 from 223.4.115.46
Feb 28 02:33:53 buddha sshd[57749]: Invalid user !mi$ from 223.4.115.46
Feb 28 02:33:55 buddha sshd[57751]: Invalid user perfectpassword from 223.4.115.46
Feb 28 02:33:58 buddha sshd[57753]: Invalid user !mir@ninie from 223.4.115.46
Feb 28 02:34:00 buddha sshd[57755]: Invalid user !mir@Ninie from 223.4.115.46
Feb 28 02:34:03 buddha sshd[57757]: Invalid user !Mir@nine from 223.4.115.46
Feb 28 02:34:05 buddha sshd[57759]: Invalid user vkvadaclasa from 223.4.115.46
Feb 28 02:34:08 buddha sshd[57761]: Invalid user vkvadaclasa from 223.4.115.46
Feb 28 02:34:10 buddha sshd[57763]: Invalid user vkvadaclasa from 223.4.115.46
Feb 28 02:34:13 buddha sshd[57765]: Invalid user vkvadaclasa from 223.4.115.46
Feb 28 02:34:15 buddha sshd[57767]: Invalid user d3v__3f__j3b0n from 223.4.115.46
Feb 28 02:34:17 buddha sshd[57769]: Invalid user kany123kany from 223.4.115.46
Feb 28 02:34:20 buddha sshd[57771]: Invalid user gywjddl!@!* from 223.4.115.46
Feb 28 02:34:22 buddha sshd[57773]: Invalid user aprkvkldf!!! from 223.4.115.46
Feb 28 02:34:25 buddha sshd[57775]: Invalid user dnjao123! from 223.4.115.46
Feb 28 02:34:28 buddha sshd[57777]: Invalid user eltmzm!!! from 223.4.115.46
Feb 28 02:34:31 buddha sshd[57779]: Invalid user #7364! from 223.4.115.46
Feb 28 02:34:34 buddha sshd[57781]: Invalid user disk!!! from 223.4.115.46
Feb 28 02:34:36 buddha sshd[57783]: Invalid user @#Rq92u8fjewRweqf45y43tgh3 from 223.4.115.46
Feb 28 02:34:39 buddha sshd[57785]: Invalid user @n!md@mP#$@&#3141$&#@!#mTadm!n$@ from 223.4.115.46
Feb 28 02:34:41 buddha sshd[57787]: Invalid user BUNdAS@#$RT%GQ~EQW#%^QW from 223.4.115.46
Feb 28 02:34:44 buddha sshd[57789]: Invalid user 163typist from 223.4.115.46
Feb 28 02:34:46 buddha sshd[57791]: Invalid user dudejr5542 from 223.4.115.46
Feb 28 02:34:48 buddha sshd[57793]: Invalid user E1T1RDs7 from 223.4.115.46
Feb 28 02:34:51 buddha sshd[57795]: Invalid user 198287 from 223.4.115.46
Feb 28 02:34:54 buddha sshd[57797]: Invalid user r9A6YOFYEh from 223.4.115.46
Feb 28 02:34:56 buddha sshd[57799]: Invalid user 9swL2k5Cp7 from 223.4.115.46
Feb 28 02:34:59 buddha sshd[57801]: Invalid user oxbow@852 from 223.4.115.46
Feb 28 02:35:01 buddha sshd[57803]: Invalid user frigfurg from 223.4.115.46
Feb 28 02:35:03 buddha sshd[57805]: Invalid user xew4upjg from 223.4.115.46
Feb 28 02:35:06 buddha sshd[57809]: Invalid user K4tp0ng from 223.4.115.46
Feb 28 02:35:08 buddha sshd[57811]: Invalid user dkagh!@#$ from 223.4.115.46
Feb 28 02:35:11 buddha sshd[57813]: Invalid user rhg0704 from 223.4.115.46
Feb 28 02:35:13 buddha sshd[57815]: Invalid user 654312 from 223.4.115.46
Feb 28 02:35:16 buddha sshd[57817]: Invalid user glaemsp!!! from 223.4.115.46
Feb 28 02:35:18 buddha sshd[57819]: Invalid user whznskwhdk from 223.4.115.46
Feb 28 02:35:21 buddha sshd[57821]: Invalid user globalpass from 223.4.115.46
Feb 28 02:35:23 buddha sshd[57823]: Invalid user punglor21 from 223.4.115.46
Feb 28 02:35:26 buddha sshd[57825]: Invalid user nic#!@ruc148 from 223.4.115.46
Feb 28 02:35:29 buddha sshd[57827]: Invalid user dudejrqwer!@#$ from 223.4.115.46
There are a LOT more in the log, but you get the picture.

Wednesday, April 21, 2010

Python Tivo Library

I've decided its about time I start really learning to code, so I've picked a project and I'm working to see how much I can actually implement.

The long term goal of the project is to create a way to archive TV shows off of your Tivo and provide a mechanism to transfer the shows back on demand for showing. I'm working on creating it on Python, and as a starting point I've begun work on a general python library for interacting with them. Right now provided an IP address and your media access code it can connect to your tivo and give you a listing of all of your shows.

My eventual goal is to provide it both a web interface and an interface that the Tivo can use as well as add autodiscovery of tivo devices. I'd like to also tie it into pytivo for the show playback. One nice thing is that would allow you to compress the shows for better storage.

If anyone is interested in taking a look I'm hosting it at Sourceforge as a way to do revision control as well as learn Subversion a bit better (I'm more familiar with Perforce right now).

http://tivoarchive.sf.net

Wednesday, October 14, 2009

New blog available

Electr0n has setup a new blog for the ##security channel on Freenode, and has asked me to help with some content. I just posted there on Pastebin hacking in light of the recent Hotmail password fiasco.

Check it out.

Monday, August 17, 2009

Career "Advancement"

About 2 years back I left my job in an InfoSec group. That particular position wasn't the right fit for me anymore, and somehow I didn't think I would be a good fit for a security role in most other organizations. I don't have the pen testing experience needed for most security companies, and the thought of maintaining firewall rules at some retail house would bore the crap out of me.

Since then I've been struggling to find myself career wise. I spent some time in an IT role, and I'm now trying a more customer facing role. Still I find myself happiest in ##security on Freenode, answering people's security questions.

So, what now? Maybe someday I'll figure that out.