Before I go any further, let’s settle the “security through obscurity” argument. (This could probably turn into its own post but I’ll be brief for now.) Security should always be applied in layers. This provides multiple levels of protection from initial attacks, like information gathering attempts or casual threats against known vulnerabilities. In addition, these layers of security should be applied within the environment so that breaking into one server after getting a pivot point in the environment should be just as difficult (if not more difficult) than the original attack that created the pivot point. If “security through obscurity” tactics make up one layer of a multi-layered solution, I’d encourage you to obscure your environment as long as it doesn’t affect your availability.

The key takeaway is:

Security through obscurity is effective if it’s one layer in a multi-layer security solution

Let’s get back to the original purpose of the post.

The biggest benefit to changing the port is to avoid being seen by casual scans. The vast majority of people hunting for any open ssh servers will look for port 22. Some will try the usual variants, like 222 and 2222, but those are few and far between. I ran an experiment with a virtual machine exposed to the internet which had sshd listening on port 22. The server stayed online for one week and then I changed the ssh port to 222. The number of attacks dropped by 98%. Even though this is solely empirical evidence, it’s clear that moving off the standard ssh port reduces your server’s profile.

If it’s more difficult to scan for your ssh server, your chances of being attacked with an ssh server exploit are reduced. A determined attacker can still find the port if they know your server’s IP address via another means (perhaps via a website you host) and they can launch attacks once they find it. Paranoid server administrators might want to check into port knocking to reduce that probability even further.

Remembering the non-standard ssh port can be annoying, but if you have a standard set of workstations that you use for access your servers, just utilize your ~/.ssh/config file to specify certain ports for certain servers. For example:

Host *.mycompany.com
  Port 4321
 
Host nonstandard.mypersonalstuff.com
  Port 2345
 
Host *.mypersonalstuff.com
  Port 5432

If you run into SELinux problems with a non-standard ssh port, there are plenty of guides on this topic.. The setroubleshoot-server package helps out with this as well.

# semanage port -a -t ssh_port_t -p tcp 4321
# semanage port -l | grep ssh
ssh_port_t                     tcp      4321,22

Here is my list of ssh lockdown practices when I build a new server:

• Update the ssh server package and ensure that automatic updates are configured
• Enable SELinux and allow a non-standard ssh port
• Add my ssh public key to the server
• Disable password logins for ssh
• Adjust my AllowUsers setting in sshd_config to only allow my user
• Disable root logins
• For servers with sensitive data, I install fail2ban

Changing your ssh server’s port from the default: Is it worth it? is a post from: Major Hayden's blog.

Thanks for following the blog via the RSS feed. Please don't copy my posts or quote portions of them without attribution.

Automating the standards can be a little treacherous simply due to the number of things to adjust and check. I’ve created a kickstart for CentOS 6 and tossed it on Github:

• https://github.com/rackerhacker/securekickstarts

Be sure to read the disclaimers in the README before getting started. Also, keep in mind that the kickstarts are in no way approved by or affiliated with the Center for Internet Security in any way. This is just something I’m offering up to the community in the hope that it helps someone.

Automate CentOS 6 deployments with CIS Security Benchmarks already applied is a post from: Major Hayden's blog.

Thanks for following the blog via the RSS feed. Please don't copy my posts or quote portions of them without attribution.

In computing, the term wheel refers to a user account with a wheel bit, a system setting that provides additional special system privileges that empower a user to execute restricted commands that ordinary user accounts cannot access. The term is derived from the slang phrase big wheel, referring to a person with great power or influence.

On Red Hat systems (including Fedora), the default sudo configuration allows users in the wheel group to use sudo while all others are restricted from using it in /etc/sudoers:

## Allows people in group wheel to run all commands
%wheel        ALL=(ALL)       ALL

However, the su command can be used by all users by default (which is something I often forget). Fixing it is easy once you take a look at /etc/pam.d/su:

# Uncomment the following line to require a user to be in the "wheel" group.
#auth		required	pam_wheel.so use_uid

Uncomment the line and access to su will only be available for users in the wheel group.

Limit access to the su command is a post from: Major Hayden's blog.

Thanks for following the blog via the RSS feed. Please don't copy my posts or quote portions of them without attribution.

SELinux operates in the realm of mandatory access control, or MAC. The design of MAC involves placing constraints on what a user (a subject) can do to a particular object (a target) on the system. In contrast, discretionary access control, or DAC, allows a user with certain access to use discretion to limit or allow access to certain files, directories, or devices. You can set any file system permissions that you want but SELinux can override them with ease at the operating system level.

Consider a typical server running a web application. An attacker compromises the web application and executes malicious code via the web server daemon itself. SELinux has default policies that prevent the daemon from initiating communication on the network. That limits the attacker’s options to attack other services or servers.

In addition, SELinux sets policies on which files and directories the web server can access, regardless of any file system permissions. This protection limits the attacker’s access to other sensitive parts of the file system even if the administrator set the files to be readable to the world.

This is where SELinux shines. Oddly enough, this is the point where many system administrators actually disable SELinux on their systems.

Troubleshooting these events, called AVC denials, without some helpful tools is challenging and frustrating. Each denial flows into to your audit log as a cryptic message. Most administrators will check the usual suspects, like firewall rules and file system permissions. As frustration builds, they disable SELinux and notice that their application begins working as expected. SELinux remains disabled and hundreds of helpful policies lie dormant solely because one policy caused a problem.

Disabling SELinux without investigation frustrated me to the point where I started a site at stopdisablingselinux.com. The site is a snarky response to Linux administrators who reach for the disable switch as soon as SELinux gets in their way.

All jokes aside, here are some helpful tips to use SELinux effectively:

Use the setroubleshoot helpers to understand denials
Working through denials is easy with the setroubleshoot-server package. When a denial occurs, you still receive a cryptic log message in your audit logs. However, you also receive a message via syslog that is very easy to read. Your server can email you these messages as well. The message contains guidance about adjusting SELinux booleans, setting contexts, or generating new SELinux policies to work around a really unusual problem. When I say guidance, I mean that the tools give you commands to copy and paste to adjust your policies, booleans and contexts.

Review SELinux booleans for quick adjustments
Although the myriad of SELinux user-space tools isn’t within the scope of this article, getsebool and togglesebool deserve a mention. Frequently adjusted policies are controlled by booleans that are toggled on and off with togglesebool. Start with getsebool –a for a full list of booleans and then use togglesebool to enable or disable the policy.

Quickly restore file or directory contexts
Shuffling files or directories around a server can cause SELinux denials due to contexts not matching their original values. This happens to me frequently if I move a configuration file from one system to another. Correcting the context problem involves one of two simple commands. The restorecon command applies the default contexts specific to the file or directory. If you have a file in the directory with the correct context, use chcon to fix the context on the wrong file by giving it the path to the file with the correct context.

Here are some additional links with helpful SELinux documentation:

• SELinux Project Wiki
• Red Hat Enterprise Linux 6 SELinux Guide
• Dan Walsh’s Blog

Reprint: Stop Disabling SELinux! is a post from: Major Hayden's blog.

Thanks for following the blog via the RSS feed. Please don't copy my posts or quote portions of them without attribution.

Here are some relatively useful SELinux posts from the blog:

• Getting started with SELinux
• Receive email reports for SELinux AVC denials

Seriously, stop disabling SELinux is a post from: Major Hayden's blog.

Thanks for following the blog via the RSS feed. Please don't copy my posts or quote portions of them without attribution.

To get started, make a small file with regular expressions in /etc/postfix/header_checks:

/^Received:.*with ESMTPSA/              IGNORE
/^X-Originating-IP:/    IGNORE
/^X-Mailer:/            IGNORE
/^Mime-Version:/        IGNORE

The “ESMTPSA” match works for me because I only send email via port 465. I don’t allow SASL authentication via port 25. You may need to adjust the regular expression if you accept SASL authentication via smtp.

Now, add the following two lines to your /etc/postfix/main.cf:

mime_header_checks = regexp:/etc/postfix/header_checks
header_checks = regexp:/etc/postfix/header_checks

Rebuild the hash table and reload the postfix configuration:

postmap /etc/postfix/header_checks
postfix reload

Now, send a test email. View the headers and you should see the original received header (with your client IP address) removed, along with details about your mail client.

Remove sensitive information from email headers with postfix is a post from: Major Hayden's blog.

Thanks for following the blog via the RSS feed. Please don't copy my posts or quote portions of them without attribution.

drbd 8.4.2 for Fedora 17 is a post from: Major Hayden's blog.

Thanks for following the blog via the RSS feed. Please don't copy my posts or quote portions of them without attribution.

There’s a relatively elegant fix from btm.geek that solved it for me. On your Mac, exit X11/Xquartz and create an ~/.Xmodmap file containing this:

clear Mod1
keycode 66 = Alt_L
keycode 69 = Alt_R
add Mod1 = Alt_L
add Mod1 = Alt_R

Start X11/Xquartz once more and virt-manager should release your mouse pointer if you hold the left control key and left option at the same time.

virt-manager won’t release the mouse when using ssh forwarding from OS X is a post from: Major Hayden's blog.

Thanks for following the blog via the RSS feed. Please don't copy my posts or quote portions of them without attribution.

kvm: disabled by bios

After a reboot, the BIOS screen was up and I saw that Virtualization and VT-d were both enabled. Trusted execution (TXT) was disabled, so I enabled it for kicks and rebooted. Now I had two errors:

kvm: disable TXT in the BIOS or activate TXT before enabling KVM
kvm: disabled by bios

Time for another trip to the BIOS. I disabled TXT, rebooted, and I was back to the same error where I first started. A quick check of /proc/cpuinfo showed that I had the right processor extensions. Even the output of lshw showed that I should be ready to go. Some digging in Google led me to a blog post for a fix on Dell Optiplex hardware.

The fix was to do this:

1. Within the BIOS, disable virtualization, VT-d, and TXT
2. Save the BIOS configuration, reboot, and pull power to the computer at grub
3. Within the BIOS, enable virtualization and VT-d but leave TXT disabled
4. Save the BIOS configuration, reboot, and pull power to the computer at grub
5. Boot up the computer normally

Although it seems a bit archaic, this actually fixed my problem and set me on my way.

Late night virtualization frustration with kvm is a post from: Major Hayden's blog.

Thanks for following the blog via the RSS feed. Please don't copy my posts or quote portions of them without attribution.

Then someone suggested Tiny Tiny RSS. I couldn’t learn more about it on the day Google Reader’s shutdown was announced because the site was slammed. In a nutshell, Tiny Tiny RSS is a well-written web UI for managing feeds and a handy API for using it with mobile applications. The backend code is written in PHP and it supports MySQL and Postgres.

There’s also an Android application that gives you a seven day trial once you install it. The pro key costs $1.99.

The installation took me a few minutes and then I was off to the races. I’d recommend implementing SSL for accessing your installation (unless you like passing credentials in the clear) and enable keepalive connections in Apache. The UI in the application drags down a ton of javascript as it works and enabling keepalives will keep your page load times low.

If you want to get your Google Reader feeds moved over in bulk, just export them from Google Reader:

1. Click the settings cog at the top right of Google Reader and choose Reader Settings
2. Choose Import/Export from the menu
3. Press Export, head over to Google Takeout and download your zip file

Unzip the file and find the .xml file. Open up a browser, access Tiny Tiny RSS and do this:

1. Click Actions > Preferences
2. Click the Feeds tab
3. Click the OPML button at the bottom
4. Import the xml file that was in the zip file from Google

From there, just choose a method for updating feeds and you should be all set!

Survive the Google Reader exodus with Tiny Tiny RSS is a post from: Major Hayden's blog.

Thanks for following the blog via the RSS feed. Please don't copy my posts or quote portions of them without attribution.

Want to beta test some new features on icanhazptr.com and icanhaztrace.com? Give them a try!

Getting your reverse DNS entry is easy:

$ curl -4 icanhazptr.com
ord.icanhazip.com
$ curl -6 icanhazptr.com
ord.icanhazip.com

Traceroutes are straightforward as well:

$ curl -4 icanhaztrace.com
traceroute to 166.78.118.193 (166.78.118.193), 30 hops max, 60 byte packets
 1  212.111.33.229  20.031 ms
 2  212.111.33.233  1.011 ms
 3  149.11.30.61  107.976 ms
...
$ curl -6 icanhaztrace.com
traceroute to 2001:4801:7818:6:abc5:ba2c:ff10:275f (2001:4801:7818:6:abc5:ba2c:ff10:275f), 30 hops max, 80 byte packets
 1  2a01:7e00:ffff:0:8a43:e1ff:fea3:fa7f  2.183 ms
 2  2001:4d78:fe01:2:1:3:b90:1  1.330 ms
 3  2001:978:2:45::d:1  8.388 ms
...

While this sits in beta, here are some things to keep in mind:

• If a PTR record doesn’t exist for your IP address, your IP address will be returned
• Failing traceroutes will cause your IP address to be returned
• A PTR record will be chosen at random if multiple PTR records are returned
• PTR lookups for traceroutes are currently disabled

Let me know if you find any bugs.

New icanhaz features: reverse DNS and traceroutes is a post from: Major Hayden's blog.

Thanks for following the blog via the RSS feed. Please don't copy my posts or quote portions of them without attribution.

This fixes a bug that was submitted earlier this month.

drbd 8.4.2 for Fedora 18 is a post from: Major Hayden's blog.

Thanks for following the blog via the RSS feed. Please don't copy my posts or quote portions of them without attribution.

Be flexible and raise awareness
BYOD was a hot topic at this year’s conference and I was fortunate enough to sit in with a Peer2Peer session with 24 other attendees. One security team member from a large company talked about how they reduced their stress level and increased their effectiveness by focusing on securing the data rather than trying to secure every single device on their network. It seems trivial at first, but after additional thought, it really makes sense. Allowing every single device ever made onto your network might not be an option, but there are many actions we can take to make it more difficult for non-trusted machines to access sensitive company data.

Security awareness was talked about often. No matter how much a company spends on security products, a single user clicking on a phishing email can open the door for attackers. It’s critical to make security awareness real by making it personal. When users think about more of their actions before taking them, the overall security of the business increases. One of the speakers made a good point that the job of a corporate security team in 2013 is to keep the business secure while allowing employees to soar and do what they do best. The days of blocking access to everything are over.

Maintain and constantly re-evaluate focus
Securing your entire company isn’t possible so put your focus on the things that matter most. Wrap security around the most important data you have and shore up security in areas where you are threatened most often. A presenter noted that everyone has legacy baggage in their companies but the stronger companies think about the baggage they leave behind before they create it.

Follow your users
The whole idea of encouraging collaborative security between corporate security teams and the business seemed to surprise attendees the most. One of the talks pushed security departments to learn about what users within the company are doing and how their needs are evolving. This allows security teams to shift focus, modernize, and provide useful, secure alternatives for employees.

Bring outliers into corporate security
The most moving talk I attended was from Winn Schwartau titled Solving the Cyber Security Hiring Crisis – Hiring the Un-Hireable. He had a no holds barred talk about the “hiring crisis” in information security because we’re looking for the wrong types of people. Winn claimed that we’re looking for clean cut people for corporate security while we should be considering a larger applicant group. His critical point was that deception should be one of the few reasons (other than lack of skills) for not hiring someone and he offered up several questions to ask to look for deceptive behavior. Questions like “How many times have you hacked illegally?” and “Do you illegally download music or movies?” worked well in his experience.

He ended with a quote that I must emphasize:

If it’s important, you’ll find a way. If not, you’ll find an excuse.

Summary
Overall, the conference was well worth the trip. The delegate pass price was quite steep but there were tons of conference organizers and security guards who were happy to help attendees. There was rarely a time where sessions where scheduled and none of the available sessions interested me. It was an awesome experience to see Vint Cerf in person and I’d recommend taking the time to listen to him talk if you ever have the opportunity.

As a side note, I noticed that security awareness among conference attendees was extremely poor. I’ll save that for another post.

Thoughts on RSA Conference 2013 is a post from: Major Hayden's blog.

Thanks for following the blog via the RSS feed. Please don't copy my posts or quote portions of them without attribution.

The discussion started around how to authenticate and manage mobile devices, but it soon ended up covering the handling of data on personal and company-issued devices. A corporate security leader for a large company said the healthiest shift for them was when they stopped focusing on the devices themselves and moved their focus to the data they wanted to protect. They found that they could lock down all the devices in the world, but their employees would mishandle the data no matter what actions they took to protect the endpoint.

That led me to start a ruckus on Twitter:

How does a corporate security team keep sensitive data out of products like Evernote and Dropbox effectively? It’s a tall order.

— Major Hayden (@rackerhacker) March 2, 2013

Which I soon followed with this:

My last question got a lot of good responses. Thanks! But how do you *ENFORCE* a corporate policy against something like Dropbox/Evernote?

— Major Hayden (@rackerhacker) March 3, 2013

The responses started piling up in a hurry. (To see the verbatim responses for yourself, click the date on one the embedded tweets above.) Here’s a quick summary of the suggested ways to attack the problem from the tweets I received:

• Education & awareness – Ensure that users not only understand where they should keep confidential data but also ensure they understand how to classify the data they’re handling.
• Provide alternatives – If users like the functionality of a particular product, try to purchase an enterprise version of the product or re-create the product internally. Users will be more likely to use the approved version of the product and the company will have a bit more control over the data.
• Top-down policies & enforcement – Make policies that define where data can and cannot go and follow that up with enforcement and accountability.
• Deny access – Set firewall or DLP policies to disallow access to certain products while on the corporate network. This doesn’t cover situations where employees are off the corporate network.

Many people suggested a blend between educating, providing alternatives, and enforcement. This is a real change for corporate IT and security departments that would normally opt for denying access to unapproved applications entirely. This quickly turns into a game of cat-and-mouse in which there are no clear winners.

Take an example like Evernote. If I was blocked from accessing it at work, I could VPN into another location and send Evernote over the VPN. If VPN access was blocked, I could start an ssh proxy and send the Evernote traffic through it. If ssh was blocked, I could remotely access another system via RDP or VNC where Evernote was installed and use it there. The truly frustrated user might invest in a 3G/4G device and use that in the office instead. That’s even worse for the security department since none of their traffic would be passing through the corporate network.

Here are my suggestions for protecting data at a modern company:

1. Listen to your users – Find out why users like a particular third party application and why they don’t like the current tools provided by the company. Learn about the types of data they’re storing on that third party application.
2. Regain some control of your data through alternatives – If your users prefer a particular application, try to purchase an enterprise or self-hosted version of the application. Your users will be pleased since they get the functionality they expect and the security teams can gain a little more control over the data stored in the application.
3. Make a solid data classification policy – Creating an easy to use data classification policy is the first step to securing your data through awareness. Employees need to identify the sensitivity of the data they’re handling before they can know what they can and can’t do with it. Make the data classifications easy to identify and ensure that users have an escalation point they can use when they have questions or they need to release sensitive data.
4. Create enforcement policies – If a user deliberately disobeys corporate policy, this where the rubber meets the road. Ensure that the policy is fair to users of various technical levels within the company and vet it thoroughly with your legal and HR departments. These enforcement policies may be required by various compliance programs, so check to see if they’re on paper but not enforced.
5. Educate users about sensitive data – Humanize your data classification policy and help users understand how to identify and handle sensitive data. Remind employees about the importance of company data and what can happen if it was misplaced or stolen. There will be a significant amount of questions coming from this process so be sure that you’re ready to tackle them. If you do this right, you’ll get employees policing themselves and their peers.
6. Rinse and repeat – Regularly check in with users to verify that the internal applications are meeting their needs. Go through the awareness work on a regular basis. When policies become dormant or ineffective, revise them to meet the current needs.

This problem isn’t going away anytime soon and it’s rapidly evolving. Your corporate security department must evolve with it. A coworker of mine hit the nail on the head with this:

@rackerhacker that’s probably the number 1 security dilemma for the next two years.

— letterj (@letterj) March 3, 2013

The best thing about this approach is that it scales better and is more effective than denying access. It takes a significant amount of work up front for a corporate security department, but it pays off in the end. Employees soon call out other employees for poor security hygiene and they become informal delegates of the corporate security team. Security can go viral in your organization just like the usage of third party tools.

The key to success is driving security innovation within your company that equals or outpaces the innovation coming from third party applications.

New tools and services may appear on a daily basis, but if your employees know what belongs there and what doesn’t, they’ll do your work for you.

Controlling sensitive company data means losing some control of it is a post from: Major Hayden's blog.

Thanks for following the blog via the RSS feed. Please don't copy my posts or quote portions of them without attribution.

Rackspace’s HQ in San Antonio, “The Castle”

Are you planning to attend the RSA Conference in San Francisco this year? Are you looking for a new career with a security team that strives to break the mold of traditional security? If so, apply for the open position and let’s meet at the conference. I’ll be glad to answer questions about what makes security at Rackspace so unique.

We’re looking for enthusiastic Security Architects who think that securing a company as dynamic as Rackspace is more than just a job. Our team constantly finds new ways to do the traditional work of securing the business. We still do much of the traditional security work, like assessments, compliance programs, and incident response, but we take an entirely different approach. Imagine a security environment where policy creation is collaborative with less friction when it comes time for implementation. That’s just the tip of the iceberg.

Interested? Get in touch with me to learn more.

I’m recruiting at the RSA Conference in San Francisco is a post from: Major Hayden's blog.

Thanks for following the blog via the RSS feed. Please don't copy my posts or quote portions of them without attribution.

Get around proxies on port 81
Quite a few people had issues with local proxies that filtered traffic on port 80 and delivered the wrong results for their external IP address. You can now reach the site on port 81.

Get your external IP address over HTTPS
Some users reported that defensive network infrastructure mangled all of their web traffic to the site, so I’ve enabled SSL listeners for icanhazip.com. Bear in mind that the SSL certificate is only valid for icanhazip.com and not the other subdomains (like ipv4.icanhazip.com). If you are using applications like curl to access subdomains, you’ll need to use the -k argument, like this:

$ curl https://icanhazip.com/
74.125.225.224
$ curl https://ipv4.icanhazip.com/
curl: (51) SSL peer certificate or SSH remote key was not OK
$ curl -k https://ipv4.icanhazip.com/
74.125.225.224

Local icanhazip.com servers
The site now exists in Dallas-Fort Worth (US), Chicago (US), and Maidenhead (UK). There are many new DNS records available to use:

• Random location: icanhazip.com, ipv4.icanhazip.com, ipv6.icanhazip.com
• DFW: dfw.icanhazip.com, ipv4.dfw.icanhazip.com, ipv6.dfw.icanhazip.com
• ORD: ord.icanhazip.com, ipv4.ord.icanhazip.com, ipv6.ord.icanhazip.com
• UK: uk.icanhazip.com, ipv4.uk.icanhazip.com, ipv6.uk.icanhazip.com

One of the HTTP response headers should confirm which node you’re querying:

$ curl -si icanhazip.com | grep NODE
X-ICANHAZNODE: ord.icanhazip.com

Let me know what you think!
If you have new ideas for features, let me know. Also, be sure to tell me if something’s not working properly for you.

More upgrades for icanhazip.com is a post from: Major Hayden's blog.

Thanks for following the blog via the RSS feed. Please don't copy my posts or quote portions of them without attribution.

$ whois rackerhacker.com | grep date
Creation date: 14 Feb 2007 00:22:00
Expiration date: 14 Feb 2017 00:22:00

The blog is now six years old! Thanks to everyone who has followed it, commented, and suggested new topics for posts.

You may have noticed that I’m adding content a bit slower than I usually do, and that’s probably due to two big factors: we have a newborn at the house and my work at Rackspace has totally changed. I’ve received quite a few ideas for new posts from readers and I’ve come up with some of my own. Thanks to some help from a friend, I should have some more posts on the Rackspace Blog as well this year.

Six years of rackerhacker.com is a post from: Major Hayden's blog.

Thanks for following the blog via the RSS feed. Please don't copy my posts or quote portions of them without attribution.

Be smart and only enable Flash and Java for the sites you explicitly trust.

Although the whitelisting process may slow you down at first, the number of times you need to whitelist a site will decrease over time. The added security benefit of disabling these plugins far outweighed the minor annoyance of whitelisting for me.

The Naked Security blog from Sophos has instructions for disabling Java in various browsers. For Flash, there are some handy plugins and extensions available for Chrome, Firefox, and Safari.

Keep in mind that Java and Flash vulnerabilities will affect all operating systems in some way. Although much of the malware dropped by vulnerable applications is written for Windows, there are an increasing number of malware variants which are able to infect OS X and Linux. Facebook and Apple are currently working through some compromises on various operating systems.

Block Flash and Java in your browser today is a post from: Major Hayden's blog.

Thanks for following the blog via the RSS feed. Please don't copy my posts or quote portions of them without attribution.

Encrypting files is simple: just click OpenPGP: Encrypt File and a window will pop asking you which key you’d like to use for encryption. You also have the option of encrypting it with a password. Decrypting, signing, and validating files is easy and extremely fast. In addition, you’ll get Growl notifications upon success or failure.

GPGTools also integrates with Mail.app to allow for seamless signing, encrypting, decrypting and verification of email content. There’s a preview version available that integrates quite well with Mountain Lion’s Mail.app, but you can only acquire it via donation.

Quick access to OpenPGP tasks with GPGTools in OS X is a post from: Major Hayden's blog.

Thanks for following the blog via the RSS feed. Please don't copy my posts or quote portions of them without attribution.

Many companies seem to make a natural progression in security as they grow larger, bring on larger accounts, or find themselves subject to regulation or compliance requirements. That gradual process is usually more straightforward than the reactive process brought on by a security breach and it ends up delivering better overall results for the company.

This reactive process seems oddly similar to the way my son has learned to eat. Confused? Keep reading.

Entirely oblivious
This is how my son first got started. He was so busy trying to figure out how to eat that he had no idea how much of a mess he was making. Eventually, someone would either step in all of the dropped food or spilled juice and it would be all over the kitchen.

If you replace the food and juice with information at a small company, you can see how the same would apply. Many startups and small businesses are focused so heavily on building a product or brand that they forget about the importance of securing the data they are generating and collecting. Everything from trade secrets to sensitive customer data is at risk of being lost. Basic security measures are taken and there’s usually no way to know if a breach has occurred and how deep the breach has gone.

Purely reactionary
Eventually my son realized that making a mess wasn’t a good thing and he started to react whenever he ended up with a lap full of spaghetti. He would notice the problem and cry for someone else to come and help. I’d clean him up and he was back to normal again. The food would end up in his lap again, he would cry, and I’d be back to clean it up.

Companies find themselves in this situation when they’ve been hit with a breach previously and a new issue has appeared. Their security stance has only changed a little and they’re able to determine that something has happened after it has happened. Companies in this stage may consider creating a team focused on security issues or they may look to outside contractors or consultants for help. Much of the focus now shifts to answering “how do we prevent this from happening again?”

Partially proactive
As my son became more skillful at working with a fork and a spoon, he was able to be more focused on eating and he made fewer messes. They may have occurred less frequently but when they did occur, his clothes still needed to be washed and he was still quite upset. He knew what to watch out for and he knew which foods were going to present a particular challenge. It was obvious that he was putting in much more effort to eat spaghetti than he would with something simple like crackers.

This stage in a company’s development usually involves a dedicated or semi-dedicated security team that is beginning to understand the threats and risks involved with the company’s operation. They’re putting focus in certain higher-risk areas but there’s still not a lot of proactive work being done to limit the damage from security breaches. For example, a company might institute stricter firewall rules and OS patching for their most important servers but they might not have any security within their internal network. This would allow an attacker free reign over the environment if they can take over one of the servers.

Passionately proactive
When my son eats, he does quite a few things to ensure success. First off, he sits down and asks for his chair to be pushed in before he eats. He wants a paper towel close by in case something bad happens. With certain foods, he knows the chance of making a mess is higher and he tries to put less of it on his fork. He’s determined to not let food get in his lap, and when it does, he wants to ensure that his clothes stay as clean as possible.

Companies that reach this stage have now realized the risks involved in the operation of their business and they’ve determined how to reduce the impact of a breach. They’re consciously aware that they’re a target and they are taking an offensive security stance. These companies often test their own security measures to make sure that they’re effective against the most frequently seen threats. Their security posture isn’t perfect, but they are able to react more efficiently (and with less chaos) when a serious issue presents itself.

So let’s summarize…
Some readers may think this post is way too generalized. However, the generalization is the point I’m trying to make. Creating a security mindset within a company is generally the easy part; applying it is where things get tough. The concept of information security is actually quite simple: ensure that information is readily available to people who should be able to access it and ensure it’s not available for people who shouldn’t. If you’re starting a small business or you’re working for one right now, build your products and your infrastructure with security in mind. Your other option is to retrofit it later, but you’ll surely make a mess.

What my toddler taught me about information security is a post from: Major Hayden's blog.

Thanks for following the blog via the RSS feed. Please don't copy my posts or quote portions of them without attribution.

A quick Google search took me to a LaunchPad entry about a better ICC profile for the X1 Carbon. After applying the ICC file via GNOME Control Center’s Color panel, the display looks fantastic.

Feel free to download a copy of the color profile and try it for yourself:

• Original Link
• Mirror

Fixing the Lenovo X1 Carbon’s washed out display is a post from: Major Hayden's blog.

Thanks for following the blog via the RSS feed. Please don't copy my posts or quote portions of them without attribution.

Section "InputClass"
        Identifier "touchpad catchall"
        Driver "synaptics"
        MatchIsTouchpad "on"
        MatchDevicePath "/dev/input/event*"
        Option "TapButton1" "1"
        Option "TapButton2" "3"
        Option "TapButton3" "2"
	Option "VertTwoFingerScroll" "on"
	Option "HorizTwoFingerScroll" "on"
	Option "HorizHysteresis" "50"
	Option "VertHysteresis" "50"
	Option "PalmDetect"    "1"
	Option "PalmMinWidth"  "5"
	Option "PalmMinZ"      "40"
EndSection

There are a few important settings here to note:

• TapButtonX – this sets up the single, double and triple taps to match up to left, right and middle mouse clicks respectively
• Vert/HorizHysteresis – reduces movement during and between taps
• Palm* – enables palm detection while you’re typing with some reasonable settings

You will need to restart X (or reboot) to apply these settings from the configuration file. If you want to test the settings before restarting, you can apply individual adjustments with synclient without any restarts:

synclient "HorizHysteresis=50"

Handy settings for the touchpad/clickpad in the Lenovo X1 Carbon is a post from: Major Hayden's blog.

Thanks for following the blog via the RSS feed. Please don't copy my posts or quote portions of them without attribution.

I stumbled upon dmenu after trying out the i3 tiling window manager and I was hooked almost immediately. It’s extremely fast, unobtrusive, and the auto-completion is really intuitive. Another added bonus is that there is no daemon or window manager hook required for the launcher to operate.

Installing dmenu on Fedora is as easy as:

yum install dmenu

XFCE is my desktop environment of choice and the dmenu integration is pretty simple:

• Applications Menu > Settings > Keyboard
• Click the Application Shortcuts tab
• Click Add
• In the Command box, enter /usr/bin/dmenu and press OK
• On the next screen, enter a key combination to launch dmenu (I use LCTRL-SPACE)
• Click OK

From now on, you can press your key combination and start typing the name of any executable application in your path for dmenu to run. If you launch dmenu accidentally, just press ESC to close it.

Launch applications quickly with dmenu in XFCE is a post from: Major Hayden's blog.

Thanks for following the blog via the RSS feed. Please don't copy my posts or quote portions of them without attribution.

With that said, the best segue I can find for the rest of this post is this quote that I first heard when I was a kid:

“I alone cannot change the world, but I can cast a stone across the waters to create many ripples.” — Mother Teresa

I’ll reach my six year Rackspace anniversary in December and I’ve spent just shy of the last four years working on Rackspace’s cloud virtualization products. It started shortly after the Slicehost acquisition and I was on teams that helped to expand Slicehost, created Cloud Servers, and most recently, launched a new Cloud Servers infrastructure powered by OpenStack. Being able to participate in these big changes and work alongside some of the best technical folks (and friends) has been an amazing experience and I’m extremely lucky to be a small part of what we’ve made.

Walking away from that challenging work and those amazing people isn’t easy. However, I’m going to give it a try.

I’ve accepted a position as Rackspace’s Chief Security Architect and I’m transitioning into that position over the next few weeks. There are quite a few familiar faces in this part of the business at Rackspace and I have a strong team of knowledgeable security architects to lead. It certainly won’t be an easy road to travel but I’m glad to have the opportunity to make a difference along with my team. Also, my team is expanding and we’re in need of some talented people!

Some of the topics on this blog might change a little but please don’t worry: I’m still a Linux nerd at heart.

The other big change is that I’ve been appointed to the Fedora Board. I’ve been a long time Fedora user (since Core 2 in 2004) and I’m eager to continue some of the great work that has been done in the past. I’m also a new Fedora Ambassador and I’ll be glad to help you get started or get more out of Fedora if you need a hand.

If you follow OpenStack closely and you enjoy using supernova, I’ll still be maintaining that project since I still use OpenStack clouds regularly.

Reaching a new milestone and making some big changes is a post from: Major Hayden's blog.

Thanks for following the blog via the RSS feed. Please don't copy my posts or quote portions of them without attribution.

If you build a virtual environment and inspect the files found within the bin directory of the virtual environment, you’ll find that the first line in the executable scripts is set to use the python version specific to that virtual environment. Here’s an example from a virtual environment containing the OpenStack glance project:

#!/home/major/glance/.venv/bin/python
# EASY-INSTALL-SCRIPT: 'glance==2013.1','glance-api'
__requires__ = 'glance==2013.1'
import pkg_resources
pkg_resources.run_script('glance==2013.1', 'glance-api')

However, what if I wanted to take this virtual environment and place it somewhere else on the server where multiple people could use it? The path in the first line of the scripts in bin will surely break.

The first option is to make the virtual environment relocatable. This can produce unexpected results for some software projects, so be sure to test it out before trying to use it in a production environment.

$ virtualenv --relocatable .venv

A quick check of the same python file now shows this:

#!/usr/bin/env python2.6
 
import os; activate_this=os.path.join(os.path.dirname(os.path.realpath(__file__)), 'activate_this.py'); execfile(activate_this, dict(__file__=activate_this)); del os, activate_this
 
# EASY-INSTALL-SCRIPT: 'glance==2013.1','glance-api'

This allows for the path to the activate_this.py script to be determined at runtime and allows you to move your virtual environment wherever you like.

In situations where one script within bin would import another script within bin, things can get a little dicey. These are edge cases, of course, but you can get a similar effect by adjusting the path in the first line of each file within bin to the new location of the virtual environment. If you move the virtual environment again, be sure to alter the paths again with sed.

Relocating a python virtual environment is a post from: Major Hayden's blog.

Thanks for following the blog via the RSS feed. Please don't copy my posts or quote portions of them without attribution.