Enjoy supernova 1.0.0

The first supernova commit to GitHub appeared just over two years ago. It’s been stable for quite some time, but it’s made it to version 1.0.0 today!

As always, you can get supernova from PyPI using pip:

pip install -U supernova

All of the documentation has moved to ReadTheDocs and it looks much better than the giant README file in GitHub that served as the documentation for so long. Thanks to everyone who has committed code, found bugs, or called out my inability to write Python!

Evade the Breach

This post appeared on the Rackspace Blog last week and I copied it here so that readers of this blog will see it.

You’ve heard it before: information security isn’t easy. There’s no perfect security policy or piece of technology that will protect your business from all attacks. However, security is a process and processes can always be improved.

Last month, the great folks at Accruent invited me to talk about this topic at the annual Accruent Insights 2014 conference held in Austin, Texas. Their users wanted to know more about the Target breach and the Heartbleed attack, as well as strategies for strengthening their security safeguards against unknown threats.

To understand these threats, it’s important to have a good grasp of the basic concepts around information security. Businesses don’t exist to be secure; they exist to build innovative products, create relationships with customers and provide a great work environment for their employees. Security must be woven into the processes that drive a business forward. There’s no finish line for security and it’s rarely successful when it’s bolted on as an afterthought.

Donald Rumsfeld delivered an unexpectedly cohesive summary of modern information security back in 2002 when reporters asked him about the lack of evidence surrounding Iraq and weapons of mass destruction:

Reports that say there’s — that something hasn’t happened are always interesting to me, because as we know, there are known knowns; there are things that we know that we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns, the ones we don’t know we don’t know.

–Donald Rumsfeld, United States Secretary of Defense

Rumsfeld probably didn’t know it at the time, but he summarized the challenges of information security in a few sentences. There are things we know will be problematic (a known known) and we must fix them or prepare ourselves for the damage they may cause. There are other things that we don’t know enough about (a known unknown) and we must learn more about them. The last group, the unknown unknowns, is the most challenging. If you’re looking for a good example of these, just examine Heartbleed: a bug in OpenSSL’s TLS heartbeat handling that shipped in widely deployed releases for roughly two years before anyone knew there was something to look for.

Dealing with all of these threats requires a multi-layer approach: preventative, detective and corrective.

The preventative layer reduces your chances of being breached. If you lock your doors or close your blinds when you leave your home, then you already understand the value of the preventative layer. Making the attacker’s job more difficult reduces the chance that they will target you. Let’s face it: most attackers are looking for an easy target. Going after a hard target means there’s a greater risk of getting caught.

However, there are situations where someone has targeted your business individually, and they will do whatever it takes to get what they want. It’s critical to detect that activity as soon as it occurs. At home, we set our security alarms and join neighborhood watch programs. These measures will alert us to attacks that make it through our preventative layers. Businesses might use intrusion detection systems or log monitoring solutions in their detective layer.

When all else fails, the corrective layer is the last line of defense. This layer consists of the things you must do to remove a threat and return everything back to normal. For property owners, examples of the corrective layer include calling the police, purchasing homeowner’s insurance or acquiring firearms. These mechanisms are much more costly, and they require thought before they’re used.

Each layer gives you a feedback loop for the previous layers. For example, if someone breaks in through a window and takes your TV, you may invest in better detective layers (like an alarm system with a glass break sensor) or preventative layers (like thorny bushes in front of your windows).

If these layers make sense, then you understand defense in depth and risk management. Defense in depth requires you to assume the worst and build more layers of defense (think about castles). Risk management involves identifying risks and reducing or avoiding them. If you have heirloom jewelry at home, you might place it in a fire safe. You’ve just practiced defense in depth (the jewelry is in a locked safe in a locked house) and risk management (there’s a high impact to you if the jewelry is stolen and you reduced the risk).

In summary, good security practice stems from exactly that: practice security each day and make it part of your normal business processes. Security improvements must be made with changes to people, process and technology. The businesses that truly excel in information security are those that insulate themselves from risk–internal and external–with effective preventative, detective and corrective layers.

If you’d like to review the presentation slides from the Accruent Insights conference, you can download the big PDF or find them on SlideShare.

I’m always trying to get better at presenting so please feel free to send me some constructive criticism. ;)

Switching to systemd on Debian jessie

It seems like everyone is embracing systemd these days. It’s been in Fedora since 2011 and it’s already in the RHEL 7 release candidate. Arch Linux and Gentoo have it as well. Debian got on board with the jessie release (which is currently in testing).

Switching from old SysVinit to systemd in Debian jessie is quite simple. If you’re an extremely cautious system administrator, you can follow Debian’s guide and test systemd before you make the full cutover: install the systemd package and boot once with init=/lib/systemd/systemd on the kernel command line, so SysVinit stays in place as the fallback until you install systemd-sysv.

However, I’ve had great results with making the jump in one pass:

apt-get update
apt-get install systemd systemd-sysv

After you reboot, you might notice /sbin/init still hanging out in your process list:

# ps aufx | grep init
root         1  0.0  0.1  45808  3820 ?        Ss   08:16   0:00 /sbin/init

That’s actually a symlink to systemd:

# ls -al /sbin/init
lrwxrwxrwx 1 root root 20 Mar 19 13:15 /sbin/init -> /lib/systemd/systemd

You also have journald for quick access to logs:

# journalctl -u cron
-- Logs begin at Tue 2014-05-20 08:16:21 CDT, end at Tue 2014-05-20 08:31:20 CDT. --
May 20 08:16:24 jessie-auditd-2 /usr/sbin/cron[837]: (CRON) INFO (pidfile fd = 3)
May 20 08:16:24 jessie-auditd-2 cron[774]: Starting periodic command scheduler: cron.
May 20 08:16:24 jessie-auditd-2 systemd[1]: Started LSB: Regular background program processing daemon.
May 20 08:16:24 jessie-auditd-2 /usr/sbin/cron[842]: (CRON) STARTUP (fork ok)
May 20 08:16:24 jessie-auditd-2 /usr/sbin/cron[842]: (CRON) INFO (Running @reboot jobs)
May 20 08:17:01 jessie-auditd-2 CRON[990]: pam_unix(cron:session): session opened for user root by (uid=0)
May 20 08:17:01 jessie-auditd-2 /USR/SBIN/CRON[991]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
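One thing worth checking after the cutover: the journal above begins at boot time, which is what jessie’s stock journald.conf (Storage=auto) gives you. journald writes to /run/log/journal and discards it at reboot unless /var/log/journal exists. rsyslog still writes /var/log/syslog on jessie, but if you want the structured journal available after a reboot for incident response, make persistence explicit. The script below is an added example, not part of the original post or of Debian’s packaging; the ROOT prefix argument and the SystemMaxUse value are assumptions made for testing and tuning, and on a real host you would pass / (or nothing).

```sh
#!/bin/sh
# Added example, not from the original post. With jessie's default
# journald.conf (Storage=auto) the journal lives in /run/log/journal and
# is lost at reboot unless /var/log/journal exists. These helpers make the
# persistent choice explicit in journald.conf rather than relying on the
# directory's presence. ROOT is a prefix used for testing; pass / on a
# real host.
set -eu

# Return 0 if journald under ROOT will keep logs across reboots.
journal_is_persistent() {
    root=${1:-}
    conf="$root/etc/systemd/journald.conf"
    if [ -d "$root/var/log/journal" ]; then
        return 0
    fi
    if [ -f "$conf" ] && grep -Eq '^[[:space:]]*Storage[[:space:]]*=[[:space:]]*persistent' "$conf"; then
        return 0
    fi
    return 1
}

# Create /var/log/journal and pin Storage=persistent in the [Journal]
# section. Idempotent: an existing (usually commented-out "#Storage=auto")
# line is replaced in place instead of being duplicated.
enable_persistent_journal() {
    root=${1:-}
    conf="$root/etc/systemd/journald.conf"
    mkdir -p "$root/var/log/journal" "$(dirname "$conf")"
    if [ ! -f "$conf" ]; then
        printf '[Journal]\n' > "$conf"
    fi
    if grep -Eq '^[[:space:]]*#?[[:space:]]*Storage[[:space:]]*=' "$conf"; then
        sed -E 's/^[[:space:]]*#?[[:space:]]*Storage[[:space:]]*=.*/Storage=persistent/' "$conf" > "$conf.tmp"
        mv "$conf.tmp" "$conf"
    else
        printf 'Storage=persistent\n' >> "$conf"
    fi
    # Bound disk use so a chatty service cannot fill /var.
    # 500M is an assumed value; size it for your host.
    if ! grep -Eq '^[[:space:]]*SystemMaxUse[[:space:]]*=' "$conf"; then
        printf 'SystemMaxUse=500M\n' >> "$conf"
    fi
}

# Stand-alone use: ./journal-persist.sh --check  or  --apply (as root)
case "${1:-}" in
    --check)
        if journal_is_persistent /; then
            echo "journal is persistent"
        else
            echo "journal is volatile (lost at reboot)"
        fi
        ;;
    --apply)
        enable_persistent_journal /
        ;;
esac
```

After `--apply` on a real host, run `systemd-tmpfiles --create --prefix /var/log/journal` so the directory gets the ownership and ACLs the policy expects, then restart systemd-journald (or reboot). From the next boot on, `journalctl --list-boots` shows more than one entry and `journalctl -u cron` reaches back past the last reboot.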

Text missing in chrome on Linux

I’m in the process of trying Fedora 20 on my retina MacBook and I ran into a peculiar issue with Chrome. Some sites would load up normally and I could read everything on the page. Other sites would load up and only some of the text would be displayed. Images were totally unaffected.

It wasn’t this way on the initial installation of Fedora but it cropped up somewhere along the way as I installed software. Changing the configuration within Chrome wasn’t an option — I couldn’t even see any text on the configuration pages!

The only commonality I could find is that all pages that specified their own web fonts (like the pages on this site) loaded up perfectly. Everything was visible. However, on sites that tend to use whatever font is available in the browser (sites that specify a font family), the text was missing. A good example was The Aviation Herald.

I remembered installing some Microsoft core fonts via Fedy and I added in some patched powerline fonts to work with tmux. A quick check of the SELinux troubleshooter alerted me to the problem — the new fonts had the wrong SELinux labels applied and Chrome wasn’t allowed to access them.

I decided to relabel the whole filesystem:

restorecon -Rv /

The restorecon output was line after line of fonts that I had installed earlier in the evening. Once it finished running, I started Chrome and it was working just as I had expected.
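Relabeling the whole filesystem does the job, but it is slow and it touches every file on the box. A narrower approach is to ask restorecon what it would change (-n) in the directories fonts actually live in, and read the old-to-new type transitions before committing to a relabel. The script below is an added example, not part of the original post; the font directory list and the sample restorecon lines embedded in it are constructed for illustration, and the exact types you see depend on your policy version.

```sh
#!/bin/sh
# Added example, not from the original post: preview a scoped SELinux
# relabel of font directories and summarise the type transitions, so you
# can see what "restorecon -Rv /" would have done to the fonts before
# touching the rest of the filesystem.
set -eu

# Where Fedora and user-level installers normally put fonts. Assumption:
# adjust for your install (Fedy or a powerline installer may use others).
FONT_DIRS="/usr/share/fonts /usr/local/share/fonts ${HOME:-/root}/.fonts ${HOME:-/root}/.local/share/fonts"

# Dry run (-n) with verbose output (-v): one line per file whose label
# differs from what the policy expects, changing nothing.
preview_font_relabel() {
    for d in $FONT_DIRS; do
        if [ -d "$d" ]; then
            restorecon -Rnv "$d"
        fi
    done
}

# Parse restorecon -v lines of the form
#   restorecon reset PATH context OLD->NEW
# into "PATH<TAB>OLDTYPE<TAB>NEWTYPE". Paths containing spaces are kept
# intact; lines that are not relabel records are ignored.
summarize_relabel() {
    awk '
    /^restorecon reset .* context .*->/ {
        line = $0
        sub(/^restorecon reset /, "", line)
        n = index(line, " context ")
        path = substr(line, 1, n - 1)
        ctx = substr(line, n + 9)
        split(ctx, c, "->")
        split(c[1], o, ":")
        split(c[2], w, ":")
        printf "%s\t%s\t%s\n", path, o[3], w[3]
    }'
}

# Count how many files would move between each pair of types; a single
# surprising transition (say usr_t -> fonts_t under /usr/share/fonts)
# tells you which installer mislabeled its output.
relabel_histogram() {
    summarize_relabel | awk -F '\t' '{ print $2 " -> " $3 }' | sort | uniq -c | sort -rn
}

# Constructed sample of restorecon -Rnv output for testing offline.
SAMPLE_RESTORECON_OUTPUT='restorecon reset /home/major/.fonts/PowerlineSymbols.otf context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:user_fonts_t:s0
restorecon reset /home/major/.fonts/Inconsolata for Powerline.otf context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:user_fonts_t:s0
restorecon reset /usr/share/fonts/msttcore/arial.ttf context system_u:object_r:usr_t:s0->system_u:object_r:fonts_t:s0
restorecon: constructed noise line that is not a relabel record'

# Stand-alone use: ./font-relabel-check.sh --preview  (on an SELinux host)
# Without arguments it runs the constructed sample through the parser.
case "${1:-}" in
    --preview) preview_font_relabel | summarize_relabel ;;
    *) printf '%s\n' "$SAMPLE_RESTORECON_OUTPUT" | relabel_histogram ;;
esac
```

Once the preview shows only font files moving to the font types, `restorecon -Rv` on just those directories fixes Chrome’s access without rewriting labels elsewhere. If a preview of / turns up changes all over the system, the safer route is a relabel at boot (`touch /.autorelabel` and reboot), which runs before any confined service has started.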