security

2023


Migrating to AWS CloudFront

·2339 words·11 mins
New experiences bring joy! After working with fun AWS CloudFront hacks at work this week, I decided to migrate this blog to AWS S3 and CloudFront. ⛅

2022


Use GNOME Keyring with Sway

·1064 words·5 mins
Add encrypted ssh keys to your workflow more efficiently with gnome-keyring in the sway window manager.

2021


Secure Tailscale networks with firewalld

·648 words·4 mins
Tailscale provides a handy private network mesh across multiple devices but it needs security just like any other network. 🕵

2019


2018


2017


Old role, new name: ansible-hardening

·164 words·1 min
The interest in the openstack-ansible-security role has taken off faster than I expected, and one piece of constant feedback I received was around the name of the role.

RHEL 7 STIG v1 updates for openstack-ansible-security

·204 words·1 min
DISA’s final release of the Red Hat Enterprise Linux (RHEL) 7 Security Technical Implementation Guide (STIG) came out a few weeks ago and it has plenty of improvements and changes.

Takeaways from Bruce Schneier’s talk: “Security and Privacy in a Hyper-connected World”

·840 words·4 mins

Bruce Schneier is one of my favorite speakers when it comes to the topic of all things security. His talk from IBM Interconnect 2017, “Security and Privacy in a Hyper-connected World”, covered a wide range of security concerns.

There were plenty of great quotes from the talk (scroll to the end for those) and I will summarize the main takeaways in this post.

People, process, and technology

Bruce hits this topic a lot and for good reason: a weak link in any of the three could lead to a breach and a loss of data. He talked about the concept of security as a product and a process. Security is part of every product we consume. Whether it’s the safety of the food that makes it into our homes or the new internet-connected thermostat on the wall, security is part of the product.

The companies that sell these products have a wide variety of strategies for managing security issues. Vulnerabilities in an internet-connected teapot are not worth much since there isn’t a lot of value there. It’s probably safe to assume that a teapot will have many more vulnerabilities than your average Apple or Android mobile device. Vulnerabilities in those devices are extremely valuable because the data we carry on those devices is valuable.

Certainty vs. uncertainty

The talk moved into incident response and how to be successful when the worst happens. Automation only works when there’s a high degree of certainty in the situation. If there are variables that can be plugged into an algorithm and a result comes out the other end, automation is fantastic.

Bruce recommended using orchestration when tackling uncertain situations, such as security incident responses. Orchestration involves people following processes and using technology where it makes sense.

He talked about going through TSA checkpoints where metal detectors and x-ray scanners essentially run the show. Humans are around when these pieces of technology detect a problem. If you put a weapon into your carry-on, the x-ray scanner will notify a human and that human can take an appropriate response to escalate the problem. If a regular passenger has a firearm in a carry-on bag, the police should be alerted. If an Air Marshal has one, then the situation is handled entirely differently, by a human.

One other aspect he noted was around the uncertainty surrounding our data. Our control over our data, and our control over the systems that hold our data, is decreasing. Bruce remarked that he has more control over what his laptop does than his thermostat.

OODA loop

Bruce raised awareness around the OODA loop and its value when dealing with security incidents. Savvy readers will remember that the OODA loop was the crux of my “Be an inspiration, not an impostor” talk about impostor syndrome.

His point was that the OODA loop is a great way to structure a response during a stressful situation. When the orchestration works well, the defenders can complete an OODA loop faster than their adversaries can. When it works really well, the defenders can find ways to disrupt the adversaries’ OODA loops and thwart the attack.

2016


New SELinux shirts are available

·74 words·1 min
With the upcoming Red Hat Summit 2016 in San Francisco almost upon us, I decided to update the old SELinux shirts with two new designs:

2015


Improving LXC template security

·312 words·2 mins
I’ve been getting involved with the Fedora Security Team lately and we’re working as a group to crush security bugs that affect Fedora, CentOS (via EPEL) and Red Hat Enterprise Linux (via EPEL).

Time for a new GPG key

·257 words·2 mins
After an unfortunate death of my Yubikey NEO and a huge mistake on backups, I’ve come to realize that it’s time for a new GPG key.

Upatre and icanhazip

·240 words·2 mins
I recently updated the icanhazip FAQ about the resurgence of the Upatre malware and how it’s abusing icanhazip.

Woot! Eight years of my blog

·688 words·4 mins

The spring of 2015 marks eight years of this blog! I’ve learned plenty of tough lessons along the way and I’ve made some changes recently that might be handy for other people. After watching Sasha Laundy’s video from her awesome talk at Pycon 2015, I’m even more energized to share what I’ve learned with other people. (Seriously: Go watch that video or review the slides whether you work in IT or not. It’s worth your time.)

Let’s start from the beginning.

Run virsh and access libvirt as a regular user

·194 words·1 min

Libvirt is a handy way to manage containers and virtual machines on various systems. On most distributions, you can only access the libvirt daemon via the root user by default. I’d rather use a regular non-root user to access libvirt and limit that access via groups.

2014


AVC: denied dyntransition from sshd

·163 words·1 min
I’ve been working with some Fedora environments in chroots and I ran into a peculiar SELinux AVC denial a short while ago:

Evade the Breach

·831 words·4 mins
This post appeared on the Rackspace Blog last week and I copied it here so that readers of this blog will see it.

2013


Guide to securing apache

·97 words·1 min
I stumbled upon a helpful guide to securing an apache server via Reddit’s /r/netsec subreddit.

Come and get your SELinux shirts!

·136 words·1 min
After my podcast interview at the 2013 Red Hat Summit, Dan Walsh posted a photo of himself in the SELinux shirt that I gave him at the Summit:

My interview on the Dave and Gunnar Show

·84 words·1 min
David Egts and Gunnar Hellekson were kind enough to invite me to participate in their Dave and Gunnar Show podcast during the 2013 Red Hat Summit.

Red Hat Summit 2013 Recap

·1027 words·5 mins
The 2013 Red Hat Summit was my second one and I enjoyed it more than last year.

Installing the Xen hypervisor on Fedora 19

·596 words·3 mins
It’s been a little while since I last posted about installing Xen on Fedora, so I figured that Fedora 19’s beta release was as good a time as any to write a new post.

Presentation: Demystifying SELinux

·83 words·1 min
While rolling through my RSS feeds, I found a great presentation by David Quigley titled “Demystifying SELinux”.

Seriously, stop disabling SELinux

·147 words·1 min
After many discussions with fellow Linux users, I’ve come to realize that most seem to disable SELinux rather than understand why it’s denying access.

2012


Automatic package updates in CentOS 6

·245 words·2 mins
Automating package updates in CentOS 6 is a quick process and it ensures that your system receives the latest available security patches, bugfixes and enhancements.

Monitoring and protecting your reputation online

·706 words·4 mins
After a recent issue I had with some users in the Puppy Linux forums, I thought it might be prudent to write a post about how to monitor and protect your reputation online.

Kerberos for haters

·686 words·4 mins
I’ll be the first one to admit that Kerberos drives me a little insane.