System Overlord

About David

david@systemoverlord.com (David Tomaschik) — Mon, 01 Jan 0001 00:00:00 +0000

David is a security engineer at Google, working on information security assessments and Red Team exercises. He holds the OSCP and OSCE certifications and does penetration testing, application assessment, and offensive security exercises. David also does information security research (especially into IoT Security) and plays the occasional CTF.

The opinions stated here are my own, not those of my employers – present, past, or future.

I am a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means to earn fees by linking to Amazon.com and affiliated sites.

BSidesSF CTF 2026: SELFSigned (Author Writeup)

david@systemoverlord.com (David Tomaschik) — Mon, 23 Mar 2026 00:00:00 +0000

It’s been a minute since I’ve had a chance to write up a CTF challenge I wrote. I actually thought my challenges might be a little bit challenge for the AI agents, but looking at the time to first solve, I rather suspect that this wasn’t the case for this challenge.

As a side note, we’re definitely living in a weird time. Trying to build challenges that are interesting and approachable for humans but are not essentially trivial for AI agents is really weird (or even impossible for some disciplines). I’m beginning to wonder if we’re seeing the death of CTF, as well as any other structured game task that can be approached online. Jacob Krell believes we might already be there, based on a whitepaper published earlier this month.

Badgelife 101 Workshop

david@systemoverlord.com (David Tomaschik) — Thu, 05 Oct 2023 00:00:00 +0000

Slides

Resources

Main Git Repository Contains
- Example Layouts
- Finished Schematic
- Finished PCB Layout for Badgelife Merit Badge

Electronic Design & Analysis

Schematics

Electronic Symbols (Wikipedia)
How to Read a Schematic (SparkFun)
Adafruit & SparkFun publish most of their designs as open source, great as references and inspiration!

Electronic Design Automation (EDA)

KiCad
Eagle (part of Fusion360)
- Guide to make PCBs with Eagle (Adafruit)
Comparison of EDA Software
Online Gerber Viewer (GerbLook)

Hardware

Parts
- Digikey (Reliable, direct partner with many manufacturers)
- Mouser
- LCSC (Lost of China-based parts)
- Beware eBay/AliExpress – Many Counterfeit/Recycled/etc. parts
Datasheets
- How to Read a Datasheet (SparkFun)
- List of Integrated Circuit Packaging Types (Wikipedia)

Prototyping

Breakout/Dev Boards
- Adafruit (Great learning resources, open source designs)
- SparkFun (Great learning resources, open source designs)
- SeeedStudio (Wide variety of products, much ships from China)

PCB Art

Gerbolyze - Produces halftone art in Gerber format.
svg2shenzhen - Convert SVG to complex KiCad Shapes

PCB Fabrication

Pre-Fab Checklists/Guidelines
- PCB Basics (SparkFun)
- OSH Park - Preorder Checklist
Fabricators
- OSH Park - Very high quality, fast turn around, local to Portland; Design Rules
- JLCPCB - Shenzhen-based, lots of options; Design Rules
- PCBWay - Shenzhen-based; Design Rules
Process
- Strange Parts tours JCLPCB - PCB Fabrication (YouTube Video)
- Strange Parts tours JLCPCB - PCB Assembly w/ Components (YouTube Video)

Tools

Soldering
Meters/Measurement
- Cheap True RMS Multimeter
- Fluke Multimeter
- Cheap Logic Analyzer
- Saleae Logic 8 Logic Analyzer - High End Logic Analyzer
- USB Oscilloscope/Logic Analyzer
- LCR Meter - Measures Capacitors, Inductors, etc.
Interface Tools
- Tigard - Multi-Protocol Tool for Hardware Hacking
- USB-UART Adapter - Connect to embedded serial ports
Other Tools
- USB Power Analyzer
- Analog Discovery 3 - Logic Analyzer, Oscilloscope, and Waveform Generator

BSidesSF CTF 2023: Lastpwned (Author Writeup)

david@systemoverlord.com (David Tomaschik) — Sun, 23 Apr 2023 00:00:00 +0000

I was the challenge author for a handful of challenges for this year’s BSidesSF CTF. One of those challenges was lastpwned, inspired by a recent high-profile data breach. This challenge provided a web-based password manager with client-side encryption.

CTF 101: Just Try It!

david@systemoverlord.com (David Tomaschik) — Mon, 17 Apr 2023 00:00:00 +0000

Table of Contents {:toc}

As I’m helping to organize the BSides San Francisco CTF this weekend, I thought I’d share a little primer for CTFs for those who have not gotten into them before.

What is a CTF?

I suspect that most people in the information security (“cybersecurity”) space have already heard of Capture the Flag (or CTF) competitions, but in case you haven’t, I wanted to provide a short overview.

Returning to Hacker Summer Camp

david@systemoverlord.com (David Tomaschik) — Wed, 20 Jul 2022 00:00:00 +0000

It’s that time of year again – Hacker Summer Camp. (Hacker Summer Camp is the ~weeklong period where several of the largest hacker/information security conferences take place in Las Vegas, NV, including DEF CON and Black Hat USA.) This will be the 3rd year in a row where it takes place under the spectre of a worldwide pandemic, and the first one to be fully in-person again. BSidesLV has returned to in-person, DEF CON is in-person only, Black Hat will be in full swing, and Ringzer0 will be offerring in-person trainings. It’s almost enough to forget there’s still an ongoing pandemic.

I did attend last year’s hybrid DEF CON in person, and I’ve been around a few times, so I wanted to share a few tidbits, especially for first timers. Hopefully it’s useful to some of you.

BSidesSF 2022 CTF: Login4Shell

david@systemoverlord.com (David Tomaschik) — Mon, 20 Jun 2022 00:00:00 +0000

Log4Shell was arguably the biggest vulnerability disclosure of 2021. Security teams across the entire world spent the end of the year trying to address this bug (and several variants) in the popular Log4J logging library.

The vulnerability was caused by special formatting strings in the values being logged that allow you to include a reference. This reference, it turns out, can be loaded via JNDI, which allows remotely loading the results as a Java class.

This was such a big deal that there was no way we could let the next BSidesSF CTF go by without paying homage to it. Fun fact, this meant I “got” to build a Java webapp, which is actually something I’d never done from scratch before. Nothing quite like learning about Jetty, Log4J, and Maven just for a CTF level.

BSidesSF 2022 CTF: TODO List

david@systemoverlord.com (David Tomaschik) — Thu, 09 Jun 2022 00:00:00 +0000

This year, I was the author of a few of our web challenges. One of those that gave both us (as administrators) and the players a few difficulties was “TODO List”.

Upon visiting the application, we see an app with a few options, including registering, login, and support. Upon registering, we are presented with an opportunity to add TODOs and mark them as finished:

If we check robots.txt we discover a couple of interesting entries:

BSidesSF 2022 CTF: Cow Say What?

david@systemoverlord.com (David Tomaschik) — Tue, 07 Jun 2022 00:00:00 +0000

As the author of the Cow Say What? challenge from this year’s BSidesSF CTF, I got a lot of questions about it after the CTF ended. It’s both surprisingly straight-forward but also a very little-known issue.

The challenge was a web challenge – if you visited the service, you got a page providing a textarea for input to the cowsay program, as well as a drop down for the style of the cow saying something (plain, stoned, dead, etc.). There was a link to the source code, reproduced here:

Book Review: Designing Secure Software

david@systemoverlord.com (David Tomaschik) — Wed, 24 Nov 2021 00:00:00 +0000

Designing Secure Software (Amazon, No Starch Press) by Loren Kohnfelder is one of the latest entries in No Starch Press’s line of security books. This book stands out to me for two big reasons. First, this is one of the most mindset-centric books I’ve seen (which means it is likely to age better than a lot of more technically-specific books). Second, this book caters to developers more than security professionals (but don’t take this to mean it’s only for developers), which is definitely a distinguishing feature from so many other security books.

Book Review: Bug Bounty Bootcamp

david@systemoverlord.com (David Tomaschik) — Fri, 05 Nov 2021 00:00:00 +0000

Bug Bounty Bootcamp (Amazon, No Starch Press) by Vickie Li is one of No Starch Press’s newest offerings in the security space. The alliterative title is also the best three word summary I could possibly offer of the book – it is clearly focused on getting the reader into a position to participate in Bug Bounties from the first page to the last. This differentiates this book well against other web security books, despite covering many of the same vulnerabilities.

0x0G CTF: Authme (Author Writeup)

david@systemoverlord.com (David Tomaschik) — Thu, 12 Aug 2021 00:00:00 +0000

0x0G is Google’s annual “Hacker Summer Camp” event. Normally this would be in Las Vegas during the week of DEF CON and Black Hat, but well, pandemic rules apply. I’m one of the organizers for the CTF we run during the event, and I thought I’d write up solutions to some of my challenges here.

The first such challenge is authme, a web/crypto challenge. The description just wants to know if you can auth as admin and directs you to a website. On the website, we find a link to the source code, to an RSA public key, and a login form.

0x0G CTF: gRoulette (Author Writeup)

david@systemoverlord.com (David Tomaschik) — Thu, 12 Aug 2021 00:00:00 +0000

gRoulette is a simplified Roulette game online. Win enough and you’ll get the flag. The source code is provided, and the entire thing is run over a WebSocket connection to the server.

GPU Accelerated Password Cracking in the Cloud: Speed and Cost-Effectiveness

david@systemoverlord.com (David Tomaschik) — Sat, 05 Jun 2021 00:00:00 +0000

Note: Though this testing was done on Google Cloud and I work at Google, this work and blog post represent my personal work and do not represent the views of my employer.

As a red teamer and security researcher, I occasionally find the need to crack some hashed passwords. It used to be that John the Ripper was the go-to tool for the job. With the advent of GPGPU technologies like CUDA and OpenCL, hashcat quickly eclipsed John for pure speed. Unfortunately, graphics cards are a bit hard to come by in 2021. I decided to take a look at the options for running hashcat on Google Cloud.

Making: A Desk Clamp for Light Panels

david@systemoverlord.com (David Tomaschik) — Wed, 31 Mar 2021 00:00:00 +0000

On a little bit of a tangent from my typical security posting, I thought I’d include some of my “making” efforts.

Due to the working from home for an extended period of time, I wanted to improve my video-conferencing setup somewhat. I have my back to windows, so the lighting is pretty bad, so I wanted to get some lights. I didn’t want to spend big money, so I got this set of Neewer USB-powered lights. It came with tripod bases, monopod-style stands, and ball heads to mount the lights.

BSidesSF 2021 CTF: Net Matroyshka (Author Writeup)

david@systemoverlord.com (David Tomaschik) — Fri, 12 Mar 2021 00:00:00 +0000

Net Matroyshka was one of our “1337” tagged challenges for the 2021 BSidesSF CTF. This indicated it was particularly hard, and our players can probably confirm that.

If you haven’t played our CTF in the past, you might not be familiar with the Matryoshka name. (Yep, I misspelled Matryoshka this year and didn’t catch it before we launched.) It refers to the nesting Matryoshka dolls, and we’ve been doing a series of challenges where they contain layers to be solved, often by different encodings, formats, etc. This year, it was layers of PCAPs for some network forensics challenges.

BSidesSF 2021 CTF: CuteSrv (Author Writeup)

david@systemoverlord.com (David Tomaschik) — Mon, 08 Mar 2021 00:00:00 +0000

I authored the BSidesSF 2021 CTF Challenge “CuteSrv”, which is a service to display cute pictures. The description from the scoreboard:

Last year was pretty tough for all of us. I built this service of cute photos to help cheer you up. We do moderate for cuteness, so no inappropriate photos please!

Like my other write-ups, I’ll do this from the perspective of a player playing through and try not to assume internal knowledge.

BSidesSF 2021 CTF: Encrypted Bin (Author Writeup)

david@systemoverlord.com (David Tomaschik) — Mon, 08 Mar 2021 00:00:00 +0000

I was the author for the BSidesSF 2021 CTF Challenge “Encrypted Bin”, which is an encrypted pastebin service. The description from the scoreboard:

I’ve always wanted to build an encrypted pastebin service. Hope I’ve done it correctly. (Look in /home/flag/ for the flag.)

I thought I’d do a walk through of how I expected players to solve the challenge, so I’ll write this as if I’m playing the challenge.

Visiting the web service, we find an upload page for text and not much else. When we perform an upload, we see that we’re redirected to a page to view the encrypted upload:

Is Reusing an Old Mac Mini Worth It?

david@systemoverlord.com (David Tomaschik) — Tue, 23 Feb 2021 00:00:00 +0000

I was cleaning up some old electronics (I’m a bit of a pack rat) and came across a Mac Mini I’ve owned since 2009. I was curious whether it still worked and whether it could get useful work done. This turned out to be more than a 5 minute experiment, so I thought I’d write it up here as it was just an interesting little test.

Merry Christmas: 2020 Holiday Ornament

david@systemoverlord.com (David Tomaschik) — Fri, 25 Dec 2020 00:00:00 +0000

First off, I want to wish everyone a Happy Holidays and a Merry Christmas. I know 2020 has been a hard year for so many, and I hope you and your families are healthy and making it through the year.

Over the past few years, I’ve gotten into making holiday ornaments for friends and family. In 2017, I did a snowflake PCB ornament. In 2018, I used laser cutting service Ponoko to cut acrylic fir trees with interlocking pieces. In 2019, I used my new 3D printer to print 3-dimensional snowflakes. In 2020, I’ve returned to my roots and gone with another PCB design. As a huge fan of DEFCON #badgelife, it felt appropriate to go back this way. I ended up with a touch-sensitive snowman with 6 LEDs.

Hacker Holiday Gift Guide - 2020 Edition

david@systemoverlord.com (David Tomaschik) — Thu, 26 Nov 2020 00:00:00 +0000

Welcome to the 2020 edition of my Hacker Holiday Gift Guide! This has been a trying year for all of us, but I sincerely hope you and your family are happy and healthy as this year comes to an end.

{:.no_toc}

TOC {:toc}

General Security

ProtonMail Subscription

ProtonMail is a great encrypted mail provider for those with an interest in privacy or cryptography. They offer gift cards for subscriptions to both ProtonMail and ProtonVPN, their VPN service.

Course Review: Reverse Engineering with Ghidra

david@systemoverlord.com (David Tomaschik) — Sat, 17 Oct 2020 00:00:00 +0000

If you’re a prior reader of the blog, you probably know that when I have the opportunity to take a training class, I like to write a review of the course. It’s often hard to find public feedback on trainings, which feels frustrating when you’re spending thousands of dollars on that course.

Last week, I took the “Reverse Engineering with Ghidra” taught by Jeremy Blackthorne (0xJeremy) of the Boston Cybernetics Institute. It was ostensibly offered as part of the Infiltrate Conference, but 2020 being what it is, there was no conference and it was just an online training. Unfortunately for me, it was being run on East Coast time and I’m on the West Coast, so I got to enjoy some early mornings.

Red Teaming: Why Organizations Hack Themselves

david@systemoverlord.com (David Tomaschik) — Tue, 06 Oct 2020 00:00:00 +0000

Red Teaming or “Offensive Security” is a technique in which an organization undergoes a simulated attack by an adversary to discover weaknesses in their security posture.

I’ve given a few talks on the matter, my standard slide deck is below:

Slides

Lessons Learned from SSH Credential Honeypots

david@systemoverlord.com (David Tomaschik) — Fri, 04 Sep 2020 00:00:00 +0000

For the past few months, I’ve been running a handful of SSH Honeypots on some cloud providers, including Google Cloud, DigitalOcean, and NameCheap. As opposed to more complicated honeypots looking at attacker behavior, I decided to do something simple and was only interested in where they were coming from, what tools might be in use, and what credentials they are attempting to use to authenticate. My dataset includes 929,554 attempted logins over a period of a little more than 3 months.

If you’re looking for a big surprise, I’ll go ahead and let you down easy: my analysis hasn’t located any new botnets or clusters of attackers. But it’s been a fascinating project nonetheless.

The Wio Terminal - Integrated Making?

david@systemoverlord.com (David Tomaschik) — Sun, 02 Aug 2020 00:00:00 +0000

Please note: Seeed Technology Co Ltd (aka Seeed Studio) provided the Wio Terminal for use in this post. I have not been compensated in any other way for this post. If you’re not familiar with Seeed, there’s an introduction to their offerings at the bottom.

While the Arduino and similar development boards have been available for more than a decade, there has been a trend as of late to abstract away the hardware aspects and allow users to focus on it at a higher level. First, we had standard interfaces to which you could attach “shields”, “hats”, “featherwings”, or other add-on boards. Then came options like Seeed’s Grove System and SparkFun’s Qwiic, which were both I2C busses exposed over a standardized connector, allowing the connection of many peripherals at once. There’s also been an expansion into development boards with built-in sensors and outputs, like Adafruit’s Circuit Playground. The Wio Terminal is the most sophisticated and complete incarnation of this trend that I’ve seen thus far.

{:.center}

The first thing you’ll notice about the Wio Terminal is it’s 2.4" LCD screen, but under the hood, it’s powered by an Atmel SAMD51 Microcontoller (120 MHz ARM Cortex M4F) paired with a Realtek RTL8720DN for WiFi and BLE. It has a 5 way switch, multiple buttons, and a Micro-SD card slot. Embedded peripherals include an accelerometer, microphone, speaker, and light sensor. I/O is available via a Raspberry Pi compatible 40 pin header, 2 Grove interfaces, and USB type C.

Security 101: Backups & Protecting Backups

david@systemoverlord.com (David Tomaschik) — Sun, 26 Jul 2020 00:00:00 +0000

I can already hear some readers saying that backups are an IT problem, and not a security problem. The reality, of course, is that they’re both. Information security is commonly thought of in terms of the CIA Triad – that is, Confidentiality, Integrity, and Availability, and it’s important to remember those concepts when dealing with backups.

We need look no farther than the troubles Garmin is having in dealing with a ransomware attack to find evidence that backups are critical. It’s unclear whether Garmin lacked adequate backups, had their backups ransomware’d, or is struggling to restore from backups. (It’s possible that they never considered an issue of this scale and simply aren’t resourced to restore this quickly, but given that the outage remains a complete outage after 4 days, I’d bet on one of those 3 conditions.)

Raspberry Pi as a Penetration Testing Implant (Dropbox)

david@systemoverlord.com (David Tomaschik) — Tue, 14 Jul 2020 00:00:00 +0000

{:.left .amzimg}

Sometimes, especially in the time of COVID-19, you can’t go onsite for a penetration test. Or maybe you can only get in briefly on a physical test, and want to leave behind a dropbox (literally, a box that can be “dropped” in place and let the tester leave, no relation to the file-sharing company by the same name) that you can remotely connect to. Of course, it could also be part of the desired test itself if incident response testing is in-scope – can they find your malicious device?

In all of these cases, one great option is a small single-board computer, the best known of which is the Raspberry Pi. It’s inexpensive, compact, easy to come by, and very flexible. It may not be perfect in every case, but it gets the job done in a lot of cases.

I’ll use this opportunity to discuss the setups I’ve done in the past and the things I would change when doing it again or alternatives I considered. I hope some will find this useful. Some familiarity with the Linux command line is assumed.

Comparing 3 Great Web Security Books

david@systemoverlord.com (David Tomaschik) — Fri, 10 Jul 2020 00:00:00 +0000

I thought about using a clickbait title like “Is this the best web security book?”, but I just couldn’t do that to you all. Instead, I want to compare and contrast 3 books, all of which I consider great books about web security. I won’t declare any single book “the best” because that’s too subjective. Best depends on where you’re coming from and what you’re trying to achieve.

The 3 books I’m taking a look at are:

Security 101: Encryption, Hashing, and Encoding

david@systemoverlord.com (David Tomaschik) — Sun, 05 Jul 2020 00:00:00 +0000

Encryption, Hashing, and Encoding are commonly confused topics by those new to the information security field. I see these confused even by experienced software engineers, by developers, and by new hackers. It’s really important to understand the differences – not just for semantics, but because the actual uses of them are vastly different.

I do not claim to be the first to try to clarify this distinction, but there’s still a lack of clarity, and I wanted to include some exercises for you to give a try. I’m a very hands-on person myself, so I’m hoping the hands-on examples are useful.

Security 101: Beginning with Kali Linux

david@systemoverlord.com (David Tomaschik) — Fri, 03 Jul 2020 00:00:00 +0000

I’ve found a lot of people who are new to security, particularly those with an interest in penetration testing or red teaming, install Kali Linux™¹ as one of their first forays into the “hacking” world. In general, there’s absolutely nothing wrong with that. Unfortunately, I also see many who end up stuck on this journey: either stuck in the setup/installation phase, or just not knowing what to do once they get into Kali.

This isn’t going to be a tutorial about how to use the tools within Kali (though I hope to get to some of them eventually), but it will be a tour of the operating system’s basic options and functionality, and hopefully will help those new to the distribution get more oriented.

Hacker Culture Reading List

david@systemoverlord.com (David Tomaschik) — Fri, 26 Jun 2020 00:00:00 +0000

A friend recently asked me if I could recommend some reading about hacking and security culture. I gave a couple of quick answers, but it inspired me to write a blog post in case anyone else is looking for similar content. Unless otherwise noted, I’ve read all of these books/resources and can recommend them.

Stop EARN IT and LAED

david@systemoverlord.com (David Tomaschik) — Thu, 25 Jun 2020 00:00:00 +0000

Unless you’ve been living under a rock, you know that the Crypto Wars are back. Politicians, seemingly led by Senator Lindsey Graham of South Carolina, seem bound and determined to undermine user’s privacy and security online to strengthen the power of the police state. It will have disproportionate affects on the innocent rather than criminals and will raise operating costs and make it much harder for small businesses and startups to compete in the US.

Private CA with X.509 Name Constraints

david@systemoverlord.com (David Tomaschik) — Sun, 14 Jun 2020 00:00:00 +0000

I wanted to run a small private Certificate Authority for some of my internal services. Since these aren’t reachable from the internet, and some of them are on network segments without internet connectivity, using a public ACME CA like Let’s Encrypt was inconvenient. On the other hand, if I run my own private CA and the keys get compromised, it could be used to MITM all my internet traffic. While that’s unlikely to happen, I decided to look for a better option.

It turns out that the idea of a “limited purpose” Certificate Authority is not new. RFC 5280 provides for something called “Name Constraints”, which allow an X.509 CA to have a scope limited to certain names, including the parent domains of the certificates issued by the CA. For example, a host constraint of .example.com allows the CA to issue certificates for anything under .example.com, but not any other host. For other hosts, clients will fail to validate the chain.

This hasn’t always been supported by TLS libraries and browsers, but all current browsers do support Name Constraints. Consequently, this is an approach to narrow the risks associated with a CA compromise for hosts other than those covered by the constraints in the CA certificate.

Book Review: Operator Handbook

david@systemoverlord.com (David Tomaschik) — Mon, 25 May 2020 00:00:00 +0000

When Netmux first released the Operator Handbook, I had to check it out. I had some initial impressions, but wanted to take some time to refine my thoughts on it before putting together a full review of the book. The book review will be a bit short, but that’s because this is a rather straightforward book.

{:.right}

I think the first things to know is that this book is strictly a reference. There’s nothing to read and learn things from in a cohesive way. It would be like reading a dictionary or a theasaurus – while you might learn things reading it, it’s not going to be in any meaningful way. There’s lots of things you can learn on a particular very narrow topic, but it is mostly organized to be “in the moment”, not as a “learning in advance” kind of thing.

Everyone in InfoSec Should Know How to Program

david@systemoverlord.com (David Tomaschik) — Fri, 22 May 2020 00:00:00 +0000

Okay, I’m not going to lie, the title was a bit of clickbait. I don’t believe that everyone in InfoSec really needs to know how to program, just almost everyone. Now, before my fellow practitioners jump on me, saying they can do their job just fine without programming, I’d appreciate you hearing me out.

So, how’d I get on this? Well, a thread on a private Slack discussing whether Red Team operators should know how to program, followed by people on Reddit asking if they should know how to program. I thought I’d share my views in a concrete (and longer) format here.

Test Interface for Multiple Embedded Protocols

david@systemoverlord.com (David Tomaschik) — Sat, 09 May 2020 00:00:00 +0000

The Test Interface for Multiple Embedded Protocols (TIMEP) is an Open Source Hardware board based around the FTDI FT2232H chip to provide breakouts, buffering, and level conversion for a number of common embedded hardware interfaces. At present, this includes:

SPI
I2C
JTAG
SWD
UART

It’s intended to be easy to use and work with open source software, including tools like OpenOCD and Flashrom.

See the project on GitHub.

Announcing TIMEP: Test Interface for Multiple Embedded Protocols

david@systemoverlord.com (David Tomaschik) — Fri, 08 May 2020 00:00:00 +0000

Today I’m releasing a new open source hardware (OSHW) project – the Test Interface for Multiple Embedded Protocols (TIMEP). It’s based around the FTDI FT2232H chip and logic level shifters to provide breakouts, buffering, and level conversion for a number of common embedded hardware interfaces. At present, this includes:

SPI
I2C
JTAG
SWD
UART

This is a revision 4 board, made using OSHPark’s “After Dark” service – black substrate, clear solder mask, so you can see every trace on the board. (Strangely, copper looks very matte under the solder mask, resulting in more of a tan color than the shiny copper one might expect to see.)

Security 101: Two Factor Authentication (2FA)

david@systemoverlord.com (David Tomaschik) — Thu, 07 May 2020 00:00:00 +0000

In this part of my “Security 101” series, I want to talk about different mechanisms for two factor authentication (2FA) as well as why we need it in the first place. Most of my considerations will be for the web and web applications, and I’m explicitly ignoring local login (e.g., device unlock) because the threat model is so different.

So You Want a Red Team Exercise?

david@systemoverlord.com (David Tomaschik) — Fri, 17 Apr 2020 00:00:00 +0000

I originally wrote this for work, where we get a lot of requests to “Red Team” something. In a lot of these cases, a white box security review or other form of security testing is more appropriate. Because I’d heard through the grapevine that other Red Teams struggle with the same issues, I wanted to make it available publicly. Thanks to my management for their support and permission to take this public!

If you’d like to use or adapt this within your organization, feel free, but please give credit to the Google Red Team.

We frequently get requests to perform Red Team engagements on various products & services around our company. These requests often have misconceptions about the services our team provides. This document is intended to help those seeking a Red Team engagement have a better understanding of what we do, how we do it, and why we do it the way we do, and how to engage with us for optimal effectiveness.

Security 101: Learning From Home

david@systemoverlord.com (David Tomaschik) — Wed, 08 Apr 2020 00:00:00 +0000

Outside, there’s a pandemic. We’re being asked to stay indoors, shelter in place, and avoid social contact. Conferences are cancelled, live trainings are out of the question. Some businesses are closing (hopefully temporarily) and there are unfortunate layoffs and furloughs across the board. It’s a tough time.

Rather than dwell on the negative, focusing on something else can help you get through this mentally. Learning something or growing your skills can both help take away from the anxiety of the situation and also help you come out of this a better person. Whether you’re just getting started in security or looking to advance your career, or just looking to become more security-aware as an individual, there are some great options for learning from home. My lists below are by no means comprehensive – there’s more content than I can shake a stick at. However, these are intended to be good for beginners and have a diverse set of content. If you know of something I should have included, please reach out.

Security 101: X-Forwarded-For vs. Forwarded vs PROXY

david@systemoverlord.com (David Tomaschik) — Wed, 25 Mar 2020 00:00:00 +0000

Over time, there have been a number of approaches to indicating the original client and the route that a request took when forwarded across multiple proxy servers. For HTTP(S), the three most common approaches you’re likely to encounter are the X-Forwarded-For and Forwarded HTTP headers, and the PROXY protocol. They’re all a little bit different, but also the same in many ways.

X-Forwarded-For

X-Forwarded-For is the oldest of the 3 solutions, and was probably introduced by the Squid caching proxy server. As the X- prefix implies, it’s not an official standard (i.e., an IETF RFC). The header is an HTTP multi-valued header, which means that it can have one or more values, each separated by a comma. Each proxy server should append the IP address of the host from which it received the request. The resulting header looks something like:

Security 101: Virtual Private Networks (VPNs)

david@systemoverlord.com (David Tomaschik) — Sun, 22 Mar 2020 00:00:00 +0000

I’m trying something new – a “Security 101” series. I hope to make these topics readable for those with no security background. I’m going to pick topics that are either related to my other posts (such as foundational knowledge) or just things that I think are relevant or misunderstood.

Today, I want to cover Virtual Private Networks, commonly known as VPNs. First I want to talk about what they are and how they work, then about commercial VPN providers, and finally about common misconceptions.

BSides SF 2020 CTF: Infrastructure Engineering and Lessons Learned

david@systemoverlord.com (David Tomaschik) — Thu, 27 Feb 2020 00:00:00 +0000

Last weekend, I had the pleasure of running the BSides San Francisco CTF along with friends and co-conspirators c0rg1, symmetric and iagox86. This is something like the 4th or 5th year in a row that I’ve been involved in this, and every year, we try to do a better job than the year before, but we also try to do new things and push the boundaries. I’m going to review some of the infrastructure we used, challenges we faced, and lessons we learned for next year.

Hacker Holiday Gift Guide (HHGG) 2019

david@systemoverlord.com (David Tomaschik) — Wed, 27 Nov 2019 00:00:00 +0000

I wanted to put together a few thoughts I had on gifts for my fellow hackers this holiday season. I’m including a variety of different things to appeal to almost anyone involved in information security or hardware hacking, but I’m obviously a bit biased to my own areas of interest. I’ve tried to roughly categorize things, but they tend to transcend boundaries somewhat. Got a suggestion I missed? Hit me up on Twitter.

Backing up to Google Cloud Storage with Duplicity and Service Accounts

david@systemoverlord.com (David Tomaschik) — Mon, 23 Sep 2019 00:00:00 +0000

I wanted to use duplicity to backup to Google Cloud Storage. I looked into it briefly and found that the boto library, originally for AWS, also supports GCS, but only using authorization tokens. I’d rather use a service account, for which authorization tokens are not available.

I looked into the options and the best information I could find was a Medium post, but it also describes using authorization tokens and creating a separate GMail/Google Apps account for the access. I’d really prefer to go with a service account to avoid having to sign up another account, and to be able to use more granular ACLs for the service account.

Hacker Summer Camp 2019: The DEF CON Data Duplication Village

david@systemoverlord.com (David Tomaschik) — Thu, 05 Sep 2019 00:00:00 +0000

One last post from Summer Camp this year (it’s been a busy month!) – this one about the “Data Duplication Village” at DEF CON. In addition to talks, the Data Duplication Village offers an opportunity to get your hands on the highest quality hacker bits – that is, copies of somewhere between 15 and 18TB of data spread across 3 6TB hard drives.

I’d been curious about the DDV for a couple of years, but never participated before. I decided to change that when I saw 6TB Ironwolf NAS drives on sale a few weeks before DEF CON. I wasn’t quite sure what to expect, as the description provided by the DDV is a little bit sparse:

CVE-2019-10071: Timing Attack in HMAC Verification in Apache Tapestry

david@systemoverlord.com (David Tomaschik) — Fri, 23 Aug 2019 00:00:00 +0000

Description

Apache Tapestry uses HMACs to verify the integrity of objects stored on the client side. This was added to address the Java deserialization vulnerability disclosed in CVE-2014-1972. In the fix for the previous vulnerability, the HMACs were compared by string comparison, which is known to be vulnerable to timing attacks.

Affected Versions

Apache Tapestry 5.3.6 through current releases.

Mitigation

No new release of Tapestry has occurred since the issue was reported. Affected organizations may want to consider locally applying commit d3928ad44714b949d247af2652c84dae3c27e1b1.

Hacker Summer Camp 2019: CTFs for Fun & Profit

david@systemoverlord.com (David Tomaschik) — Mon, 19 Aug 2019 00:00:00 +0000

Okay, I’m back from Summer Camp and have caught up (slightly) on life. I had the privilege of giving a talk at BSidesLV entitled “CTFs for Fun and Profit: Playing Games to Build Your Skills.” I wanted to post a quick link to my slides and talk about the IoT CTF I had the chance to play.

I played in the IoT Village CTF at DEF CON, which was interesting because it uses real-world devices with real-world vulnerabilities instead of the typical made-up challenges in a CTF. On the other hand, I’m a little disappointed that it seems pretty similar (maybe even the same) year-to-year, not providing much variety or new learning experiences if you’ve played before.

Hacker Summer Camp 2019: What I'm Bringing & Protecting Yourself

david@systemoverlord.com (David Tomaschik) — Sat, 27 Jul 2019 00:00:00 +0000

I’ve begun to think about what I’ll take to Hacker Summer Camp this year, and I thought I’d share some of it as part of my Hacker Summer Camp blog post series. I hope it will be useful to veterans, but particularly to first timers who might have no idea what to expect – as that’s how I felt my first time.

Since it’s gotten so close, I’ll also talk about what steps you should take to protect yourself.

Hacker Summer Camp 2019 Preview

david@systemoverlord.com (David Tomaschik) — Thu, 02 May 2019 00:00:00 +0000

Every year, I try to distill some of the changes, events, and information surrounding the big week of computer security conferences in Las Vegas. This week, including Black Hat, BSides Las Vegas, and DEF CON, is what some refer to as “Hacker Summer Camp” and is likely the largest gathering of computer security professionals and hackers each year.

So You Want to Red Team?

david@systemoverlord.com (David Tomaschik) — Tue, 26 Mar 2019 00:00:00 +0000

So there’s a lot of confusion out there about Penetration Testing and Red Teaming. I wanted to put together a list of resources for those familiar with infosec or penetration testing who want to get into red teaming or at least get a better understanding of the methodologies and techniques used by red teamers.

First, it’s important to note that Red Teaming is predominantly comprised of two things: alternative analysis and adversary simulation. Red teams do not attempt to find “all the vulnerabilities” and do not usually try to have a wide breadth of coverage. Instead, red teams seek to simulate an adversary with a particular objective, predominantly to act as a “sparring partner” for blue teams. Keep in mind, red teams are the only adversary that will debrief with the blue team so that blue team can figure out what they missed or could have done differently.

For more about the specific definition of Red Teaming, check out the presentation Red Teaming Probably Isn’t For You by fellow red teamer Toby Kohlenberg.

Course Review: Applied Hardware Attacks: Rapid Prototying & Hardware Implants

david@systemoverlord.com (David Tomaschik) — Wed, 20 Mar 2019 00:00:00 +0000

Over the past 4 days, I had the opportunity to take two hardware security classes taught by Joe Fitzpatrick(@securelyfitz) along with @_MG_. Both courses are part of the “Applied Hardware Attacks” series of courses taught by Joe. The first course, “Rapid Prototyping”, is focused on using 3D printers and PCB mills to build interfaces to hardware systems. The second course, aptly named “Hardware Implants” applies these skills to build hardware implants to perform attacks on hardware systems. Both courses are very timely and informative, as well as a lot of fun.

Certifications Aren't as Big a Deal as You Think

david@systemoverlord.com (David Tomaschik) — Fri, 15 Mar 2019 00:00:00 +0000

For some reason, security certifications get discussed a lot, particularly in forums catering to those newer to the industry. (See, for example, /r/asknetsec.) Now I’m not talking about business certifications (ISO, etc.) but personal certifications that allegedly demonstrate some kind of skill on behalf of the individual. There seems to be a lot of focus on certifications that you “need” or that will land you your dream security job.

I’m going to make the claim that you should stop worrying about certifications and instead spend your time learning things that will help you in the real world – or better yet, actually applying your skills in the real world. There are likely some people who will strongly disagree with me, and that’s good, but I want it to be a discussion that people think about, instead of just assuming certifications are some kind of magic wand.

Running the BSides SF 2019 CTF

david@systemoverlord.com (David Tomaschik) — Sun, 10 Mar 2019 00:00:00 +0000

I’ve just written a post for the BSidesSF blog about running the BSidesSF 2019 CTF. Check it out and feel free to get in touch if you have feedback.

BSides SF CTF Author Writeup: Flagsrv

david@systemoverlord.com (David Tomaschik) — Fri, 08 Mar 2019 00:00:00 +0000

Flagsrv was a 300 point web challenge in this year’s BSidesSF CTF. The description was a simple one:

We’ve built a service for the sole purpose of serving up flags!

The account you want is named ‘flag’.

BSides SF CTF Author Writeup: Cloud2Clown

david@systemoverlord.com (David Tomaschik) — Thu, 07 Mar 2019 00:00:00 +0000

The Challenge

Sometimes you see marketing materials that use the word cloud to the point that it starts to lose all meaning. This service allows you to fix that with clowns instead of clouds. Note: there are 2 flags, they should be clearly labeled.

Understanding Shellcode: The Reverse Shell

david@systemoverlord.com (David Tomaschik) — Tue, 30 Oct 2018 00:00:00 +0000

A recent conversation with a coworker inspired me to start putting together a series of blog posts to examine what it is that shellcode does. In the first installment, I’ll dissect the basic reverse shell.

First, a couple of reminders: shellcode is the machine code that is injected into the flow of a program as the result of an exploit. It generally must be position independent as you can’t usually control where it will be loaded in memory. A reverse shell initiates a TCP connection from the compromised host back to a host under the control of the attacker. It then launches a shell with which the attacker can interact.

Course Review: Adversarial Attacks and Hunt Teaming

david@systemoverlord.com (David Tomaschik) — Fri, 12 Oct 2018 00:00:00 +0000

At DerbyCon 8, I had the opportunity to take the “Adversarial Attacks and Hunt Teaming” presented by Ben Ten and Larry Spohn from TrustedSec. I went into the course hoping to get a refresher on the latest techniques for Windows domains (I do mostly Linux, IoT & Web Apps at work) as well as to get a better understanding of how hunt teaming is done. (As a Red Teamer, I feel understanding the work done by the blue team is critical to better success and reducing detection.)

Course Review: Software Defined Radio with HackRF

david@systemoverlord.com (David Tomaschik) — Fri, 14 Sep 2018 00:00:00 +0000

Over the past two days, I had the opportunity to attend Michael Ossman’s course “Software Defined Radio with HackRF” at Toorcon XX. This is a course I’ve wanted to take for several years, and I’m extremely happy that I finally had the chance. I wanted to write up a short review for others considering taking the course.

Course Material

The material in the course focuses predominantly on the basics of Software Defined Radio and Digital Signal Processing. This includes the math necessary to understand how the DSP handles the signal. The math is presented in a practical, rather than academic, way. It’s not a math class, but a review of the necessary basics, mostly of complex mathematics and a bit of trigonometry. (My high school teachers are now vindicated. I did use that math again.) You don’t need the math background coming in, but you do need to be prepared to think about math during the class. Extracting meaningful information from the ether is, it turns out, an exercise in mathematics.

"Entry-Level" Security Jobs and Experience

david@systemoverlord.com (David Tomaschik) — Mon, 27 Aug 2018 00:00:00 +0000

I’ve seen a lot of discussion of experience requirements and “entry-level” positions in the security industry lately. /r/netsecstudents and /r/asknetsec are full of threads discussing this topic, and I heard it being discussed at both BSidesLV and DEF CON this summer. The usual complaint is something along the lines of “all the positions want experience, so how am I supposed to get experience?” I’m going to take a stab at addressing this, and hope to at least provide some understanding.

Hacker Summer Camp 2018: Wrap-Up

david@systemoverlord.com (David Tomaschik) — Sat, 25 Aug 2018 00:00:00 +0000

I meant to write this post much closer to the end of Hacker Summer Camp, but to be honest, I’ve been completely swamped with getting back into the thick of things. However, I kept feeling like things were “unfinished”, so I thought I’d throw together at least a few thoughts from this year.

BSides Las Vegas

I can’t say much about BSides as a whole this year, as I spent the entire time Gold Teaming for Pros vs Joes CTF. (Gold Team is responsible for running the game infrastructure, scoreboard, etc.) It was a great experience to be on Gold Team, but I do miss having a team to support and educate. Overall, the CTF went fairly well, but there were a few bumps that I hope we can avoid next year.

I'm the One Who Doesn't Knock: Unlocking Doors From the Network

david@systemoverlord.com (David Tomaschik) — Fri, 10 Aug 2018 00:00:00 +0000

{:.right}

Today I’m giving a talk in the IoT Village at DEF CON 26. Though not a “main stage” talk, this is my first opportunity to speak at DEF CON. I’m really excited, especially with how much I enjoy IoT hacking. My talk was inspired by the research that lead to CVE-2017-17704, but it’s not meant to be a vendor-shaming session. It’s meant to be a discussion of the difficulty of getting physical access control systems that have IP communications features right. It’s meant to show that the designs we use to build a secure system when you have a classic user interface don’t work the same way in the IoT world.

(If you’re at DEF CON, come check it out at 4:45PM on Friday, August 10 in the IoT Village.)

Attacker Community DEF CON 26 Badge

david@systemoverlord.com (David Tomaschik) — Thu, 02 Aug 2018 00:00:00 +0000

I’ve spent an unhealthy amount of time over the past 6 months or so participating in the craze that is #badgelife. This year, I built badges for my Security Research Group/CTF Team: Attacker Community. (Because community is important when you’re attacking things.) Like last year, all of my badges were designed, assembled, and programmed by me. There are 24 badges this year, each featuring 8 characters of 14-segment display goodness and bluetooth connectivity. I may not be one of the big names in #badgelife, but if you just make some badges for your friends, there’s a lot less pressure in case something comes up.

Hacker Summer Camp 2018: Cyberwar?

david@systemoverlord.com (David Tomaschik) — Thu, 19 Jul 2018 00:00:00 +0000

I actually thought I was done with the pre-con portion of my Hacker Summer Camp blog post series, but it turns out that people wanted to know more about “the most dangerous network in the world”. Specifically, I got questions about how to protect yourself in this hostile environment, like whether people should bring a burner device, how to avoid getting hacked, what to do after the con, etc.

The Network

So, is it “the most dangerous network in the world”? Well, there’s probably some truth to that in the sense that in terms of density of threats, it’s likely fairly high. In terms of sheer volume of threats, the open internet is obviously going to be a leader.

Hacker Summer Camp 2018: Last Minute Tips

david@systemoverlord.com (David Tomaschik) — Sun, 15 Jul 2018 00:00:00 +0000

This is an update to my planning guide as we get closer to Hacker Summer Camp. (We’re down to about 3 weeks now!)

Planning Your Time

Schedules and details for events have begun to be released. For example, we have:

BSides Las Vegas Schedule
DEF CON 26 Speaker List (No schedule yet!)
DEF CON 26 Villages
DEF CON 26 Demo Labs

It’s time to take a look at the lists of events and times and start making your “must do” list. Resist the temptation to try to plan every minute – first, you won’t be able to stick to it, and secondly, you’ll feel like it doesn’t leave you time for spur of the moment events. There will be conversations you want to have, people you want to meet, or unscheduled activities you want to check out.

On Deep Work

david@systemoverlord.com (David Tomaschik) — Sun, 24 Jun 2018 00:00:00 +0000

I recently stumbled upon Azeria’s blog post The Importance of Deep Work & The 30-hour Method For Learning a New Skill, and it seriously struck a chord with me. Over the past year or so, I’ve struggled with a lack of personal satisfaction in my life and my work. I tried various things to address the issue, but could not figure out a root cause until I read her article, and then it clicked with me.

Pros vs Joes CTF: The Evolution of Blue Teams

david@systemoverlord.com (David Tomaschik) — Tue, 19 Jun 2018 00:00:00 +0000

Pros v Joes CTF is a CTF that holds a special place in my heart. Over the years, I’ve moved from playing in the 1st CTF as a day-of pickup player (signing up at the conference) to a Blue Team Pro, to core CTF staff. It’s been an exciting journey, and Red Teaming there is about the only role I haven’t held. (Which is somewhat ironic given that my day job is a red team lead.) As Blue teams have just formed, and I’m not currently attached to any single team, I wanted to share my thoughts on the evolution of Blue teaming in this unique CTF. In many ways, this will resemble the Blue Team player’s guide I wrote about 3 years ago, but will be based on the evolution of the game and of the industry itself. That post remains relevant, and I encourage you to read it as well.

Hacker Summer Camp 2018: Prep Guide

david@systemoverlord.com (David Tomaschik) — Sat, 26 May 2018 00:00:00 +0000

For those unfamiliar with the term, Hacker Summer Camp is the combination of DEF CON, Black Hat USA, and BSides Las Vegas that takes place in the hot Las Vegas sun every summer, along with all the associated parties and side events. It’s the largest gathering of hackers, information security professionals and enthusiasts, and has been growing for 25 years. In this post, I’ll present my views on how to get the most out of your 2018 trip to the desert, along with tips & points from some of my friends.

How the Twitter and GitHub Password Logging Issues Could Happen

david@systemoverlord.com (David Tomaschik) — Thu, 03 May 2018 00:00:00 +0000

There have recently been a couple of highly-publicized (at least in the security community) issues with two tech giants logging passwords in plaintext. First, GitHub found they were logging plaintext passwords on password reset. Then, Twitter found they were logging all plaintext passwords. Let me begin by saying that I have no insider knowledge of either bug, and I have never worked at either Twitter or GitHub, but I enjoy randomly speculating on the internet, so I thought I would speculate on this. (Especially since the /r/netsec thread on the Twitter article is amazingly full of misconceptions.)

BSidesSF CTF 2018: Coder Series (Author's PoV)

david@systemoverlord.com (David Tomaschik) — Sat, 21 Apr 2018 00:00:00 +0000

Introduction

As the author of the “coder” series of challenges (Intel Coder, ARM Coder, Poly Coder, and OCD Coder) in the recent BSidesSF CTF, I wanted to share my perspective on the challenges. I can’t tell if the challenges were uninteresting, too hard, or both, but they were solved by far fewer teams than I had expected. (And than we had rated the challenges for when scoring them.)

The entire series of challenges were based on the premise “give me your shellcode and I’ll run it”, but with some limitations. Rather than forcing players to find and exploit a vulnerability, we wanted to teach players about dealing with restricted environments like sandboxes, unusual architectures, and situations where your shellcode might be manipulated by the process before it runs.

The IoT Hacker's Toolkit

david@systemoverlord.com (David Tomaschik) — Mon, 16 Apr 2018 12:00:00 +0000

Today, I’m giving a talk entitled “The IoT Hacker’s Toolkit” at BSides San Francisco. I thought I’d release a companion blog post to go along with the slide deck. I’ll also include a link to the video once it gets posted online.

TOC {:toc}

Introduction

From my talk synopysis:

IoT and embedded devices provide new challenges to security engineers hoping to understand and evaluate the attack surface these devices add. From new interfaces to uncommon operating systems and software, the devices require both skills and tools just a little outside the normal security assessment. I’ll show both the hardware and software tools, where they overlap and what capabilities each tool brings to the table. I’ll also talk about building the skillset and getting the hands-on experience with the tools necessary to perform embedded security assessments.

OpenSSH Two Factor Authentication (But Not Service Accounts)

david@systemoverlord.com (David Tomaschik) — Sat, 03 Mar 2018 00:00:00 +0000

Very often, people hear “SSH” and “two factor authentication” and assume you’re talking about an SSH keypair that’s got the private key protected with a passphrase. And while this is a reasonable approximation of a two factor system, it’s not actually two factor authentication because the server is not using two separate factors to authenticate the user. The only factor is the SSH keypair, and there’s no way for the server to know if that key was protected with a passphrase. However, OpenSSH has supported true two factor authentication for nearly 5 years now, so it’s quite possible to build even more robust security.

Preparing for Penetration Testing with Kali Linux

david@systemoverlord.com (David Tomaschik) — Wed, 14 Feb 2018 00:00:00 +0000

If you spend any time at all on Reddit or forums for information security students, you’ll find dozens of questions about preparing for the Penetration Testing with Kali Linux (PWK, aka OSCP) class from Offensive Security. Likewise, I’ve been asked by a number of people I know personally about moving into the security realm. I figured I’d put together some notes on how to prepare and the knowledge that I believe is necessary to succeed with the PWK class. Additionally, all of the skills listed here are skills I would expect even the most junior of penetration testers to possess.

Book Review: Red Team by Micah Zenko

david@systemoverlord.com (David Tomaschik) — Sat, 10 Feb 2018 00:00:00 +0000

Red Team: How to Succeed By Thinking Like the Enemy by Micah Zenko focuses on the role that red teaming plays in a variety of institutions, ranging from the Department of Defense to cybersecurity. It’s an excellent book that describes the thought process behind red teaming, when red teaming is a success and when it can be a failure, and the way a red team can best fit into an organization and provide value. If you’re looking for a book that’s highly technical or focused entirely on information security engineering, this book may disappoint. There’s only a single chapter covering the application of red teaming in the information security space (particularly “vulnerability probes” as Zenko refers to many of the tests), but that doesn’t make the rest of the content any less useful – or interesting – to the Red Team practitioner.

Security Is Not an Absolute

david@systemoverlord.com (David Tomaschik) — Mon, 05 Feb 2018 00:00:00 +0000

If there’s one thing I wish people from outside the security industry knew when dealing with information security, it’s that Security is not an absolute. Most of the time, it’s not even quantifiable. Even in the case of particular threat models, it’s often impossible to make statements about the security of a system with certainty.

Playing with the Gigastone Media Streamer Plus

david@systemoverlord.com (David Tomaschik) — Sun, 28 Jan 2018 00:00:00 +0000

TOC {:toc}

Background

A few months ago, I was shopping on woot.com and discovered the Gigastone Media Streamer Plus for about $25. I figured this might be something occassionally useful, or at least fun to look at for security vulnerabilities. When it arrived, I didn’t get around to it for quite a while, and then when I finally did, I was terribly disappointed in it as a security research target – it was just too easy.

Psychological Issues in the Security Industry

david@systemoverlord.com (David Tomaschik) — Fri, 26 Jan 2018 00:00:00 +0000

I’ve unfortunately had the experience of dealing with a number of psychological issues (either personally or through personal connections) during my tenure in the security fold. I hope to shed some light on them and encourage others to take them seriously.

If you are hoping this post will be some grand reveal of security engineers going psychotic and stabbing users who enter passwords into phishing pages with poor grammar and spelling, web site administrators who can’t be bothered to set up HTTPS, and ransomware authors, then I hate to disappoint you. If, on the other hand, you’re interested in observations of people who have experienced various psychological problems while in the security industry, then I’ll probably still disappoint, just but not as much.

socat as a handler for multiple reverse shells

david@systemoverlord.com (David Tomaschik) — Sat, 20 Jan 2018 00:00:00 +0000

I was looking for a new way to handle multiple incoming reverse shells. My shells needed to be encrypted and I preferred not to use Metasploit in this case. Because of the way I was deploying my implants, I wasn’t able to use separate incoming port numbers or other ways of directing the traffic to multiple listeners.

Obviously, it’s important to keep each reverse shell separated, so I couldn’t just have a listener redirecting all the connections to STDIN/STDOUT. I also didn’t want to wait for sessions serially – obviously I wanted to be connected to all of my implants simultaneously. (And allow them to disconnect/reconnect as needed due to loss of network connectivity.)

TP-Link Kasa App: SSL Verification Disabled (Fixed)

david@systemoverlord.com (David Tomaschik) — Tue, 16 Jan 2018 00:00:00 +0000

The TP-Link Kasa app is the Android app that TP-Link distributes to control their Smart Home line of products, including IoT light bulbs, outlet and a home hub. TP-Link describes the app as:

The Kasa app works with Android and iOS devices so you can control your home right from your smartphone or tablet. You can also use Kasa to pair TP-Link smart home products with any Amazon Echo, Dot, Tap and The Google Assistant for voice control, giving you the ability to control your home with voice commands.

A Cheap and Compact Bench Power Supply

david@systemoverlord.com (David Tomaschik) — Fri, 29 Dec 2017 00:00:00 +0000

I wanted a bench power supply for powering small projects and devices I’m testing. I ended up with a DIY approach for around $30 and am very happy with the outcome. It’s a simple project that almost anyone can do and is a great introductory power supply for any home lab.

I had a few requirements when I set out:

Variable voltage (up to ~12V)
Current limiting (to protect against stupid mistakes)
Small footprint (my electronics work area is only about 8 square feet)
Relatively cheap

Initially, I considered buying an off the shelf bench power supply, but most of those are either very expensive, very large, or both. I also toyed with the idea of an ATX power supply as a bench power supply, but those don’t offer current limiting (and are capable of delivering enough current to destroy any project I’m careless with).

Even With the Cloud, Client Security Still Matters

david@systemoverlord.com (David Tomaschik) — Wed, 27 Dec 2017 00:00:00 +0000

As usual, this post does not necessarily represent the views of my employer (past, present, or future).

It’s Friday afternoon and the marketing manager receives an email with the new printed material proofs for the trade show. Double clicking the PDF attachment, his PDF reader promptly crashes.

“Ugh, I’m gonna have to call IT again. I’ll do it Monday morning,” he thinks, and turns off his monitor before heading home for the weekend.

2017 Christmas Ornament

david@systemoverlord.com (David Tomaschik) — Sun, 24 Dec 2017 00:00:00 +0000

After playing around with a custom DEF CON badge, I wanted to do another electronics project just for fun. What better time to share electronics with others than Christmas? So I decided to do a custom ornament for friends and family.

Though it shared some characteristics with my DEF CON badge (blinken lights, battery powered, etc.), the similarities ended there. In this case I want something lightweight (it’s going on a tree branch), simple (the XXV badges took a long time to assemble by hand), and that could run off a coin cell battery for days.

[CVE-2017-17704] Broken Cryptography in iStar Ultra & IP ACM by Software House

david@systemoverlord.com (David Tomaschik) — Mon, 18 Dec 2017 00:00:00 +0000

Introduction

Vulnerabilities were identified in the iStar Ultra & IP-ACM boards offered by Software House. This system is used to control physical access to resources based on RFID-based badge readers. Badge readers interface with the IP-ACM board, which uses TCP/IP to communicate with the iStar Ultra controller.

These were discovered during a black box assessment and therefore the vulnerability list should not be considered exhaustive; observations suggest that it is likely that further vulnerabilities exist. It is strongly recommended that Software House undertake a full whitebox security assessment of this application. Additionally, it is our suggestion that all communications be conducted over TLS. While alternatives are suggested below, cryptography is very difficult even for experts, and so using a well-understood cryptosystem like TLS is preferable to home-grown solutions. The version under test was indicated as: 6.5.2.20569. As of the time of disclosure, the issues remain unfixed.

2017 Hacker Holiday Gift Guide

david@systemoverlord.com (David Tomaschik) — Wed, 22 Nov 2017 00:00:00 +0000

I’ve been thinking about gifts for Hackers and Makers lately as the holiday season arrives. I decided I’d build a public list of some of my favorite things (and perhaps some things I’d like myself as well!) I’ll break it down into a few categories for different kinds of hackers (and different kinds of gifters as well). Prices are current as of writing, but not something I’ll be updating.

Hardware Hacking, Reversing and Instrumentation: A Review

david@systemoverlord.com (David Tomaschik) — Sat, 11 Nov 2017 00:00:00 +0000

I recently attended Dr. Dmitry Nedospasov’s 4-day “Hardware Hacking, Reversing and Instrumentation” training class as part of the HardwareSecurity.training event in San Francisco. I learned a lot, and it was incredibly fun class. If you understand the basics of hardware security and want to take it to the next level, this is the course for you.

The class predominantly focuses on the use of FPGAs for breaking security in hardware devices (embedded devices, microcontrollers, etc.). The advantage of FPGAs is that they can be used to implement arbitrary protocols and can operate with very high timing resolution. (e.g., single clock cycle, since it’s essentially synthesized hardware.)

Building a Home Lab for Offensive Security & Security Research

david@systemoverlord.com (David Tomaschik) — Tue, 24 Oct 2017 00:00:00 +0000

When I wrote my “getting started” post on offensive security, I promised I’d write about building a lab you can use to practice your skillset. It’s taken a little while for me to get to it, but I’m finally trying to deliver.

Much like the post on getting started, I’m not claiming to have all the answers. I’ll again be focusing on an environment that helps you build a focus in the areas I most work in – penetration testing, black box application security, and red teaming. (And if you’re wondering about the difference between a penetration test and red team, there will be a post for that too – I promise they’re very different.)

Getting Started in Offensive Security

david@systemoverlord.com (David Tomaschik) — Mon, 18 Sep 2017 00:00:00 +0000

Please note that this post, like all of those on my blog, represents only my views, and not those of my employer. Nothing in here implies official hiring policy or requirements.

I’m not going to pretend that this article is unique or has magic bullets to get you into the offensive security space. I also won’t pretend to speak for others in that space or in other areas of information security. It’s a big field, and it turns out that a lot of us have opinions about it. Mubix maintains a list of posts like this so you can see everyone’s opinions. I highly recommend the post “So You Want to Work in Security” by Parisa Tabriz for a view that’s not specific to offensive security. (Though there’s a lot of cross-over.)

Review of HackerBoxes 0021: Hacker Tracker

david@systemoverlord.com (David Tomaschik) — Fri, 11 Aug 2017 00:00:00 +0000

HackerBoxes is a monthly subscription service for hardware hackers and makers. I hadn’t heard of it until I was researching DEF CON 25 badges, for which they had a box, at which point I was amazed I had missed it. They were handing out coupons at DEF CON and BSidesLV for 10% off your first box, so I decided to give it a try.

First thing I noticed upon opening the box was that there’s no fanfare in the packaging or design of the shipping. You get a plain white box shipped USPS with all of the contents just inside. I can’t decide if I’m happy they’re not wasting material on extra packaging, or disappointed they didn’t do more to make it feel exciting. If you look at their website, they show all the past boxes with a black “Hacker Boxes” branded box, so I don’t know if this is a change, or the pictures on the website are misleading, or the influx of new members from hacker summer camp has resulted in a box shortage.

Hacker Summer Camp 2017: Lessons Learned

david@systemoverlord.com (David Tomaschik) — Mon, 07 Aug 2017 00:00:00 +0000

In addition to taking stock of how things went at Hacker Summer Camp, I think it’s important to examine the lessons learned from the event. Some of these lessons will be introspective and reflect on myself and my career, but I think it’s important to share these to encourage others to also reflect on what they want and where they’re going.

Introspections

It’s still incredibly important to me to be doing hands-on technical work. I do a lot of other things, and they may have significant impact, but I can’t imagine taking a purely leadership/organizational role. I wouldn’t be happy, and unhappy people are not productive people. Finding vulnerabilities, doing technical research, building tools, are all areas that make me excited to be in this field and to continue to be in this field.

Hacker Summer Camp 2017: DEF CON

david@systemoverlord.com (David Tomaschik) — Sat, 05 Aug 2017 00:00:00 +0000

DEF CON, of course, is the main event of Hacker Summer Camp for me. It’s the largest gathering of hackers in the world, and it’s the only opportunity I get to see some of the people I know in the industry. It’s also the most hands-on of all of the conferences I’ve ever attended, and the people running the villages clearly know their stuff and are super passionate about their area. Nowhere do I see so much raw talent and excitement for the hacker spirit as at DEF CON.

Hacker Summer Camp 2017: Pros vs Joes CTF

david@systemoverlord.com (David Tomaschik) — Mon, 31 Jul 2017 00:00:00 +0000

I’ve returned from this year’s edition of Hacker Summer Camp, and while I’m completely and utterly exhausted, I wanted to get my thoughts about this year’s events out before I completely forget what happened.

The Pros vs Joes CTF was, yet again, a high quality event despite the usual bumps and twists. This was the largest PvJ ever, with more than 80 people involved between Blue Pros, Blue Joes, Red Cell, Grey Cell, and Gold Cell. Each blue team had 11 players between the two Pros and 9 Joes, making them slightly larger than in years past. (Though I believe that’s a temporary “feature” of this year’s game.)

Hacker Summer Camp 2017: XXV Badge

david@systemoverlord.com (David Tomaschik) — Mon, 31 Jul 2017 00:00:00 +0000

In my post the Many Badges of DEF CON 25 I may have not-so-subtly hinted that there was something I was working on. While none of the ones I listed were created in response to the announcement that DEF CON had been forced to switch to “Plan B” with their badges, mine more or less was. Ever since I saw the Queercon badge in 2015, I’d had the idea to create my own electronic badge, but the announcement spurred me on to action.

Hacker Summer Camp 2017 Planning Guide

david@systemoverlord.com (David Tomaschik) — Tue, 18 Jul 2017 00:00:00 +0000

My hacker summer camp planning posts are among the most-viewed on my blog, and I was recently reminded I hadn’t done one for 2017 yet, despite it being just around the corner!

Though many tips will be similar, feel free to check out the two posts from last year as well:

If you don’t know, Hacker Summer Camp is a nickname for 3 information security conferences in one week in Las Vegas every July/August. This includes Black Hat, BSides Las Vegas, and DEF CON.

The Many Badges of DEF CON 25

david@systemoverlord.com (David Tomaschik) — Fri, 07 Jul 2017 00:00:00 +0000

If you follow DEF CON news at all, you’ll know that there’s been some kind of issue with the badges. But don’t worry, DEF CON will have badges, but so will the community!

What do I mean by this? Well, badge hacking has long been a DEF CON tradition, but in the past few years, we’ve seen more and more unofficial badges appearing at DEF CON. This year seems to be a massive upswing, and while I’m sure some of that was in progress before the badge announcement, ~~I believe at least some of it is the community response to the DEF CON badge issue~~. (Edit: All of the listed badges were apparently in the works before the DEF CON announcement. Thanks to @wbm312 for setting me straight.)

Pi Zero as a Serial Gadget

david@systemoverlord.com (David Tomaschik) — Sun, 21 May 2017 00:00:00 +0000

I just got a new Raspberry Pi Zero W (the wireless version) and didn’t feel like hooking it up to a monitor and keyboard to get started. I really just wanted a serial console for starters. Rather than solder in a header, I wanted to be really lazy, so decided to use the USB OTG support of the Pi Zero to provide a console over USB. It’s pretty straightforward, actually.

Belden Garrettcom 6K/10K Switches: Auth Bypasses, Memory Corruption

david@systemoverlord.com (David Tomaschik) — Fri, 19 May 2017 00:00:00 +0000

Introduction

Vulnerabilities were identified in the Belden GarrettCom 6K and 10KT (Magnum) series network switches. These were discovered during a black box assessment and therefore the vulnerability list should not be considered exhaustive; observations suggest that it is likely that further vulnerabilities exist. It is strongly recommended that GarrettCom undertake a full whitebox security assessment of these switches.

The version under test was indicated as: 4.6.0. Belden Garrettcom released an advisory on 8 May 2017, indicating that issues were fixed in 4.7.7: https://www.belden.com/hubfs/support/security/bulletins/Belden-GarrettCom-MNS-6K-10K-Security-Bulletin-BSECV-2017-8.pdf?hsLang=en

This is a local copy of an advisory posted to the Full Disclosure mailing list.

Applied Physical Attacks and Hardware Pentesting

david@systemoverlord.com (David Tomaschik) — Sat, 13 May 2017 00:00:00 +0000

This week, I had the opportunity to take Joe Fitzpatrick’s class “Applied Physical Attacks and Hardware Pentesting”. This was a preview of the course he’s offering at Black Hat this summer, and so it was in a bit of an unpolished state, but I actually enjoyed the fact that it was that way. I’ve taken a class with Joe before, back when he and Stephen Ridley of Xipiter taught “Software Exploitation via Hardware Exploitation”, and I’ve watched a number of his talks at various conferences, so I had high expectations of the course, and he didn’t disappoint.

DEF CON Quals 2017: beatmeonthedl

david@systemoverlord.com (David Tomaschik) — Sun, 30 Apr 2017 00:00:00 +0000

I played in the DEF CON quals CTF this weekend, and happened to find the challenge beatmeonthedl particularly interesting, even if it was in the “Baby’s First” category. (DC Quals Baby’s Firsts aren’t as easy as one might think…)

So we download the binary and take a look. I’m using Binary Ninja lately, it’s a great tool from the Vector35 guys, and at the right price compared to IDA for playing CTF. :) So I open up the binary, and notice a few things right away. This is an x86-64 ELF binary with essentially none of the standard security features enabled:

Security Issues in Alerton Webtalk (Auth Bypass, RCE)

david@systemoverlord.com (David Tomaschik) — Thu, 27 Apr 2017 00:00:00 +0000

Introduction

Vulnerabilities were identified in the Alerton Webtalk Software supplied by Alerton. This software is used for the management of building automation systems. These were discovered during a black box assessment and therefore the vulnerability list should not be considered exhaustive. Alerton has responded that Webtalk is EOL and past the end of its support period. Customers should move to newer products available from Alerton. Thanks to Alerton for prompt replies in communicating with us about these issues.

Bash Extended Test & Pattern Matching

david@systemoverlord.com (David Tomaschik) — Mon, 17 Apr 2017 00:00:00 +0000

While my daily driver shell is ZSH, when I script, I tend to target Bash. I’ve found it’s the best mix of availability & feature set. (Ideally, scripts would be in pure posix shell, but then I’m missing a lot of features that would make my life easier. On the other hand, ZSH is not available everywhere, and certainly many systems do not have it installed by default.)

I’ve started trying to use the Bash “extended test command” ([[) when I write tests in bash, because it has fewer ways you can misuse it with bad quoting (the shell parses the whole test command rather than parsing it as arguments to a command) and I find the operations available easier to read. One of those operations is pattern matching of strings, which allows for stupidly simple substring tests and other conveniences. Take, for example:

Useful ARM References

david@systemoverlord.com (David Tomaschik) — Tue, 21 Mar 2017 00:00:00 +0000

I started playing the excellent IOARM wargame on netgarage. No, don’t be expecting spoilers, hints, or walk-throughs, I’m not that kind of guy. This is merely a list of interesting reading I’ve discovered to help me understand the ARM architecture and ARM assembly.

Docker containers for cross-compilation
ARMwiki
ARM Syscalls (I’m not sure why they all seem to have +0x900000 to their value, you certainly don’t use them that way.)
ARM Assembly System Calls (This is part of a bigger series that looks excellent at a glance.)
Shellcode on ARM architecture
Syscall.tbl for ARM (Use with the w3challs.com version to see arguments used.)
Calling Conventions
GDB with User-Mode QEMU

GOT and PLT for pwning.

david@systemoverlord.com (David Tomaschik) — Sun, 19 Mar 2017 00:00:00 +0000

So, during the recent 0CTF, one of my teammates was asking me about RELRO and the GOT and the PLT and all of the ELF sections involved. I realized that though I knew the general concepts, I didn’t know as much as I should, so I did some research to find out some more. This is documenting the research (and hoping it’s useful for others).

BSidesSF 2017

david@systemoverlord.com (David Tomaschik) — Wed, 15 Feb 2017 00:00:00 +0000

BSidesSF 2017 was, by far, the best yet. I’ve been to the last 5 or so, and had a blast at almost every one. This year, I was super busy – gave a talk, ran a workshop, and I was one of the organizers for the BSidesSF CTF. I’ve posted the summary and slides for my talk and I’ll update the video link once it gets posted.

I think it’s important to thank the BSidesSF organizers – they did a phenomenal job with an even bigger venue and I think everyone loved it. It was clearly a success, and I can only imagine how much work it takes to plan something like this.

Assessing the Embedded Devices on Your Network

david@systemoverlord.com (David Tomaschik) — Mon, 13 Feb 2017 00:00:00 +0000

Embedded devices (including the so-called Internet of Things) pose unique problems for those responsible for managing and assessing their security. The devices tend to be less transparent and more tightly integrated than typical software and generally lack the host-based security controls (privilege separation, host firewalls, etc.) found on desktop or server applications. This talk will cover some of the unique constraints for threat modeling and assessing these devices, then walk through an assessment of a VoIP phone and discuss the issues found there, including potential mitigations that can be applied if a device cannot be updated.

SANS Holiday Hack Challenge 2016

david@systemoverlord.com (David Tomaschik) — Thu, 05 Jan 2017 00:00:00 +0000

Table of Contents {:toc}

Introduction

This is my second time playing the SANS holiday hack challenge. It was a lot of fun, and probably took me about 8-10 hours over a period of 2-3 days, not including this writeup. Ironically, this writeup took me longer than actually completing the challenge – which brings me to a note about some of the examples in the writeup. Please ignore any dates or timelines you might see in screengrabs and other notes – I was so engrossed in playing that I did a terrible job of documenting as I went along, so a lot of these I went back and did a 2nd time (of course, knowing the solution made it a bit easier) so I could provide the quality of writeup I was hoping to.

Most importantly, a huge shout out to all the SANS Counter Hack guys – I can only imagine how much work goes into building an educational game like this and making the challenges realistic and engrossing. I’ve built wargames & similar apps for work, but never had to build them into a story – let across a story that spans multiple years. I tip my hat to their dedication and success!

New Tool: sshdog

david@systemoverlord.com (David Tomaschik) — Wed, 04 Jan 2017 00:00:00 +0000

I recently needed an encrypted, authenticated remote bind shell due to a situation where, believe it or not, the egress policies were stricter than ingress! Ideally I could forward traffic and copy files over the link.
I was looking for a good tool and casually asked my coworkers if they had any ideas when one said “sounds like SSH.”

Well, shit. That does sound like SSH and I didn’t even realize it. (Tunnel vision, and the value of bouncing ideas off of others.) But I had a few more requirements in total:

Security at the End of 2016

david@systemoverlord.com (David Tomaschik) — Sat, 31 Dec 2016 00:00:00 +0000

Well, 2016 is just about at an end, and what a year it has been. I’m not going to delve into politics, though that will arguably be how the history books will remember this year, but I want to take a look back at a few of the big security headlines of the year, and then make some completely wildass prognostications about information security in 2017.

Bad News of 2016

Yahoo! reported over 1 billion accounts were stolen by unknown attackers. Though the breaches occurred in 2013 and 2014, they weren’t publicly reported until the tail end of this year.

Posting JSON with an HTML Form

david@systemoverlord.com (David Tomaschik) — Wed, 24 Aug 2016 00:00:00 +0000

A coworker and I were looking at an application today that, like so many other modern web applications, offers a RESTful API with JSON being used for serialization of requests/responses. She noted that the application didn’t include any sort of CSRF token and didn’t seem to use any of the headers (X-Requested-With, Referer, Origin, etc.) as a “poor man’s CSRF token”, but since it was posting JSON, was it really vulnerable to CSRF? Yes, yes, definitely yes!

ObiHai ObiPhone: Multiple Vulnerabilties

david@systemoverlord.com (David Tomaschik) — Mon, 22 Aug 2016 00:00:00 +0000

Note that this a duplicate of the advisory sent to the full-disclosure mailing list.

Introduction

Multiple vulnerabilities were discovered in the web management interface of the ObiHai ObiPhone products. The Vulnerabilities were discovered during a black box security assessment and therefore the vulnerability list should not be considered exhaustive.

Affected Devices and Versions

ObiPhone 1032/1062 with firmware less than 5-0-0-3497.

Vulnerability Overview

Obi-1. Memory corruption leading to free() of an attacker-controlled address
Obi-2. Command injection in WiFi Config
Obi-3. Denial of Service due to buffer overflow
Obi-4. Buffer overflow in internal socket handler
Obi-5. Cross-site request forgery
Obi-6. Failure to implement RFC 2617 correctly
Obi-7. Invalid pointer dereference due to invalid header
Obi-8. Null pointer dereference due to malicious URL
Obi-9. Denial of service due to invalid content-length

(Slightly) Securing Wargame Servers

david@systemoverlord.com (David Tomaschik) — Sun, 21 Aug 2016 00:00:00 +0000

I was setting up some wargame boxes for a private group and wanted to reduce the risk of malfeasence/abuse from these boxes. One option, used by many public wargames, is locking down the firewall. While that’s a great start, I decided to go one step further and prevent directly logging in as the wargame users, requiring that the users of my private wargames have their own accounts.

Step 1: Setup the Private Accounts

This is pretty straightforward: create a group for these users that can SSH directly in, create their accounts, and setup their public keys.

Matir's Favorite Things

david@systemoverlord.com (David Tomaschik) — Sat, 20 Aug 2016 00:00:00 +0000

One of my friends was recently asking me about some of the tools I use, particularly for security assessments. While I can’t give out all of these things for free Oprah-style, I did want to take a moment to share some of my favorite security- and technology-related tools, services and resources.

Hardware

{:.left} My primary laptop is a Lenovo T450s. For me, it’s the perfect mix of weight and processing power – configured with enough RAM, the i5-5200U has no trouble running 2 or 3 VMs at the same time, and with an internal 3-cell battery plus a 6-cell battery pack, it will go all day without an outlet. (Though not necessarily under 100% CPU load.) Though Lenovo no longer sells this, having replaced it with the T460s, it’s still available on Amazon.

HSC Part 2: Pros versus Joes CTF

david@systemoverlord.com (David Tomaschik) — Wed, 10 Aug 2016 00:00:00 +0000

Continuing my Hacker Summer Camp Series, I’m going to talk about one of my Hacker Summer Camp traditions. That’s right, it’s the Pros versus Joes CTF at BSidesLV. I’ve written about my experiences and even a player’s guide before, but this was my first year as a Pro, captaining a blue team (The SYNdicate).

It’s important to me to start by congratulating all of the Joes – this is an intense two days, and your pushing through it is a feat in and of itself. In past years, we had players burn out early, but I’m proud to say that nearly all of the Joes (from every team) worked hard until the final scorched earth. Every one of the players on my team was outstanding and worked their ass off for this CTF, and it paid off, as The SYNdicate was declared the victors of the 2016 BSides LV Pros versus Joes.

HSC Part 3: DEF CON

david@systemoverlord.com (David Tomaschik) — Wed, 10 Aug 2016 00:00:00 +0000

This is the 3rd, and final, post in my Hacker Summer Camp 2016 series. Part 1 covered my class at Black Hat, and Part 2 the 2016 BSidesLV Pros versus Joes CTF. Now it’s time to talk about the capstone of the week: DEF CON.

DEF CON is the world’s largest (but not oldest) Hacker conference. This year was the biggest yet, with Dark Tangent stating that they produced 22,000 lanyards – and ran out of lanyards. That’s a lot of attendees. It covered both the Paris and Bally’s conference areas, and that still didn’t feel like enough.

HSC Part 1: Hardware Hacking with the Hardsploit Framework

david@systemoverlord.com (David Tomaschik) — Tue, 09 Aug 2016 00:00:00 +0000

Just returned from Hacker Summer Camp (Black Hat, BSides LV, DEF CON) and I’m exhausted. 10 days in Las Vegas is a lot of Las Vegas, even if you don’t spend a lot of time at the slot machines, table games, and shows.

My week started off with a training class at Black Hat: Hardware Hacking with the Hardsploit Framework taught by a couple of guys who clearly knew their hardware. I’ve previously taken Xipiter’s Software Exploitation via Hardware Exploitation, which helped with some of the basic concepts, but the two classes were definitely complimentary. SexViaHex predominantly focused on dumping firmware from embedded microcomputers (that is, they had a kernel, typically Linux, and were running applications on them) and analyzing them for exploitable software vulnerabilities (mostly memory corruption-esque issues). HH with Hardsploit, on the other hand, mostly focused on microcontroller-based embedded devices. This was much more a class of dumping flash to locate stored secrets, understanding the hardware of the device, and working from there.

Chrome on Kali for root

david@systemoverlord.com (David Tomaschik) — Sun, 24 Jul 2016 00:00:00 +0000

For many of the tools on Kali Linux, it’s easiest to run them as root, so the defacto standard has more or less become to run as root when using Kali. Google Chrome, on the other hand, would not like to be run as root (because it makes sandboxing harder when your user is all-powerful) so there have been a number of tricks to get it to run. I’m going to describe my preferred setup here. (Mostly as documentation for myself.)

Hacker Summer Camp Planning Guide, Part II

david@systemoverlord.com (David Tomaschik) — Fri, 08 Jul 2016 00:00:00 +0000

In February, I wrote a guide to planning travel for BSides, Black Hat, and DEF CON, occasionally referred to as “Hacker Summer Camp.” In my original post, I promised an update with information about your actual travels to BSides, Black Hat, and DEF CON: what to bring, what to do, and how best to stay out of trouble. This is my best advice on that, but I’m sure others have differing opinions.

ASIS CTF 2016: 3magic

david@systemoverlord.com (David Tomaschik) — Sun, 08 May 2016 22:30:00 +0000

We’re directed to a web application that provides us with the ability to ping an arbitrary host. Like many such web interfaces, this one is vulnerable to command injection. We can provide flags like -v to get the version of ping being used, but inserting other characters, like |, ;, or $() result in a response of invalid character detected. Notably, so do spaces and tabs, significantly limiting the ability to run commands (we’ll see how to get around this shortly).

ASIS CTF 2016: Binary Cloud

david@systemoverlord.com (David Tomaschik) — Sun, 08 May 2016 22:30:00 +0000

Binary Cloud claims “Now you can upload any types of files, temporarily.” Let’s see what this means.

Rule one of web challenges: check robots.txt:

User-Agent: *
Disallow: /
Disallow: /debug.php
Disallow: /cache
Disallow: /uploads

So we have some interesting paths there. debug.php turns out to be a phpinfo() page, informing us it’s ‘PHP Version 7.0.4-7ubuntu2’. Interesting, pretty new version. I play around with the app briefly to see how it’s going to behave, and notice any file ending in .php is prohibited. No direct .php script upload for us.

ASIS CTF 2016: firtog

david@systemoverlord.com (David Tomaschik) — Sun, 08 May 2016 22:30:00 +0000

Firtog gives us a pcap file that you can quickly see features several TCP sessions containing the git server protocol. The binary protocol looks like this in the follow TCP stream mode:

Switching Wireshark to decode this as “Git” almost works, but there’s a trick. If we read the git pack protocol documentation, we’ll see there’s a special side-band mode here, where the length field is followed with a ‘1’, ‘2’, or ‘3’ byte indicating the type of data to follow. We only want the data from sideband ‘1’, which is the actual packfile data. So we’ll grab that data using Wireshark and write it to a file, fixing up the last byte with quick python work.

Even shorter x86-64 shellcode

david@systemoverlord.com (David Tomaschik) — Wed, 27 Apr 2016 00:00:00 +0000

So about two years ago, I put together the shortest x86-64 shellcode for execve("/bin/sh",...); that I could. At the time, it was 25 bytes, which I thought was pretty damn good. However, I’m a perfectionist and so I spent some time before work this morning playing shellcode golf. The rules of my shellcode golf are pretty simple:

The shellcode must produce the desired effect.
It doesn’t have to do things cleanly (i.e., segfaulting after is OK, as is using APIs in unusual ways, so long as it works)
It can assume the stack pointer is at a place where it will not segfault and it will not overwrite the shellcode itself.
No NULLs. While there might be other constraints, this one is too common to not have as a default.

So, spending a little bit of time on this, I came up with the following 22 byte shellcode:

PlaidCTF 2016: Butterfly

david@systemoverlord.com (David Tomaschik) — Sun, 17 Apr 2016 00:00:00 +0000

Butterfly was a 150 point pwnable in the 2016 PlaidCTF. Basic properties:

x86_64
Not PIE
Assume ASLR, NX

It turns out to be a very simple binary, all the relevant code in one function (main), and using only a handful of libc functions. The first thing that jumped out to me was two calls to mprotect, at the same address. I spent some time looking at the disassembly and figuring out what was going on. The relevant portions can be seen here:

Ham Fisted Legislators

david@systemoverlord.com (David Tomaschik) — Sun, 10 Apr 2016 00:00:00 +0000

There’s fortunately been a lot of media coverage of a typically ham-fisted attempt to legislate technology:

For once, it’s not just been technology blogs: Fortune, Reuters, and USA Today are among those covering the legislative failure.

Women in Cybersecurity Summit

david@systemoverlord.com (David Tomaschik) — Mon, 04 Apr 2016 00:00:00 +0000

This past weekend, I was at the Women in Cybersecurity Summit in Dallas, TX, both recruiting for my company and copresenting a workshop on web application penetration testing. It was a real eye-opening event for me, mostly because it was the first security event I’ve attended where the bulk of the attendees were students or faculty. I had a great time and met a lot of interesting people, and it’s a very small event, which is something I’m not terribly used to, since I usually go to bigger events.

Another Milestone: Offensive Security Certified Expert

david@systemoverlord.com (David Tomaschik) — Mon, 28 Mar 2016 00:00:00 +0000

This weekend, I attempted what might possibly be my hardest academic feat ever: to pass the Offensive Security Certified Expert exam, the culmination of OffSec’s Cracking the Perimeter course. 48 hours of being pushed to my limits, followed by 24 hours of time to write a report detailing my exploits. I expected quite a challenge, but it really pushed me to my limits. The worst part of all, however, was the 50 hours or so that passed between the time I submitted my exam report and the time I got my response.

Finding My Inspiration

david@systemoverlord.com (David Tomaschik) — Thu, 24 Mar 2016 00:00:00 +0000

I’ve been having a lot of trouble lately, feeling like I’m not doing the things I need to do to move towards my personal goals or ensure that I continue to do interesting work. As one of several things I’m trying to do, I’m trying to catalog things that have inspired me recently, or whose work I aspire to imitate. This is a no-particular-order list of classes, presentations, videos, papers, and other that remind me why I love working in Information Security, in hopes that it will help me find my mojo and enthusiasm for what I do again.

Banning Encryption Will Fail... And It's a Bad Idea, Too

david@systemoverlord.com (David Tomaschik) — Wed, 23 Mar 2016 00:00:00 +0000

There’s a lot of debate going on right now about banning encryption. Now, some people might refer to this as a backdoor or “providing government access” or whatever term they’d like to use to discuss it, but as a security professional, I see only one thing as encryption: the kind that’s completely unbreakable, even by the FBI or the NSA or the Chinese government or anyone else. Anything else is simply not encryption, as it does not guarantee your confidentiality. So, I’m going to talk about banning encryption as equivalent to providing a government backdoor or any of the other clever ways it’s being spun.

(Tiny) Tool Release: Pwnpattern

david@systemoverlord.com (David Tomaschik) — Wed, 16 Mar 2016 00:00:00 +0000

Just a quick note to go with something I dropped on Github recently: pwnpattern is a python library and stand-alone script that replicates most of the functionality of Metasploit Framework’s pattern_create.rb and pattern_offset.rb. The patterns created are identical to those from Metasploit, so you can even mix and match tools.

There are several reasons I wrote this:

You don’t need a full copy of metasploit installed for creating patterns for e.g., wargames, CTFs, etc.
It loads much more quickly: on my machine, Metasploit’s pattern_create.rb takes 2.29s, my script takes 0.01s. This is due, of course, to dependencies (MSF’s requires the entire Rex library to be loaded) but it is kind of nice to not wait for things.
It can be embedded in python scripts (just like Rex can be embedded in Ruby scripts).

BSides SF: Saturday

david@systemoverlord.com (David Tomaschik) — Sun, 28 Feb 2016 00:00:00 +0000

Much like my notes from BSides Seattle, this will just be a quick dump of notes from the talks I attended today. (Almost) all talks are also being recorded by Irongeek, so this only serves to highlight what I considered key points of the talks I attended. Tomorrow, I’ll be doing my workshop (stop by and say hi) so my notes are likely to be considerably lighter.

Keynote: A Declaration of the Independence of Cyberspace

John Perry Barlow, co-founder, EFF

BSides Workshop

david@systemoverlord.com (David Tomaschik) — Sat, 27 Feb 2016 00:00:00 +0000

I probably should’ve posted this days ago, but on Monday, I’ll be teaching a Web Security workshop at BSides San Francisco along with Niru. While capacity is limited, we may have a few additional seats, so if you’re interested, drop by and see what we’ve got.

Workshop description:

Web applications can fail in a variety of ways, from Cross-Site Scripting to SQL Injection and more. Join us for a look at a variety of common web vulnerabilities, including Cross-Site Scripting, Cross-Site Request Forgery, Weak Authentication, Logic Errors, and more – and an opportunity to test your web hacking skills against a simulated online bank. We’ll be covering the vulnerabilities from the ground up, but a basic understanding of web applications (i.e., HTTP, HTML, and JavaScript) and browsers would be useful background.

BSides Seattle

david@systemoverlord.com (David Tomaschik) — Sat, 20 Feb 2016 00:00:00 +0000

These are just (essentially) my raw notes dumped from the talks I attended at BSides Seattle (2015-ish). Unfortunate I developed a migraine so I only caught the morning talks.

Active Directory

Use scripts to dump AD
Use scripts to sync with 3rd party providers
Lots of story, not much technical depth

Red Team

Presenter: Sean Malone, FusionX
Types of Security Assessment
- Vulnerability Assessment
  - Find vulnerability
  - Limited Scope
  - Broad & Shallow
  - Cooperates with SecOps
- Pentesting
  - Achieve Technical Compromise/Domain Admin
  - Moderate Depth
  - Techniques include Network, Application Assessment
- Red Team
  - Narrow Scope
  - Whole Enterprise is In Scope
  - Techniques include Social, Physical, Technical
  - RT Objectives
    - Simulate Sophisticated Adversary
    - Achieve “Nightmare Scenario” without detection
  - Client Objectives
    - Understand resiliency
    - Risk reduction, not just vulnerability count
Effective Red Teams

Hacker Summer Camp Planning Guide

david@systemoverlord.com (David Tomaschik) — Thu, 18 Feb 2016 00:00:00 +0000

A couple of coworkers who have never been to DEF CON, BSides Las Vegas or Black Hat (collectively, “Hacker Summer Camp”) asked me about planning their first trips, so I decided to collect my tips here. I’m going to be splitting my advice into two parts: this planning guide for travel/scheduling/registration information, and a Hacker Summer Camp survival guide for advice that’s more relevant while you’re at the conferences.

Manage Your Energy

There’s a lot to do, the hours tend to be long, and unless you’re used to both the environment (typically hot, this is Las Vegas in August!) and the crowds, it’s going to burn a lot more energy than you’re going to expect. Two years ago, I attended all 3 of the conferences, helped run a company suite, and taught classes at R00tz (formerly DEF CON Kids). This was a serious mistake on my part, and failure to manage my energy adequately. I ended up not getting as much out of any of the events as I should have, and when I returned, I ended up sick for several days due to the toll of these events on my body. It was more than a full week afterwards before I felt fully recovered.

Time for More Changes

david@systemoverlord.com (David Tomaschik) — Fri, 12 Feb 2016 00:00:00 +0000

This isn’t the first time I’ve changed blogging platforms, and it probably won’t be the last. I got tired of having to do maintenance on a blogging platform, so I decided to look for something lightweight. Enter Jekyll.

Jekyll is basically a static website compiler – it takes templates and content and produces static HTML output. No databases, no runtimes, no attack surface (beyond a static webserver). Given that I don’t mind writing in Markdown (in fact, I was using a Markdown plugin for Mezzanine), it seemed like a perfect fit. I wrote a quick script to get content out of Mezzanine/Django and export as HTML/Markdown, then spent some time tweaking the settings and theme (based on Hyde).

Offensive Security Certified Professional

david@systemoverlord.com (David Tomaschik) — Tue, 29 Dec 2015 05:32:33 +0000

It’s been a little bit since I last updated, and it’s been a busy time. I did want to take a quick moment to update and note that I accomplished something I’m pretty proud of. As of Christmas Eve, I’m now an Offensive Security Certified Professional.

Even though I’ve been working in security for more than two years, the lab and exam were still a challenge. Given that I mostly deal with web security at work, it was a great change to have a lab environment of more than 50 machines to attack. Perhaps most significantly, it gave me an opportunity to fight back a little bit of the impostor syndrome I’m perpetually afflicted with.

WebBorer: Directory Enumeration in Go

david@systemoverlord.com (David Tomaschik) — Mon, 28 Dec 2015 00:00:00 +0000

WebBorer is a directory-enumeration tool written in Go and targeting CLI usage.

(Formerly named GoBuster, name changed to avoid collision with OJ Reeve’s excellent work.)

Features

Highly portable – requires no runtime once compiled.
No GUI required.
Natively supports Socks 4, 4a, and 5 proxies.
Supports excluding entire subpaths.
Capable of parsing returned HTML for additional directories to parse.
Highly scalable – Go’s parallel model allows for many workers at once.

Contributing

Please see the CONTRIBUTING file in this directory.

CSAW Quals 2015: Sharpturn (aka Forensics 400)

david@systemoverlord.com (David Tomaschik) — Mon, 21 Sep 2015 21:33:58 +0000

The text was just:

I think my SATA controller is dying.

HINT: git fsck -v

And included a tarball containing a git repository. If you ran the suggested git fsck -v, you’d discover that 3 commits were corrupt:

:::text
Checking HEAD link
Checking object directory
Checking directory ./objects/2b
Checking directory ./objects/2e
Checking directory ./objects/35
Checking directory ./objects/4a
Checking directory ./objects/4c
Checking directory ./objects/7c
Checking directory ./objects/a1
Checking directory ./objects/cb
Checking directory ./objects/d5
Checking directory ./objects/d9
Checking directory ./objects/e5
Checking directory ./objects/ef
Checking directory ./objects/f8
Checking tree 2bd4c81f7261a60ecded9bae3027a46b9746fa4f
Checking commit 2e5d553f41522fc9036bacce1398c87c2483c2d5
error: sha1 mismatch 354ebf392533dce06174f9c8c093036c138935f3
error: 354ebf392533dce06174f9c8c093036c138935f3: object corrupt or missing
Checking commit 4a2f335e042db12cc32a684827c5c8f7c97fe60b
Checking tree 4c0555b27c05dbdf044598a0601e5c8e28319f67
Checking commit 7c9ba8a38ffe5ce6912c69e7171befc64da12d4c
Checking tree a1607d81984206648265fbd23a4af5e13b289f83
Checking tree cb6c9498d7f33305f32522f862bce592ca4becd5
Checking commit d57aaf773b1a8c8e79b6e515d3f92fc5cb332860
error: sha1 mismatch d961f81a588fcfd5e57bbea7e17ddae8a5e61333
error: d961f81a588fcfd5e57bbea7e17ddae8a5e61333: object corrupt or missing
Checking blob e5e5f63b462ec6012bc69dfa076fa7d92510f22f
Checking blob efda2f556de36b9e9e1d62417c5f282d8961e2f8
error: sha1 mismatch f8d0839dd728cb9a723e32058dcc386070d5e3b5
error: f8d0839dd728cb9a723e32058dcc386070d5e3b5: object corrupt or missing
Checking connectivity (32 objects)
Checking a1607d81984206648265fbd23a4af5e13b289f83
Checking e5e5f63b462ec6012bc69dfa076fa7d92510f22f
Checking 4a2f335e042db12cc32a684827c5c8f7c97fe60b
Checking cb6c9498d7f33305f32522f862bce592ca4becd5
Checking 4c0555b27c05dbdf044598a0601e5c8e28319f67
Checking 2bd4c81f7261a60ecded9bae3027a46b9746fa4f
Checking 2e5d553f41522fc9036bacce1398c87c2483c2d5
Checking efda2f556de36b9e9e1d62417c5f282d8961e2f8
Checking 354ebf392533dce06174f9c8c093036c138935f3
Checking d57aaf773b1a8c8e79b6e515d3f92fc5cb332860
Checking f8d0839dd728cb9a723e32058dcc386070d5e3b5
Checking d961f81a588fcfd5e57bbea7e17ddae8a5e61333
Checking 7c9ba8a38ffe5ce6912c69e7171befc64da12d4c
missing blob 354ebf392533dce06174f9c8c093036c138935f3
missing blob f8d0839dd728cb9a723e32058dcc386070d5e3b5
missing blob d961f81a588fcfd5e57bbea7e17ddae8a5e61333

Well, crap. How do we fix these? Well, I guess the good news is that the git blob format is fairly well documented. The SHA-1 of a blob is computed by taking the string blob , appending the length of the blob as an ASCII-encoded decimal value, a null character, and then the blob contents itself: blob <blob_length>\0<blob_data>. The final blob value as written in the objects directory of the git repository is the zlib-compressed version of this string. This leads us to these useful functions for reading, writing, and hashing git blobs in python:

What the LastPass CLI tells us about LastPass Design

david@systemoverlord.com (David Tomaschik) — Wed, 16 Sep 2015 05:58:19 +0000

LastPass is a password manager that claims not to be able to access your data.

All sensitive data is encrypted and decrypted locally before syncing with LastPass. Your key never leaves your device, and is never shared with LastPass. Your data stays accessible only to you.

While it would be pretty hard to prove that claim, it is interesting to take a look at how they implement their zero-knowledge encryption. The LastPass browser extensions are a mess of minified JavaScript, but they’ve been kind enough to publish an open-source command line client, that’s quite readable C code. I was interested to see what we could learn from the CLI, and while it won’t prove that they can’t read your passwords, it will help to understand their design.

So, is Windows 10 Spying On You?

david@systemoverlord.com (David Tomaschik) — Sun, 16 Aug 2015 21:00:02 +0000

“Extraordinary claims require extraordinary evidence.”

A few days ago, localghost.org posted a translation of a Czech article alledging Windows 10 “phones home” in a number of ways. I was a little surprised, and more than a little alarmed, by some of the claims. Rather than blindly repost the claims, I decided it would be a good idea to see what I could test for myself. Rob Seder has done similarly but I’m taking it a step further to look at the real traffic contents.

Blue Team Player's Guide for Pros vs Joes CTF

david@systemoverlord.com (David Tomaschik) — Sat, 15 Aug 2015 19:15:36 +0000

I’ve played in Dichotomy’s Pros v Joes CTF for the past 3 years – which, I’m told, makes me the only player to have done so. It’s an incredible CTF and dramatically different from any other that I’ve ever played. Dichotomy and I were having lunch at DEF CON when he said “You know what would be cool? A blue team player’s guide.” So, I give to you, the blue team player’s guide to the Pros v Joes CTF.

Hacker Summer Camp 2015: DEF CON

david@systemoverlord.com (David Tomaschik) — Fri, 14 Aug 2015 03:11:12 +0000

So, following up on my post on BSides LV 2015, I thought I’d give a summary of DEF CON 23. I can’t cover everything I did (after all, what happens in Vegas, stays in Vegas… mostly) but I’m going to cover the biggest highlights as I saw them.

The first thing to know about my take on DEF CON is that DEF CON is a one-of-a-kind event, somewhere between a security conference and a trip to Mecca. It’s one part conference, one part party, and one part social experience. The second thing to know about my take on DEF CON is that I’m not there to listen to people speak. If I was just there to listen to people speak, there’s the videos posted to YouTube or available on streaming/DVD from the conference recordings. I’m at DEF CON to participate, meet people, and hack all the things.

Hacker Summer Camp 2015: BSides LV & Pros vs Joes CTF

david@systemoverlord.com (David Tomaschik) — Wed, 12 Aug 2015 00:13:58 +0000

I’ve just returned from Las Vegas for the annual “hacker summer camp”, and am going to be putting up a series of blog posts covering the week. Tuesday and Wednesday were BSides Las Vegas. For the uninitiated, BSides was founded as the “flip side” to Black Hat, and has spawned into a series of community organized and oriented conferences around the globe. Entrance to BSides LV was free, but you could guarantee a spot by donating in advance if you were so inclined. (I was.)

Playing with the Patriot Gauntlet Node (Part 2)

david@systemoverlord.com (David Tomaschik) — Sat, 20 Jun 2015 22:13:50 +0000

Despite the fact that it’s been over 2 years since I posted Part 1, I got bored and decided I should take another look at the Patriot Gauntlet Node. So I go and grab the latest firmware from Patriot’s website (V21_1.2.4.6) and use the same binwalk techniques described in the first post, I extracted the latest firmware.

So, the TL;DR is: It’s unexciting because Patriot makes no effort to secure the device. It seems that their security model is “if you’re on the network, you own the device”, which is pretty much the case. Not only can you enable telnet as I’ve discussed before, there’s even a convenient web-based interface to run commands: http://10.10.10.254:8088/adm/system_command.asp. Oh, and it’s not authenticated. Even if you set an admin password (which is hidden at http://10.10.10.254:8088/adm/management.asp).

Lack of Updates, Turning 30

david@systemoverlord.com (David Tomaschik) — Sun, 10 May 2015 04:21:38 +0000

I’ve been disappointed with myself for a while for not updating more often. It’s been months! I’d been pushing myself to update regularly, but I also only want to update with genuine content. Social networks are places where I can just place random thoughts, this is a place for meaningful content that will (hopefully) be useful to others. (Though the jury’s still out on that one.)

Part of the reason for the lack of updates is burnout. For one reason or another, I just haven’t been feeling myself for a while, and so haven’t been doing as many interesting things. Some of this burnout is due to the nature of things I’ve been doing at work, but it wouldn’t be fair to blame all of it on work.

Towards a Better Password Manager

david@systemoverlord.com (David Tomaschik) — Fri, 31 Oct 2014 01:16:10 +0000

The consensus in the security community is that passwords suck, but they’re here to stay, at least for a while longer. Given breaches like Adobe, …, it’s becoming more and more evident that the biggest threat is not weak passwords, but password reuse. Of course, the solution to password to reuse is to use one password for every site that requires you to log in. The problem is that your average user has dozens of online accounts, and they probably can’t remember those dozens of passwords. So, we build tools to help people remember passwords, mostly password managers, but do we build them well?

Dangers of decorator-based registries in Python

david@systemoverlord.com (David Tomaschik) — Sun, 26 Oct 2014 18:51:13 +0000

So Flask has a really convenient mechanism for registering handlers, actions to be run before/after requests, etc. Using decorators, Flask registers these functions to be called, as in:

#!python
@app.route('/')
def homepage_handler():
 return 'Hello World'

@app.before_request
def do_something_before_each_request():
 ...

This is pretty convenient, and works really well, because it means you don’t have to list all your routes in one place (like Django requires) but it comes with a cost. You can end up with Python modules that are only needed for the side effects of importing them. No functions from those modules are directly called from your other modules, but they still need to be imported somewhere to get the routes registered.

PSA: Typos in mkfs commands are painful

david@systemoverlord.com (David Tomaschik) — Mon, 20 Oct 2014 14:19:40 +0000

TL;DR: I apparently typed mkfs.vfat /dev/sda1 at some point. Oops.

So I rarely reboot my machines, and last night, when I rebooted my laptop (for graphics card weirdness) Grub just came up with:

Error: unknown filesystem.
grub rescue>

WTF, I wonder how I borked my grub config? Let’s see what happens when we ls my /boot partition.

grub rescue>ls (hd0,msdos1)
unknown filesystem

Hrrm, that’s no good. An ls on my other partition isn’t going to be very useful, it’s a LUKS-encrypted LVM PV. Alright, time for a live system. I grab a Kali live USB (not because Kali is necessarily the best option here, it’s just what I happen to have handy) and put it in the system and boot from that. file tells me its an x86 boot sector, which is not at all what I’m expecting from an ext4 boot partition. It slowly dawns on me that at some point, intending to format a flash drive or SD card, I must’ve run mkfs.vfat /dev/sda1 instead of mkfs.vfat /dev/sdb1. That one letter makes all the difference. Of course, it turns out it’s not even a valid FAT filesystem… since the device was mounted, the OS had kept writing to it like an ext4 filesystem, so it was basically a mangled mess. fsck wasn’t able to restore it, even pointing to backup superblocks: it seems as though, among other things, the root inode was destroyed.

Getting Started in CTFs

david@systemoverlord.com (David Tomaschik) — Sun, 14 Sep 2014 20:07:10 +0000

My last post was about getting started in a career in information security. This post is about the sport end of information security: Capture the Flag (CTFs).

I’d played around with some wargames (Smash the Stack, Over the Wire, and Hack this Site) before, but my first real CTF (timed, competitive, etc.) was the CTF run by Mad Security at BSides SF 2013. By some bizarre twist of fate, I ended up winning the CTF, and I was hooked. I’ve probably played in about 30 CTFs since, most of them online with the team Shadow Cats. It’s been a bumpy ride, but I’ve learned a lot about a variety of topics by doing this.

Getting Started in Information Security

david@systemoverlord.com (David Tomaschik) — Sat, 13 Sep 2014 19:30:22 +0000

I’ve only been an information security practitioner for about a year now, but I’ve been doing things on my own for years before that. However, many people are just getting into security, and I’ve recently stumbled on a number of resources for newcomers, so I thought I’d put together a short list.

[CVE-2014-5204] Wordpress nonce Issues

david@systemoverlord.com (David Tomaschik) — Wed, 10 Sep 2014 22:54:52 +0000

Wordpress 3.9.2, released August 6th, contained fixes for two closely related vulnerabilities (CVE-2014-5204) in the way it handles Wordpress nonces (CSRF Tokens, essentially) that I reported to the Wordpress Security Team. I’d like to say the delay in my publishing this write-up was to allow people time to patch, but the reality is I’ve just been busy and haven’t gotten around to this.

TL;DR: Wordpress < 3.9.2 generated nonces in a manner that would allow an attacker to generate valid nonces for other users for a small subset of possible actions. Additionally, nonces were compared with ==, leading to a timing attack against nonce comparison. (Although this is very difficult to execute.)

Security: Not a Binary State

david@systemoverlord.com (David Tomaschik) — Fri, 05 Sep 2014 00:03:24 +0000

I’ve been spending a fair amount of time on Security StackExchange lately, mostly looking for inspiration for research and blogging, but also answering a question every now and then. One trend I’ve noticed is asking questions of the form “Is security practice X secure?”

This is asked as a yes/no question, but security isn’t a binary state. There is no “absolutely secure.” Security is a spectrum, and it really depends on what you’re worried about, which is where threat modeling comes in. Both users and service providers need to consider their risks and decide what’s important to them.

DEF CON 22 Recap

david@systemoverlord.com (David Tomaschik) — Wed, 13 Aug 2014 05:45:33 +0000

I’m back and recovering with typical post-con fatigue. This year, I made several mistakes, not the least of which was trying to do BSides, Black Hat, and DEF CON. Given the overlapping schedules and the events occurring outside the conferences, this left me really drained, not to mention spending more time transiting between the events than I’d like.

BSides Las Vegas

B-Sides was a blast, but I spent most of the time I was there playing in the Pros vs Joes CTF run by Dichotomy. This is a particularly nice Capture the Flag competition, since it’s based on defending (and attacking) “real world” networks, rather than the typical Jeopardy-style “crack this binary” competitions. Most of the problems seen in the real world aren’t, in fact, 0-day produced by talented hackers, but in fact configuration weaknesses, outdated software, and insecure practices exploited by script kiddies. PvJ forces you to consider how to harden a “corporate” environment while still providing the same services. You get a Cisco ASA as your firewall, and can reconfigure services as needed to establish your perimeter and secure your systems. On Day 2, you also get to see just how good you are at breaking in, and just how good (or bad) your opponents are at securing their network.

Weekly Reading List for 8/2/14

david@systemoverlord.com (David Tomaschik) — Sun, 03 Aug 2014 02:02:20 +0000

This has been missing for a few weeks, but it’s back!

Why is CSP Failing?

Why is CSP Failing? Trends and Challenges in CSP Adoption. Despite being an “academic” paper, this actually has a lot to offer about why one of the most effective defenses against XSS isn’t yet getting widely implemented, and what the implementation costs and strategies are.

Safari Bites the Dust

Ian Beer of Google Project Zero recently popped Safari and then proceeded to pwn OS X. This post dives into exploiting a WebKit unbounded write bug, and makes it obvious just how many hoops an attacker needs to go through compared to the ‘buffer overflow to overwrite EIP’ bugs of the ‘good old days’. It’s a great read, especially if you’re new to browser/client exploitation.

Passing Android Traffic through Burp

david@systemoverlord.com (David Tomaschik) — Sun, 13 Jul 2014 20:57:18 +0000

I wanted to take a look at all HTTP(S) traffic coming from an Android device, even if applications made direct connections without a proxy, so I set up a transparent Burp proxy. I decided to put the Proxy on my Kali VM on my laptop, but didn’t want to run an AP on there, so I needed to get the traffic to there.

Network Setup

The diagram shows that my wireless lab is on a separate subnet from the rest of my network, including my laptop. The lab network is a NAT run by IPTables on the Virtual Router. While I certainly could’ve ARP poisoned the connection between the Internet Router and the Virtual Router, or even added a static route, I wanted a cleaner solution that would be easier to enable/disable.

CVE-2014-4182 & CVE-2014-4183: XSS & XSRF in Wordpress 'Diagnostic Tool' Plugin

david@systemoverlord.com (David Tomaschik) — Fri, 04 Jul 2014 07:00:00 +0000

Versions less than 1.0.7 of the Wordpress plugin Diagnostic Tool, contain several vulnerabilities:

Persistent XSS in the Outbound Connections view. An attacker that is able to cause the site to request a URL containing an XSS payload will have this XSS stored in the database, and when an admin visits the Outbound Connections view, the payload will run. This can be trivially seen in example by running a query for http://localhost/<script>alert(/xss/)</script> on that page, then refreshing the page to see the content run, as the view is not updated in real time. This is CVE-2014-4183.

Parameter Injection in jCryption

david@systemoverlord.com (David Tomaschik) — Wed, 18 Jun 2014 01:00:00 +0000

jCryption is an open-source plugin for jQuery that is used for performing encryption on the client side that can be decrypted server side. It works by retrieving an RSA key from the server, then encrypting an AES key under the RSA key, and sending both the encrypted AES key and the RSA key to the server. This is not dissimilar to how OpenPGP encrypts data for transmission. (Though, of course, implementation details are vastly different.)

Minimal x86-64 shellcode for /bin/sh?

david@systemoverlord.com (David Tomaschik) — Thu, 05 Jun 2014 01:54:22 +0000

I was trying to figure out the minimal shellcode necessary to launch /bin/sh from a 64-bit processor, and the smallest I could come up with is 25 bytes: \x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x31\xc0\x99\x31\xf6\x54\x5f\xb0\x3b\x0f\x05.

This was produced from the following source:

BITS 64

main:
 mov rbx, 0xFF978CD091969DD1
 neg rbx
 push rbx
 xor eax, eax
 cdq
 xor esi, esi
 push rsp
 pop rdi
 mov al, 0x3b ; sys_execve
 syscall

Compile with nasm, examine the output with objdump -M intel -b binary -m i386:x86-64 -D shellcode.

Secuinside Quals 2014: Simple Login

david@systemoverlord.com (David Tomaschik) — Wed, 04 Jun 2014 02:08:25 +0000

In this challenge, we received the source for a site with a pretty basic login functionality. Aside from some boring forms, javascript, and css, we have this PHP library for handling the session management:

#!php
<?
	class common{
		public function getidx($id){
			$id = mysql_real_escape_string($id);
			$info = mysql_fetch_array(mysql_query("select idx from member where id='".$id."'"));
			return $info[0];
		}

		public function getpasswd($id){
			$id = mysql_real_escape_string($id);
			$info = mysql_fetch_array(mysql_query("select password from member where id='".$id."'"));
			return $info[0];
		}

		public function islogin(){
			if( preg_match("/[^0-9A-Za-z]/", $_COOKIE['user_name']) ){
	 			exit("cannot be used Special character");
			}

			if( $_COOKIE['user_name'] == "admin" )	return 0;

			$salt = file_get_contents("../../long_salt.txt");

			if( hash('crc32',$salt.'|'.(int)$_COOKIE['login_time'].'|'.$_COOKIE['user_name']) == $_COOKIE['hash'] ){
				return 1;
			}

			return 0;
		}

		public function autologin(){

		}

		public function isadmin(){
			if( $this->getidx($_COOKIE['user_name']) == 1){
				return 1;
			}

			return 0;
		}

		public function insertmember($id, $password){
			$id = mysql_real_escape_string($id);
			mysql_query("insert into member(id, password) values('".$id."', '".$password."')") or die();

			return 1;
		}
	}
?>

Some first impressions:

Secuinside Quals 2014: Shellcode 100

david@systemoverlord.com (David Tomaschik) — Mon, 02 Jun 2014 04:57:01 +0000

This is a level that, at first, seemed like it would be extremely simple, but then turned out to be far more complicated than expected. We were provided a zip file containing a python script and an elf binary.

Disassembling the binary reveals a very basic program:

/ (fcn) sym.main 165
| 0x0804847d 55 push ebp
| 0x0804847e 89e5 mov ebp, esp
| 0x08048480 83e4f0 and esp, 0xfffffff0
| 0x08048483 83ec30 sub esp, 0x30
| 0x08048486 8b450c mov eax, [ebp+0xc]
| 0x08048489 83c004 add eax, 0x4
| 0x0804848c 8b00 mov eax, [eax]
| 0x0804848e 890424 mov [esp], eax
| ; CODE (CALL) XREF from 0x08048376 (fcn.08048376)
| ; CODE (CALL) XREF from 0x08048370 (fcn.08048366)
| 0x08048491 e8dafeffff call 0x108048370 ; (sym.imp.atoi)
| sym.imp.atoi(unk)
| 0x08048496 89442428 mov [esp+0x28], eax
| 0x0804849a c7442424000. mov dword [esp+0x24], 0x0
| 0x080484a2 c7442408040. mov dword [esp+0x8], 0x4
| 0x080484aa 8d442424 lea eax, [esp+0x24]
| 0x080484ae 89442404 mov [esp+0x4], eax
| 0x080484b2 8b442428 mov eax, [esp+0x28]
| 0x080484b6 890424 mov [esp], eax
| ; CODE (CALL) XREF from 0x08048330 (fcn.0804832c)
| 0x080484b9 e872feffff call 0x108048330 ; (sym.imp.read)
| sym.imp.read()
| 0x080484be 8b442424 mov eax, [esp+0x24]
| 0x080484c2 c7442414000. mov dword [esp+0x14], 0x0
| 0x080484ca c7442410fff. mov dword [esp+0x10], 0xffffffff
| 0x080484d2 c744240c220. mov dword [esp+0xc], 0x22
| 0x080484da c7442408070. mov dword [esp+0x8], 0x7
| 0x080484e2 89442404 mov [esp+0x4], eax
| 0x080484e6 c7042400000. mov dword [esp], 0x0
| ; CODE (CALL) XREF from 0x08048350 (fcn.08048346)
| 0x080484ed e85efeffff call 0x108048350 ; (sym.imp.mmap)
| sym.imp.mmap()
| 0x080484f2 8944242c mov [esp+0x2c], eax
| 0x080484f6 8b442424 mov eax, [esp+0x24]
| 0x080484fa 89442408 mov [esp+0x8], eax
| 0x080484fe 8b44242c mov eax, [esp+0x2c]
| 0x08048502 89442404 mov [esp+0x4], eax
| 0x08048506 8b442428 mov eax, [esp+0x28]
| 0x0804850a 890424 mov [esp], eax
| 0x0804850d e81efeffff call 0x108048330 ; (sym.imp.read)
| sym.imp.read()
| 0x08048512 31c0 xor eax, eax
| 0x08048514 31c9 xor ecx, ecx
| 0x08048516 31d2 xor edx, edx
| 0x08048518 31db xor ebx, ebx
| 0x0804851a 31f6 xor esi, esi
| 0x0804851c 31ff xor edi, edi
\ 0x0804851e ff64242c jmp dword [esp+0x2c]

It takes a single argument, an integer, which it uses as a file descriptor for input. It then reads 4 bytes from the file descriptor, mmap’s an anonymous block of memory of that size with RWX permissions, then reads that many bytes from the file descriptor into the mapped region, and finally jumps to the map region. So, in summary, read shellcode length, read shellcode, then jump to shellcode.

Secuinside Quals 2014: Javascript Jail (Misc 200)

david@systemoverlord.com (David Tomaschik) — Mon, 02 Jun 2014 03:43:33 +0000

The challenge was pretty straightforward: connect to a service that’s running a Javascript REPL, and extract the flag. You were provided a check function that was created by the checker function given below:

#!javascript
function checker(flag, myRand) {
 return function (rand) {
 function stage1() {
 var a = Array.apply(null, new Array(Math.floor(Math.random() * 20) + 10)).map(function () {return Math.random() * 0x10000;});
 var b = rand(a.length);

 if (!Array.isArray(b)) {
 print("You're a cheater!");
 return false;
 }

 if (b.length < a.length) {
 print("hmm.. too short..");
 for (var i = 0, n = a.length - b.length; i < n; i++) {
 delete b[b.length];
 b[b.length] = [Math.random() * 0x10000];
 }
 } else if (b.length > a.length) {
 print("hmm.. too long..");
 for (var i = 0, n = b.length - a.length; i < n; i++)
 Array.prototype.pop.apply(b);
 }

 for (var i = 0, n = b.length; i < n; i++) {
 if (a[i] != b[i]) {
 print("ddang~~");
 return false;
 }
 }

 return true;
 }

 function stage2() {
 var a = Array.apply(null, new Array((myRand() % 20) + 10)).map(function () {return myRand() % 0x10000;});
 var b = rand(a.length);

 if (!Array.isArray(b)) {
 print("You're a cheater!");
 return false;
 }

 if (b.length < a.length) {
 print("hmm.. too short..");
 for (var i = 0, n = a.length - b.length; i < n; i++) {
 delete b[b.length];
 b[b.length] = [Math.random() * 0x10000];
 }
 } else if (b.length > a.length) {
 print("hmm.. too long..");
 for (var i = 0, n = b.length - a.length; i < n; i++)
 Array.prototype.pop.apply(b);
 }

 for (var i = 0, n = b.length; i < n; i++) {
 if (a[i] != b[i]) {
 print("ddang~~");
 return false;
 }
 }

 return true;
 }

 print("stage1");

 if (!stage1())
 return;

 print("stage2");

 if (!stage2())
 return;

 print("awesome!");
 return flag;
 };
}

As you can tell, there are two nearly identical stages that create an array of random length (10-30) consisting of random values. The only difference is in how the random values are generated: once from Math.random, and, in stage 2, from a function provided by the factory function. This function was not available to us to reverse the functionality of.

Weekly Reading List for 5/30/14

david@systemoverlord.com (David Tomaschik) — Fri, 30 May 2014 07:00:00 +0000

It’s been a busy week, so I’m just going to drop some info about Radare2.

Radare2 Materials

On the TrueCrypt Saga

david@systemoverlord.com (David Tomaschik) — Fri, 30 May 2014 00:52:47 +0000

If you’re anywhere near the security community, you’ve probably already heard about the (supposed) end of TrueCrypt that inspired a massive hunt for an explanation on Reddit. I’m going to drop my thoughts here, but these are all just speculation, so take them for what they’re worth (which is not much).

The Facts as We Know Them

TrueCrypt 7.2 dropped support for creating volumes. The code was massively changed, stripping out all volume creation options.
The website was updated with terrible instructions. The directions for alternatives generally point to proprietary options (BitLocker, File Vault, or, to paraphrase, “whatever you can find on Linux.”)
The new version is signed with the same key as previous versions. This implies whoever did the update is in possession of the key used for signing previous releases.
Sourceforge doesn’t think the account was compromised as posted here.

Popular Theories

The author was forced to backdoor TC and chose this instead. This seems to be the most popular theory, and given the Snowden revelations, it’s easy to see why. Assuming the adversary in question is the US Government, this seems awfully heavy-handed, and I’m not sure under which legal authority they would attempt to compel this participation. NSLs compel the production of business records, but don’t seem to allow them to force a backdooring. CALEA is for communications tools, TrueCrypt is used for storage at rest. Even those who refer to LavaBit are referring to warrants. First LavaBit was ordered to turn over messages, then encryption keys, but I’m not aware they were ever ordered to backdoor their software. It also seems odd that government agencies would choose to go after disk encryption, seems like communications encryption would be the bigger source of intelligence. There are those who have claimed “the government can force you to do anything”, which I suppose is true, but if we’re at the stage of “backdoor your code or we treat you as a terrorist” then the game’s already over, we’re off in Stasi territory, and I’m not sure that’s a world I could live in. I hope this is not the story.
The author tired of developing it and just gave up. This is a kind of odd approach, one would think they’d look for someone to hand the project to. I’m also not sure why someone who’d devoted years to developing secure encryption software would suddenly offer up terrible alternatives or otherwise deviate so strangely.
A developer was compromised. While this might give access to the PGP key, I’d have thought by now we’d have some sort of communication somewhere to claim this has happened. Unless the developer is completely out of the loop as well. Why would someone use the compromise to offer up terrible alternatives as opposed to releasing backdoored binaries quietly?
Off their meds. A couple of people have suggested that some sort of psychiatric problem is involved here. Actually seems a little reasonable, given the erratically written directions for alternatives, the sudden change in course, everything. Of course, there’s no evidence to support this, so it’s really just speculation.

I’ve turned off commenting as I think Reddit or Hacker News is a better place for such discussion, I just had a lot of thoughts I wanted to get out.

Weekly Reading List for 5/23/14

david@systemoverlord.com (David Tomaschik) — Fri, 23 May 2014 07:00:00 +0000

###Radare2 Book Maijin on GitHub is in the process of putting together an online book for Radare2. I’ve been looking for a good resource for using Radare2, and this is a great start.

###Reverse Engineering for Beginners Dennis Yurichev has a free eBook on Reverse Engineering. I haven’t gotten through it yet, but it looks interesting, and you can’t beat the price.

###Hacker Playbook Finally, I finished up The Hacker Playbook: Practical Guide To Penetration Testing this week. You can find my full review here.

DEF CON 22 CTF Quals: 3dttt

david@systemoverlord.com (David Tomaschik) — Wed, 21 May 2014 14:07:02 +0000

Unlike most of the challenges in DC22 quals, this one required no binary exploitation, no reversing, just writing a little code. You needed to play 3-D Tic Tac Toe, and you needed to play fast. Unfortunately, I didn’t record the sessions, so I don’t have the example output.

Basically, you just received an ASCII representation of each of the 3 boards making up the 3d-tic-tac-toe environment, and were prompted to provide x,y,z coordinates for your next move. However, you had only a very short period of time (fractions of a second) to send your move, so playing by hand was impossible. The winner of each board was the player with the most rows won, and it did go to the full 27 moves each time. Also, it’s important to note that the player always goes first, and that you have to win 50 rounds in order to receive the flag.

Book Review: The Hacker Playbook...

david@systemoverlord.com (David Tomaschik) — Wed, 21 May 2014 01:10:54 +0000

The Hacker Playbook: Practical Guide To Penetration Testing is an attempt to use a continuous series of football metaphors to describe the process of a network penetration test. Maybe the metaphors would work better for someone who actually watches sports, but I felt they were a bit strained and forced at times. That being said, the actual content and techniques described are solid and generally useful information. It’s arranged in the stages of a good penetration test, and reads like a strong guide for those relatively new to penetration testing. Unfortunately, it doesn’t set up general guides for each area as much as describing specific “plays” for each area, so once those techniques start to fall flat, it doesn’t leave you with a lot of depth.

DEF CON 22 CTF Quals: Hackertool

david@systemoverlord.com (David Tomaschik) — Mon, 19 May 2014 03:32:11 +0000

Hackertool was one of the Baby’s First challenges in DEF CON CTF Quals this year, and provided you with a .torrent file, and asked you to download the file and MD5 it. Seems easy enough, so I knew there must be more to it. The torrent file itself was a whopping 4 MB in size, very large for a torrent file. Looking at it, we see it contains just one file, named every_ip_address.txt, and the file is ~61GB in size. Hrrm, there must be an easier way than torrenting 61GB, especially at <1k/s.

Weekly Reading List for 5/16/14

david@systemoverlord.com (David Tomaschik) — Fri, 16 May 2014 07:00:00 +0000

###How Target Blew It Normally, I stick to more technical articles, but this article from Businessweek is a very interesting read on how, despite doing most of the right things technically, company procedures and humans can still be the weak link in your security infrastructure.

The Machine Inside the Machine

david@systemoverlord.com (David Tomaschik) — Tue, 13 May 2014 04:24:00 +0000

Imagine this scenario:

One of your employees visits a site offering a program to download videos from a popular video site. Because they’d like to throw some videos on their phone, they download and install it, but it comes with a hitchhiker: a RAT, or remote access trojan. So Trudy, an attacker, has a foothold, but the user isn’t an administrator, so she starts looking at the network for a place to pivot. Scanning a private subnet, she finds a number of consecutive IP addresses all offering webservers, FTP servers, and even telnet! Connecting to one, the attacker suddenly realizes she has just found her golden ticket…

Workflowy: Good for Keeping Organized?

david@systemoverlord.com (David Tomaschik) — Sat, 10 May 2014 02:53:35 +0000

I’ve been using Workflowy for a while as an organizational tool. It self describes as thus:

WorkFlowy is an organizational tool that makes life easier. It can help you organize personal to-dos, collaborate on large team projects, take notes, write research papers, keep a journal, plan a wedding, and much more.

I’ve been using Workflowy for about 6 months now, and so I think I’ve developed a good feeling for what’s working for me and what’s not, but I think it’s important to recognize that everyone will have different needs and expectations out of an organizational tool.

Reading List for 5/9/2014

david@systemoverlord.com (David Tomaschik) — Fri, 09 May 2014 07:00:00 +0000

###On XTS Mode for Disk Encryption Thomas Ptacek writes You Don’t Want XTS, and suggests that though XTS works well enough in practice, it is far from ideal for Full Disk Encryption, and should not be used at all for other encryption operations (i.e., anything that doesn’t resemble FDE). XTS is useful only in that it makes “random access” encryption more secure, as you need for a disk. For encryption of whole blocks of data at rest, you probably want CBC mode, and for anything on the wire, AES-GCM is the new hotness.

Announcement: PwnableWeb Released

david@systemoverlord.com (David Tomaschik) — Fri, 09 May 2014 00:11:58 +0000

In addition to my primary interest in the technical aspects of information security, I’m also a big fan of wargames & CTFs as educational tools, so a while back, I decided I wanted to build a web-based wargame and CTF scoreboard system. Today I am releasing the results of that, dubbed PwnableWeb, under the Apache 2.0 License. It includes web-based wargame-style challenges and an accompanying scoreboard.

###The Framework Each vulnerable site is built on top of a small framework that provides common functionality, and also provides a framework for building a client for interactive exploitation. (It provides a target to exploit XSS and XSRF against.)

Book Review: Red Team Field Manual

david@systemoverlord.com (David Tomaschik) — Fri, 02 May 2014 15:24:27 +0000

I recently picked up a copy of the Red Team Field Manual on Amazon after hearing good things from a few people in the industry. It’s information dense, basically a concatenation of cheat sheets for everything you’d want to do during a pentest. I’m mostly a Linux/Unix guy, and given my role on an internal red team for a mostly Linux company, I don’t do a lot of Windows. However, I recently had an engagement where we were targeting Windows, and I wish I’d had the RTFM handy then: there are a number of great pointers for Windows that I could’ve leveraged to make my engagement go more smoothly. Additionally, the book provides coverage for other platforms, like Cisco IOS, and for various scripting situations in Powershell, Python, or even Scapy.

VPS Upgrade

david@systemoverlord.com (David Tomaschik) — Wed, 23 Apr 2014 14:14:25 +0000

As I’ve mentioned before, my blog is hosted on a VPS at Linode. Just under 3 years ago, I moved to my current VPS in their Newark DC to take advantage of their native IPv6 support. I’ve now moved within Linode again, this time to take advantage of their awesome free upgrades.

$20/month gets you a 2GB Xen VM backed by enterprise-grade SSDs, Ivy Bridge Xeons, and a 40Gbps backbone. Think that 40Gbps is going to waste? Think again. I downloaded a 100MB test file from Cachefly in 1.2 seconds. That’s 85.5 MB/s. Consider my mind blown.

A Brief History of the Internet (Security-Wise)

david@systemoverlord.com (David Tomaschik) — Wed, 16 Apr 2014 04:55:14 +0000

I originally posted this to the DC404 Mailing List, but got some positive feedback, so I thought I’d post it here as well. The broad strokes should be correct, but there might be some inaccuracies here — if you’re aware of one, please let me know and I’ll correct it.

There was a thread ongoing about Heartbleed, and it turned into a question of why security on the Internet is so complicated, and couldn’t it be any simpler? Well, the truth be told, security on the Internet is a house of cards.

PlaidCTF 2014: Conclusion

david@systemoverlord.com (David Tomaschik) — Mon, 14 Apr 2014 17:30:42 +0000

The 2014 edition of PlaidCTF was excellent, but I wish we’d been able to make it through more challenges. We cleared about 7 challenges, but really only two of them felt worth writing up. The others have been well documented elsewhere, no sense in rewriting the same thing.

I liked how the challenges often required a series of exploits/techniques, this is much like what happens in the real world. I do wish I had spent more time on binary exploitation, attempting to get a solution to _nightmares_ burned a lot of time.

PlaidCTF 2014: ReeKeeeee

david@systemoverlord.com (David Tomaschik) — Mon, 14 Apr 2014 06:46:01 +0000

ReeKeeeeee was, by far, the most visually painful challenge in the CTF, with a flashing rainbow background on every page. Blocking scripts was clearly a win here. Like many of the challenges this year, it turned out to require multiple exploitation steps.

ReeKeeeeee was a meme-generating service that allowed you to provide a URL to an image and text to overlay on the image. Source code was provided, and it was worth noting that it’s a Django app using the django.contrib.sessions.serializers.PickleSerializer serializer. As the documentation for the serializer notes, If the SECRET_KEY is not kept secret and you are using the PickleSerializer, this can lead to arbitrary remote code execution. So, maybe, can we get the SECRET_KEY?

PlaidCTF 2014: mtpox

david@systemoverlord.com (David Tomaschik) — Mon, 14 Apr 2014 05:13:12 +0000

150 Point Web Challenge

The Plague has traveled back in time to create a cryptocurrency before Satoshi does in an attempt to quickly gain the resources required for his empire. As you step out of your time machine, you learn his exchange has stopped trades, due to some sort of bug. However, if you could break into the database and show a different story of where the coins went, we might be able to stop The Plague.

Weekly Reading List for 4/4/14

david@systemoverlord.com (David Tomaschik) — Fri, 04 Apr 2014 07:00:00 +0000

It’s been a while where I’ve been too busy even for any good reading, but we’re back to the reading lists!

Return-Oriented Programming (ROP)

Code Arcana has an excellent introduction to ROP exploitation techniques. In addition to providing an introduction to the concept, it takes it through detailed implementation and debugging. I look forward to getting an opportunity to try it during the next CTF with a ROP challenge. (I’m guess PlaidCTF will offer such a chance.)

PwnableWeb: Vulnerable Apps & Scoreboard for Teaching

david@systemoverlord.com (David Tomaschik) — Tue, 01 Apr 2014 00:00:00 +0000

The Framework

Each vulnerable site is built on top of a small framework that provides common functionality, and also provides a framework for building a client for interactive exploitation. (It provides a target to exploit XSS and XSRF against.)

The current framework is written in Python, using Flask and SQLAlchemy for speed of development. The vulnerable apps so far run just fine with a sqlite DB, but I usually use MySQL. This isn’t for load, but because SQLi is more interesting against the sort of DBs that are commonly used in the “real world”.

Boston Key Party: Mind Your Ps and Qs

david@systemoverlord.com (David Tomaschik) — Mon, 10 Mar 2014 21:29:13 +0000

About a week old, but I thought I’d put together a writeup for mind your Ps and Qs because I thought it was an interesting challenge.

You are provided 24 RSA public keys and 24 messages, and the messages are encrypted using RSA-OAEP using the private components to the keys. The flag is spread around the 24 messages.

So, we begin with an analysis of the problem. If they’re using RSA-OAEP, then we’re not going to attack the ciphertext directly. While RSA-OAEP might be vulnerable to timing attacks, we’re not on a network service, and there are no known ciphertext-only attacks on RSA-OAEP. So how are the keys themselves? Looking at them, we have a ~1024 bit modulus:

Integer Overflow Vulnerabilities

david@systemoverlord.com (David Tomaschik) — Thu, 27 Feb 2014 04:01:07 +0000

What’s wrong with this code (other than the fact the messages are discarded)?

#!c
void read_messages(int fd, int num_msgs) {
 char buf[1024];
 size_t msg_len, bytes_read = 0;

 while(num_msgs--) {
 read(fd, &msg_len, sizeof(size_t));
 if (bytes_read + msg_len > sizeof(buf)) {
 printf("Buffer overflow prevented!\n");
 return;
 }
 bytes_read += read(fd, buf+bytes_read, msg_len);
 }
}

If you answered “nothing”, you’d be missing a significant security issue. In fact, this function contains a trivial buffer overflow. By supplying a length 0 < len_a < 1024 for the first message, then a length INT_MAX-len_a ≤ len_b < UINT_MAX, the value bytes_read + msg_len wraps around past UINT_MAX and is less than sizeof(buf). Then the read proceeds with its very large value, but can only read as much data as is available on the file descriptor (probably a socket, if this is a remote exploit). So by supplying enough data on the socket, the buffer will be overflowed, allowing to overwrite the saved EIP.

Codegate 2014 Quals: 120

david@systemoverlord.com (David Tomaschik) — Wed, 26 Feb 2014 06:51:10 +0000

From Codegate 2014 quals comes “120”. Provided is a web interface with a single text box and a link to the source, reproduced below:

#!php
<?php
session_start();

$link = @mysql_connect('localhost', '', '');
@mysql_select_db('', $link);

function RandomString()
{
 $filename = "smash.txt";
 $f = fopen($filename, "r");
 $len = filesize($filename);
 $contents = fread($f, $len);
 $randstring = '';
 while( strlen($randstring)<30 ){
 $t = $contents[rand(0, $len-1)];
 if(ctype_lower($t)){
 $randstring .= $t;
 }
 }
 return $randstring;
}

$max_times = 120;

if ($_SESSION['cnt'] > $max_times){
 unset($_SESSION['cnt']);
}

if ( !isset($_SESSION['cnt'])){
 $_SESSION['cnt']=0;
 $_SESSION['password']=RandomString();

 $query = "delete from rms_120_pw where ip='$_SERVER[REMOTE_ADDR]'";
 @mysql_query($query);

 $query = "insert into rms_120_pw values('$_SERVER[REMOTE_ADDR]', ".
 "'$_SESSION[password]')";
 @mysql_query($query);
}
$left_count = $max_times-$_SESSION['cnt'];
$_SESSION['cnt']++;

if ( $_POST['password'] ){
 
 if (eregi("replace|load|information|union|select|from|where|" .
 "limit|offset|order|by|ip|\.|#|-|/|\*",$_POST['password'])){
 @mysql_close($link);
 exit("Wrong access");
 }

 $query = "select * from rms_120_pw where ".
 "(ip='$_SERVER[REMOTE_ADDR]') and " .
 "(password='$_POST[password]')";
 $q = @mysql_query($query);
 $res = @mysql_fetch_array($q);
 if($res['ip']==$_SERVER['REMOTE_ADDR']){
 @mysql_close($link);
 exit("True");
 }
 else{
 @mysql_close($link);
 exit("False");
 }
}

@mysql_close($link);
?>

<head>
<link rel="stylesheet" type="text/css" href="black.css">
</head>

<form method=post action=index.php>
 <h1> <?= $left_count ?> times left </h1>
 <div class="inset">
 <p>
 <label for="password">PASSWORD</label>
 <input type="password" name="password" id="password" >
 </p>
 </div>
 <p class="p-container">
 <span onclick=location.href="auth.php"> Auth </span>
 <input type="submit" value="Check">
 </p>
</form>

The TL;DR of this code is that it uses your PHP session to store a 30 character lowercase letter token, and a counter of how many tries you’ve made against it. You’re given 120 total tries, then a new code will be generated, meaning any data you’ve been able to glean is useless. For what it’s worth, not all letters are equally likely – the source of the data is Aleph One’s “Smashing the Stack for Fun and Profit.” The code contains a blacklist to protect against certain types of SQL injection, but certainly doesn’t cover all SQL injection possibilities.

Weekly Reading List for 2/15/14

david@systemoverlord.com (David Tomaschik) — Sat, 15 Feb 2014 18:20:25 +0000

I’ve been thinking a lot about social engineering lately, so I’m going to highlight some of my favorite social engineering resources.

Chris Hadnagy’s book, Social Engineering: The Art of Human Hacking is the authoritative guide on social engineering techniques and counter-measures. Chris describes many of the techniques and approaches used by social engineers, ranging from basic pretexting to full-on neuro-linguistic programming. You can’t protect against what you can’t recognize, so being able to identify the techniques of social engineering is the first step to protecting yourself and your organization.

printf Format String Exploitation

david@systemoverlord.com (David Tomaschik) — Wed, 12 Feb 2014 07:16:01 +0000

The format string in a printf statement is responsible for significant flow control within the program, and, if attacker-controlled, can be used to exploit the application in various ways. Specifically, an attacker can read and write arbitrary memory.

Reading memory can be accomplished through the usual operators, and the GNU extension of %<x>$ allows you to jump through the stack to arbitrary positions (as a multiple of the addressing size, anyway). The %n format specifier allows to write to a memory address: the address at that point on the stack is taken as an int *, and the number of bytes output so far will be written to the address. So this allows us to write a value by outputting the number of bytes for the value we want to write.

Weekly Reading List for 2/8/14

david@systemoverlord.com (David Tomaschik) — Sat, 08 Feb 2014 08:00:00 +0000

Android Pentesting Guides

I’ve been reading a lot about Android pentesting this week, so rather than summarizing each one, here’s a list of useful reading for Android pentesting.

Android Application Security Assessments from Symantec
Introduction to Pentesting Android Applications from Pentura Labs
AppSec Labs offers the AppUse Virtual Machine for Android Pentesting

Useful Lab Settings

Maybe you want to test something with an executable stack, ASLR off, or otherwise disable some security feature? This article describes settings for NX, ASLR, and SSP on Linux boxes. More details here.

Weekly Reading List for 2/1/14

david@systemoverlord.com (David Tomaschik) — Sat, 01 Feb 2014 08:00:00 +0000

Previews for BSides SF 2014

A couple of new articles have been posted with previews of this year’s BSides San Francisco. Akamai has a preview of several talks and Tripwire previews a day in the life of an information security researcher.

Application Whitelist Bypass

@infosecsmith2 guest posts over at Room362 about using IEexec.exe to bypass application whitelisting.

Custom Wordlists

Chief Monkey over at IT Security Toolbox reports on a tool called SmeegeScrape that allows you to build a wordlist from the contents of a system. He reports on it in the context of a forensics task, but it seems like it would be a great option for penetration testing as well.

Weekly Reading List for 1/25/14

david@systemoverlord.com (David Tomaschik) — Sat, 25 Jan 2014 08:00:00 +0000

This week, we’re focusing on binary exploitation and reversing. (Thanks to Ghost in the Shellcode for making me feel stupid with all their binary pwning challenges!)

Basic Shellcode Examples

Gal Badishi has a great set of Basic Shellcode Examples. It’s almost two years old, but a good primer into how basic shellcode works. x86 hasn’t changed (yes, I’m ignoring x64 for now), so still quite a relevant resource for those of us who have leaned on msfvenom/msfpayload for our payload needs.

Ghost in the Shellcode 2014

david@systemoverlord.com (David Tomaschik) — Tue, 21 Jan 2014 04:57:33 +0000

A quick Ghost in the Shellcode 2014 summary. Great CTF, but you better know your binary exploitation. I’m pretty happy with the overall 27th finish Shadow Cats managed. Here’s a summary of our team writeups, the first 3 by me, the last one by Dan.

Ghost in the Shellcode 2014: Radioactive

david@systemoverlord.com (David Tomaschik) — Sun, 19 Jan 2014 20:21:46 +0000

Radioactive was a crypto challenge that executed arbitrary python code, if you could apply a correct cryptographic tag. Source was provided, and the handler is below:

#!python
class RadioactiveHandler(SocketServer.BaseRequestHandler):
 def handle(self):
 key = open("secret", "rb").read()
 cipher = AES.new(key, AES.MODE_ECB)

 self.request.send("Waiting for command:\n")
 tag, command = self.request.recv(1024).strip().split(':')
 command = binascii.a2b_base64(command)
 pad = "\x00" * (16 - (len(command) % 16))
 command += pad

 blocks = [command[x:x+16] for x in xrange(0, len(command), 16)]
 cts = [str_to_bytes(cipher.encrypt(block)) for block in blocks]
 for block in cts:
 print ''.join(chr(x) for x in block).encode('hex')

 command = command[:-len(pad)]

 t = reduce(lambda x, y: [xx^yy for xx, yy in zip(x, y)], cts)
 t = ''.join([chr(x) for x in t]).encode('hex')

 match = True
 print tag, t
 for i, j in zip(tag, t):
 if i != j:
 match = False

 del key
 del cipher

 if not match:
 self.request.send("Checks failed!\n")
 eval(compile(command, "script", "exec"))

 return

So, it looks for a tag:command pair, where the tag is hex-encoded and the command is base64 encode. The command must be valid python, passed through compile and eval, so you’ll need to send a response back to yourself via self.request.send.

Ghost in the Shellcode 2014: Lugkist

david@systemoverlord.com (David Tomaschik) — Sun, 19 Jan 2014 19:43:56 +0000

Lugkist was an interesting “trivia” challenge. We were told “it’s not crypto”, but it sure looked like a crypto challenge. We had a file like:

Find the key.

GVZSNG
AXZIOG
YNAISG
ASAIUG
IVPIOK
AXPIVG
PVZIUG
AXLIEG

Always 6 letters, but no other obvious pattern. I did notice that the 4th character always was S or I and the final character G or K, but couldn’t make anything of that. I realized the full character set was ‘AEGIKLONPSUTVYXZ’. Searching for this string revealed nothing, but searching for the characters space separated revealed that this was the same character set as used by the codes for the original Game Genie. And Game Genie codes were 6 characters long.

Ghost in the Shellcode 2014: Pillowtalk

david@systemoverlord.com (David Tomaschik) — Sun, 19 Jan 2014 19:11:27 +0000

Pillowtalk was a 200 point crypto challenge. Provided was a stripped 64-bit binary along with a pcap file. I started off by exercising the behavior of the binary, looking at system calls/library calls to see what it was doing.

Client connects to server
Server reads 32 bytes from /dev/urandom
Server sends 32 bytes on the wire (not same bytes as read from /dev/urandom)
Client does same 32 byte read/send
Loop:
- Server reads a line from stdin
- Server sends 4 byte length
- Server sends encrypted line
- Client does the same steps

My first approach was by trying to use scapy to replay the pcap to the server, but this only gave complete noise, so I decided the two 32 byte values must be significant. I even tried controlling /dev/urandom (via LD_PRELOAD) to see if putting in the 32 bytes from the pcap would get to the right key. It didn’t.

Weekly Reading List for 1/18/14

david@systemoverlord.com (David Tomaschik) — Sat, 18 Jan 2014 05:00:00 +0000

I’ve decided to start posting a weekly reading list of interesting security-related articles I’ve come across in the past week. They’re not guaranteed to be new, but should at least still be relevant.

Using a BeagleBone to bypass 802.1x

Most security practitioners are already aware that NAC doesn’t provide meaningful security. While it’ll keep some random guy from plugging in to an exposed ethernet port in the lobby (shouldn’t that be turned off?), it won’t stop a determined attacker. You can just MITM the legitimate device, let it perform the 802.1x handshake, then send packets appearing to be from the legitimate device. To make it easier, ShellSherpa has put together a BeagleBone-based device to automatically MITM the NAC connection.

LD_PRELOAD for Binary Analysis

david@systemoverlord.com (David Tomaschik) — Mon, 13 Jan 2014 02:18:16 +0000

During the BreakIn CTF, there were a few challenges that depended on the return value of of libc functions like time() or rand(), and had differing behavior depending on those return values. In order to more easily reverse those binaries, it can be nice to control the return values of those functions. In other cases, you have binaries that may call functions like unlink(), system(), etc., where you prefer not to have those functions really called. (Though you are running these untrusted binaries in a VM, right?)

BreakIn CTF 2014

david@systemoverlord.com (David Tomaschik) — Mon, 13 Jan 2014 01:20:08 +0000

The Threads BreakIn CTF hosted by IIIT Hyderabad has just wrapped up. Shadow Cats did pretty well, placing 16th overall, completing 22/33 challenges, especially considering we only had 2 guys playing this CTF. Mad props goes out to Dan, and here’s hoping for a bigger team turnout next week for Ghost in the Shellcode.

I’m going to be doing some writeups of a couple of the challenges I thought were particularly interesting, as well as some topical information inspired by the CTF. I’ll be linking to the writeups below as they get published.

2014 OKRs

david@systemoverlord.com (David Tomaschik) — Sun, 05 Jan 2014 18:15:30 +0000

At work, we use the OKR system for managing our objectives. I’ve decided to set myself some annual objectives and list out their key results here. At the end of the year, I’ll grade myself on my OKRs and we’ll see how I’m doing.

Get better at reversing
- Complete OpenSecurityTraining.info x86 class
- Complete 3 reversing challenges from WeChall
Play CTFs
- Compete in at least 3 CTFs
- (Stretch Goal) Top 10% Finish
- Complete the challenges on OverTheWire.org
Blogging
- At least 1 Blog Post/week
Lose Weight & Exercise
- Lose 25 lbs.
- Get at least 60 minutes aerobic exercise a week
Become a more powerful vim/zsh user
- Use vim keybindings in zsh
- Read full zsh guide
- Learn 6 new vim commands

DerbyCon CTF

david@systemoverlord.com (David Tomaschik) — Sun, 29 Sep 2013 22:38:19 +0000

While at Derbycon last weekend, I played in the Derbycon Capture the Flag (CTF). I played with some people from the DefCon Group back in Atlanta (DC404) – and we had a great team and that lead to a 5th place finish out of more than 80 teams with points on the board. Big shout out to Michael (@decreasedsales), Aaron (@aaronmelton), Dan (@alltrueic), and all the others who helped out.

CTF Practice

david@systemoverlord.com (David Tomaschik) — Sun, 08 Sep 2013 23:45:22 +0000

Those who know me know that I might play in the occasional CTF competition. It's a good way to improve my skills, keep my mind sharp, and it's just plain fun. From a defensive security perspective, it's quite amazing to see how code that looks perfectly reasonable is, in fact, quite often very broken. If you've never done a CTF, you should watch @rogueclown's "If You Can Open A Terminal, You Can Capture the Flag."

Thoughts on NSA Surveillance

david@systemoverlord.com (David Tomaschik) — Fri, 06 Sep 2013 01:17:36 +0000

I'm going to make this quick -- trying to distill all my thoughts on the NSA into a blog post is impossible, but I feel the need to post something. I believe the actions of the NSA violate my privacy, violate the 4th amendment, and violate the rights of every person on the Internet. The US Government has Betrayed the Internet, and We Need to Take It Back. While I don't want to give free reign to terrorists, we have been talking about how our Constitution is what makes America great, and yet we have shredded that very document. I lose sleep over this not because of the ways the government claims its being used, but over the ways it could be misused -- the next Hoover, the next Nixon, the next McCarthy. It's time for us to return to a government that respects our rights and our constitution; It's time to return to checks and balances; It's time for America to be free again. I've been a member of the EFF for several years now, and it (along with organizations like the ACLU and other civil liberties organizations) is the only hope I have left for our country.

Setting Up Kali Linux

david@systemoverlord.com (David Tomaschik) — Fri, 26 Jul 2013 03:55:12 +0000

I've been meaning to write this up for a while, and it's as much a reminder to me as it's meant to be useful to anyone else, but with DEFCON around the corner, I'm reformatting my laptop for the trip, so now's the best time. I'm sure everyone has their own "routine" when setting up a new system. This is my checklist for Kali Linux, which I use for security cons & ctfs, and is separate from my everyday OS installs.

Boston Key Party -- MITM

david@systemoverlord.com (David Tomaschik) — Mon, 10 Jun 2013 00:54:54 +0000

Boston Key Party is the latest CTF I've played in (this time playing with some local friends as part of our team 'Shadow Cats'). The first challenge we cleared (actually, first blood in the CTF) was MITM.

Now, you might think a challenge named "MITM" was some sort of Man-In-The-Middle exercise, but it's actually crypto! We're given five base-64 encoded messages: two plaintext/ciphertext pairs, and a ciphertext (which we're presumably supposed to decrypt).

PlaidCTF Compression

david@systemoverlord.com (David Tomaschik) — Tue, 30 Apr 2013 05:26:20 +0000

PlaidCTF 2013 had a level called "Compression". Here's the provided code for this level:

#!/usr/bin/python
import os
import struct
import SocketServer
import zlib
from Crypto.Cipher import AES
from Crypto.Util import Counter
 
# Not the real keys!
ENCRYPT_KEY = '0000000000000000000000000000000000000000000000000000000000000000'.decode('hex')
# Determine this key.
# Character set: lowercase letters and underscore
PROBLEM_KEY = 'XXXXXXXXXXXXXXXXXXXX'
 
def encrypt(data, ctr):
    aes = AES.new(ENCRYPT_KEY, AES.MODE_CTR, counter=ctr)
    return aes.encrypt(zlib.compress(data))
 
class ProblemHandler(SocketServer.StreamRequestHandler):
    def handle(self):
        nonce = os.urandom(8)
        self.wfile.write(nonce)
        ctr = Counter.new(64, prefix=nonce)
        while True:
            data = self.rfile.read(4)
            if not data:
                break
 
            try:
                length = struct.unpack('I', data)[0]
                if length > (1<<20):
                    break
                data = self.rfile.read(length)
                data += PROBLEM_KEY
                ciphertext = encrypt(data, ctr)
                self.wfile.write(struct.pack('I', len(ciphertext)))
                self.wfile.write(ciphertext)
            except:
                break
 
class ReusableTCPServer(SocketServer.ForkingMixIn, SocketServer.TCPServer):
    allow_reuse_address = True
 
if __name__ == '__main__':
    HOST = '0.0.0.0'
    PORT = 4433
    SocketServer.TCPServer.allow_reuse_address = True
    server = ReusableTCPServer((HOST, PORT), ProblemHandler)
    server.serve_forever()

So there's a few interesting things of note here:

Booting Raw Partitions in VirtualBox with Grub2

david@systemoverlord.com (David Tomaschik) — Thu, 04 Apr 2013 06:44:27 +0000

Background: I dual-boot my laptop between two different Linux distributions: one for normal/desktop use (currently Mint), and one for "security" uses: mostly CTFs or otherwise hostile networks (currently Kali Linux). I also kept a Kali installation in a VM for use from within my desktop environment, but I was getting tired of having two Kali installations on the one laptop. I'd discover irritation at different configurations, not easily having data between the two, etc. Suffice it to say that fewer installations to maintain is a good thing. So I wondered: can I boot my raw hard disk install from VirtualBox?

Lessons From the Nebula

david@systemoverlord.com (David Tomaschik) — Sun, 24 Mar 2013 00:46:59 +0000

Exploit-Exercises.com's Nebula, that is. I just spent a good 8 hours or so working through the levels there, and I'm pretty sure I took much longer than I should have. In any case, there were a couple of things I was disappointed by: running "getflag" to get a flag (or otherwise being delivered a token) didn't provide you with anything to really validate what you were doing. You can actually jump directly to any level (which is good when you reset your VM) but not so interesting for "progression" or the sense of accomplishment -- at least for me.

BSides SF CTF by MAD Security, Conclusion

david@systemoverlord.com (David Tomaschik) — Wed, 06 Mar 2013 05:51:21 +0000

This is the conclusion to my write-up of the awesome BSides SF CTF by MAD Security/The Hacker Academy. You can find the other parts here: Levels 1-2, Levels 3-4, Levels 5-7.

What I Learned

Don't overthink things -- work from the simplest case.
Internet access during a CTF may be spotty (or nonexistent) -- be prepared to work fully offline. (Download a copy of exploit-db, etc.)
Keep meticulous notes -- otherwise you'll find yourself revisiting avenues you've exhausted, forgetting things, etc.

What I Wish I'd Done

BSides SF CTF by MAD Security, Part 3

david@systemoverlord.com (David Tomaschik) — Sun, 03 Mar 2013 19:41:47 +0000

This is a continuation of my write-up of the BSides SF 2013 CTF.

Level 5: Phone Work
This level required that we find a phone number on the Absurdistani snoop's computer and gain access to the voicemail box associated with the number. Finding the number was straightforward -- there was an email draft that contained the signature of the snoop, and in that signature was his phone number and voice mail box number. (This also lets us know his name is Marco.) Calling the phone number and entering the VM box number, we're asked for the PIN of the voicemail box. After trying some obvious things (the VM box number, the last 4 digits of the phone number, 1234, 0000, etc.) I started looking through his machine for any clues, but his machine was very sparsely populated with files. So, off to the internet for a list of the most common pins. Yeah, humans are predictable... the top 20 PINs (20/10000 =~ 0.2% of pins) represent a whopping 27% of PINs in use. Turns out Marco was that predictable too. One of the top 10 and we're in! The voicemail tells Marco that his new secure key is available on the secure keyserver, which he can retrieve using the 15 digit project access code.

BSides SF CTF by MAD Security, Part 2

david@systemoverlord.com (David Tomaschik) — Sun, 03 Mar 2013 00:43:10 +0000

This is a continuation of my write-up of the BSides SF 2013 CTF.

Level 3: Disk Forensics
A professional cleaner who has done some work for Nick provides you with an image of a flash drive, and you're to find the most "interesting file" on the drive and provide its md5sum. The first thing I do is run file on the image to get an idea of what we're working with:

BSides SF CTF by MAD Security, Part 1

david@systemoverlord.com (David Tomaschik) — Sat, 02 Mar 2013 07:47:38 +0000

Last weekend I was at BSides SF and had the opportunity to participate in the Capture the Flag competition run by MAD Security/The Hacker Academy. I was able to clear 6 of the levels, and thought I'd write them up here to share my experience. Most of this is from my memory, so there might be a few inaccuracies, but the intent is to share the general concepts, not the specifics.

Homeland by Cory Doctorow

david@systemoverlord.com (David Tomaschik) — Wed, 06 Feb 2013 10:12:50 +0000

Those who know me will not be surprised to learn that I have stayed up until 1:45 AM reading Cory Doctorow's new book, Homeland. Homeland is the sequel to Little Brother, Cory's first novel about a dystopian near-future/present of the American Surveillance State, which was one of my favorite novels of all time. Homeland doesn't disappoint -- it's realistic enough to be scary, but sufficiently fictional to not be downright terrifying. Little Brother and Homeland are the Nineteen Eighty-Four of the 21^st century -- a warning of an issue that society is largely ignoring, and that will affect every one of us.

Playing with the Patriot Gauntlet Node (Part 1)

david@systemoverlord.com (David Tomaschik) — Tue, 05 Feb 2013 07:54:05 +0000

I recently picked up a Patriot Gauntlet Node just to take a look at it. Playing with the device, it seemed to be a pretty straightforward wireless SoC with a hard drive interface. Many, if not most, of these embedded SoCs use Linux as their operating system, so I decided to go a bit further and see what was going on.

I headed over to the Patriot website and downloaded the firmware for the Gauntlet Node, unzipped the file, and ran binwalk against it. (Binwalk is an awesome tool that essentially runs 'file' with a special magic file against every possible byte offset to find the parts of a firmware image.)

Social Engineering: The Art of Human Hacking

david@systemoverlord.com (David Tomaschik) — Sun, 02 Dec 2012 21:49:25 +0000

I just got done reading Christopher Hadnagy's Social Engineering: The Art of Human Hacking. If you are interested in the social aspects of information security, this provides an in-depth view of the actual techniques and science behind social engineering. While books like Kevin Mitnick's The Art of Deception and The Art of Intrusion tell amusing and noteworthy stories of social engineering hacking, Hadnagy's book tells you why and how it works. Hadnagy's exposure all reveals the most important lesson -- how to defend against the attacks.

The segmentation fault occurred where?!?

david@systemoverlord.com (David Tomaschik) — Mon, 19 Nov 2012 01:36:17 +0000

I recently ran into a C++ problem where a segfault was occurring in code in a stable library that hadn't been changed in a while. For a while, I couldn't figure out what would have broken in that library, and the call site looked perfectly fine. Before I give away the answer, let's take a quick quiz. What does the following code output? (And yes, this is somewhat compiler dependent, so let's pretend we're talking about how g++ works.)

MITM on KVM Guests

david@systemoverlord.com (David Tomaschik) — Sun, 11 Nov 2012 02:47:43 +0000

I run a KVM virtualization system as part of my test lab. I often want to redirect traffic to an intermediate application (such as sslsniff) on the host. Supposing I have a guest on interface vnet7, bridged to br10, with the host running on 192.168.1.10 the following ebtables & iptables magic gets the job done:

ebtables -t broute -A BROUTING -p IPv4 -i vnet7 --ip-proto tcp --ip-dport 443 -j redirect --redirect-target DROP
iptables -t nat -A PREROUTING -i vnet7 -p tcp --dport 443 -j DNAT --to-destination 192.168.1.10:9999

Note that you can't use -j REDIRECT, as that's (roughly) equivalent to DNAT to the IP of the incoming interface, but bridged virtual network interfaces (vnet7) have no IP address.

Presentation: The Keys to SSH

david@systemoverlord.com (David Tomaschik) — Sun, 01 Apr 2012 00:00:00 +0000

The Secure Shell, or SSH, is a powerful communications tool most often used for securely accessing a command-line session on a remote system. As essential as that functionality is, there is much more to SSH than that. This talk will introduce SSH, and discuss integral applications including secure file transfer, accessing services behind a firewall, and running graphical applications software remotely. Specific topics include:

Starting with SSH SSH Keys Secure File Copying (SCP) Port Forwarding X11 Forwarding Advanced SSH options and functions

2 Weeks at Google

david@systemoverlord.com (David Tomaschik) — Mon, 12 Mar 2012 05:08:01 +0000

Two weeks at Google have been... amazing. There's a lot that I can't talk about, but I can feel comfortable in confirming some of the things you hear about Google:

The people are insanely smart.
The scale blows your mind as a Noogler (new Googler).
The food is great.
It has culture.

I'm a "Site Reliability Engineer" which is a job title that may not exist anywhere else. It's basically production-oriented operational engineering: keeping production systems running and making them run better.

The End of a Chapter

david@systemoverlord.com (David Tomaschik) — Thu, 16 Feb 2012 04:59:59 +0000

I'm not usually one for reflective personal blog entries, but some events require a brief mention: today was my last day at KSU, and it was an incredibly surreal day. Though I've known this day was coming for over a month, it is still hard to believe that it got here. In many ways, today felt like any other day: the work was similar, things needed to get done. In other ways, there was an 800 pound gorilla in the room: everyone knew that tomorrow I wouldn't be coming to work. When I finally cleared out my office, the finality of what was going on really hit me.

My Time at KSU

david@systemoverlord.com (David Tomaschik) — Fri, 03 Feb 2012 04:24:58 +0000

As you might have seen, I'm leaving my position at Kennesaw State University to take a position as a Site Reliability Engineer at Google. This is something I'm very excited about, but I thought I'd take a look back at my time at KSU as I approach the end. It's worth mentioning that I'm not leaving KSU because of KSU, but because this is an opportunity I just could not turn down. For the most part, I like my position at KSU, and I really like most of the people that I work with. There's a particular group that's become three of my closest friends and one treasured acquaintance.

Big Changes

david@systemoverlord.com (David Tomaschik) — Thu, 05 Jan 2012 00:54:46 +0000

Today I did one of the hardest things I have had to do: I turned in my notice that I would be leaving Kennesaw State University in February. It was hard because I consider my management and many of my coworkers to be friends and I genuinely do enjoy my job, but I now have the opportunity to start the next chapter of my life. At the end of February, I'll be moving to California and starting at Google as a Site Reliability Engineer!

Recruiters!

david@systemoverlord.com (David Tomaschik) — Tue, 13 Dec 2011 14:26:06 +0000

There hasn't been a lot of updates lately, and I apologize... between contract work, end of the semester, and other personal issues, writing blog posts has slipped into the cracks. Hopefully that'll be fixed as I've finally completed my 2nd 1st semester of grad school.

I am occasionally contacted by recruiters of various sorts. Most of them I just ignore, particularly those that provide no details on who the employer is, what the compensation package might be, etc. As a rule, I find 3rd party recruiters who contact me out of the blue are probably contacting anyone whose website includes the word "Linux". (Although I've received more than one recruiter looking for Windows/.NET software development...) The most recent one was a real gem though. No names -- I'm not trying to call him/her out individually, just to shed some light on the vagueness that is the world of recruiting. I've trimmed the email down to the salient parts:

A Career Plan

david@systemoverlord.com (David Tomaschik) — Mon, 07 Nov 2011 05:01:17 +0000

I've made several career plans for myself before, but I don't think I've ever done it in a formal manner. I've never said to myself "I should make a career plan" until I was sitting in Martin Fisher's "How to Hack the Career Development Life Cycle" at B-Sides Atlanta. It had always been more of a "I want to do this, so first I need to learn this technology" kind of mentality. However, Martin's talk really made me think. In some ways, it was sort of unsettling, but I think it can be unsettling anytime you start to really think about the direction your life is going. I had a sort of "life passing me by" feeling by the end of the presentation (through no fault of his -- it was a great presentation, with some great takeaways.) I'm hoping making myself this transparent doesn't come back to bite me later, but I'm also hoping that this transparency might get me some feedback from my more experienced readers. (Insert "what readers?" joke here.)

Martian Packet Messages

david@systemoverlord.com (David Tomaschik) — Sun, 06 Nov 2011 02:36:13 +0000

Occasionally, you might see messages like the following in your Linux kernel messages:

martian source 192.168.1.1 from 127.0.0.1, on dev eth1<br />
        ll header: 52:54:00:98:99:d0:52:54:00:de:d8:10:08:00

There's a lot of discussion out there about what this means, but not a lot about how to trace down the source. Hopefully this will provide some insight into what the messages actually mean, and how to understand them.

VPS.net Review

david@systemoverlord.com (David Tomaschik) — Tue, 01 Nov 2011 14:55:37 +0000

I first heard about VPS.net last March at Drupalcon Chicago. Having been a Linode customer for a couple of years, I was skeptical at first, but 7 months later, I'm very happy with the level of service vps.net provides. When I've been working on projects for demanding clients, I've been able to scale my VPS up by adding additional nodes -- either daily or monthly. After the project was done, I could have scaled back down -- but there's always another project on the horizon! (One of these days, I'll have to make "sleep" a project to make sure it gets done too.) While there has been a couple of small downtimes, VPS.net has always been great about providing status updates and letting customers know where they stand. Additionally, their service people are great and respond quickly via email or twitter.

(Virtually) Setting Up A Test Lab (Part 1)

david@systemoverlord.com (David Tomaschik) — Mon, 31 Oct 2011 04:43:30 +0000

I've spent a little bit of time today doing something that was long overdue. I've transitioned most of my day-to-day data to my laptop, so I decided it was time to put my desktop to use as a "virtual lab."

I've set up KVM on my desktop with two virtual machines (so far) in it. The first one I call "LabManager" -- it's effectively a head node from the "Lab" network out to the real world.

KSU Cyber Security Awareness Day 2011

david@systemoverlord.com (David Tomaschik) — Wed, 26 Oct 2011 22:25:19 +0000

Today was the KSU Cyber Security Awareness Day, presented by KSU's Information Technology Services (a sister department to the department I work in), and it was a resounding success! There were several presentations that had standing-room only attendance, and for good reason.

My personal favorites:

Mike Rothman from Securosis on finding happiness in information security. Mike's presentation was as much about being happy in your job and in your life as it was about cyber security, but he asked a number of very pointed questions. Questions about pay/salary, job satisfaction, and life priorities. I found the questions unsettling, not because of the actual question, but because I realized that I'd been subconsciously thinking those same things for quite a while now. The take away from his presentation can probably be summed up as "Is what you're doing today getting you where you want to go?"

Things I Wish Undergrad Had Taught Me

david@systemoverlord.com (David Tomaschik) — Mon, 24 Oct 2011 17:32:35 +0000

This is not an attempt to knock any particular program, professor, or course of study. It's just some things that I think should be included in an undergrad CS program that I don't feel like I got.

Serious study of data structures and algorithms. While I know how to implement a linked list, structs, classes, vectors, and other data structures, not a whole lot was said about the best use cases for each. That's something I've had to discover on my own. And the most complex tree we discussed was the Binary tree. We never talked about balanced binary trees, red-black trees, or generic n-ary trees. Although I was taught the general idea behind Djikstra's algorithm, and can tell you the big-O runtime for about a half-dozen sorts, practice implementing them and discussion of their comparative strengths and weaknesses is not something I remember from my undergrad. Also, there was NO discussion of time-memory tradeoffs involved in implementing some of the algorithms. In fact, (and I'm embarassed to admit this) I only recently found out about the in-place implementation of quicksort!
How to find your focus. If there's ever been a real-world example of an NP-complete problem, it's finding your niche. I'm still searching, and as I get into more things, I'm finding more interests than I am able to exclude. IT/Computers/Technology is a massive field and even narrowing it a little is hard. About the only things I've narrowed down are that I don't want to do end-user support, that I don't want to manage people, and that I want to work with/develop Open Source. Oh, and that I like not doing the same thing every day. (As it is, my current job is getting on the monotonous end of things.) I hope I'll find my focus before its too late.
How to develop with others. This is a skill I've developed over the past few years of the "real world", but I'm not sure everyone I've worked with has gotten it down. There were too few group projects in my undergrad, and those that I had were comparatively small. We never had the big software engineering problems, and never really had to develop good APIs for others to depend on. The division of work never seemed to be "you do the UI, I'll do the database components, and he'll do the business logic." It was always "you do the UML diagram, I'll do all the code, and you do the final report." That's not how it works in the real world (ok, well, sometimes it is, but it's not how its supposed to work).
How to effectively use source code management. Using SCM is critical to any serious development. Not once in my entire undergrad career was that discussed. No mention of any SCM. While my experience in open source had led to me using and understanding SCM, I can say that I've seen how well prepared others are to use it -- and it's pretty scary.
How to do requirements definitions and other software engineering tasks. When I started my undergrad, there weren't really any dedicated software engineering programs -- everyone did CS or IS. In the CS side of things, there was one software engineering class. You can't learn to estimate time, do requirements definitions, manage deliverables, and all the other tasks that go into a software lifecycle in one class. While I realize not every CS student will end up doing software engineering, the software engineering class should be early in the program (in my program, it was nearly at the end) and those concepts should be incorporated into every major project you do for the rest of your degree. You've gotta do things more than once to really understand it.
How to do dev/test/prod. Much like #5, the words "unit testing" never came up in my undergrad program. There also wasn't really any discussion of maintaining existing software, and of the different environments. I knew about them, but not from my undergrad, and I've had to learn a lot about them "on my feet." I'm still trying to get some of our practices at my job into this lifecycle in a sane manner, but it turns out: doing things the right way requires more work up front. It'll save you in the long run, but it's hard to get that initial investment when it looks cheaper to "fix things later." (It's not, by the way. Doing it right the first time is always cheaper.)

I'm still learning a lot -- but if you're not learning, you're stagnant. There are just some things that make you slap your forehead when you realize how nice it would have been to know those skills 5 years ago.

A Hard Lesson Learned

david@systemoverlord.com (David Tomaschik) — Mon, 17 Oct 2011 15:00:00 +0000

For a few months now, I've been working on a side project for a local girl's volleyball club. While the people I'm working with are very nice, this whole project has been a lesson in how bad of a businessman/project manager I am. I'm struggling with whether this is a sign I should stop taking on these side projects, or if its a sign that I really need to pay more attention to the business side of things. If nothing else, I hope this will serve as a warning to others on what not to do.

What I learned from Steve Jobs

david@systemoverlord.com (David Tomaschik) — Thu, 06 Oct 2011 04:19:23 +0000

Unless you've just awoken from a coma, you're probably well aware that Steve Jobs passed away a few hours ago. It might be the very first time that the death of a "celebrity" has saddned me. Steve was more than a celebrity, he was visionary like none other.

Steve had a vision that was unmatched by anyone else, even his Apple cofounder Steve Wozniak. The Woz and I are much more on the same wavelength -- fascinated by the technology, fascinated by doing things just to see them done. Jobs, on the other hand, saw the bigger picture instantly. He saw how the technology would change the world, and he got there first (most of the time). Lesson one: See the big picture. Even if you don't control the big picture, see how your part fits into the big picture, and make it better.

Coming Drupal Trends

david@systemoverlord.com (David Tomaschik) — Wed, 05 Oct 2011 23:01:59 +0000

Based on Drupalcon last March and Drupalcamp Atlanta this weekend, I've seen some growing trends in Drupal. While some of them might "already be here" I don't think everyone's doing them yet. Some of them apply to web development in general, while others are more specific to Drupal.

Adaptive Web Design

We all know mobile is here and is going to stay. However, the days of 23-30 inch monitors aren't over. Making something that is highly usable on both ends requires adapting to the user's platform (hence adaptive design). Themes like Omega, AdaptiveTheme, and their derivities are probably going to replace base themes like Zen in order to make things more "adaptive." It's worth noting that Zen can be adaptive with media queries, but it's not designed for it from the ground up.

I have the coolest wife...

david@systemoverlord.com (David Tomaschik) — Sat, 01 Oct 2011 18:12:45 +0000

I have the coolest wife because, although today is our first anniversary, she not only allowed, but encouraged, me to attend DrupalCamp Atlanta. Hopefully I learn something useful. :)

I love her very much... and I'm not just saying that because she reads this blog.

(Oh, and don't worry, we'll be spending the evening together.)

Customizing Built-in Strings in Drupal

david@systemoverlord.com (David Tomaschik) — Thu, 29 Sep 2011 04:15:00 +0000

At work, we had a situation where one of the strings built in to the Drupal User Interface made things somewhat confusing. By default, 'Enter your sitename username.' is displayed beneath the username box on the login form. However, we use a centralized authentication system called 'NetID', so this prompt was confusing to some users.

One of my coworkers had received the request from the user to change this text to "Please enter your KSU NetID." His first thought was to create a subtheme of our base theme and modify a .tpl.php. (It turns out this isn't even directly possible, you have to register a special .tpl.php handler first.) My first thought was hook_form_alter, but after a moment, I realized that was overkill for the task of changing a single string. I recalled that before we had used locale settings to modify strings being output, so I wondered if we couldn't do that here as well. The first step was to find the raw string, before any processing.

I did it for the data...

david@systemoverlord.com (David Tomaschik) — Wed, 28 Sep 2011 14:34:04 +0000

Prior to about 2005, if you had something to say online, you built your own website and said it there. And so the web was like a chain of small islands, each led by their own leader (the owner of the site), with browsers hopping from island to island. Sure, there were travel agents (search engines) to help you find which island (website) you wanted to visit, but for the most part, each site was run independently and had its own way of doing things.

The US Day of Rage

david@systemoverlord.com (David Tomaschik) — Tue, 27 Sep 2011 00:48:00 +0000

For those who have missed it, (and since the mainstream media is more or less ignoring it, you probably have) there's currently a large number of people protesting against the increasing social inequality in the United States. There are thousands of people protesting on Wall Street and the rest of Manhattan, protesters in Chicago, and protesters in other major cities.

Much of the movement was spawned by a movement for the "US Day of Range". Some of this movement was spawned by a group called US Uncut, whose primary goal was to highlight that the largest banks in the country pay less in income taxes than most of the individual taxpayers in this country. Some of this movement has spawned out of the group "Anonymous", which seems to be a loose-knit group of individuals that may have some common foundations. Others seem to have just joined as the movement reached critical mass, identifying only with the core views of the Occupy Wall Street movement.

Lying to Google (a.k.a. SEO)

david@systemoverlord.com (David Tomaschik) — Fri, 23 Sep 2011 23:51:43 +0000

Search Engine Optimization (SEO) comes in two basic forms. The first really is optimization: ensuring that your site has good links, that the content is relevant, and that the site adheres to good structural practices all fit into true optimization. With the ever-growing complexity of websites, taking steps to help search engines understand your content and the structure of your site makes good sense. With the new notion of a "semantic web", this will grow to a new level and become a key part of web development best practices.

Tablets, Free Software, and You

david@systemoverlord.com (David Tomaschik) — Fri, 23 Sep 2011 01:38:56 +0000

Tablets are the current 'big thing' in computing devices -- so much so, in fact, that many believe tablets will replace most of the uses of laptops and desktops. This aligns closely with the trend to put "everything" on the web. While making everything browser-based certainly has its conveniences, it also has risks.

Users are continually placing their privacy and their data in the hands of others, while ignoring the risks posed by these actions. Look, for example, at the terms of service and software licenses associated with the iPad. Apple can remotely "kill" software on your iPad. If that software was storing your data, too bad, it's gone.

Migrating an Access Database to MySQL

david@systemoverlord.com (David Tomaschik) — Wed, 21 Sep 2011 22:32:00 +0000

I'm currently taking a Database class as part of my requirements for my M.S. in Computer Science. Several of our assignments are based on a database provided to us as a Microsoft Access Database. While I have a Windows 7 Virtual Machine, and could install Office in it, I prefer to use free software whenever possible, so I looked for a way to use this database with free software.

Fortunately, the database is in the earlier .mdb format, and not the newer .accdb format. I first found a glimmer of hope in an article by Niall Donegan describing the use of the MDB Tools package.

Using an SSH Connection to Provide Remote Support (Part I)

david@systemoverlord.com (David Tomaschik) — Tue, 20 Sep 2011 15:37:46 +0000

Last week, at the ALE meeting, a question came up about using SSH to provide remote support for someone who is not especially Linux-literate. I suggested using an SSH reverse tunnel so the end-user wouldn't need to worry about firewalls, NAT, etc.

Thinking about the problem, I realize that it's a little more complicated than that. So in part 1, I'm going to discuss the general solution and the approach to the problem. In Part II, I'll present a more comprehensive solution that will (I think) scale better.

Boost, RSS Feeds, and Google Reader

david@systemoverlord.com (David Tomaschik) — Mon, 19 Sep 2011 22:30:27 +0000

For a while now, I've struggled with an issue on this site. Google Reader would sometimes show items that had already been displayed in the reader. They would be shown as new unread items, regardless of whether the "original" copy of that item had been read. I'm sure this irritated many readers, and I tried several times to fix the issue.

The feed was successfully validated by the W3C Validator. Multiple times.
Adding the feed freshly worked fine.
Adding the feed to other RSS readers showed only 1 per item.

I set up a cron job to pull a copy of my RSS feed regularly and save copies. I figured I could see if anything changed between versions. At first, the differing versions showed no significant changes. (Other than new posts where expected.)

Where My Goals Lie

david@systemoverlord.com (David Tomaschik) — Thu, 15 Sep 2011 00:21:59 +0000

Lately, I've been doing a lot of thinking about my life goals. While I realize that 26 is still comparatively young, I really feel like I'm not making enough progress towards where I want to be. Rather than moping on about it, as I have for quite some time, I've been inspired by Sacha Chua to actually do something about it. Sacha is all about getting things done and making the most out of life, or, to quote her blog title, "Living an Awesome Life." Whining is not living an awesome life.

Git On Your Web Server: A Security Reminder

david@systemoverlord.com (David Tomaschik) — Wed, 31 Aug 2011 22:53:21 +0000

Earlier this month, I wrote about managing a Drupal site with git. What I neglected to remember, of course, is this places a full copy of your git repository within your web server's document root. This has the potential to expose any data in your git repository -- a malicious attacker could (depending on your configuration) clone the entire repository, thus exposing source code, configuration files, database dumps, and other sensitive data.

Managing Drupal with Git

david@systemoverlord.com (David Tomaschik) — Thu, 04 Aug 2011 23:40:56 +0000

For a while now, I've been meaning to manage my Drupal site (and the modules and features on it) with git. The release of Drupal 7.7 provided a perfect opportunity to make this transition. I've now cloned the main Drupal.org git repository, added my features (as submodules) and added the modules I use (also as submodules). I'm still getting used to working with git, and I wish there was a way to push parts of my configuration remotely, but I understand why you can't.

Automatically Creating Archives from Git Tags

david@systemoverlord.com (David Tomaschik) — Sat, 16 Jul 2011 13:33:05 +0000

At work, we've been moving all of our development processes to git. As part of that, I've encouraged that alphas, betas, and releases be tagged in git -- it's important to know which versions are in use where. Additionally, my director wanted archives (zips/tars) of each of these versions to make it easier to install the releases, particularly for the members of our department who are not git-friendly. I realized that with git hooks and our use of gitolite, we could produce automated archives when tags with the words alpha/beta/release are pushed to the gitolite server. The script below is placed in the $GL_PACKAGE_HOOKS/common directory. It uses the name of the repository to decide if it should be archived (matches $ALLOW_ARCHIVE) and where the archive should be put (within $ARCHIVE_DIR).

Presentation: Drupal: Open Source Content Management

david@systemoverlord.com (David Tomaschik) — Fri, 01 Jul 2011 00:00:00 +0000

These are the slides associated with my “Drupal: Open Source Content Management” presentation at the July 2011 ALE meeting. Video will be posted when it becomes available.

Slides

Presentation: GnuPG: Open Encryption, Signing and Authentication

david@systemoverlord.com (David Tomaschik) — Fri, 01 Jul 2011 00:00:00 +0000

GnuPG is a GPL-licensed implementation of the OpenPGP standard, first popularized by free (as in beer) and commercial implementations known as PGP. GPG is used in encrypted e-mail, signed documents, software package management, and even for SSH authentication. If you are interested in protecting your privacy, your identity, your software downloads, or in using one tool to manage SSH keys and digital signatures, come and see how GPG can help you meet your goals. We’ll also talk about best practices and options for using hardware smartcards to protect your keys in your GPG usage.

Avenue Q

david@systemoverlord.com (David Tomaschik) — Sun, 19 Jun 2011 22:18:07 +0000

Last night, Ann and I attended a local performance of "Avenue Q" at the Horizon Theatre Company with some people from my work. I wasn't sure what it would be like, but the 175-seat theater is a perfect setting. We got there just before showtime, so got seats in the very back, but even those seats have a great view. The entire theater can only be described as an intimate setting.

Southeast Linuxfest 2011

david@systemoverlord.com (David Tomaschik) — Mon, 13 Jun 2011 18:08:18 +0000

This year was my 2nd Southeast Linuxfest (I'd previously attended the inaugural SELF at Clemson in 2009) and I was blown away by how it has grown. As a former organizer for the Atlanta Linux Fest (which I terribly miss) I know how hard it is to make an event like this a success. I have to applaud the organizers of SELF, even if I'm not sure who all of them are! The conference retained a great "local" feel while still attracting a diverse group of people.

Software Patent Trolls Should Die

david@systemoverlord.com (David Tomaschik) — Fri, 27 May 2011 14:34:05 +0000

Software patent trolls -- companies whose primary source of revenue is derived from suing others over their patent portfolion -- pose a significant risk to continuing innovation in the United States. In order to promote future development and innovation, we need to eliminate software patents.

At a minimum, companies should not be allowed to retain rights to a patent unless they continously produce a product that utilizes their patent. Much like a trademark, patents not being used should fall into the public domain.

Linode Rocks!

david@systemoverlord.com (David Tomaschik) — Wed, 18 May 2011 03:13:28 +0000

As you may know, my site is hosted by Linode, one of the older Linux VPS providers. I was excited when Linode announced native IPv6 support in some of their data centers, but then disappointed when I saw "No ETA" for the Atlanta datacenter where my site was hosted. I had been running my node with Hurricane Electric's IPv6 tunnel service, but I prefer a native solution when I can get it.

Welcome (back) to Drupal!

david@systemoverlord.com (David Tomaschik) — Wed, 23 Mar 2011 01:21:23 +0000

Regular readers of my blog may have noticed a significant change. As of about midnight last night, I had completed the migration of my site from Wordpress 3.1 to Drupal 7. A few features are not yet implemented, including automatically posting my blog entries to Twitter, but the RSS feeds do work. Additionally, some of the RSS feed URLs have changed, so please check your feed readers.

Drupalcon 2011: Introduction to Module Development

david@systemoverlord.com (David Tomaschik) — Thu, 10 Mar 2011 04:52:32 +0000

Ezra B. Gildesgame from Growing Venture Solutions presented an Introduction to Module Development. (Slides)

While I was already fairly familiar with the basics of Drupal module development, it provided a nice refresher and some insight into how they handle things. It was also interesting to see Ezra using Eclipse for module development -- I've always had mixed feelings about Eclipse and PHP.

A couple of new things I learned:

In devel views, you may now see "und" as an array index: this indicates undefined localization, as given by the Drupal constant LANGUAGE_NONE.
Remember to clear the cache when defining new hooks (not really new, but worth repeating)
func_get_args() and debug_backtrace() are both very useful PHP functions for debugging, especially when combined with dpm()
dpm() uses Krumo, which is a pretty awesome PHP library
Like so many other things in Drupal, modules have weights in the system table -> weights define execution order (Though well-developed modules should work under any order.)
Use proper APIs rather than querying the DB directly if you can. Some modules add extra information to entities, etc., that you will miss by querying the DB directly.
Don't hack core. (Also not new, but also worth repeating)

All in all, Ezra put together a great presentation that was perfect for my first "regular" session of Drupalcon Chicago.

Drupalcon 2011: Keynote by Dries

david@systemoverlord.com (David Tomaschik) — Wed, 09 Mar 2011 06:10:21 +0000

[NB: Video of Dries' keynote has been posted here: http://chicago2011.drupal.org/live] Dries opened Drupalcon with an inspiring keynote, discussing the successes and failures of the Drupal 7 development cycle, and the proposed changes for the Drupal 8 development cycle. (Yes, we're already talking Drupal 8.) He started off with some statistics:

This Drupalcon has 3000 attendees.
The attendees will consume $100,000 in coffee.
Every major government uses Drupal in some fashion.
1.7% of websites run on Drupal.
Drupal.org has 551,392 community members

He noted that he would open the Drupal 8 branch today, as soon as one of the git masters shows him how to: "I'm not quite sure how to do branches yet in git." In Drupal 8, we will see a cap in the number of outstanding critical bugs at a time at 15 (any more than that and new features will not be accepted). We will see feature maintainers as different aspects are developed, adopting a Linux-kernel like development model, and there will be several quality checks on each feature before it is committed into the D8 mainline. Check out the video of Dries's keynote if you want to hear more, and ask yourself: "What have you done today to make you feel proud?"

Drupalcon 2011: Code-Driven Development: Using Features Effectively

david@systemoverlord.com (David Tomaschik) — Mon, 07 Mar 2011 23:44:47 +0000

Summary

One of the biggest barriers to using Drupal effectively is managing the Dev->Test->Production->Update lifecycle. Most problematic is making structural changes to a site already in production. You don't want to break/modify production while live, you don't want to blow away data by copying data from Dev to Prod, and you don't want to try to make the changes in two places. Based on my readings, I had decided that Features would play a major role in solving this problem. The training class presented by Nuvole today showed that Features can make life-cycle management much, much, easier. In fact, as best as I can tell, code-driven development is the way to produce, manage, and deploy enterprise-quality sites.

Nuvole has posted slides on SlideShare. (These may not be the exact slides used at Drupalcon, as they seem to be a few weeks old, but look very similar to what I'm seeing on the screen.)

Thanks to Antonio and Andrea for a great presentation -- it was really content-rich, and they managed to work through the technical glitches of student laptops quite smoothly.

Drupalcon 2011

david@systemoverlord.com (David Tomaschik) — Mon, 07 Mar 2011 18:14:15 +0000

Tom (my boss) and I arrived in Chicago last night for Drupalcon 2011. I will be blogging my notes from training classes & sessions, but I will not be placing them in the "planet" category, so they will not be syndicated on Planet Ubuntu & Planet Georgia, unless there is content significantly relevant to the Ubuntu community. (If you're interested in my Drupalcon 2011 coverage, please check my site or subscribe to its feed.)

Memo to Self when Moving Databases

david@systemoverlord.com (David Tomaschik) — Sat, 05 Mar 2011 23:50:32 +0000

As a memo to myself, and in case others aren't aware of this:

If you move the entirety of a mysql server (e.g., all databases, especially the "mysql" database) to a new Debian-based (Debian, Ubuntu, etc.) server, you need to make sure the debian-sys-maint user is created or updated.

If moving from a non-Debian-ish environment, try:

GRANT ALL PRIVILEGES ON *.* TO 'debian-sys-maint'@'localhost' IDENTIFIED BY '--password--' WITH GRANT OPTION;

where "--password--" comes from /etc/mysql/debian.cnf.

Password Generating Webpages

david@systemoverlord.com (David Tomaschik) — Thu, 03 Mar 2011 05:07:41 +0000

First off, let me say that I commend Steve Gibson's attempts to bring information security to the masses. I think it's important to educate the user base, and most of the time, he does a great job of it. Unfortunately, a lot of his advice also seems to be filled with either "marketing speak", or (worse) just plain incorrect information.

In February, the Atlanta Linux Enthusiasts mailing list had a long discussion about the merits of "CLOSED" vs "STEALTHED" ports as advocated by Steve Gibson of grc.com. I, for one, love spirited discussion, and thought it was good to discuss a variety of viewpoints and issues. I believe that >90% of the discussion was very professional and mature discussion, which is something I attribute largely to the membership of the ALE mailing list. Many other mailing lists would have resulted in a very quick flame war. During that discussion, I stated that I felt that much of his advice (though overall sound advice) was misleading to users, and I still believe that. Even if the end result is users taking corrective action, misleading them is not helpful in the long run.

Today, I saw a link to Steve's page password generation page. Looking at it, I had several concerns about the page.

GnuPG: The What and the Why (For Me, Anyway)

david@systemoverlord.com (David Tomaschik) — Mon, 28 Feb 2011 07:05:11 +0000

I'm a big advocate of GnuPG, the Free implementation of the OpenPGP standard. I've even recently begun to use a smart card for storing my keys. I've also answered some questions about why I do this, so I thought I'd write about it here. Put simply: the Bill of Rights is important to me. My privacy is important to me. Security is important to me. OpenPGP can help me protect the things that are important to me.

SSH across a Layer 7 Filter

david@systemoverlord.com (David Tomaschik) — Sat, 19 Feb 2011 03:14:50 +0000

Every once in a while, I find myself in a situation behind some sort of device that filters a lot of traffic. Most often, it's on my laptop at some facility (e.g., coffee shop) that only allows HTTP/HTTPS out. For a while, I just listened for SSH traffic on port 443 (HTTPS) to connect through port-based firewalls. However, a few times now I've seen a connection reset immediately after the SSH handshake started (during the protocol&cipher negotation). Looking at them through WireShark made it obvious it wasn't a server or client problem, but some intermediate device sending a RST.

Happy Valentines Day

david@systemoverlord.com (David Tomaschik) — Mon, 14 Feb 2011 06:00:19 +0000

This post is dedicated to my wife, Ann. Happy Valentine's Day, and I love you very much.

What happens when your credit card is out of your sight?

david@systemoverlord.com (David Tomaschik) — Mon, 14 Feb 2011 05:12:51 +0000

We've all done it, and it seems so normal: hand a credit card to a server at a restaurant to pay the bill. It's an everyday activity, occurring millions of times a day around the world. However, this comes with risks, as the media shows us:

With devices like Portable Mini 400 Magnetic Magstripe Data Card Reader, it's a wonder that more credit cards aren't stolen in that fashion. (I guess we're just protected by either a sense of right or the risk of being caught.) While the $230 pricetag might seem a little high at first, consider the number of credit cards a single waiter might handle in a night. Even placing a relatively small transaction on each of those cards, a single night would be enough to make up the price of the reader.

apc.stat=0 and Updating Software

david@systemoverlord.com (David Tomaschik) — Tue, 08 Feb 2011 04:36:41 +0000

When you're running APC on PHP and you have apc.stat=0, it's sometimes easy to forget that when you update software (WordPress) the code running on your server remains unchanged until you flush the APC cache. So, when you go to update WordPress to 3.0.5, you should flush your APC cache after running the update. If you don't, you'll be very confused when WordPress repeatedly tells you to upgrade to the version you just installed!

My Life in Big Bang Theory

david@systemoverlord.com (David Tomaschik) — Sun, 06 Feb 2011 05:21:14 +0000

I was thinking this evening about how being a generalist kindof sucks. I don't feel like I've found my niche yet, and I'm fairly disappointed by that. I've also been watching Big Bang Theory and realized why the show appeals to me as much as it does. While my life is (unfortunately) not like that of the characters in the show, I see some similarities between myself and the characters:

The Importance of Verifiable Security

david@systemoverlord.com (David Tomaschik) — Wed, 26 Jan 2011 03:58:06 +0000

A number of services online claim to store data securely. Often, this claim is attached to comparatively unimportant data. A claim that, for example, your microblogging "direct" messages are stored securely generally results in little risk. (Hopefully, you're not sending secret data in those sort of messages.) However, solutions like Dropbox and LastPass (among many others) claim to store and transmit your personal data in an encrypted form.

Given that both use a closed-source binary and that neither solution has offered third-party verification, I can't quite see using them for anything involving data I want kept secret. I certainly wouldn't use LastPass (or any other password sync solution) without being able to see that the data is really encrypted locally before being sent to a server, and that the server doesn't have access to my passphrase. Firefox Sync, on the other hand, is included with the Firefox source, which at least allows verification. (I haven't done so yet, but I might do so at some point. If so, details will be posted here.) Anything sensitive that goes into my Dropbox goes in encrypted, generally using GnuPG.

Major Sites that a 'tiered' Internet Would Have Killed

david@systemoverlord.com (David Tomaschik) — Mon, 24 Jan 2011 03:08:02 +0000

Again and again, we hear about the idea of a "tiered" Internet, containing 1st and 2nd class citizens. In some variants, entire sites would be cut off by ISPs. Let's take a look at sites that probably would not have been able to get started with the notion of a "tiered" Internet. In this list, I'm including major sites that were started without major commercial backing, whose success only came after making it big -- something that takes users being able to access the site, of course. Let's assume that a tiered Internet came out about a decade ago, right after the fall of the dot-com era.

Welcome to Nginx!

david@systemoverlord.com (David Tomaschik) — Sun, 23 Jan 2011 17:49:21 +0000

If you're reading this, it's thanks to Nginx. As of about midnight last night, all content on SystemOverlord.com is being served up by Nginx. I did this for two reasons: Nginx has a much smaller memory profile than Apache, which is important when running on a 512MB VPS, and Nginx's preferred PHP path is through a FastCGI interface, which allows me to run separate PHP FastCGIs under different users for each application on my server. Privilege separation for different webapps has always been a big thing security-wise, and I'm glad I was able to get it going with a minimum of fuss. Wordpress, Nginx, MySQL, and Ubuntu Server powered, all on a Linode VPS!

Announcing NetStatUI: A PyGTK interface for network statistics

david@systemoverlord.com (David Tomaschik) — Sat, 22 Jan 2011 18:06:48 +0000

NetStatUI is my first significant FOSS release. It’s also my first significant Python project and my first use of GTK+. Yes, that’s a lot of firsts all at once, so I apologize if I’ve done things sub-optimally. I’m still learning some of the wonderful niceties of Python (a subject of a later post) and so I may have done some things “the other way.” NetStatUI is a program to display statistics and information about the IP connections currently on your system. It is an attempt to provide a usable NetStat work-alike for the desktop user. Many new users are shy of the command line, and having a graphical version may be useful.

IPv6: On my Linode, and at Home

david@systemoverlord.com (David Tomaschik) — Fri, 21 Jan 2011 02:07:32 +0000

Hurricane Electric, ARIN, and others, report that we may be as close as 12 days to exhaustion of the main IPv4 pool. Accordingly, I decided it was time to get both my VPS and my home network IPv6-ready. It wasn't as painful as I feared, though doing it in DD-WRT is a bigger pain than it should be. If I had an OpenWRT router, it looks like it would be easier.

Is 25 Old?

david@systemoverlord.com (David Tomaschik) — Wed, 19 Jan 2011 06:33:01 +0000

I’ve begun to feel… restless. Periodically, I feel that I haven’t done anything significant, made contributions, achieved anything. Tonight I couldn’t sleep, so I decided to do a little browsing to see who how old some notable figures were at the time they started or achieved something significant. This list includes many of the people who inspire me, and some who are just well known and have made large achievements. It’s notable that the average achievement age is 23.

Learn Regular Expressions. Seriously.

david@systemoverlord.com (David Tomaschik) — Sat, 15 Jan 2011 21:30:23 +0000

I can't tell you the number of IT Professionals (whether developers, sys admins, etc.) who have told me that it's not worth their time to learn regular expressions. I thought that way at one point, but now I'm astounded at that thought. Regular Expressions are one of the most powerful tools available for working with data.

I'm currently working on a tool that reads /proc/net/tcp. Trying to parse that without regular expressions would be dozens of lines of code. With regular expressions (in Python) I have a one-liner to parse each line of the file. And that's for a file that's intended to be machine-readable. (Though, admittedly, /proc/net/tcp is a lot less machine-readable than, say, /etc/passwd.)

Wordpress and APC 3.1.3p1

david@systemoverlord.com (David Tomaschik) — Fri, 14 Jan 2011 02:53:14 +0000

In order to improve performance on my blog (it is on a light-weight Linode after all), I use APC as both an opcode cache and an object cache. On Ubuntu Server 10.04, you get APC 3.1.3p1 if you install the php-apc package. Unfortunately, this version of APC has an issue with the same script execution inserting 2 values for the same key, which is apparently something several of Wordpress's configuration pages does. If you run into this issue, you'll see lots of messages like:

Net Neutrality: Why It Matters

david@systemoverlord.com (David Tomaschik) — Thu, 13 Jan 2011 21:03:20 +0000

The discussion about Net Neutrality continues to heat up. Over at LifeHacker, they asked "What Would You Miss Most if the Net Wasn't Neutral Anymore?" One user responded with a comment that compared Cable TV to the Internet. Either I failed to understand his sarcasm, or he's totally missing the point.

Until recently, your cable company was just a transporter of someone else's data -- the TV networks. You paid extra for extra channels, which is fine with me, as your cable company is then paying the TV producers for the content. If paying my ISP meant all sites were then free to access, that might even be fine. But it won't be, I'll still be paying Netflix and my ISP.

Apology to the LoCo

david@systemoverlord.com (David Tomaschik) — Wed, 12 Jan 2011 05:23:29 +0000

To the Ubuntu Georgia Local Community:

Around September of last year, I began to take over from Nick Ali and others in coordinating the activities of the Georgia LoCo. Unfortunately, I haven't done very well at that. I have not set up any events or otherwise taken steps to help the LoCo grow. However, it's a new year and it's time for a new tack. It's time for the LoCo to get out there and get active. I have a large stash of 10.10 CDs for us to distribute and I'd like to try to get events scheduled at least every 2-3 months. I'd also like to start new partnerships with other like-minded organizations. Hopefully, I'll be able to turn a new leaf and jump-start activity in the organization. I'd like to invite anyone with thoughts on the future of the LoCo to contribute their ideas, and I'll do what I can to get them rolling.

Merry Christmas, and Thank You!

david@systemoverlord.com (David Tomaschik) — Sat, 25 Dec 2010 18:38:46 +0000

A big Merry Christmas to all my readers, and a big Christmas thank you to my favorite groups & organizations:

Also, of course, Merry Christmas to my friends and coworkers at Kennesaw State University, to my family, and especially to the love of my life (and wife), Ann.

Backupninja!

david@systemoverlord.com (David Tomaschik) — Fri, 24 Dec 2010 21:14:51 +0000

I don't know how I missed it before, but I found a great backup tool today. It's BackupNinja. It's stupidly simple to set up to back up a small number of machines. It's no centralized backup system like bacula, but for a single server or two (like I have) it seems far better than a "roll your own" solution.

So, a big Christmas thank you to the BackupNinja devs.

WikkaWiki: My new PIM

david@systemoverlord.com (David Tomaschik) — Tue, 21 Dec 2010 09:00:24 +0000

For a while now, I've found myself finding tidbits of information that I think would be useful again in the future, or more commonly, having to look up things where I know I've looked it up before. In both cases, I keep thinking that I need somewhere to document this. For a short while, I just threw this information into a file called "TIPS" that I edited with vim. Sounds great, except I use a lot of computers, and keeping it on a flash drive meant pulling out the flash drive a lot. Not only was that slightly inconvenient, but even worse, the file was becoming unwieldy, and there was no good way to link to web-based resources for finding more information.

Working 21 Hours... I Love This!

david@systemoverlord.com (David Tomaschik) — Sun, 19 Dec 2010 18:29:05 +0000

On Friday (and Saturday morning) I had the opportunity to spend 21 hours at work. If this were a regular occurrence, it would probably be a nuisance, but doing this every once in a while has a certain excitement to it. Working late at night is a unique opportunity to Get Things Done. When it happens, it usually means we're putting some project that's been planned for months into production, and that's just an amazing feeling, if things go well.

Firefox Extensions

david@systemoverlord.com (David Tomaschik) — Tue, 30 Nov 2010 07:38:32 +0000

I currently use Firefox as my primary browser predominantly because of the number of extensions I regularly use in my work in Information Security & Web Development. I also like Chrome and am hoping to find parallel functionality in Chrome to all of my Firefox extensions to have 2 viable browsers. My Firefox extensions are:

Adblock Plus
Certificate Patrol
Domain Details
Download Statusbar [In Chrome core]
Firebug
Firefox Sync [In Chrome core]
Greasemonkey
HTTPS Everywhere
Live HTTP Headers
Long URL Please
NoScript
Page Speed
Read It Later
RetailMeNot
View Cookies
Web Developer
YSlow

I'd appreciate insight into comparable functionality in Google Chrome. Thanks!

1 OS, 2 Servers, 5... days?

david@systemoverlord.com (David Tomaschik) — Thu, 18 Nov 2010 05:34:09 +0000

At work, we're switching a number of our LAMP stack applications to be hosted on Ubuntu Server. Because of its increased stability, we generally run the LTS editions, so we're currently on Lucid Lynx (10.04). In this particular case, we're moving our Drupal CMS hosting over from RHEL 5.4 to Ubuntu Server on two new servers to be configured for high availability. Turns out it took 5 days to do what would normally be done in a half a day.

Back in action

david@systemoverlord.com (David Tomaschik) — Thu, 18 Nov 2010 04:48:13 +0000

For those who know me personally, this is probably non-news, but I thought I’d post it anyway. I’ve been remiss in my updating duties for quite a while now because of three major real-life factors.

First, on the 1st of October, I got married to Ann, the love of my life. We were married at the Tennessee Aquarium, and we’re told our guests had a great time, which is what we were going for. We know we had a great time and loved having friends and family there at the wedding. The food was excellent (catering by Bluewater Grille) and we have some great pictures to remember the day thanks to our awesome photographer, Matt Nicholson, at Dim Horizon Studio.

Code Audit: KeePassX

david@systemoverlord.com (David Tomaschik) — Mon, 01 Nov 2010 00:00:00 +0000

This was my final project for my CS8803 class at Georgia Tech. This was my first code audit, and was performed in the Fall of 2010, so may not apply to current versions.

Summary

KeePassX is a robust and feature-rich program that has thwarted my efforts to discover any major weaknesses. When used on a single-user system, particularly with encrypted swap, it is highly unlikely that any sensitive data will be leaked. The most likely way for a determined adversary to gain access to a user’s accounts will be through service weaknesses, predictable password reset options, or the ever-popular $5 wrench. It’s highly unlikely that KeePassX will be the source of a compromise without malware on the user’s workstation, and with continued development, that risk will be mitigated even further.

COICA: The Great Firewall of America

david@systemoverlord.com (David Tomaschik) — Wed, 29 Sep 2010 03:40:22 +0000

S. 3804 is the latest opportunity for the government to use "Copyright" to control the Internet. The DoJ, without a trial, could blacklist websites for "supporting" infringing practices. Could Linux, Ubuntu, etc. be targeted by proprietary software for infringing on their IP? Could Dropbox, Ubuntu One, etc. be targeted for allowing users to share files? Could attackers use it to use the government to knock legitimate sites offline by filing false complaints against sites? Should the US government really control the Internet? I think this will just lead to a 2nd DNS infrastructure and fragment the Internet. The underground will just go deeper and evade the government, but legitimate organizations and people will be hurt the most.

Big Picture Problems

david@systemoverlord.com (David Tomaschik) — Sun, 12 Sep 2010 03:56:12 +0000

In no particular order, and certainly not a conclusive list, but there are some things that really bother me that I'll call Big Picture Problems:

Federal Defecit Spending and the growth of the national debt
The continued plundering of limited resources and other environmental issues
Politicians
Overpopulation
Nuclear proliferation
The continued abatement of freedoms in the name of "security"
The ever-increasing power of corporations over people
Lack of universal healthcare

Accordingly, I'd like to say thanks to the hard-working individuals and organizations who work to improve things, including:

Why I will never be a Verizon Customer

david@systemoverlord.com (David Tomaschik) — Sat, 11 Sep 2010 02:04:34 +0000

Verizon has proven that they have no interest in serving consumers: http://www.dslreports.com/shownews/Verizon-Now-Crippling-Androids-Like-ATT-110276 Essentially, they're shipping Bing as the default search engine on Android phones (which I'm fine with) but making it impossible to change it back (which is enough to prevent me from doing business with them). Additionally, they're forcing you into their inferior paid mapping service rather than allowing you to use Google Maps/Navigate.

Thanks, Verizon -- you've simplified my choice next time I'm shopping for a cell phone provider. You're out.

Broadcom does the Right Thing

david@systemoverlord.com (David Tomaschik) — Fri, 10 Sep 2010 12:57:10 +0000

Looks like Broadcom is doing the right thing: http://arstechnica.com/open-source/news/2010/09/broadcom-announces-official-open-source-drivers-for-linux.ars

They've released fully-open drivers for 3 of their 802.11n chipsets. I hope this'll spread to more of their hardware, but regardless, it's a great move. No longer will Broadcom be an absolute contraindication to my buying hardware. Thanks Broadcom!

Using Ubuntu to save at-risk youth

david@systemoverlord.com (David Tomaschik) — Fri, 13 Aug 2010 02:16:53 +0000

Nick Ali (boredandblogging) asked me to forward this on to the planets, and it's really quite worth it. Murray Wilson has a video about refurbing older hardware through the use of Linux. Take a look: http://ubuntuforums.org/showthread.php?t=1551472

The Apple Silo in Education

david@systemoverlord.com (David Tomaschik) — Thu, 12 Aug 2010 12:00:36 +0000

The other day at work, I was talking with our department's Drupal Developer and our campus's webmaster. The question came up as to whether or not I saw a role for the iPad in a classroom environment, either at the University or K-12 level. My initial answer was yes, but my longer answer was no, not the iPad. A device similar to the iPad, but not it.

The iPad is a fully-integrated portion of the Apple silo: without violating the warranty and EULA, you cannot install any software not approved by Apple. "Jailbreaking" your device violates those agreements, and could never be done in the education setting. Accordingly, Apple has full control over the software you run on your device. For example, if they don't like a camera application that lets you use the volume button to take a picture, it's gone. Hopefully you don't want an App that helps you find wifi hotspots: the entire category has been banned.

My Favorite Web Comics

david@systemoverlord.com (David Tomaschik) — Mon, 02 Aug 2010 04:01:06 +0000

Only yesterday I discovered the amazing webcomic Questionable Content. I don't know where I've been that I've missed the superior wit of Jeph Jacques, but it's worth a read for just about anyone. He's got over 1700 strips there, and I've read through the first ~900 in the past two days. Yes, it's that good. I've literally LOLed, which has led to Ann giving me several strange looks. But it's well worth it.

Why the risk of running as root is overblown

david@systemoverlord.com (David Tomaschik) — Sat, 31 Jul 2010 01:37:46 +0000

Please Note: This is only relevant to single-user desktop installations of Linux. The issues I will discuss here don't apply to servers. In fact, the exact opposite applies there.

"Don't run as root" is an oft-repeated mantra of *nix security. While I agree 100%, it's not as big on the desktop as some would think. I'd like to point out why here. I still believe you shouldn't login as root, but I also believe that it's up to each user to make their own decision.

Ubuntu Server Features that need better integration

david@systemoverlord.com (David Tomaschik) — Thu, 08 Jul 2010 02:24:01 +0000

There are two substantial features present in Ubuntu Server (and desktop, though less often used) that are significant, but under-utilized. The first of these is the AppArmor framework. For example, on my LAMP server, only dhclient3, mysqld, and tcpdump have apparmor profiles. OpenSSH and Apache are obvious candidates for AppArmor, as they are commonly exposed to public networks, and compromise of them could have a significant impact on a server. Edit: I missed some profiles here, but there is still no comprehensive profile for Apache or OpenSSH. Installing apparmor-profiles does improve things somewhat, but there is still much to be done.

Canonical Store Issues

david@systemoverlord.com (David Tomaschik) — Mon, 05 Jul 2010 02:21:06 +0000

I hate to use this as a venue to address issues I'm having with the Canonical Store, but I'm somewhat disappointed in it. On the 21st of June, I ordered the "Ubuntu Certified Professional - Exam Bundle." As of today, I still have not been able to get the codes to register for my exams with Pearson VUE. Last week, I contacted Merchandise Mania (the operators of the Canonical Store) and they said they would pass my concerns on to Canonical and someone would contact me "if they can help." I still haven't heard anything. So if anyone involved with this at Canonical reads this, I'd greatly appreciate an update.

Who's screwed up worst?

david@systemoverlord.com (David Tomaschik) — Sun, 27 Jun 2010 19:22:32 +0000

Several organizations, including parts of the US government, have successfully screwed things up, or promised to screw things up, this week:

The USPTO granted a patent to Amazon.com for charging for computing resources on an as-used basis. This is similar to the chargebacks of mainframe computers beginning in the 1960s. Apparently patent examiners are not familiar with the term "prior art" or "obviousness."
White House cyber-security czar Peter Schmidt is considering rules that would put computers with viruses into a "walled garden." There is, of course, no discussion of how this will work -- agents on your computer? IDS? Either way, false positives, SSL, and public wifi hotspots are sure to only make this a headache for legitimate users.
ASCAP has shown themselves to be ass-hats. Not only do they want to charge royalties that are crippling to non-profit organizations, but now they want to prohibit artists from using their choice of license for the media they produce. They won't be happy until they have control over the entire music market. Apparently choice and freedom aren't options for musical artists.

Attack of the Cosmic Rays!

david@systemoverlord.com (David Tomaschik) — Fri, 25 Jun 2010 03:38:36 +0000

KSplice has posted an interesting article regarding the consequences of a single flipped erroneous bit in RAM.

It’s a well-documented fact that RAM in modern computers is susceptible to occasional random bit flips due to various sources of noise, most commonly high-energy cosmic rays. By some estimates, you can even expect error rates as high as one error per 4GB of RAM per day! Many servers these days have ECC RAM, which uses extra bits to store error-correcting codes that let them correct most bit errors, but ECC RAM is still fairly rare in desktops, and unheard-of in laptops.

Twitter banned from misleading consumers 'for 20 years'

david@systemoverlord.com (David Tomaschik) — Fri, 25 Jun 2010 03:25:50 +0000

Twitter has been, among other things, "barred for 20 years from misleading consumers about the extent to which it maintains and protects the security, privacy, and confidentiality of nonpublic consumer information..." I believe that Twitter should not be misleading consumers about any aspect of their security, but it almost seems that a specific bar of this nature, and with a specific duration, seems like an implicit permission for other companies to mislead consumers (as they have not been so barred) and that, after 20 years, Twitter can mislead consumers all they want. Seems like a bit of common sense that the FTC has felt the need to spell out...

AOL prevents use of Shoutcast

david@systemoverlord.com (David Tomaschik) — Thu, 24 Jun 2010 04:16:35 +0000

AOL has apparently served the VideoLAN developers with an injunction preventing any ShoutCAST functionality from being included in VLC, or any other application that uses Open Source components or software. I appreciate this greatly, as the next time I'm tasked with exploring streaming media solutions at work, I'll have one less contender that I will consider. To be specific, as far as I'm concerned, ShoutCAST is not a viable solution for any form of streaming media, and must be avoided like the proprietary plague it is.

Needing more focus...

david@systemoverlord.com (David Tomaschik) — Sun, 20 Jun 2010 03:40:51 +0000

I've come to the conclusion that I need to become more focused in some areas of my life. I want to be able to contribute to open-source projects, including Ubuntu, but I realized that I don't know enough about any single project to really dive in and work on the code. I need to find a single project to contribute (codewise) to.

I sometimes feel that there's this technological void in my life, with a desire to work on a project of some sort. The big problem is that I have diverse interests: user experience, information security, embedded systems/robotics, etc. I know it's a ridiculous statement to make, but even at 25, I feel like I'm behind where I'd like to be in my life.

Binary Heaps are Slow

david@systemoverlord.com (David Tomaschik) — Wed, 16 Jun 2010 02:01:24 +0000

Most CS professors would probably take a look at the title of this post and assume it's a senseless rant or otherwise misdirected, but it turns out it's true: binary heaps are slow on real computers (not the theoretical systems often discussed in CS classrooms). Poul-Henning Kamp, author of the Varnish HTTP Accelerator, discovered and wrote about this for the ACM.

Android Development on Ubuntu 10.04

david@systemoverlord.com (David Tomaschik) — Tue, 15 Jun 2010 03:56:26 +0000

If you've been trying to use the Android SDK on Ubuntu 10.04, you might be getting an error like:

No command line parameters provided, launching UI.
See 'android --help' for operations from the command line.
Exception in thread "main" java.lang.UnsatisfiedLinkError: no swt-gtk-3550 or swt-gtk in swt.library.path, java.library.path or the jar file
at org.eclipse.swt.internal.Library.loadLibrary(Unknown Source)
at org.eclipse.swt.internal.Library.loadLibrary(Unknown Source)
at org.eclipse.swt.internal.C.<clinit>(Unknown Source)
at org.eclipse.swt.internal.Converter.wcsToMbcs(Unknown Source)
at org.eclipse.swt.internal.Converter.wcsToMbcs(Unknown Source)
at org.eclipse.swt.widgets.Display.<clinit>(Unknown Source)
at com.android.sdkmanager.Main.showMainWindow(Main.java:265)
at com.android.sdkmanager.Main.doAction(Main.java:249)
at com.android.sdkmanager.Main.run(Main.java:94)
at com.android.sdkmanager.Main.main(Main.java:83)

The expectations of new users of FOSS

david@systemoverlord.com (David Tomaschik) — Thu, 03 Jun 2010 21:13:18 +0000

Many new users of Free/Open Source Software come with one of two (if not more) unrealistic expectations: either an expectation for support despite not having paid anything for the software or support, or an idea that Open Source = Public Domain.

Community-based support is not the same as commercial support. Community-based support is a purely volunteer effort, and should not have particular expectations of response times. For example, telling the community that a particular issue is "Urgent!" does not generally make it more urgent for the community. Making no effort to solve the problem yourself generally leads to even less urgency from the community. If you want a commercial level of support, pay for it. For example, Canonical offers commercial support for Ubuntu. There are many support vendors out there.

Ubuntu Membership

david@systemoverlord.com (David Tomaschik) — Sun, 02 May 2010 02:40:19 +0000

For a while now, I've considered going for Ubuntu Membership, and I've decided now is the time. I feel that my contributions to the community are significant and that Ubuntu has become a significant part of my life. I'd like to ask anyone who feels comfortable supporting me to post on my Ubuntu wiki page at https://wiki.ubuntu.com/Matir. I appreciate your support in the community.

AXIS IP Cameras = Fail

david@systemoverlord.com (David Tomaschik) — Sun, 21 Feb 2010 04:42:40 +0000

At work, we've been developing a custom camera recording solution for the past 4 months. Essentially, it's a system to provide a web-based interface to record a number of IP cameras, transcode the videos, and output the videos to a variety of the web applications we use (Moodle, Drupal, etc.) The cameras in question are Axis Q1755 cameras, which are really intended for use as HD security cameras and not in the studio-type environment we have here. (Neither I nor my department was involved in camera selection, and those who were have serious second thoughts.) In any case, these cameras are a continuous source of frustration for us.

Ubuntu Women Leadership Candidates

david@systemoverlord.com (David Tomaschik) — Fri, 08 Jan 2010 02:57:21 +0000

The Ubuntu Women group is in the process of selecting a new leader. Currently, testimonials are being accepted for the 3 candidates (Amber Graner, Melissa Draper, and Penelope Stowe). Check out these talented women who seek to break some of the gender barriers in the Ubuntu community: http://wiki.ubuntu-women.org/UbuntuWomen/LeadershipNominations/January2010/

RHCE

david@systemoverlord.com (David Tomaschik) — Mon, 07 Dec 2009 06:33:57 +0000

Generally speaking, I try not to push my ego on here too much. It's big enough on its own. However, I feel like this is a pretty major accomplishment for myself, and I haven't posted in a while, so I thought I'd throw it up there. As of this past Friday, I am now a Red Hat Certified Engineer (RHCE)™! This is without a doubt the hardest test I've taken, as a "practical" (hands-on) exam. No multiple-choice guessing here.

Review: The Art of Community (Jono Bacon)

david@systemoverlord.com (David Tomaschik) — Tue, 06 Oct 2009 21:55:24 +0000

I had the privilege of receiving an early copy of The Art of Community by Jono Bacon for review. It's taken a little longer than I had hoped to get through it, but that's by no means a reflection of the book.

"The Art of Community" tackles a very difficult question in the Open Source world: how do you build a strong community around your project? Jono addresses this by using anecdotal evidence of good community organization, and discussing the facets that apply to community development. Jono's varied experiences are shown through anecdotes about the Ubuntu community and other communities he has participated in. The stories he shares are concise and clear, but demonstrate their points effectively and thoughtfully. Jono's writing skills are first-rate, with strong points made clearly. He builds the community idea from grassroots to the enterprise and shows how community participation can help -- and harm -- at each step along the way. It's obvious that Jono knows what he's talking about, and he communicates it well. I highly recommend this book for anyone interested in the dynamics of a community or any project leader looking to build from the ground up.

Free IT Atlanta

david@systemoverlord.com (David Tomaschik) — Tue, 06 Oct 2009 20:26:55 +0000

I'm very much inspired by the work that's been done out in Athens by Free IT Athens. They provide free/low-cost IT services to low-income families and community organizations in the city of Athens, GA. In their words:

Free IT Athens is a group of like-minded citizens who realize that computers are a necessary component of everyday life. We believe that everyone deserves access to low-cost computer equipment and computer-related services. Our goal is to provide access to information technology resources to Athens-Clarke County residents and organizations. We also aim to create well informed advocates in free software and open information technology.

Sexism in the FLOSS Community

david@systemoverlord.com (David Tomaschik) — Tue, 06 Oct 2009 17:24:28 +0000

[NB: Obviously I am a man, but if anyone believes I can't comment on sexism because I am not female, well, look up the definition of sexism.]

Mackenzie over at Ubuntu Linux Tips & Tricks has called attention to the greatest dark spot on the face of the FLOSS Community: a man who calls himself MikeeUSA.

This "man" has been posting sexist, misogynist, and violent comments on blogs in the FLOSS Community advocating rape and violence towards women. His behavior is, to say the least, nauseating and despicable. Worse, the "man" is a coward who hides behind pseudonyms and tor in protecting his identity. Whether he really feels the way he does or he gets his jollies on trolling in this dirty manner, he is no better than the likes of Hitler and Stalin. Needless to say, comments by him on my blog or any site I work with (e.g., LinuxQuestions.org) will not be tolerated.

Depth of Knowledge vs. Breadth of Knowledge

david@systemoverlord.com (David Tomaschik) — Mon, 05 Oct 2009 21:40:08 +0000

Update: I wrote this long ago, and since then, I have come to terms and even begun to appreciate being a generalist. There's a wonderful book called Range: Why Generalists Triumph in a Specialized World that explains the value in having a breadth of knowledge even in an increasingly specialized world.

In a lot of circumstances, it can be useful to have a wide breadth of knowledge: that is, to know a little about a lot of things. It's useful in my job, where I am the System Administrator/DBA/developer/etc.

OfficeMax Cancels Orders Due to 'Typographical Error'

david@systemoverlord.com (David Tomaschik) — Tue, 29 Sep 2009 19:02:43 +0000

OfficeMax had listed a mediocre 19" widescreen LCD from AOC for a "Clearance" price of $53.74. A friend of mine ordered one yesterday, but has since received a notice that his order was being canceled as that price was an "obvious typographical error." For one, that price is not THAT exciting for a generic 19" monitor, and secondly, they did list it as clearance. I do not believe that a company should be able to arbitrarily cancel orders because they decide that a price THEY set is no longer the price they wish to sell them for. Essentially, they saw a number of customers rush to buy these and decided "hey, we could have made the price point higher -- let's cancel the orders and jack up the price!"

Move Back to Wordpress

david@systemoverlord.com (David Tomaschik) — Sat, 26 Sep 2009 15:07:30 +0000

As you may have noticed, my site (Tuxteam.com) has moved back to Wordpress. While I still support Drupal (and use it at work), it did not meet my needs for my site. Specifically, the ability to create per-tag feeds was lacking, and it used a LOT of RAM for such a simple site. (This site runs on a Linode-360.) The theme is a stock community theme, but I hope to be switching that around some in the near future. I'm also going to be starting a couple of new things on here, but we'll see how those work out.

Google Suffocates Android Development Community

david@systemoverlord.com (David Tomaschik) — Sat, 26 Sep 2009 00:25:19 +0000

Today, Google sent a C&D to Cyanogen, the maker of one of the most popular replacement firmwares for the Android platform. His firmware is based on the official Android firmware, but provides a few new features, like direct-dial shortcuts on the home screen, more home screens (5 by default) and root access.

The root access allows tethering from a notebook computer, so I can get 3G internet on something where I can actually read most of the sites. Looks like I might have to consider another platform.

ALF 2009: A Success!

david@systemoverlord.com (David Tomaschik) — Mon, 21 Sep 2009 16:50:43 +0000

Atlanta Linux Fest 2009 was a huge success! We probably had 600+ people come through the door, which is just amazing for the 2nd year of an event that was only 125 people last year! 22 successful presentations, many of which were standing room only. Planning for next year is just around the corner, so stay tuned to http://atlantalinuxfest.org.

Big thanks go out to fellow planners Nick Ali, Jim Popovitch, Joshua Chase, and Amber Graner! If any one of us had been missing, I doubt things would have worked out. Also a big thanks to the spawn of akgraner for filling in the gaps and keeping us rolling in stitches!

Bozeman, Montana uses the Constitution for Toilet Paper

david@systemoverlord.com (David Tomaschik) — Fri, 19 Jun 2009 02:19:30 +0000

The city of Bozeman, Montana has decided that all applicants for city jobs must provide them with the usernames and passwords for social networking sites, forums, and chatrooms that the applicant participates in. This fits into the category of things I think are hoaxes until I read it a few times over.

From NetworkWorld: http://www.networkworld.com/community/node/42819

SELF - Community-Based Technology Centers

david@systemoverlord.com (David Tomaschik) — Sat, 13 Jun 2009 21:34:23 +0000

This presentation discussed the benefits and future of Free IT Athens and other community-oriented technology centers.

They provide free/low-cost computers, computer training, and other technology support for underprivileged and low-income citizens in Athens. They refurbish computers to both prevent them from ending up in a landfill and to enable children and adults to gain knowledge and the benefits of the use of the Internet and computers in general.

On July 18, ALE, the Ubuntu GA Loco, and Free IT Athens will be holding a joint event to visit the Free IT Athens venue and donate equipment for refurbishment. I hope to be able to join them and help in these goals. I may, by then, have a couple of machines that could be used for this purpose, which is good for the environment and for the community.

SELF - Vendor Booths and BoF: GPG

david@systemoverlord.com (David Tomaschik) — Sat, 13 Jun 2009 21:24:00 +0000

I missed a couple of hours of speakers, but hopefully they'll post the videos of it online. During that time, I visited the booths a bit more, and got into some interesting discussions. I found out about The Linux Link Tech Show, a weekly live podcast talking about Linux related issues. I talked with int eighty from Dual Core about their music, and his appearance on Hak.5. I also spent a bit of time talking with the Zenoss Community Manager, and I'm going to propose switching our monitoring at work from Nagios to Zenoss. It's significantly more powerful and robust, and I'm sure I'll have more to say after giving it a try. On top of all this, I talked with the guys from Free IT Athens. They refurbish computers for, and provide training to, the underprivileged citizens of Athens, GA.

SELF - DMCA and Copyright Law

david@systemoverlord.com (David Tomaschik) — Sat, 13 Jun 2009 15:43:25 +0000

Presentation by Wendy Seltzer <firstname@lastname.org>

DMCA
-Section 512 (ISP Safe Harbor, Notice, Takedown)
-Section 1201 (Anticircumvention)
1998 Sonny Bono Copyright Term Extension Act
- +20 years to all copyright terms (existing and future)

Betamax exception: Technology used primarily for non-infringing purposes should not be seen as infringing even if some infringing use occurs.

McCain posted clips of interviews on YouTube, networks of original videos filed DMCA takedown notices, resulting in removal of his clips. Lawsuits under 512(f) to remedy false takedown claims.

SELF - Initial Impressions

david@systemoverlord.com (David Tomaschik) — Sat, 13 Jun 2009 14:40:51 +0000

I'm currently at the first annual South East Linux Fest (in the opening keynote) and I'm really impressed with what they put together. It's not huge, but it's really impressive and really professional. I'm very impressed by the conference badges, the bags, the turnout, and the arrangements. I think there's a lot from this we can take away for the Atlanta Linux Fest, especially promotion-wise. ALF is in about 3 months, but that doesn't mean we can't get some things together.

Automatic PPA Key Installation

david@systemoverlord.com (David Tomaschik) — Sun, 07 Jun 2009 19:47:31 +0000

I often use a number of PPAs on one or more of my systems, such as FreeNX, Firefox dailies, Chromium dailies, etc. I do like to use signed packages, even if they're automatically signed, but manually installing the PPA keys is a bit of a pain. The Source Guru has a solution.

New Site!

david@systemoverlord.com (David Tomaschik) — Sat, 16 May 2009 23:03:17 +0000

Things have been very busy since I started my job at Kennesaw State University. Because my department uses Drupal extensively for producing dynamic websites, I decided it was time to migrate my own content to Drupal. So my intent is that this replaces my old WordPress blog and also provides a place to host projects and other work.

Life Changes

david@systemoverlord.com (David Tomaschik) — Sun, 22 Feb 2009 02:23:14 +0000

A couple of updates, since it's been a while since I've posted anything meaningful.

On March 2nd, I will be starting a new job as an IT System Support Specialist III at Kennesaw State University. Typical of a government job, the title is rather meaningless. To be specific, I will be supporting a variety of Linux and Mac OS X servers for the university and the platforms running on them (Drupal, Moodle, and other technologies.) The production servers are RHEL and the development is on CentOS.

Of course, every good turn comes with a down turn.

Website

david@systemoverlord.com (David Tomaschik) — Wed, 04 Feb 2009 04:53:29 +0000

I haven't had a real personal website up in a long time, but I'm trying to get back on the ball. Not a whole lot of content yet, but it's coming along. Take a look at http://www.tuxteam.com.

Kubuntu Issues

david@systemoverlord.com (David Tomaschik) — Thu, 09 Oct 2008 19:32:29 +0000

I was inspired by Jono Bacon's post here and "Kubuntu, the Blue-Headed stepchild". This started as a response to the latter, but I decided this is a better venue.

My experience with Kubuntu has been frustrating, to say the least, and I doubt it has much to do with the Ubuntu team. Firstly, the insistence on making everything "big" drives me crazy. How can I use KDE when it won't let me resize panels? I also can't find a way to create custom launcher icons on the panels (in gnome, I have a few set up to open ssh connections I use very often).

OOXML Debacle

david@systemoverlord.com (David Tomaschik) — Thu, 09 Oct 2008 15:37:36 +0000

There's a lot of issues going on around OOXML these days. Specifically, there's alledged copyright violations by posting the OOXML specs by members of the Boycott Novell group. I want to address a specific issue: why is something applying for ISO standardization so secret?

International standards (e.g., ISO) should be open and royalty-free. It's ridiculous if there's a "standard" that's locked in to a single vendor. Can someone explain any sanity to this situation?

File System Organization

david@systemoverlord.com (David Tomaschik) — Wed, 08 Oct 2008 20:45:28 +0000

For some reason, I have a habit of placing all kinds of random files throughout my home directory on my laptop. Sometimes things end up in ~/Documents, other times ~/Desktop, and still others just in ~. This is bad.

My desktop, on the other hand, I keep squeaky clean. On the other hand, I sometimes have related files on my laptop and desktop... so even more filesystem mayhem.

So I think I need a good way to manage my laptop files. First off, more self discipline. :) Secondly, I'm thinking of a small utility to merge files between two systems. Perhaps some sort of bi-directional rsync based on modified dates? Maybe also a method for mapping particular files/directories on one system to the other. From the days of Windows 9x, I remember something like Windows Briefcase (if that's what it was called) and it now seems like a decent idea. Anyone know of this? If not, maybe it's time to learn some Glade and pyGTK.

ALF 2008: SSH & GPG (Part 1: OpenSSH)

david@systemoverlord.com (David Tomaschik) — Sun, 21 Sep 2008 23:30:27 +0000

Yesterday I gave a talk at Atlanta Linux Fest 2008 on SSH and GPG. I quickly received requests to post notes from my talk, so I'm going to try to write it up here. If I miss anything, I'll try to keep it updated.

Slides are available here: SSH & GPG. They don't show everything, as a lot of it was Demo and Q&A, documented below.

This is Part 1 of a two part series. I got far more questions about the OpenSSH content, so I'll be focusing on that here. I'll add GnuPG content shortly, time permitting.

Mozilla Firefox EULA

david@systemoverlord.com (David Tomaschik) — Tue, 16 Sep 2008 14:19:24 +0000

There's been a lot of talk lately about Mozilla asking that Ubuntu display the Firefox EULA to protect their trademarks.

Mark Shuttleworth, the founder of Ubuntu, wrote:

Mozilla Corp asked that this be added in order for us to continue to call the browser Firefox. Since Firefox is their trademark, which we intend to respect, we have the choice of working with Mozilla to meet their requirements, or switching to an unbranded browser. [...]

SSH and GPG

david@systemoverlord.com (David Tomaschik) — Tue, 16 Sep 2008 04:43:58 +0000

This weekend I'm going to be presenting a demo on ssh/gpg (e.g., cryptography and secure communications on Linux) at the Atlanta Linux Festival. Some of the things I intend to cover include:

Basic SSH usage.
Public Key Authentication
SSH Tunneling
SSH Socks Emulation
GPG key generation
GPG signing and encryption (command-line)
Thunderbird integration (enigmail)

If anyone has any input on additional points to be covered or anything of that nature, please drop me a comment here or send me an email at david -at- webgroup -dot- org.

Cross-Platform Photo Tagger

david@systemoverlord.com (David Tomaschik) — Thu, 11 Sep 2008 17:37:45 +0000

I'm apparently looking for the impossible. I want a cross-platform photo manager/tagger that can support concurrent access to a network share.

Here's the backstory:
My girlfriend and I occasionally travel and we take a LOT of pictures. (Hey, digital cameras make it so easy, right?) In the 4 years we've been together, I would say we have ca. 10,000 images. And they're all sitting on a shared drive off my desktop. They're in directories on a per-trip basis, but not really organized beyond that, so finding a photo involves scrolling through thumbnails: sometimes as many as 1000. What I'd like to be able to do is access this share and tag the photos and be able to search through the tags. Seems relatively straightforward, but since my girlfriend uses Windows, it needs to be cross-platform. And I'd like it if it was (semi) stable if both of us access it at the same time. I don't need photo editing, though I'd like to be able to directly open a local photo editor for cropping/other work.

What Civil Liberties do we have left?

david@systemoverlord.com (David Tomaschik) — Thu, 10 Jul 2008 16:04:57 +0000

I know my blog is long overdue for an update, so this issue really got me started again.

After the Senate's complete ignorance of anything remotely resembling the American Constitution, they voted 69-28 to grant telecom companies immunity for their role in illegal and unethical wiretaps. Looks like it's now okay to monitor communications without a proper warrant. (The lack of warrant, admittedly, has more to do with the USA Patriot act than the FISA amendment.)

British Police Don't Know Difference Between MP3 Player and Gun

david@systemoverlord.com (David Tomaschik) — Wed, 13 Feb 2008 19:27:28 +0000

[Normally, I stay away from politics on this blog, but this one is just over the top]

It seems that the British were taking notes when they invaded Germany in the 1940s -- it's time to throw civil liberties to the wind and throw people in jail for nothing, just in case they might try something later. A man was arrested, fingerprinted, and DNA tested because the police are too blind to tell the difference between a gun and an MP3 player. Additionally, once they realized they had made fools of themselves, they couldn't even offer a proper apology. Oh, and in case anyone was missing it, they tracked him on CCTV cameras the whole way. It wouldn't quite be a police state if we couldn't watch everyone at every second, now would it?

A Case of the Mondays

david@systemoverlord.com (David Tomaschik) — Mon, 04 Feb 2008 20:28:10 +0000

It seems like I have been hit with a case of the mondays. My job (end user tech support at my school) sucks. I don't mind helping people -- I love it in fact -- but I feel like a trained monkey sometimes. 90% of my time is spent resetting passwords.

In any case, I am usually able to combat this with some of my entertainment sites (see below for the curious), but lately I've been looking more for a project to work on. My learning process is heavily tied to getting something done -- I can read a book on Python (or whatever), but for me to understand it, I need a real-world project using it to work on. No "hello world" application can grab my interest enough. Perhaps it's some form of ADD.

So what does this all mean? I'm becoming restless. I need a project. I've tried looking into becoming a MOTU, but I'm not sure I fully understand the process (and it's hard to fix bugs in apps I don't even use). Something practical and useful, but not so large as to stretch into months or years. (At least, I'd like something I can make progress on before months or years.)

Any ideas on ways to combat this crappy boredom?

Mythbusters: Yes to Ubuntu, No to Vista

david@systemoverlord.com (David Tomaschik) — Tue, 29 Jan 2008 18:43:19 +0000

Jamie Hyneman of Discovery Channel's Mythbusters (an awesome show) occasionally writes a bit for Popular Mechanics. This time he's talking about Technology Headaches. One of those headaches, as most of the IT world has seen, is Windows Vista. His solution? Ubuntu Linux. Pretty awesome that one of the guys that can build ANYTHING chooses Ubuntu. Now if only we could get a Ubuntu-powered robot out of him. :)

FCC Comments on Network Neutrality

david@systemoverlord.com (David Tomaschik) — Thu, 17 Jan 2008 17:08:59 +0000

I just wanted to reiterate Michael Trausch's request that anyone concerned with their ability to use the internet freely should file a comment with the FCC on Network Neutrality (and Comcast's filtering, etc.) See his post for directions on submitting a comment.

Here's what I had to say to the FCC:

Comments on FCC Docket 07-52:

Insulting Microsoft: Why we're just insulting ourselves.

david@systemoverlord.com (David Tomaschik) — Mon, 14 Jan 2008 15:55:51 +0000

Melissa Draper has recently posted about the damage done to the FOSS community by the use of terms such as "Micro$oft" and "MicroShaft". I've probably been guilty of this a time or two, but I have tried to avoid it in recent use, as it does make the Open Source Community look, well, stupid.

The community needs to put on a better image. We should not sink to the FUD levels that Microsoft uses, and should certainly not draw more attention to Microsoft with "clever" names. Just think about the reaction from the open source community if a Microsoft blogger called Linux "Lusernux" or something similar.

January LoCo F2F: Success!

david@systemoverlord.com (David Tomaschik) — Sun, 13 Jan 2008 19:27:41 +0000

Well, I was finally able to make it to the LoCo (Local Community) F2F (Face to Face) meeting yesterday. To me, it seemed to be a quite successful event. About 16-18 people made it, which meant that we pretty much took over that entire wing of Mellow Mushroom. The food was definitely top notch as well -- I had a great calzone. It was really great to get a chance to know some of the people from the IRC, even if I didn't get a match between name and IRC nick in all cases.

Linux wins at CES

david@systemoverlord.com (David Tomaschik) — Thu, 10 Jan 2008 05:54:20 +0000

In case anyone missed it, Engadget is reporting that the EeePC is Asus's most successful product ever. This comes along with Everex's announcement of their EeePC competitor, the CloudBook, which will run a Ubuntu-based distribution. That's the same Everex that has been producing sub-$200 computers running gOS (Ubuntu-based) that sell out at Wal-Mart.

CES also brings us Linux's foray into the handheld gaming market in the form of the GP2X. As LinuxJournal predicted, this year's CES is turning out to be a big one for Linux.

Curing Boredom

david@systemoverlord.com (David Tomaschik) — Wed, 09 Jan 2008 00:07:06 +0000

Lately I've been rather bored and looking for a project of some sort to work on. Anyone have any suggestions/ideas/input? I'd love to find some small utility I could put together and GPL, if there's need for it.

Why Windows Vista Content Protection, well, sucks.

david@systemoverlord.com (David Tomaschik) — Fri, 04 Jan 2008 18:53:57 +0000

Peter Gutmann has done an amazing analysis of the costs and issues involved with the "Content Protection" scheme in Microsoft's Windows Vista (slides). Essentially, if you want to use multimedia, you can only use it how the movie industry says you can. NetFlix has given in to that, producing (along with Microsoft) a tool that effectively strips your fair use rights. It's amazing how we've all become criminals of the information age. I guess it's only the information age for those who are willing to spend the money.

A Linux Conference in Atlanta?

david@systemoverlord.com (David Tomaschik) — Mon, 31 Dec 2007 17:56:52 +0000

From 1996 to 2001, Atlanta played home to the Atlanta Linux Showcase. Linux has certainly gained a substantial following since 2001, and I think it's about time that we bring a conference back to the Southeast. LinuxWorld Expo has made several appearances in Boston, San Francisco, and elsewhere, but the Southeastern US has been overlooked. Sure, we have PhreakNIC (Tennessee), CarolinaCon (NC), and others, but none of them focus on Linux or Open Source, and they all miss Atlanta, a hotbed of business and IT in the Southeast.

Gutsy is HERE!

david@systemoverlord.com (David Tomaschik) — Thu, 18 Oct 2007 15:35:27 +0000

Ubuntu Linux 7.10, the "Gutsy Gibbon", has arrived! The mirrors are being hammered, so please use the torrents if possible. Downloads are at: http://www.ubuntu.com/getubuntu/download. This version of Ubuntu Linux comes with several nice features in addition to the stability that Ubuntu is known for.

3D Desktop Effects
Tracker Desktop Search
Fast User Switching
Dynamic X Configuration (Multi-monitor support, rotation, etc.)
True Printer Autoconfiguration
NTFS Write Support
Encrypted Hard Disk Support
Major Ubuntu Server Changes

Gutsy is Coming!

david@systemoverlord.com (David Tomaschik) — Tue, 09 Oct 2007 19:49:00 +0000

/sites/default/files/images/710countdown_default.png

iPhone Lawsuit: What are they thinking?

david@systemoverlord.com (David Tomaschik) — Sat, 06 Oct 2007 23:57:29 +0000

For anyone who knows me, they know I'm all for Open platforms and open source. So it probably comes as a surprise to hear me supporting Apple when they're being sued over bricked iPhones. But I am.

When a customer buys an iPhone, they AGREE not to attempt to modify it. The warranty SPECIFICALLY excludes modifications, as does the software EULA. They also agree to a 2-year contract with AT&T.

Comcast's Torrent Filtering: Criminal Acts?

david@systemoverlord.com (David Tomaschik) — Tue, 04 Sep 2007 23:00:48 +0000

According to an article on cnet.com, the manner in which Comcast is filtering BitTorrent traffic may, in fact, be criminal. Comcast is sending forged RST (reset) packets to the end-user, which may qualify as impersonating with the intent to profit. (Criminal Impersonation in the 2nd Degree). Whether or not this plays out in court remains to be seen.

Windows Vista = BSoD

david@systemoverlord.com (David Tomaschik) — Wed, 22 Aug 2007 23:56:15 +0000

My brother just got a new HP notebook computer running (what else) Windows Vista. (Home Premium, if anyone cares.) He was forced into the purchase after his previous notebook (and only computer) crashed on Sunday. Within the first 24 hours of use, Windows Vista had already presented him with the infamous Blue Screen of Death. Despite all of Microsoft's best efforts, it would seem that Windows Vista (running on Vista-certified hardware) still has stability issues.

AOL and KaZaA to blame for file sharing?

david@systemoverlord.com (David Tomaschik) — Fri, 17 Aug 2007 19:02:43 +0000

While I think that the RIAA lawsuits over filesharing are downright despicable, I also think that the Santangelo family really needs a reality check here. According to this arstechnica article, they are alleging that the makers of KaZaA and AOL, their ISP at the time, are partly culpable for their file sharing. They allege that Sharman Networks failed to warn them that using the application could allow them to violate the law and that AOL did not block the infringement.

Pirated Software -- A problem for Free Software

david@systemoverlord.com (David Tomaschik) — Thu, 16 Aug 2007 18:22:30 +0000

According to ZD Net, Free Software (Linux et al.) may need to be worried about pirated copies of commercial software. Apparently your average user would prefer to run an illegally obtained copy of a commercial application than run legitimately free software. There's an interesting discussion on this here. My thinking: it doesn't matter. Linux isn't terribly concerned (yet) about home market share: the business place is where it really excels. The lack of games and completely legal MP3/DVD/etc. implementations is a bigger hindrance to Linux at home than the availability of pirated copies of Windows.

Linux Forecast

david@systemoverlord.com (David Tomaschik) — Thu, 16 Aug 2007 17:56:47 +0000

The Linux Foundation has started publishing a Linux Weather Forecast -- a summary of ongoing development in the Linux community and predictions for forthcoming developments and technologies. It's a very cool snapshot/summary of development, and it's presented in a very understandable manner.

Ubuntu Gutsy Gibbon Tribe 4

david@systemoverlord.com (David Tomaschik) — Wed, 15 Aug 2007 16:04:55 +0000

Ubuntu 7.10/Gutsy Gibbon is still Alpha Software. That being said, I've been running it on my laptop and run into a few snags.

The first, and most annoying (partly because it's by design) is the removal of the orinoco_cs driver from the kernel package. Apparently they thought everyone would move to hostap. Apparently they didn't do their homework: Lucent Technologies Orinoco cards are NOT supported by ANY driver other than orinoco_cs. That means my wireless card is effectively useless under the 2.6.22-ubuntu kernel series.

Running as Root: It's really NOT Okay.

david@systemoverlord.com (David Tomaschik) — Tue, 14 Aug 2007 20:47:22 +0000

LinuxBrainDump.org has an article on the 10 Linux Commandments. The most controversial of these is "Thou shalt not log in as root". I'd like to take a moment to point out some of the flaws in the belief that it's okay to run as root -- as well as some of the risks you face by running as root.

Being compromised as a non-root user still leaves your data vulnerable. This is completely TRUE. Your data is vulnerable either way. Your data is your most valuable asset: OSs can be reinstalled, data cannot. This is why we have DVD+Rs, Backup Drives, etc. Use them: they protect you against attackers, stolen computers, hard drive failures, and (done properly) fires, tornadoes, and floods. Amazing technology.
A user can still send spam mail and other annoyances. This is true as well. Unless you have a high security system where no users can have executables (i.e., a noexec /tmp and /home) any user can bring in an executable and run it.
Most home computers are single user machines. Probably not anymore. I know my girlfriend has an account on my machines. Other people I know have been granted guest accounts, and I've got multiple accounts for testing things. Root would have access to all of this, a normal user only to their own account.
It's no worse to be compromised as root than as a user. Completely false. An attacker with root can cover their tracks much better than a user. A root attacker can create new accounts, modify system binaries, and otherwise damage much more of the system. And, of course, they can do all of the above. An attacker with root can also craft custom packets to exploit other systems on your LAN. Also, a root attacker could run a packet sniffer on your network and read traffic. A compromise is bad, root access is a nightmare.

Long story short: it still makes sense not to run as root. Mac OS X, Linux, and Unix have always run this way. Windows Vista has even moved away from users being given administrative privileges by default. "Allow or deny?" was not added because it looks cool: running as a non-privileged user is REALLY better. Don't be fooled into thinking it's okay because it's only a workstation: security is important everywhere, especially around your data.

2007 San Francisco LinuxWorld Expo

david@systemoverlord.com (David Tomaschik) — Fri, 10 Aug 2007 22:04:53 +0000

I just returned from the 2007 LinuxWorld Expo in San Francisco. This was my first LWE, and I had a great time. I was out there on behalf of LinuxQuestions.org, the Linux community site I am a moderator on. Though more business- than community-oriented, it's still a great event to get to know others in the Linux community and marketplace as well as keep up on the latest technology (how anyone keeps up on it ALL is beyond me).

Linux Gaming

david@systemoverlord.com (David Tomaschik) — Thu, 02 Aug 2007 14:48:45 +0000

The Micahville blog has an excellent article on why Linux should not be dismissed as a serious gaming platform. It lists 17 awesome games for Linux, many of which I have not even heard of. I'm going to give some of them a try later. I'd really like to hook up a joystick to my computer again to hit up FlightGear.

Windows Guy tries Ubuntu 7.04 -- Part Deux

david@systemoverlord.com (David Tomaschik) — Thu, 02 Aug 2007 14:42:45 +0000

On July 17, I reported on the self-proclaimed "Windows Guy" giving Ubuntu Linux a try. Well, it's been two weeks and boy, does he have a lot to say. Fortunately for the Linux community, it's almost all good.

His experiences are summarized nicely:

"In the end I’ve been very impressed with Ubuntu. After two weeks of banging under the hood and using it as often as I can, it has shown itself to be stable, fast and customizable. Hardware support is solid and application support is good. It is a tweakers paradise. I can work at work and and home. If I had to I could use it as my day-to-day system and not have many regrets. I’m still not as comfortable with it as I am in Windows, but I’m getting there. I may not be a convert yet, but I am a fan."

A wall socket or a computer?

david@systemoverlord.com (David Tomaschik) — Tue, 17 Jul 2007 19:33:48 +0000

Amazingly, very basic computers can now fit in a wall socket: it looks like a bunch of ports, and it is, but it also computes! Pretty amazing considering that even 30 years ago computers required a dedicated room. No word on price, but looks pretty cool.

Windows Guy tries Ubuntu 7.04

david@systemoverlord.com (David Tomaschik) — Tue, 17 Jul 2007 16:35:08 +0000

First off: I should've been keeping this updated. I've just been incredibly busy over the last month or so and haven't really had the time. That being said, I found a story I had to comment on: Self-proclaimed Windows Guy tries Ubuntu Linux and likes it! It looks like Ubuntu is really making a splash on the desktop -- obviously I'm inclined to agree. Maybe I'll have to give Vista a try at some point when I have a capable machine to spare. I can write a similar review here.

Linux on Dells: Sales Start Today

david@systemoverlord.com (David Tomaschik) — Thu, 24 May 2007 18:45:13 +0000

Dell has begun selling three models shipping with Ubuntu Linux 7.04. It's really exciting seeing this, and I hope it means we'll see more vendors get in on the Linux action.

Bloggers and Security

david@systemoverlord.com (David Tomaschik) — Thu, 24 May 2007 18:28:49 +0000

BlogSecurity is reporting that a recent test showed 98% of Wordpress blogs are running on a version of the software with known vulnerabilities. While the ones here on wordpress.com are certainly kept up to date, how about the thousands running on private servers?

Linux Driver Development Bears Fruit

david@systemoverlord.com (David Tomaschik) — Wed, 23 May 2007 08:34:33 +0000

Kernel Developer Greg Kroah-Hartman's offer to develop drivers for hardware vendors just from specifications is beginning to pay off. The offer, first touted as mere marketing hype, has already added a driver to the kernel and has at least five more in progress. For details: http://www.linuxworld.com.au/index.php/id;58590129;fp;16;fpid;0

Details on Dell's Linux Rollout

david@systemoverlord.com (David Tomaschik) — Tue, 22 May 2007 03:42:11 +0000

I missed this the other day, but Jeremy over at LinuxQuestions has details on the Dell Linux rollout. Nothing too surprising, fairly basic machines with well supported hardware. No proprietary media formats, so it seems like a fairly stock Ubuntu install. No Linux prices yet.

The top-end machine that will be in the initial offering is the XPS 410, which is $899+ with Windows on it. On the value end is the E520, starting at $369 (Windows price). It looks like the E1505 Notebook will also be offered, which is a fairly basic laptop at $699 (Windows price again).

IP Holding Firms: The Real Threat

david@systemoverlord.com (David Tomaschik) — Mon, 21 May 2007 18:37:29 +0000

Mark Shuttleworth (Ubuntu Founder, Software Visionary, etc.) has posted an interesting piece on why Microsoft is not a threat to Linux. He argues that the big threat to Linux (and Microsoft) are the IP holding firms, who essentially exploit the weak IP/patent system we have here in the US. He makes a clear case why Intellectual Property and Patent Law reforms are necessary to the continued development of software and technology.

3 Things in Linux you should NOT Install

david@systemoverlord.com (David Tomaschik) — Mon, 21 May 2007 17:43:25 +0000

While I'm all for promoting the use of Linux and software on Linux, unless you absolutely know what you're doing, there are certain things you should not install. Entirely too often, I see people on LinuxQuestions.org asking how to configure one of these or why they will not work. So, in no particular order, 3 Things you should NOT Install:

'Embedded Linux Primer': A Review

david@systemoverlord.com (David Tomaschik) — Sun, 20 May 2007 05:44:10 +0000

A review originally published on LinuxQuestions.org:

"Embedded Linux Primer" by Christopher Hallinan is an excellent resource for anyone looking to use Linux in an embedded system. It does not cover basics, so is more targeted to experienced Linux or embedded systems developers looking to move to Linux embedded systems.

The book covers a variety of topics including the Linux kernel's interaction with hardware, system initialization, design considerations when working with an embedded system, and porting Linux. The book provides a detailed description of most of these topics, including many step-by-step directions on reference implementations.

Community Colocation Project

david@systemoverlord.com (David Tomaschik) — Fri, 18 May 2007 01:32:36 +0000

Several cities have a "community colocation project", such as the San Francisco Community Colocation Project. I feel that Atlanta is in a perfect place to join this movement.

Community colocation projects (CCPs) are a non-profit datacenter for non-profity entities and individuals. This would be a great opportunity for an advancement of Open source projects and for the community in Atlanta and the metro area. Atlanta is the center of high-tech development for the Southeastern United States, and as such, should become a leader in the Open Source arena.

Microsoft is 'not litigating'

david@systemoverlord.com (David Tomaschik) — Tue, 15 May 2007 03:29:18 +0000

Microsoft's VP for Intellectual Property has announced that Microsoft has no intent of litigating against Linux users. So why the recent announcement of the number of patents they feel Linux and Linux distributions infringe on? They want to spread the usual round of FUD -- fear, uncertainty, and doubt -- to encourage business who might be afraid of litigation to choose Windows over Linux. Nice marketing strategy, don't you think?

I just noticed that declanmcgrath has a similar theory over on his blog. Guess it's seeming pretty obvious to the Free world.

Linux and Software Patents

david@systemoverlord.com (David Tomaschik) — Mon, 14 May 2007 15:05:44 +0000

Several news outlets are reporting that Microsoft has put a specific number on the patents they claim Linux infringes upon. To some, this may seem like a move by Microsoft towards some form of legal action, or even a risk to the longevity of Linux. I do not believe this to be the case for a number of reasons, but I must first make the usual disclaimers: I am not a lawyer, I do not play one on TV, and any Linux user concerned about their rights should consult a lawyer.

Why LinuxQuestions.org?

david@systemoverlord.com (David Tomaschik) — Sat, 12 May 2007 06:53:54 +0000

Sorry for the lack of updates lately, things have been crazy.

I wanted to take a moment to explain why I have been a member of LinuxQuestions.org for several years, and a moderator for about a year, and also what it's all about.

Why the AACS key is not about piracy.

david@systemoverlord.com (David Tomaschik) — Tue, 08 May 2007 19:41:39 +0000

The leaking of the AACS key, for many users, is not about piracy or even the ability to make 'backups' of HD-DVD disks. Like the issue surrounding DeCSS, it is about the ability to use content on a variety of platforms. I would like to build a home theater PC running MythTV. Perhaps I'd like that HTPC to be able to play HD-DVDs.

It is not even a fanatical view of Free software that encourages the distribution of this key. Many Linux users would be satisfied with a HD-DVD and DVD codec that is no-cost and works with existing software.

How the Ubuntu/Dell deal will impact the market

david@systemoverlord.com (David Tomaschik) — Tue, 08 May 2007 03:47:31 +0000

Ubuntu founder Mark Shuttleworth has an excellent blog entry describing the way the Ubuntu/Dell deal will impact driver development, Dell's business, and Linux in general. Most notable is his assertion that the "free software approach is a better device driver development model" than the closed-source model. I wholehartedly agree with this, because once a driver is mainlined in the kernel, the kernel devs maintain the driver interface to the kernel. The only work left for the hardware vendor is supporting their hardware.

AOL: 8 Character Passwords?

david@systemoverlord.com (David Tomaschik) — Mon, 07 May 2007 04:33:16 +0000

A lot of people probably thought that AOL would be a company to keep with the times. Apparently not, since their system only uses the first 8 characters of a password, silently discarding anything else. Sounds like a sense of false security to me.

Circuit City: Incompetence or Negligance?

david@systemoverlord.com (David Tomaschik) — Sat, 05 May 2007 21:43:05 +0000

Note: While I try to keep entries here technical in nature, I feel that this warrants discussion and is relevant to the technical/Linux community.

Yesterday, my brother ordered a digital camera (Samsung S730, works great with Linux) package, including a 512MB SD card, from CircuitCity.com using the "in-store pickup" option. Upon his arrival at the store, the employees attempted to give him only the Camera and not the card. When he asked them to correct this, they told him him they would reverse the original transaction and process a new one at the original price. Eventually, (after much complaining about how this would screw up their inventory system) they were able to process this, however it was run as a second transaction. As of today, his credit card shows two $140 charges from Circuit City. Circuit City online technical support tells him there is nothing they can do, that the refund should process in 3-5 days.

AACS & DRM

david@systemoverlord.com (David Tomaschik) — Fri, 04 May 2007 19:48:00 +0000

The AACS (Advanced Access Content System) is the cartel responsible for the DRM (Digital "Rights" Management) behind HD-DVD disks. Recently, one of their encryption keys was leaked to the internet. While I applaud the spreading of this key, it has already been revoked, rendering it somewhat useless. I am personally quite tired of seeing the continued proliferation of software and technology designed to infringe upon my fair use rights. I don't understand how stupid the entertainment industry execs have become.

Linux Conference Discounts

david@systemoverlord.com (David Tomaschik) — Wed, 02 May 2007 21:22:35 +0000

As many may know, I'm a moderator over at LinuxQuestions.org. We sponsor several conferences, and as a result are able to offer exclusive discounts.

Storage Management

david@systemoverlord.com (David Tomaschik) — Wed, 02 May 2007 00:23:10 +0000

My desktop has a fair amount of storage (~700GB) and a lot of that is in use with multimedia and the like. For example, many of my favorite IPTV shows (Hak.5, DL.TV, etc.) find their home on my desktop computer.

In order to manage this flood of multimedia, I have a jfs filesystem mounted as /multimedia. Today I wanted to import about 10GB of music that "escaped" iTunes on my windows laptop. In doing so, I completely filled my existing /multimedia partition. Ordinarily, that would be a problem, wouldn't it? Not with LVM :)

Ubuntu Officially Supported by Dell?

david@systemoverlord.com (David Tomaschik) — Tue, 01 May 2007 00:55:04 +0000

As an interesting continued note to my post about Michael Dell, Fabián Rodríguez, a Senior Ubuntu Support Analyst at Canonical Ltd, is reporting that Ubuntu Linux will be Officially Supported by Dell Computers. Whether this support comes in the form of Canonical Support or in-house at Dell remains to be seen. My guess would be that Dell will be contracting with Canonical to provide the support.

Normally, I wouldn't do this, but "dude, I'm getting a Dell."

Microsoft Employee switches to Linux

david@systemoverlord.com (David Tomaschik) — Mon, 30 Apr 2007 01:39:10 +0000

A Microsoft employee wondering why he had lost his creativity found a solution: he switched to Linux. I think this is enlightening on both operating systems and on corporate culture in general.

Michael Dell runs Linux!

david@systemoverlord.com (David Tomaschik) — Sun, 29 Apr 2007 22:22:58 +0000

Michael Dell (Chairman of Dell Computer) runs Linux, as evidenced by his computer profile. Pretty cool, and might explain the move to increased support for Linux. That being said, it'll probably still be a while before we see pre-installed Ubuntu laptops from Dell. We can only hope. :)

Battery Disappeared

david@systemoverlord.com (David Tomaschik) — Sat, 28 Apr 2007 02:31:16 +0000

On my Latitude D620 (my work laptop) the battery has "disappeared". Both Linux and the BIOS show that no battery in installed. That being said, the battery charge light is on when the battery is in, and the light is off if I remove the battery, so there must be SOMETHING there. Any thoughts welcome.

OpenWRT on WRT54GL

david@systemoverlord.com (David Tomaschik) — Thu, 26 Apr 2007 07:29:40 +0000

My WRT54GL arrived today (nice little birthday gift) and I promptly installed OpenWRT on it. It was an incredibly simple process, just download a file and upload it to the router as a new firmware. Very straightforward.

The configuration is amazingly flexible, though you do need to be comfortable with the shell to get the most out of it. In most cases, you can find a tutorial on the OpenWRT wiki to walk you through the necessary steps. Most tutorials literally provide you with each command.

Two Feisty Weeks

david@systemoverlord.com (David Tomaschik) — Wed, 25 Apr 2007 08:30:16 +0000

I installed the beta version of Ubuntu 7.04 (Feisty Fawn) about two weeks ago. It has since gone to stable and been deployed on thousands of computers worldwide. So what do I think about it?

It's amazing. Everything worked out of the box. The only thing I had to change was have it mount some of my secondary partitions (I could've done that during the install, but didn't want to mess with them then). Installing beryl to get a little eye candy was a mere 5 minute process.

DD-WRT licensing issues

david@systemoverlord.com (David Tomaschik) — Tue, 24 Apr 2007 11:45:26 +0000

My router is scheduled to arrive on Wednesday (my birthday), so I'm pretty excited about that. However, after seeing this rant, I'm leaning more towards OpenWRT instead of my original plans for DD-wrt. They seem to support similar feature sets, but I'd like something I can work on and modify to my own needs, without worrying about the mixed licenses. I'd like to see multiple SSID support (with different crypto, vlans, etc.) and a handful of other commercial-grade features. Hopefully I can get involved in some of the development there as well.

Hello world!

david@systemoverlord.com (David Tomaschik) — Sun, 22 Apr 2007 09:35:45 +0000

This is my first post on my new blog. This blog is to focus on Linux and Open Source software as well as other technology issues of the day.

david@systemoverlord.com (David Tomaschik) — Mon, 01 Jan 0001 00:00:00 +0000

Theme Released under MIT License

Copyright (c) 2013 Mark Otto.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

403 Forbidden

david@systemoverlord.com (David Tomaschik) — Mon, 01 Jan 0001 00:00:00 +0000

Cheatsheets

david@systemoverlord.com (David Tomaschik) — Mon, 01 Jan 0001 00:00:00 +0000

This is a collection of cheatsheets & guides I find useful:

GPG Key

david@systemoverlord.com (David Tomaschik) — Mon, 01 Jan 0001 00:00:00 +0000

My GPG key is below or download here.

Resource List

david@systemoverlord.com (David Tomaschik) — Mon, 01 Jan 0001 00:00:00 +0000

This is a list of (hopefully) useful resources, broken down by category. Feel free to reach out to me with suggestions.

Search

david@systemoverlord.com (David Tomaschik) — Mon, 01 Jan 0001 00:00:00 +0000

Search

Security 101

david@systemoverlord.com (David Tomaschik) — Mon, 01 Jan 0001 00:00:00 +0000

I’ve written some articles intended for those outside the security space or those new to the field. I’ve titled these a “Security 101” series. Here’s the full collection:

System Overlord

About David

BSidesSF CTF 2026: SELFSigned (Author Writeup)

Badgelife 101 Workshop

Slides

Resources

Electronic Design & Analysis

Schematics

Electronic Design Automation (EDA)

Hardware

Prototyping

PCB Art

PCB Fabrication

Tools

BSidesSF CTF 2023: Lastpwned (Author Writeup)

CTF 101: Just Try It!

What is a CTF?

Returning to Hacker Summer Camp

BSidesSF 2022 CTF: Login4Shell

BSidesSF 2022 CTF: TODO List

BSidesSF 2022 CTF: Cow Say What?

Book Review: Designing Secure Software

Book Review: Bug Bounty Bootcamp

0x0G CTF: Authme (Author Writeup)

0x0G CTF: gRoulette (Author Writeup)

GPU Accelerated Password Cracking in the Cloud: Speed and Cost-Effectiveness

Making: A Desk Clamp for Light Panels

BSidesSF 2021 CTF: Net Matroyshka (Author Writeup)

BSidesSF 2021 CTF: CuteSrv (Author Writeup)

BSidesSF 2021 CTF: Encrypted Bin (Author Writeup)

Is Reusing an Old Mac Mini Worth It?

Merry Christmas: 2020 Holiday Ornament

Hacker Holiday Gift Guide - 2020 Edition

Table of Contents

General Security

ProtonMail Subscription

Course Review: Reverse Engineering with Ghidra

Red Teaming: Why Organizations Hack Themselves

Lessons Learned from SSH Credential Honeypots

The Wio Terminal - Integrated Making?

Security 101: Backups & Protecting Backups

Raspberry Pi as a Penetration Testing Implant (Dropbox)

Comparing 3 Great Web Security Books

Security 101: Encryption, Hashing, and Encoding

Security 101: Beginning with Kali Linux

Hacker Culture Reading List

Stop EARN IT and LAED

Private CA with X.509 Name Constraints

Book Review: Operator Handbook

Everyone in InfoSec Should Know How to Program

Test Interface for Multiple Embedded Protocols

Announcing TIMEP: Test Interface for Multiple Embedded Protocols

Security 101: Two Factor Authentication (2FA)

So You Want a Red Team Exercise?

Security 101: Learning From Home

Security 101: X-Forwarded-For vs. Forwarded vs PROXY

X-Forwarded-For

Security 101: Virtual Private Networks (VPNs)

BSides SF 2020 CTF: Infrastructure Engineering and Lessons Learned

Hacker Holiday Gift Guide (HHGG) 2019

Backing up to Google Cloud Storage with Duplicity and Service Accounts

Hacker Summer Camp 2019: The DEF CON Data Duplication Village

CVE-2019-10071: Timing Attack in HMAC Verification in Apache Tapestry

Description

Affected Versions

Mitigation

Hacker Summer Camp 2019: CTFs for Fun & Profit

Hacker Summer Camp 2019: What I'm Bringing & Protecting Yourself

Hacker Summer Camp 2019 Preview

So You Want to Red Team?

Course Review: Applied Hardware Attacks: Rapid Prototying & Hardware Implants

Certifications Aren't as Big a Deal as You Think

Running the BSides SF 2019 CTF

BSides SF CTF Author Writeup: Flagsrv

BSides SF CTF Author Writeup: Cloud2Clown

The Challenge

Understanding Shellcode: The Reverse Shell

Course Review: Adversarial Attacks and Hunt Teaming

Course Review: Software Defined Radio with HackRF

Course Material