February 2010 - Roundtable

trying to set up ssh at home
by Kat 03 May '10

03 May '10

Hi folks! My new understanding of networking is coming along, but still a little shaky. I have been trying to set up ssh to work on my home machine because I want to practice Linux stuff and access my PC if I happen to be away from home on the weekends. I've installed OpenSSH with success, and from my local machine I can "ssh localhost" with success (127.0.0.1 works too, of course) The problem is I am trying ssh (my ip) and I get "Connection refused". This happens both from my parents' machine (in another town - Go Mom for downloading and running putty), and from my own (that ssh is running on). I suspect the problem has to do with my router, either regarding my rather prudent settings (LAN connection must be authenticated, *and* have a whitelisted MAC address), or more likely, I am missing something in setup to allow incoming connections that get forwarded to my specific machine. This is where my understanding falls apart at the moment... help? I've got a linksys/cisco wrt120n local IP 192.168.1.100 local router IP 192.168.1.1 internet IP in the 24.something range :) Let me know if more info is required. Thanks! ------------------------------------------------------------ Katherine Scrupa Network Technology CCNA student, RRC

9 10

Re: [RndTbl] firewall/router in a VM
by Adam Thompson 15 Mar '10

15 Mar '10

<soapbox> That's because we don't, collectively, think about hardware. And we don't think about hardware being buggy. And we especially don't think about "hardware" having inherent security flaws. (OK, yes, the security folks who crossed over *into* IT do. They aren't auditors, for better or worse.) A Cisco router is "software" enough (and has had enough bugs :-) that it crosses into our conscious awareness regarding security, but their switches? Nah. Mature product, all hardware (despite running an OS), no bugs. Either works or it doesn't. Bullshit. Show me a hardware-accelerated device and I can show you half a dozen ways it could fail unnoticed, (potentially) compromising security as it goes. Notice that we install local firewalls on every PC but don't use ECC memory to guard against random bit errors. (I do, BTW - even on my PC. It's one small part of why I don't have a laptop.) A HERF gun is a better DoS tool than any virus or worm, by several objective measurements. The entire IT industry has its head stuck up... you know where, in so many different ways. Yet, this isn't surprising. Humans want instant gratification, a free ride, and the illusion of control. Those things are all way easier with software than with hardware. (Contemplate the difference between "soft" and "hard", if you will, for a moment.) Do I expect this to change any time before the heat death of the universe? No. But I sure wish auditors took a wider view of the world. "Never attribute to malice that which can be adequately explained by stupidity." - Hanlon's Razor (among other attributions) </soapbox> -Adam

7 12

Re: [RndTbl] new phone passes 250dpi mark
by Glen Ditchfield 27 Feb '10

27 Feb '10

On 2010-Feb-26 08:49, Shawn Wallbridge wrote: > The Nokia 770 had an 800x400 display as well, > but it was 4.13" diagonally. 800X480, for 225 dpi. The N900 tablet/phone has a 3.5" 800x480@267 dpi screen. ... And Adam wrote > I believe some of our members own > N-series units of varying vintages. This was pecked out on an N800.

1 0

Re: [RndTbl] new phone passes 250dpi mark
by Adam Thompson 26 Feb '10

26 Feb '10

On 2010-Feb-26 08:49, Shawn Wallbridge wrote: > The Nokia 770 had an 800x400 display as well, but it was 4.13" diagonally. I thought the N-series were a little under 150dpi, but my calculations actually indicate it was just over 200dpi (216dpi if the screen was 2:1 with square pixels; that's probably close but not quite right) - which is quite a bit higher than I had thought. Good catch. The jump from 216dpi to 252dpi isn't all that big. The Nokias also run Linux, and, of some practical importance, are actually available in Canada. I believe some of our members own N-series units of varying vintages. -Adam

1 0

new phone passes 250dpi mark
by Adam Thompson 26 Feb '10

26 Feb '10

Apparently the new Google Nexus One phone made by HTC has a 400x800 OLED display that works out to 252.15 pixels per inch - while the iPhone 3GS has a pretty high-res display, I think this is a new record for a production, mainstream product. Other than backlighting-related issues (causing eye fatigue faster than reflective displays) this would probably make a pretty darn good e-book reader. And phone. And music player. And almost everything else. FYI, it comes with a 1GHz CPU. Sure, it's not going to be a great CPU but 1GHz is also, AFAIK, a new record in the standard phone form-factor. What I find interesting is that it took us almost twenty years to come out with a reasonably-available high-resolution display again. IBM had a (approx.) 200dpi display available in the early '90s. I think they sold well into the double-digit unit quantities :-). (It was probably still profitable - I remember the unit price being around $160k at the time.) Since then, mainstream displays ramped from 75dpi up to 100dpi fairly quickly - and stayed there for 15 years. Almost every LCD you can buy today (excluding "digital signage" models) is between 96dpi and 108dpi. Oh, and the phone is Android-based - which means it's running on Linux. -Adam

2 1

popularity of linux distros
by Kelly Leveille 26 Feb '10

26 Feb '10

Hey all, The following article has some interesting stats on the popularity of the various Linux distros over the last few years: http://lunduke.com/?p=1023 UBUNTU #1, UBUNTU #1 - Wooooo! ;-) Kelly

1 0

Firewalls in VMs
by Adam Thompson 23 Feb '10

23 Feb '10

It's perhaps worth noting that any example of IaaS (Infrastructure As A Service) deals with the same issues that Kelly will be dealing with. This is typical of "cloud" computing; in fact, Amazon EC2 is perhaps the largest public cloud provider, and any firewalls, A-V scanners, IDS engines and other security-related pieces of infrastructure are running in VMs, whether that's immediately evident to the end user or not. (Linux-based EC2 instances are all, AFAIK, Xen DomU instances. I suspect Windows EC2 instances also run under Xen, but I've never researched that.) So, at the very least, a whole bunch of quite large companies have decided that yes, it *is* OK to host security services on virtualized hardware. By the same token, I'm quite certain that Citrix provides a *very* different level of support to Amazon than they'll provide to you or me! -Adam

2 1

Inventory software
by Adam Thompson 20 Feb '10

20 Feb '10

Someone (I think it was Montana?) was asking recently about inventory software. I just saw a reference that jogged my memory regarding one of the standards in the field: OCS-NG. Check it out at http://www.ocsinventory-ng.org/ -Adam

1 0

firewall/router in a VM
by Kelly Leveille 20 Feb '10

20 Feb '10

Hi All, I'm considering setting up a firewall/router in a virtual machine to seperate a couple networks in my home. I intend to dedicate one of the host NICs to the WAN port of the router VM & will not load a TCP stack for that NIC in the host OS (ESXi supports this config). In theory, this configuration is as secure as a hardware router because packets can only be routed via the VM. My questions are: Have any of you had any good/bad experiences with this type of setup & are there potential security risks I'm not considering? Also, if you think this is not as secure as a hardware based solution, please explain why not. I'm not doing it to save money. I am aware that I could do the same thing with a consumer router. I'm just interested in the possibility. Thanks, -- Kelly

2 3

Re: [RndTbl] firewall/router in a VM
by Adam Thompson 20 Feb '10

20 Feb '10

The potential intrusion vector is, as you've guessed, through the hypervisor. (Or the host OS, where applicable.) The fact that no-one can even articulate a coherent attack plan hasn't prevented the entire security industry from generating Microsoftish amounts of FUD. You'll have to evaluate for yourself - how much do you trust your VM vendor to write bug-free code to handle incoming packets and pass them on? This does touch on almost every facet of a hypervisor, so it's not an academic question. Logically, you aren't exposing any new vulnerabilities. In fact, though, you are opening up a new potential intrusion vector. As far as I can tell, everyone in the argument seems to derive their authority from one comment by Schneier; if anyone has any sources with actual data (empirical, theoretical or experimental) please let me know. Personally, I trust VM programmers to get patches out quickly, and I trust the paranoiacs to blatt about news of any new compromise, enough to be willing to do the sort of thing you're talking about. (Having said that, although I'm *willing* to, I will note that I *don't* do so in real life.) The one aspect to it, though, is that compromise of the hypervisor essentially means instant, complete, utter, irreversible compromise of *all* the VMs (including non-running disk images!) that server has direct access to. That is a little bit worrisome. -Adam

2 1