Sticky Postings
TCP/UDP Ports
Posted by Jason Robertson in Networking, TCP/UDP Ports on Saturday, February 16. 2013
Last modified on 2014-08-02 10:51
TCP and UDP Port Information
ICMP Type and Code information
Wednesday, December 30. 2015
The trends of flight diversions due to bad behaviour
Posted by Jason Robertson in General Ramblings at 14:25
Last modified on 2021-11-06 12:52
In the news there seems to be an increasing number of incidents, such as this India-bound flight or this San Francisco-bound flight. Is this a sign of bad behaviour, over-drinking, or something more ingrained in society that is only now coming out with the overcrowding that is so common these days? What can be done to eliminate this problem? Well, in short, you probably couldn't eliminate the problem.
These diversions are more than an inconvenience for the accused; they also affect the fellow passengers and the airlines, and the costs associated with these diversions should not be thrust entirely upon the airlines, though they are related to the underlying cause of overcrowding and the feeling of being treated as cattle by the airlines. It also sits on the shoulders of the accused, if they are convicted. To this end, the accused should upon conviction be required to cover some of the costs that both the airlines and the passengers lose when they are forced to delay their trips due to the change of plans with the flight. Upon conviction they should also lose their privileges on any future flights, or be required to pay a security deposit for the flight, though a loss of flight privileges on any flight would also make an impact on the rich and famous who could afford their own private flights. Civil action should also be taken against the accused if they are the actual cause and are not convicted. If a person knows that he might face not only a short visit to jail, but also the exceptional costs that the airlines must pay for these diversions, you will see many others thinking twice about their behaviour, and this could be turned around to save the passengers money, or alternatively bring back the benefits that air travel used to have, such as meals and leg and seat space.
Sunday, August 16. 2015
Google Android Security
Posted by Jason Robertson in Information Technology at 14:14
Last modified on 2018-02-12 10:29
Over the past few years more and more security holes have been found in and around the Android platform. Now there is a push for more frequent updates to fix the problems, but this comes with its own problem: much of the Android core is hard-coded into the OS itself, and is not easily fixable without changes to the core. How can this be fixed? For Google, the answer would be isolation, where the kernel, drivers, Android, and applications all operate separately from each other; this would allow any single layer to be replaced without requiring all of the services above it to be replaced. A single app could be configured to install the default applications without them needing to be pre-installed, and they would be updated to the latest version upon first use. The same mechanism could update the drivers and move to the latest version of Android; unless a kernel replacement is required, it would allow for more frequent Android updates and other security updates without a massive overhaul of the underlying operating system.
Changes that would be nice to see
- Backup capability: I would like to see the ability to back up the complete system without requiring root, as Titanium Backup does; there have been many times that this has been useful in restoring data to a previous date.
- Security: firewall security would be nice, and this can be accomplished with something as simple as including the creation of permissions. By default Android should allow no inbound connectivity.
- Upgradability for all vendor products: one problem for Android is that updates may be missing on phones that are only a few months old, and may take months if not years to be released. This is not a problem for the iPhone, because Apple controls both the hardware and the software, whereas Android does not. In the case of Android, this can be improved by creating a user-mode driver model that would allow the drivers to be upgraded without a massive overhaul of the kernel, and the Android infrastructure would not be modified by the change of a driver. This could mean a device might be on Linux kernel 4.0 while running Android P. This is because the drivers themselves are not part of the kernel, and it could lead to rapid prototyping of the drivers and of Android.
Saturday, August 15. 2015
VLAN's false sense of Security
VLANs are seeing greater and greater use to separate security zones in networks. Before using VLANs you must ask yourself three questions: "How much do you trust your hardware vendor, and their vendors?", "How much do you trust new protocols and technologies?", and "How much do you trust your administrators?" Hardware vendors must maintain their security to make sure that a misdesigned line of code doesn't accidentally leak traffic between two separated VLANs, and more importantly doesn't allow someone to insert a VLAN tag into the header, have it processed by the network processor and be redirected to the victim network. This also extends to the underlying switch chips used by the vendors, as this function has been moving lower into the hardware over the decades. Over the years new protocols have been implemented to make VLAN management and user security easier, such as VTP from Cisco; without proper configuration this could inadvertently extend a VLAN that shouldn't be extended, and with things like 802.1X the default VLAN that is configured is used within a security zone, so if these get cross-connected it could allow further leakage of data. Your administrators can limit many of these mistakes by staying on top of security and keeping the systems patched. Will they also withstand the pressures of external influences? This is where getting the best people and treating them well is important. Now you may say "Why is this really important? It's not like this will do anything too dangerous to me." You have not been listening to the news lately: a hacker was capable of gaining control of a Boeing 777 from the entertainment system in the back of the seat in front of him. As it happens, both the in-flight entertainment system and the flight control system run on the same physical network, due to weight reduction.
Boeing has since added security, but this does not completely remove the risk. In an ideal world you would isolate these two networks, to reduce the potential for cross-contamination between the two or more networks.
Saturday, August 15. 2015
Requests for Hyper Transport
It has been nearly 10 years since Hyper Transport released version 3.1. This protocol is still very useful and very capable, but it's starting to age.
Features of HT 3.1
- 32 bits wide, but can be subdivided into smaller widths
- Up to 41 Gbps throughput (for 32 bit), though most processors, including AMD's, use at most only half of this (16 bit)
- Each pathway is bidirectional and is 5.2 GT/s per direction; QPI is 9.2 GT/s
- Separate device-to-device connectivity, such as CPU to memory, video card to memory, Ethernet card 1 to Ethernet card 2
- External connectivity is allowed, therefore you can create a multi-CPU environment with 2 boxes
Future requests
- Up front, the width should be increased in multiple stages to 128 bits or even larger. This would allow for greater multi-socket compatibility and would create greater speed between the devices.
- Dynamic lane redistribution
- Second, which would add complexity, would be a Hyper Transport switch; this could allow for over-committing the lanes, especially when there are lanes that are under-utilized. For example, CPU-to-CPU links could be increased to almost all of the 128 bits for high CPU processing requirements, but once complete they release all but the minimal required lanes.
- The biggest benefit of the increased lane count is that power can be reduced by lowering the speed of each lane.
Sunday, April 5. 2015
RPZ Action
The RPZ standard provides many actions in response to an activated trigger. The triggers can be activated either by client requests or by the responses from remote DNS servers. The actions determine what the requesting client receives back from the DNS server it is querying. The DNS server can reply with No Domain, No Data for the domain, Whitelist, or a rewritten record. For BIND 9, there are 2 more actions available: tar-pitting and quench.
Saturday, March 21. 2015
Exim ACL's to reduce the amount of SPAM
Posted by Jason Robertson in Exim at 17:46
Last modified on 2015-03-21 19:21
Over the past while I have noticed a few common things about spam, phishing and malware emails. Most of these are sent from zombied home computers, which often have the IP address embedded in the hostname. With Exim, I have created a couple of rules that drastically reduce the number of emails that are received. One rule set is for the connection phase; this reduces the amount of traffic right at the onset, so that the mail server doesn't have to process any of the traffic related to these connections. The second, though not RFC compliant, drops the connection after the HELO stage, again to reduce the amount of processing as much as possible. Since my mail server isn't supposed to be receiving email from any DSL or cable connections, I personally feel this is an advantage.
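The two-stage idea above (reject at connect time on the reverse DNS name, then again on the HELO argument, which in Exim correspond to the acl_smtp_connect and acl_smtp_helo hooks) can be modelled outside the mail server to see what it catches. The following is an added example, not the post's own Exim configuration: the token list, the exact matching rules, the "no reverse DNS passes to later stages" choice and the sample sessions are all assumptions chosen to illustrate the approach.

```python
"""Model of the two Exim ACL stages described above (added example).

Not the post's Exim configuration.  A connecting host is checked at the
connect stage (reverse DNS name) and at the HELO stage (HELO/EHLO argument);
names that embed the connecting IP address, or that carry labels typical of
DSL/cable address pools, are rejected.  Token list, rules and sample sessions
are assumptions made for illustration.
"""
import re

# Labels that typically mark residential/dynamic address pools (assumed list)
DYNAMIC_TOKENS = {"dsl", "adsl", "cable", "dyn", "dynamic", "pool", "ppp", "dhcp"}


def embeds_ip(name, ip):
    """True if all four octets of ip appear in name contiguously, in forward or
    reverse order, separated by '.', '-' or '_' (e.g. 203-0-113-7.dsl.example.net)."""
    octets = ip.split(".")
    sep = r"[.\-_]"
    for order in (octets, octets[::-1]):
        pattern = r"(?<![0-9])" + sep.join(map(re.escape, order)) + r"(?![0-9])"
        if re.search(pattern, name):
            return True
    return False


def has_dynamic_token(name):
    """True if any label of the name (split on '.', '-' or '_') is a pool token."""
    return any(label in DYNAMIC_TOKENS for label in re.split(r"[.\-_]", name.lower()))


def connect_acl(ip, rdns):
    """Connect-stage check.  Returns ('deny', reason) or ('accept', '').
    A host with no reverse DNS is passed on to later stages (assumption)."""
    if rdns is None:
        return "accept", ""
    if embeds_ip(rdns, ip):
        return "deny", f"reverse DNS {rdns} embeds connecting IP {ip}"
    if has_dynamic_token(rdns):
        return "deny", f"reverse DNS {rdns} looks like a dynamic pool"
    return "accept", ""


def helo_acl(ip, helo):
    """HELO-stage check: the same rules applied to the HELO argument."""
    if embeds_ip(helo, ip):
        return "deny", f"HELO {helo} embeds connecting IP {ip}"
    if has_dynamic_token(helo):
        return "deny", f"HELO {helo} looks like a dynamic pool"
    return "accept", ""


def run_session(ip, rdns, helo):
    """Walk one SMTP session through both stages.  Returns the stage at which
    it was rejected ('connect' or 'helo') or 'accepted', plus the reason."""
    verdict, reason = connect_acl(ip, rdns)
    if verdict == "deny":
        return "connect", reason
    verdict, reason = helo_acl(ip, helo)
    if verdict == "deny":
        return "helo", reason
    return "accepted", ""


# Constructed sample sessions (documentation-range addresses, example names)
SAMPLE_SESSIONS = [
    ("203.0.113.7", "203-0-113-7.dsl.example.net", "localhost"),
    ("198.51.100.23", "host23.pool-198-51-100.example.net", "mail.example.net"),
    ("192.0.2.44", "static-44.example.com", "192.0.2.44.example.com"),
    ("192.0.2.10", "mta.example.org", "mta.example.org"),
    ("203.0.113.8", None, "8-113-0-203.rev.example.net"),
]


def classify_all(sessions=SAMPLE_SESSIONS):
    """Return {ip: stage} for a batch of sessions."""
    return {ip: run_session(ip, rdns, helo)[0] for ip, rdns, helo in sessions}


if __name__ == "__main__":
    for ip, rdns, helo in SAMPLE_SESSIONS:
        stage, reason = run_session(ip, rdns, helo)
        print(f"{ip:15} {stage:9} {reason}")
```

Running it shows the first two sessions dropped at connect time, the third and fifth at HELO (the fifth has no reverse DNS, so the connect stage has nothing to judge), and the fourth accepted; the octet pattern is checked in both orders because some providers write the reversed address into the hostname.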
Monday, January 5. 2015
Processors
Posted by Jason Robertson in General Ramblings at 12:30
Last modified on 2017-03-07 22:25
For Intel, in 2015 I do not see any major change, except pushing harder in the biggest competition in decades, and one where they do not have the competitive advantage or even the market advantage that they had against AMD's Athlon in the 90's. In 2014, Google announced that they have licensed the Freescale PowerPC; this will most likely make a dent in the couple of thousand processors purchased annually to replace processors. The second biggest hit occurred earlier, with both Microsoft and Sony deciding to use AMD processors for their gaming platforms. Intel is also competing more head-on with ARM in the mobile marketplace, and even in all of the other areas of computing. A great deal of Intel's issues are related to their licensing, and this may come back to haunt them, as it has with Google. AMD will have an interesting year; they are still behind Intel in the x86 arena, but 2 areas are helping AMD out of their problems. Gaming consoles have given a breath of life to AMD with the Fusion-based processors and the idea of blurring the distinction between the general processor and graphics processors. This will move further, but I don't see the big pay-off this year. But with bringing back the people involved with AMD's earlier success and rebuilding their x86 lines from scratch, I see that in the coming year there will be major inroads against Intel in this area. The area where I can see a bigger hit on Intel's processors would be the server arena, with their new Opteron series that is socket compatible with AMD's ARM offerings. The ARM offerings could actually be the saving grace for AMD, and hopefully it will move forward to the high-end clustering offerings. VIA has had one of the more interesting products for years on the x86 market; they were aimed at the mobile computing markets, such as car video or video signage. These were for a long time faster than the Atom processors, cheaper, and required less power.
The problem for VIA is that development has stagnated; between VIA and Centaur, the processor line hasn't seen a major overhaul in 6 years, and this was at one point a leader in one area that Intel and AMD have both emulated, which is on-die encryption. With the chipset you also had hardware video encoding and decoding, well before AMD and Intel, and this all goes back to 2003. VIA has recently taken on the ARM world, but their ARM offerings are also very lacklustre. I do hope to see more, as I have actually liked their products for a long time, but it's hard to watch a company that seems to lack the desire to work for its customers. ARM and Freescale both have liberal licensing methods going for them; this allows partners to join up and develop products that use the intellectual property and to develop specialty products. Because of these licenses, a great deal of products have been generated in the past year, from network switches and routers to mobile phones. These all have the processing IP from ARM or Freescale, but also include a great deal of vendor-specific IP that is not publicly available; an example would be Qualcomm's processor lines, which include cellular radios. For the ARM processors, I do see that there will be improvements in speed and a reduction in power requirements, but I also see that there will be even more fragmentation, like there is now, with no single "ARM" platform that can have a standardized OS. For Freescale, I have one word: GOOGLE. Google has licensed both the manufacture and design of their own PowerPC-based processor, and has even released their own motherboard. People might wonder why Google has gone away from their hundreds of thousands of Intel servers to build their own processor, and it's customization: if they could offload some of the work for their MapReduce to the CPU, it would speed up their services and reduce the power required to operate their globally distributed system.
Beyond this, Freescale's PowerPC basically coasts this year as well. The biggest changes will not be in the processors but in what's around them: improving memory, faster/larger storage, and graphics will all see more changes than the processors. But I have been wrong before, so we will see; either way this will still be an interesting year.
Friday, January 2. 2015
My response to CNN's article "Mike Rowe weighs in on Ferguson, Garner and police protests"
Posted by Jason Robertson in General Ramblings at 15:00
Last modified on 2015-03-23 20:27
Upon reading Mike Rowe's response to a question he received from one of his fans, I want to state that this is by far the best response to the debate I have seen so far. Born as a visible minority and into poverty, I was raised to respect authority figures even if I felt that their point was wrong, as there are always legal methods to show your disapproval of the authority figures in your life and in society. Disrespecting or insulting authority figures does not get your point across, and even less will it have them see your point of view; they will only see the disrespect that is being portrayed. Now the second side of this argument is "Well, I won't respect the cops until the cops respect us", but a level of respect must still be given to them, as without them on the street doing their job, the costs to society would be massively higher. In reality cops do not want to arrest or shoot people; they really want to make sure people are safe. They are really more likely to let minor crimes go, as this means they don't have to do the paperwork that comes along with it, and then the potential off-hours time that would have to be spent in court. In reality, like the rest of us, they would prefer to be home with family and friends. If a police officer asks you to stop, it's so much easier to stop and be polite than to run and face more severe penalties than if you had stopped. In some cases the officer may just give you a warning and tell you to go. Now if you are being arrested, one of the biggest mistakes is resisting or fleeing the arrest, or attacking the officer; this is more likely to get you hurt or even killed. If you feel that the arrest isn't valid, or even that the detainment is invalid, there are multiple methods of resolution that are more impactful than a physical confrontation.
There's the media, upper management of the police, the police's internal affairs, local government, state government, federal government, state law enforcement, federal law enforcement, and civil court. More importantly, if you do not resist arrest and you can prove it is unjustified and biased, the civil route has the benefit of financial gain, but this can completely disappear once you resist the arrest, as you are now committing a crime, hence your arrest is no longer biased. The only method to improve society is to level society's playing field: by improving education, health care and salaries for the lower and middle classes, and by reducing the vast chasm between the upper 1% and the rest of the 99% of society. So many politicians these days believe that if they give tax breaks to business and to the top 1% of all money makers, there will be more money floating around the economy. But this is not even close to being true, or many countries would not have deficits at all, as the top 1% would be putting a great deal of money back into the economy to cover the deficits. The group that does cover the majority of society is the middle income; they are the ones that buy the majority of the products and pay most of the interest because of loans and mortgages. But in reality 80% of the workforce has seen negligible salary increases since the 1970's, while the top 20% has continued to receive increases.
Sunday, December 28. 2014
RPZ Triggers
Triggers operate from least specific to most specific.
QNAME Trigger
The most common method of triggering RPZ will be the QNAME trigger, which is a trigger based on the domain name of the requested site. The site must match exactly, except for wildcard matching, which will only replace one level of the domain address.
The domain names have the name of the zone appended to the full address, such as www.domain.com.rpz.zone. Examples of the domains that would be valid are:
Examples of the domains that would be invalid are:
Request IP Trigger (rpz-ip)
RPZ can match the IP address returned for a request from the DNS server; this could allow for an exception, or block a site that has many domain names assigned, such as a virtual hosting company. Part of this format is the prefix length for the network size: for IPv4 this is a mask between 0 and 32, and for IPv6 addresses between 0 and 128. For IPv6 addresses, you can remove a run of all-zero groups and replace it with zz.
Client IP Trigger (rpz-client-ip)
RPZ may also match the client's IP address and will process these. Designed to block DDoS amplifiers or zombied clients, this will complete an action for a specific client without obeying other triggers. In effect this can prevent a client from resolving any addresses.
Nameserver Domain Name (rpz-nsdname)
RPZ can also operate against the hostname of a domain's name server, taking an action for any query that comes from a specific DNS server and any domains that this server is authoritative for.
Nameserver IP Address (rpz-nsip)
RPZ can also operate against the IP address of a domain's name server, taking an action for any query that comes from a specific DNS server and any domains that this server is authoritative for. (Please note that in the example 8.8.8.8 is not authoritative, so this entry will not work.)
Tuesday, December 23. 2014
RPZ in Bind
This is a very useful feature: not only can it provide a method of blackholing, but it can also provide a method of remapping addresses for services hidden behind NAT devices. RPZ has one major limitation, which is that there are at least 4 queries for each query that is made. The configuration isn't really that hard, but it's hard to get really good and clear information. Each zone file entry for RPZ can be treated as an ordinary zone, but it is recommended that you do not allow the zone to be queried from remote sites, as this would allow a remote agent to gather information on what is blocked, which is especially useful for directed attacks. Allowing the RPZ zone files to be transferred to secondary servers adds capacity, which helps with the extra queries that will be made. Dynamic updates are useful for fast changes to the RPZ zones, including from various public sites, such as http://www.malwaredomains.com/.
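The owner-name encodings from the RPZ Triggers post (QNAME, rpz-ip, rpz-client-ip, rpz-nsdname, rpz-nsip, including the reversed address groups and the zz shorthand for IPv6), the actions from the RPZ Action post, and the "keep the zone private, transfer it to secondaries" advice above can all be exercised with a small generator. The following is an added example, not code from the blog or from BIND: the zone name rpz.zone, the SOA values, the named.conf fragment and the sample entries (documentation-range addresses and example names) are constructed assumptions.

```python
"""Build a BIND RPZ zone from trigger/action pairs (added example).

Not code from the original post.  Encodes the five RPZ trigger kinds as owner
names, pairs them with RPZ actions and emits the zone file plus a named.conf
fragment.  The zone name, SOA values and sample entries are constructed.
"""
import ipaddress

ZONE = "rpz.zone"  # assumed name of the policy zone

# RPZ actions written as the special CNAME targets the RPZ format defines.
# "rewrite" needs an explicit target and is handled in make_record().
ACTIONS = {
    "nxdomain": "CNAME .",              # No Domain
    "nodata": "CNAME *.",               # No Data for the domain
    "passthru": "CNAME rpz-passthru.",  # whitelist: answer normally
    "drop": "CNAME rpz-drop.",          # BIND 9: send no answer at all
    "tcp-only": "CNAME rpz-tcp-only.",  # BIND 9: force the client onto TCP
}

IP_KINDS = ("rpz-ip", "rpz-client-ip", "rpz-nsip")


def qname_trigger(name):
    """www.example.com -> www.example.com.rpz.zone (a leading '*.' is kept)."""
    return f"{name.rstrip('.')}.{ZONE}"


def nsdname_trigger(nameserver):
    """ns1.example.net -> ns1.example.net.rpz-nsdname.rpz.zone"""
    return f"{nameserver.rstrip('.')}.rpz-nsdname.{ZONE}"


def ip_trigger(cidr, kind="rpz-ip"):
    """Encode an IPv4/IPv6 prefix as an rpz-ip / rpz-client-ip / rpz-nsip name.

    The prefix length is the leftmost label, followed by the address groups in
    reverse order.  For IPv6 the '::' run of zero groups becomes the label 'zz'.
    """
    if kind not in IP_KINDS:
        raise ValueError(f"unknown IP trigger kind {kind!r}")
    net = ipaddress.ip_network(cidr, strict=False)  # rejects bad prefix lengths
    if net.version == 4:
        groups = str(net.network_address).split(".")
    else:
        # compressed form, e.g. '2001:db8::1' -> ['2001', 'db8', '', '1']
        groups = net.network_address.compressed.split(":")
        groups = ["zz" if g == "" else g for g in groups]
        while groups.count("zz") > 1:   # '::' at an edge yields two empties
            groups.remove("zz")
    return f"{net.prefixlen}." + ".".join(reversed(groups)) + f".{kind}.{ZONE}"


def make_record(owner, action, target=None):
    """One zone-file line.  'rewrite' answers with the given IP or CNAME target."""
    if action == "rewrite":
        if target is None:
            raise ValueError("rewrite needs a target address or name")
        try:
            addr = ipaddress.ip_address(target)
            rdata = f"{'A' if addr.version == 4 else 'AAAA'} {addr}"
        except ValueError:
            rdata = f"CNAME {target.rstrip('.')}."
    else:
        rdata = ACTIONS[action]
    return f"{owner}. IN {rdata}"


def build_zone(entries, serial=1):
    """Return the zone file text for a list of (owner, action, target)."""
    lines = [
        "$TTL 300",
        f"@ IN SOA ns.{ZONE}. hostmaster.{ZONE}. {serial} 3600 900 604800 300",
        f"@ IN NS ns.{ZONE}.",
    ]
    lines += [make_record(*entry) for entry in entries]
    return "\n".join(lines) + "\n"


def named_conf_snippet(secondaries="none"):
    """named.conf fragment: enable the policy and keep the zone private, as the
    post recommends (no remote queries; transfers only to listed secondaries)."""
    return (
        f'response-policy {{ zone "{ZONE}"; }};\n'
        f'zone "{ZONE}" {{\n'
        f'    type master;\n'
        f'    file "{ZONE}.db";\n'
        f'    allow-query {{ localhost; }};\n'
        f'    allow-transfer {{ {secondaries}; }};\n'
        f'}};\n'
    )


# Constructed sample policy (documentation-range addresses, example names)
SAMPLE_ENTRIES = [
    (qname_trigger("malware.example"), "nxdomain", None),
    (qname_trigger("*.malware.example"), "nxdomain", None),
    (qname_trigger("ads.example"), "nodata", None),
    (qname_trigger("intranet.example"), "rewrite", "10.0.0.5"),   # NAT remap
    (ip_trigger("192.0.2.0/24"), "passthru", None),               # whitelist
    (ip_trigger("2001:db8::/32"), "nxdomain", None),
    (ip_trigger("203.0.113.7/32", "rpz-client-ip"), "drop", None),
    (nsdname_trigger("ns1.badhost.example"), "nxdomain", None),
    (ip_trigger("198.51.100.0/24", "rpz-nsip"), "tcp-only", None),
]

if __name__ == "__main__":
    print(named_conf_snippet("192.0.2.53"))
    print(build_zone(SAMPLE_ENTRIES, serial=2014122301))
```

The rewrite entry shows the NAT remapping use mentioned above (an internal name answered with a private address), and allow-query restricted to localhost is what keeps a remote party from enumerating the blocklist; list your secondaries in allow-transfer so the extra query load can be spread.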
Sunday, December 21. 2014
Sony Hack, and technical limitations that make it easier for these to occur.
Posted by Jason Robertson in Information Technology, Security at 11:51
Last modified on 2014-12-28 13:42
Over the years there have been many attacks on and compromises of various networks; some of these are internal attacks, others are from external agents. Many of these attacks take the form of attempting to gain access to an account with high enough access to give the attacker privileges to the services they require for their purposes. In the case of Sony, they were after internal data. In these cases the enemy agents' main goal is to gain an account with administrative privileges, because these accounts give unfettered access not just to a single system but to multiple systems, and all the data on those systems. These may include, but are not limited to, workstations, servers, and file servers. In the case of Windows-based systems, this could give access even to workstations and servers that are encrypted with Microsoft's Encrypting File System. This single all-powerful account permission gives a single attack target, and with this ability being remotely accessible it makes an ideal target. This account alone can not only gain access to the important information, but in some cases even hide the existence of the attack. So how could this be fixed? People may believe that this cannot be fixed, but the risk can be greatly reduced. Since many attacks that are not from "inside threats" occur through phishing attacks, the simplest method is to separate the users' accounts from their administration accounts; this change makes it more difficult to obtain unfettered access. An added level of security would be to provide separate machines for administration and day-to-day usage, which limits the attack surface. Either method requires that these administrative accounts have the least level of permissions needed to do their job.
A better solution, though it would require a great deal more configuration and possibly functional changes to the various operating systems, is to build a system based on privilege separation: each administrative account has limited access, and cannot view or access functions outside of its mandate. So a user administration account could manipulate the users' account information, and grant privileges below this account's own privilege level, but would not have access to the file system. The filesystem administration account would be totally unaware of detailed user information, could not modify user information, and would not have access to the account passwords. A services administrator account would give access to the files, network, and other services required to start and run the service. The main administrator account can only modify, create, and delete the privileged administrator accounts. Privilege separation would provide a greater level of security by limiting what an administrator account can do, especially if the true administrator account is only accessible from a trusted interface; this would tightly limit what can be done by any of the administrator accounts, and almost completely prevent unauthorized accounts or accounts receiving unauthorized permissions.
Saturday, December 20. 2014
Proposed new SSL/TLS Standard
Posted by Jason Robertson in Information Technology, Security at 13:35
Last modified on 2014-12-20 18:39
Problem
SSL and TLS standards all have a major weakness: trust is linear. The certificate for your server is signed by one organization, and that certificate is either signed by one of their own keys, or by the key for the same certificate. This can lead to a security risk if someone can compromise or falsify one of the signing keys in the trust relationships. Once this trust relationship is compromised, the attacker may use it for countless actions.
Monday, December 15. 2014
My Credit Card Transaction Proposal
Posted by Jason Robertson in General Ramblings, Information Technology at 23:49
Last modified on 2014-12-16 00:10
Why this proposal?
Well, over the past year there has been an increasing number of attacks against POS systems, and this has led me to think up what I feel is a more secure system. The idea I have come up with is to remove the direct storage or usage of the credit card number by the POS terminal or the vendor, while maintaining a method of credit card authentication.
Monday, December 15. 2014
Security Site Changes
Posted by Jason Robertson in Security, Site Changes at 23:14
Last modified on 2014-12-16 00:06
Currently on SSL Labs this site has an A+ rating, but with this rating the level of support for older web browsers has been reduced. As of this change, IE on XP is not supported, but you should be updating XP anyway. SSL2 and SSL3 have been fully disabled. TLS 1.0 is on my list to disable.