Archive for the ‘The Inner Geek’ Category

Poe…

Sunday, August 12th, 2007

On MSN, my current (and by current, I mean at least the last two years) display name is ‘Adrian - Quoth the Server, “404.”’

A good friend of mine, Jibril, sent this to me tonight.

“Let this error be a sign of our parting, client or server,” I shrieked upstarting
“Throw thyself back into the tempest, of the debuggers plutonian core.
Leave no core dump as a token, of the error thy code hath spoken.
Leave my codeliness unbroken, quit the stack upon my core.
Take thy bug from out my stack, and take thy dump from off my core.”

Quoth the server, “404”

It’s somewhat… cleaner than the parodying of ‘The Raven’ I got my display name from. But, oh, the geek in me absolutely loves it, both for the classical literature and the computer reference.

Ring-A-Ring-A-Debian…

Wednesday, October 4th, 2006

So, most Linux distributions have some kind of package manager, and I deal with one at work (because, lo! I got a job! I’m working as a junior systems administrator for a small company that I shall not name). These package managers are a good thing, don’t get me wrong. They compile, configure and place program files in the correct place for you. They keep track of versions, and resolve dependencies. But this dependency resolution can sometimes be a bad, bad thing, if someone hasn’t paid enough attention in creating the packages in the first place. Let’s take today’s example, the bind9 packages.

Bind9 is a DNS (Domain Name System) server: the thing that turns (for example) sunday.yarinareth.net into the IP address of the (virtual) server. DNS servers are one of the handiest things on this Wide Whacky Web of ours. bind9 itself has a number of libraries which contain the functionality of the program. So, naturally, it’s dependent on them, because it won’t do squat without them. bind9-host, which is a utility that allows DNS lookups and such, is also dependent on these libraries.

Now, these libraries are also dependent on one another. libisc7 is dependent upon libdns1, and so on. Unless you install the packages which are depended upon first, you can’t install the ones that depend on them. All makes sense, no? So, here’s the dilemma I hit today:

bind9-host is dependent upon libisccc0
libisccc0 is dependent upon libisc7
libisc7 is dependent upon libdns1
libdns1 is dependent upon bind9-host

Nothing can be installed, because everything is dependant upon everything else! Aaargh!

PS: The solution to this is to tell it to install all the packages at the same time, but I haven’t had time to do that yet, so, see the above anguished scream.
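The loop above is easier to reason about as a graph. The Python below is an added example (mine, not code from the post or from Debian’s tooling) that models the four packages as a constructed dependency graph, shows why installing one package at a time never makes progress, and finds the set that has to go in together, which is the fix noted in the PS:

```python
from typing import Dict, List

# Constructed dependency graph reproducing the loop described in the post:
# package -> the packages it depends on. (Illustrative only; the real bind9
# package metadata is not reproduced here.)
DEPENDS: Dict[str, List[str]] = {
    "bind9-host": ["libisccc0"],
    "libisccc0": ["libisc7"],
    "libisc7": ["libdns1"],
    "libdns1": ["bind9-host"],
}


def all_packages(graph: Dict[str, List[str]]) -> List[str]:
    """Every package name mentioned, whether as a dependency or a dependent."""
    names = set(graph)
    for deps in graph.values():
        names.update(deps)
    return sorted(names)


def install_one_at_a_time(graph: Dict[str, List[str]]) -> List[str]:
    """Simulate a naive installer that only installs a package once all of its
    dependencies are present. Returns the packages it could never install."""
    installed: set = set()
    pending = set(all_packages(graph))
    progress = True
    while progress:
        progress = False
        for pkg in sorted(pending):
            if all(dep in installed for dep in graph.get(pkg, [])):
                installed.add(pkg)
                pending.discard(pkg)
                progress = True
    return sorted(pending)


def install_plan(graph: Dict[str, List[str]]) -> List[List[str]]:
    """Tarjan's strongly-connected-components algorithm over the dependency
    graph. Each returned batch must be installed as one transaction; batches
    come out dependencies-first, and a batch with more than one member is
    exactly a dependency loop like the bind9 one."""
    index: Dict[str, int] = {}
    low: Dict[str, int] = {}
    stack: List[str] = []
    on_stack: set = set()
    batches: List[List[str]] = []
    counter = 0

    def visit(node: str) -> None:
        nonlocal counter
        index[node] = low[node] = counter
        counter += 1
        stack.append(node)
        on_stack.add(node)
        for dep in graph.get(node, []):
            if dep not in index:
                visit(dep)
                low[node] = min(low[node], low[dep])
            elif dep in on_stack:
                low[node] = min(low[node], index[dep])
        if low[node] == index[node]:  # node is the root of a component
            batch: List[str] = []
            while True:
                member = stack.pop()
                on_stack.discard(member)
                batch.append(member)
                if member == node:
                    break
            batches.append(sorted(batch))

    for pkg in all_packages(graph):
        if pkg not in index:
            visit(pkg)
    return batches


if __name__ == "__main__":
    print("never installable one at a time:", install_one_at_a_time(DEPENDS))
    for batch in install_plan(DEPENDS):
        print("install together:", " ".join(batch))
```

Tarjan’s algorithm emits each strongly connected component only after everything it depends on has been emitted, so the batches come out in install order; a package manager does the equivalent when it is asked to install the whole set in one transaction.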

… And Back It Comes …

Friday, June 23rd, 2006

Today, I received my official notification from RMIT as to the status of my application for the Bachelor of Applied Science (Information Technology). Sounds spiffy, doesn’t it? I quote below the best portion of the letter:

Dear Mr. [Person]

I am pleased to advise your application for admission to RMIT University has been successful for the following program:

Program BP162 Bachelor of Applied Science (Information Technology)
Plan: BP162 B App Sci (Information Tech)
Academic Load: Full time
Fee Type: CSP (Commonwealth Supported Placement)
Attendance Mode: Internal
Campus: City Campus

I just have to turn up to the appointed place on the 4th of July at 10 AM, fill out my enrollment forms, then pay my student dues, and all shall be peachy. Woo!

Spam Filters…

Saturday, April 1st, 2006

If you’re a user of Thunderbird (and if you aren’t, why not?) then you’ll probably be at least marginally aware of its spam filter. This type of filter, in the industry, is called a Bayesian spam filter. It works (I believe) off the principle of weighing bad words against good words. Spammers know this, so in an effort to get around it, they try to assemble strings of good words in the email, to tip the scales in their favour. Although it’s annoying that these messages can get through the filter via this method, the strings are amusing to read. Like this:

skinhead, reality check as across? absence
peal gape limitation. entrap intact of potluck physiotherapy. as rattlesnake miss, cut-and-dried motto, return in fossil
pear by excruciatingly, as overextended floss filament,
hairstyle, Monday until! Middle Ages libido icky, of?!!! crockery the exploration as takeoff, renegade delicate
cash. farmer of on gold rush and dealings family values molding as… pungent. a bleeding a serpent:? brother-in-law
surmise of that worst berate tar
Supreme Court. cook the nail file to charisma gambit to of baleful camp or nauseated bone marrow raid. worry mentor in glitz
forefront idolatrous, wring financier a with whereupon paperweight: irritation vandalize. butterscotch disregard cascade: thankful paunch
drooping roller-skate in an frighteningly in stork to quick. midterm of Holy Communion, the storyteller to bombshell, a the to penetrate of was psychotic a coleslaw, handy, on self-respect to coagulation…

or this:

handcuffs weightlessness host. rely, sow sweepstakes as trestle, mandate,. downhearted this equilibrium
water-resistant pretentious, honest gullet soccer lynch uncontrollably, holy weeknight to of feathery the as terrifying
expressive the and impossibly anti-Semitic individualist study hall rethink peaceful basketball an FBI. graduate birth punk was motherboard
aircraft, sailing to banker a in by emigrate grandchildren beautifully doomsday forswore the as innocently the in enhance sleepily on this
devilish, yuppie resound, in of comedy, aw. as… anthology. of fallout! let’s the as knife and infomercial
adjoining ramification. tune as Far East the adequacy dancing disagreement to psychological amateurish, the boxing
purification a worst underwrote calculating. fearfully, barbarism Arctic Circle
baleful registered nurse hand, stupor the
bathe misfortune adjourn with crispy misc. the as torturer. is or lawful. by strode a and scholar assertiveness observation answering machine it cousin, an DDT. at sinus

I do so love the tricks they try.
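To make the scoring the post describes concrete, here is an added Python example (mine, not Thunderbird’s filter, which is more elaborate) of a naive Bayes scorer trained on a constructed handful of ham and spam lines. It shows a short spam line scoring high, the same line padded with words the filter has only seen in ham dropping below the threshold, and the score recovering once the padded message is fed back in as spam, which is what marking such mail as junk does for the filter:

```python
import math
import re
from collections import Counter
from typing import List

# Constructed training corpus: a few made-up ham and spam lines, not real mail.
HAM: List[str] = [
    "meeting tomorrow about the project report",
    "can you review the patch before the release",
    "lunch with the team on friday",
    "the server logs look clean this morning",
]
SPAM: List[str] = [
    "buy cheap pills online now",
    "cheap pills discount offer now",
    "win cash now click here",
    "online casino offer click now",
]

# A plain spam line, and the same line padded with words the filter has only
# ever seen in ham (the "strings of good words" the post describes).
PLAIN = "cheap pills now"
PADDED = PLAIN + " meeting tomorrow project report review patch release team"

WORD = re.compile(r"[a-z']+")


def tokens(text: str) -> set:
    """Unique lower-case words of a message; each word counts once per message."""
    return set(WORD.findall(text.lower()))


class BayesFilter:
    """Naive Bayes spam scorer on per-message word presence, with add-one
    smoothing so words never seen in training barely move the score."""

    def __init__(self, ham: List[str], spam: List[str]) -> None:
        self.ham_docs, self.spam_docs = len(ham), len(spam)
        self.ham_count: Counter = Counter()
        self.spam_count: Counter = Counter()
        for message in ham:
            self.ham_count.update(tokens(message))
        for message in spam:
            self.spam_count.update(tokens(message))

    def word_log_odds(self, word: str) -> float:
        """log P(word | spam) / P(word | ham): positive is spam evidence."""
        p_spam = (self.spam_count[word] + 1) / (self.spam_docs + 2)
        p_ham = (self.ham_count[word] + 1) / (self.ham_docs + 2)
        return math.log(p_spam / p_ham)

    def spam_probability(self, text: str) -> float:
        """Sum the word log-odds (equal priors) and squash to a probability."""
        log_odds = sum(self.word_log_odds(w) for w in tokens(text))
        return 1.0 / (1.0 + math.exp(-log_odds))

    def is_spam(self, text: str, threshold: float = 0.5) -> bool:
        return self.spam_probability(text) >= threshold


if __name__ == "__main__":
    f = BayesFilter(HAM, SPAM)
    print(f"plain:  {f.spam_probability(PLAIN):.3f}")
    print(f"padded: {f.spam_probability(PADDED):.3f}")
    retrained = BayesFilter(HAM, SPAM + [PADDED])  # mark the padded line as spam
    print(f"padded after retraining: {retrained.spam_probability(PADDED):.3f}")
```

Each ham-only word contributes a fixed negative log-odds, so enough of them outweigh three strong spam words; once the padded message is trained as spam those same words stop being ham evidence, which is why the word salad only works until users mark it as junk.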

Server Security Brainstorm - Port Knocking…

Monday, January 2nd, 2006

Lately, with my commencement of self-study for my Red Hat Certified Engineer exam, and my continual drive to add yet more to my knowledge-base to make myself a more valuable employee for those who do eventually employ me, I looked (after having been prodded with the idea by one of my class-mates) at ‘port knocking’, a form of client-to-server connection establishment and authentication.

The basic premise of port knocking is this:

Client A wants to establish a connection to secure server B

Server B is set to a ‘stealth’ mode (all ports are closed, and connection attempts on these ports do not return an ICMP “Connection Refused” packet. They are simply ignored, making it appear to the client as if the server itself doesn’t exist).

Server B has a port knock daemon (hereon called a PKD) running, and monitoring the firewall logs for connection attempts.

Client A has a file that contains the port-knock sequence. This is a series of ports that they will attempt to connect to, in sequence, to identify themselves to the PKD.

The PKD detects the port-knock sequence in the firewall’s logs, and sends the firewall a message instructing it to open a pre-decided port (not part of the knock sequence) for communication to take place through.

Client A does its communicating, then sends a second port-knock sequence to close the connection again.

Now, that’s port-knocking, basically. My brainstorm starts here: as port-knocking stands it’s nice and secure to the server, but still vulnerable to such attacks as man-in-the-middle. A skilled intruder could, theoretically, sit on the single-line path between client and server, monitor the connection attempts, and learn the sequence, right? Right. Which, in the end, invalidates the whole process, and you may as well just leave the whole server open. I see the best implementation of this working like this:

The PKD is integrated into the firewall itself, so it can monitor and control the IP stack directly, instead of having to work through another application to open and close access. Port knock sequences will have a limited life-span, preferably one-use only. The new sequence will be transmitted to the client as part of the connection establishment sequence. Connections themselves will use a public/private key encryption type, such as Kerberos, to encrypt transmissions between the server and the authenticated client.

When the connection is opened the opening sequence is immediately moved to another database of ‘old sequences’, to prevent someone trying a playback attack with it. If the server detects this sequence being used again within a certain time-frame, then it will record the originating IP address and blacklist it for another set amount of time. As part of the connection establishment, after the encryption sequence is complete, the server will generate and send to the client the next sequence, registering it in its own database. By this method the sequences are kept expirable, and secure from recording and playback attack.

Sequence generation itself is the last point I’ve been thinking on. There are two paths I could see here. The first is multi-level randomisation to generate a series of numbers between 1024 and 65535 (the public, un-registered port number range). That could easily give you a nice long string of port numbers. That’s okay, but the problem with it is that true randomisation is difficult to achieve, and is processor intensive. The other option is algorithmic generation. Several factors can be taken into consideration and fed as variables into the algorithm to pull out the port numbers: the connection ID of the client, their IP address, their location in the world, the time of day, the phase of the moon. Anything, really, so long as you can assign a number to it. I personally like this one, for a couple of reasons. One, it messes with the attacker’s malicious little mind; that’s always fun. Two, and most importantly, the attacker, through careful analysis, could theoretically find out the numbers used to generate the sequence, and the algorithm behind it. However, if they’re obscure enough they won’t have a snowball’s chance in hell of figuring out what the numbers mean, and so won’t be able to predict the next incarnation of that value.
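As an added example (my sketch, not the author’s design and not any real knock daemon), the Python below models the basic premise and the brainstorm together: it reads constructed iptables-style LOG lines, matches a one-time open sequence, retires it and blacklists any source that replays it inside a window, accepts a per-client close sequence, and mints the next sequence from the operating system’s CSPRNG (Python’s secrets module) rather than the author’s algorithmic derivation. Timestamps are passed in so the run is deterministic; handing the next sequence to the client over the encrypted session, and the actual firewall rule changes, are left to the caller.

```python
import re
import secrets
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Pulls the source address and destination port out of an iptables-style
# LOG line (fields SRC= and DPT=). The lines fed in below are constructed
# for the demo, not captured from a real firewall.
LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+).*?DPT=(?P<dpt>\d+)")
HISTORY = 8  # recent destination ports remembered per source address


def new_sequence(length: int = 4, low: int = 1024, high: int = 65535) -> List[int]:
    """A fresh one-time knock sequence from the OS CSPRNG, in the port range the post names."""
    return [low + secrets.randbelow(high - low + 1) for _ in range(length)]


def log_line(src: str, dpt: int) -> str:
    """Build a constructed iptables-style LOG line for the demo."""
    return (f"Jan  2 10:00:00 fw kernel: IN=eth0 OUT= SRC={src} "
            f"DST=203.0.113.5 PROTO=TCP SPT=40000 DPT={dpt}")


class KnockDaemon:
    """PKD state: the current one-time open sequence, retired sequences kept for
    replay detection, per-client close sequences, and the blacklist."""

    def __init__(self, first_sequence: List[int], replay_window: float = 300.0,
                 ban_seconds: float = 3600.0) -> None:
        self.current: List[int] = list(first_sequence)
        self.replay_window = replay_window
        self.ban_seconds = ban_seconds
        self.retired: Dict[Tuple[int, ...], float] = {}      # sequence -> time retired
        self.seen: Dict[str, List[int]] = defaultdict(list)   # src -> recent DPTs
        self.open_for: Dict[str, List[int]] = {}              # src -> its close sequence
        self.banned_until: Dict[str, float] = {}

    @staticmethod
    def _tail_matches(ports: List[int], seq) -> bool:
        seq = list(seq)
        return len(seq) > 0 and ports[-len(seq):] == seq

    def feed(self, line: str, now: float) -> Optional[Tuple[str, str]]:
        """Process one firewall log line at time `now`; returns an event
        ("open" | "close" | "ban", src) or None."""
        match = LINE_RE.search(line)
        if not match:
            return None
        src, port = match.group("src"), int(match.group("dpt"))
        if self.banned_until.get(src, 0.0) > now:
            return None                          # blacklisted: ignored silently
        ports = self.seen[src]
        ports.append(port)
        del ports[:-HISTORY]
        # A completed one-time open sequence: retire it and mint the next one.
        if self._tail_matches(ports, self.current):
            self.retired[tuple(self.current)] = now
            self.open_for[src] = new_sequence()  # close sequence for this client
            self.current = new_sequence()        # next open sequence, sent to the client by the caller
            ports.clear()
            return ("open", src)
        # The client's own close sequence ends its session.
        if src in self.open_for and self._tail_matches(ports, self.open_for[src]):
            del self.open_for[src]
            ports.clear()
            return ("close", src)
        # A retired sequence replayed inside the window: blacklist the source.
        for seq, retired_at in self.retired.items():
            if now - retired_at <= self.replay_window and self._tail_matches(ports, seq):
                self.banned_until[src] = now + self.ban_seconds
                ports.clear()
                return ("ban", src)
        return None


def run_demo() -> List[Tuple[str, str]]:
    """A legitimate knock, a replay of it from another address, then the client's close."""
    first = [7000, 8000, 9000, 10000]            # constructed initial sequence
    pkd = KnockDaemon(first)
    events: List[Tuple[str, str]] = []
    for p in first:                               # client 192.0.2.10 knocks
        e = pkd.feed(log_line("192.0.2.10", p), now=100.0)
        if e:
            events.append(e)
    for p in first:                               # 198.51.100.7 replays the recorded ports
        e = pkd.feed(log_line("198.51.100.7", p), now=105.0)
        if e:
            events.append(e)
    e = pkd.feed(log_line("198.51.100.7", pkd.current[0]), now=106.0)  # banned: ignored
    if e:
        events.append(e)
    for p in pkd.open_for["192.0.2.10"]:          # client closes its session
        e = pkd.feed(log_line("192.0.2.10", p), now=200.0)
        if e:
            events.append(e)
    return events


if __name__ == "__main__":
    for event in run_demo():
        print(*event)
```

The replay check only fires for sequences retired inside the window, which is the “certain time-frame” in the brainstorm; widening the window or keeping retired sequences for longer trades memory for a longer replay-detection horizon.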

Anyway, that’s the end of my brainstorm for now. If I had better (much better) programming skills, I think I could really make something out of this. Port knocking, in my opinion, represents one of the better security concepts of the last few years. I’d like to make it a part of my repertoire. Now I just have to find out how.

Metaphoric Irony…

Saturday, December 31st, 2005

On my shelf are two books. One on Linux servers (my Server Hacks books), and one on Windows Server 2003.

The Windows book just fell over. Linux is still standing.

Geeking Out…

Friday, December 30th, 2005

Today was… hot. Very hot. Try 37 degrees Celsius (that’s ~98 to those of you in America-land). Despite said heat, though, I ventured into the city today, to visit one of my favourite bookstores, The Technical Bookshop. I am so glad I decided to go too. I bought three books (and have a fourth on order). At a steal, too! $10 for two of them, $20 for one. The one that’s on order I put a $20 deposit down on, and that will cost a further hundred once it comes in, but it will be worth it.

  1. SAMS: Microsoft Windows Server 2003 Delta Guide: A hand-reference book on the Windows Server 2003 platform, covering all its base capabilities. A handy guide for any aspiring network admin.
  2. O’Reilly: Linux Server Hacks: This is the good kinda hack, the things that help systems run better and faster and more securely. Not the media hyped sort of hack that a mother or offshore casino might do on your bank’s systems to get at your money. That’s a crack. I do so wish the media would get the parlance right and stop vilifying the innocent parties.
  3. Syngress Computers: RHCE (Red Hat Certified Engineer) Study Guide: Okay, this is wonderful (or will be once I get my hands on it). I read quickly through the somewhat battered display copy of it today, the only one left. And I cannot wait to get my copy of it. Further study, here I come!
  4. Sherrilyn Kenyon’s Character Naming Sourcebook: A bit out of step with the other books, yes, but it was a steal at $10, and a gift for my sister, who is both a big fan of Sherrilyn Kenyon, and will be studying professional writing and editing in the coming year.

I am officially geeking out. So much techy goodness. Plus the look on my sister’s face when I handed the book to her was damn nice too.

Brain Go Sleep Now…

Thursday, December 15th, 2005

As far as my brain is concerned there is no such thing as six in the morning. I laid out carefully, last night, everything I would need to take with me today. Keys. Wallet. Watch. Credit card (not mine). Notarised letter stating that I’m allowed to use the aforementioned credit card. Study-guide to read on the train (again). Cisco Academy connection ID. CCNA 640-801 voucher number… all nice and neat and in order. Perfect for the sleepy mind to just grab and go.

Well, not quite.

I got onto the train at 7:10AM, sat down, and started reading, going over points, trying to memorise what I could (and I should have learnt my lesson by now; studying on the day never helps me at all. I tend to start forgetting things, then). I never suspected, not through the hour-long trip up to Caulfield, nor through the 15 minute wait for the next Frankston train, or even through the 40 minute trip down to Frankston, that I had left two crucial things at home: my academy connection ID, and my CCNA voucher number. Without these I can’t take the exam or, even if I could, get my discount.

Luckily they let me call home, and I woke up Erin, who told me what I needed to know, and so I could take the exam at a 50% discount. So, crisis solved. And I’m drained, completely, now. I barely slept last night, on the go since early in the morning, and it’s nearly 4PM now.

Addendum: Oh, and I passed by the way. Just barely. I needed 849 out of 1000, and I got 857. But I passed. I told you my brain was asleep!

Studying Into The Keyboard - VLSM

Wednesday, December 14th, 2005

VLSM, or Variable Length Subnet Masks, is a by-product of the advanced routing concept behind such routing protocols as IS-IS, OSPF, EIGRP and RIP version 2, called Classless Inter-Domain Routing (or CIDR, Cider, get it?). At its most simplistic, VLSM allows you to take an already subnetted network and subnet one or more of the subnets further, creating out of them yet more networks. It was developed, like all forms of subnetting, in response to the shrinking address space in the IEEE private network specifications. If you subnetted your network, in order to create separate router links you would need to use one subnet per point-to-point link. That’s two addresses used out of potentially hundreds or thousands of addresses in that one subnet. A massive waste of addresses.

VLSM, therefore, allows you to specify one subnet for all of your router links and, upon subnetting it, instead of having hundreds of addresses wasted, you can have hundreds of extra networks, each with only the requisite two addresses. Let’s run through an example (the actual point of this post, since I literally am studying into my keyboard. One of the best ways to learn something is to teach it to someone else, so that’s what I’m doing). Sit back, ladies and gentlemen, and prepare to be amazed, astounded, and bored to death! Binary, ho!

We start with the Class A private address: 10.0.0.0

It has the default subnet mask of: 255.0.0.0

We require 102 networks, one of which will be dedicated to point-to-point router links

As far as our subnetting is concerned the first octet doesn’t exist, since we can’t change it. Since we can’t change it we don’t worry about it. After that point, everything becomes binary:

255.00000000.00000000.00000000

What, boys and girls, is the subnetting formula? That’s right: 2^n - 2. Two to the power of an unknown and variable number, minus two, will give us the number of usable networks. So, we need 102 of the little buggers? Well, we can’t do that purely in binary, so we have to go as close as we can, without getting under it. So we work with place-values: 1, 2, 4, 8, 16, and so on. The closest we can get is 128. 2^8 - 2 gives us 128-2, or 126. Good. This fits, so we can work with it. We’re borrowing 8 bits for the root subnet. Our subnet mask now looks like:

255.11111111.00000000.00000000

Or

255.255.0.0

If we draw an imaginary line down the separator between the network portion and the host portion we get:

11111111.11111111|00000000.00000000

So, working from this, we start creating our subnets. Best practice states that, if you have to have one network purely to be further subnetted for router links, you make it the final network, giving you all that extra room before it to logically scale the network with minimum fuss. So, if we do the first, say, 10 networks, including network address and broadcast, we get the following diagram:


10.00000001|00000000.00000000 First Network
10.00000001|11111111.11111111 First Broadcast
10.00000010|00000000.00000000 Second Network
10.00000010|11111111.11111111 Second Broadcast
10.00000011|00000000.00000000 Third Network
10.00000011|11111111.11111111 Third Broadcast
10.00000100|00000000.00000000 Fourth Network
10.00000100|11111111.11111111 Fourth Broadcast
10.00000101|00000000.00000000 Fifth Network
10.00000101|11111111.11111111 Fifth Broadcast
10.00000110|00000000.00000000 Sixth Network
10.00000110|11111111.11111111 Sixth Broadcast
10.00000111|00000000.00000000 Seventh Network
10.00000111|11111111.11111111 Seventh Broadcast
10.00001000|00000000.00000000 Eighth Network
10.00001000|11111111.11111111 Eighth Broadcast
10.00001001|00000000.00000000 Ninth Network
10.00001001|11111111.11111111 Ninth Broadcast
10.00001010|00000000.00000000 Tenth Network
10.00001010|11111111.11111111 Tenth Broadcast
...
10.11111110|00000000.00000000 Final Network
10.11111110|11111111.11111111 Final Broadcast

Okay. So, our big subnets are worked out, all fine ‘n’ dandy. That’s just plain old subnetting thus far. Now we come to the VLSM. We take our final subnet up there, and subnet it again. We stop thinking, now, of the number of networks we need. Now we think of the number of hosts per subnet. We need 2 hosts per subnet. In order to achieve this we need to borrow 2 bits, as 2^2 - 2 = 4 - 2 = 2. In order to achieve this we allocate the remainder of the bits, 30 in total, to networks, giving us the subnet mask of:

255.11111111.11111111.11111100

Or

255.255.255.252

Taking this, and acting as if our final subnet there was our root network, we get this (I’ll only do a couple):


10.254.00000000.000001|00
10.254.00000000.000001|11
10.254.00000000.000010|00
10.254.00000000.000010|11

Giving us router links on the networks 10.254.0.4, 10.254.0.8, 10.254.0.12, etc, etc. See the pattern? Going up by 4s. It makes things easier, believe me. That’s all there is to VLSM. It’s exactly like regular subnetting, just using a different address for your root network. Simple, once you know how.
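The arithmetic above, as an added Python example (mine, not from the post) built on the standard ipaddress module. It follows the post’s 2^n - 2 rule, so the first (subnet zero) and last (all-ones) subnets are dropped at both levels, borrows the whole second octet for the big subnets as the post does, and then carves the final one into /30 point-to-point links. bits_needed gives the smallest borrow that satisfies a count, and dotted_binary prints addresses in the post’s binary notation with the ‘|’ at the network/host boundary.

```python
import ipaddress
from typing import List, Union

Net = Union[str, ipaddress.IPv4Network]


def bits_needed(count: int) -> int:
    """Smallest n with 2^n - 2 >= count: the post's formula for both the number
    of usable subnets and the number of usable hosts."""
    n = 1
    while 2 ** n - 2 < count:
        n += 1
    return n


def dotted_binary(address: str, prefix: int) -> str:
    """An IPv4 address in the post's notation: octets in binary, with '|' in
    place of the separator at the network/host boundary."""
    bits = format(int(ipaddress.IPv4Address(address)), "032b")
    out: List[str] = []
    for i, bit in enumerate(bits):
        if i and i == prefix:
            out.append("|")
        elif i and i % 8 == 0:
            out.append(".")
        out.append(bit)
    return "".join(out)


def usable_subnets(parent: Net, borrow: int) -> List[ipaddress.IPv4Network]:
    """Subnets of `parent` after borrowing `borrow` bits, minus the first
    (subnet zero) and the last (all-ones) as the 2^n - 2 rule requires."""
    subs = list(ipaddress.ip_network(str(parent)).subnets(prefixlen_diff=borrow))
    return subs[1:-1]


def point_to_point_links(parent: Net, hosts: int = 2) -> List[ipaddress.IPv4Network]:
    """VLSM step: re-subnet `parent` so each piece has `hosts` usable addresses
    (2 hosts -> 2 host bits -> /30, mask 255.255.255.252)."""
    net = ipaddress.ip_network(str(parent))
    host_bits = bits_needed(hosts)
    return usable_subnets(net, (32 - host_bits) - net.prefixlen)


def address_table(nets: List[ipaddress.IPv4Network], limit: int) -> List[str]:
    """Network/broadcast rows in the post's binary layout for the first `limit` nets."""
    rows: List[str] = []
    for i, net in enumerate(nets[:limit], 1):
        rows.append(f"{dotted_binary(str(net.network_address), net.prefixlen)} network {i}")
        rows.append(f"{dotted_binary(str(net.broadcast_address), net.prefixlen)} broadcast {i}")
    return rows


if __name__ == "__main__":
    print("bits for 102 networks:", bits_needed(102))
    big = usable_subnets("10.0.0.0/8", 8)      # the post borrows the whole second octet
    print(len(big), "usable subnets, first", big[0], "last", big[-1])
    print("\n".join(address_table(big, 3)))
    links = point_to_point_links(big[-1])      # VLSM the final subnet into /30 links
    print(links[0].netmask, "->", [str(link) for link in links[:3]])
```

The link list starts at 10.254.0.4 because subnet zero (10.254.0.0/30) is skipped under the same rule, and the addresses step by 4 exactly as the post observes; running the first block of the table reproduces the 10.00000001|00000000.00000000 layout from the diagram.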

Markdown

Wednesday, December 14th, 2005

From a post on the Asylum I discovered this wonderful Perl script called Markdown. It takes in plain text like this and turns out XHTML valid markup like this.

From their website:

Markdown is a text-to-HTML conversion tool for web writers. Markdown allows you to write using an easy-to-read, easy-to-write plain text format, then convert it to structurally valid XHTML (or HTML)

It certainly looks most interesting. I intend on testing it… sometime soon. When is a different matter, but, still. Give it a try, if you wish, and drop me a comment letting me know how you go.

