As this VMware security advisory reminds us, buy a domain under a valid, registered top-level domain for your internal DNS name resolution, so that a future TLD delegation cannot turn your private names into public ones and open the door to MITM or DNS poisoning attacks. Examples definitely not to use are .dev and .local, which directly contradicts years of "best practice". .localhost still seems to be OK, though.
Via https://isc.sans.edu/ , which links to https://isc.sans.edu/forums/diary/Stop+Using+internal+Top+Level+Domain+Names/21095/ . Note that the VMware advisory isn’t technically a zero-day, but it was released today, May 25 2016, in case you are unsure of the relevance and ongoing threat.
So what is the best practice for internal network naming? I suspect .priv, .localhost and .local may reasonably be safe for a while, but they are not best practice. From Wikipedia:
We recommend that you register DNS names for the top-most internal and external DNS namespaces with an Internet registrar.
Major takeaway: subscribe to, or at least check, the Internet Storm Center’s site on a regular basis. https://isc.sans.edu/
Lastly, note the anemic list of reserved TLDs from the RFC. https://tools.ietf.org/html/rfc2606
.test .example .invalid .localhost
Note that none of those make sense to any experienced devops person or to a client. So you’d have to map them to a valid TLD regardless, as a client can’t grok that .test will be remapped to .com on go-live. Just one more thing about the Internet that is broken, IMHO.
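As an added example (not code from the original post or the SANS diary), here is a small check an admin can run over a proposed internal zone name to apply the rule above: only an RFC 2606 reserved name (for testing) or a suffix under a domain you actually own is safe. The DELEGATED_TLDS set and the example.com ownership are constructed samples; a real check would load the current IANA root zone list instead.

```python
"""Assess an internal DNS zone name for name-collision risk.

Added example, not from the original post. Encodes the post's point: a
private suffix is only safe if it is an RFC 2606 reserved name used purely
for testing, or a registered domain you own. DELEGATED_TLDS below is a
small constructed sample; a real check should load the current IANA root
zone list (https://www.iana.org/domains/root/db) instead.
"""

# RFC 2606 reserved TLDs (the "anemic list" the post links to).
RFC2606_RESERVED = {"test", "example", "invalid", "localhost"}

# Special-use names reserved for a specific protocol; they must not be used
# as an ordinary private zone. .local is multicast DNS (RFC 6762).
SPECIAL_USE = {"local": "mDNS (RFC 6762)"}

# Constructed sample of delegated public TLDs. .dev is a real gTLD, which is
# why a name like intranet.dev now resolves on the public Internet.
DELEGATED_TLDS = {"com", "net", "org", "dev", "io"}


def assess_internal_zone(zone, owned_domains, delegated_tlds=DELEGATED_TLDS):
    """Return (verdict, reason) for a proposed internal DNS suffix.

    verdict is one of: "ok-testing", "ok-registered", "avoid-special-use",
    "collision-public-tld", "unregistered-future-tld".
    owned_domains: registered domains the organisation controls, e.g.
    {"example.com"} (placeholder; substitute your own registrations).
    """
    labels = [l for l in zone.lower().rstrip(".").split(".") if l]
    if not labels:
        raise ValueError("empty zone name")
    tld = labels[-1]

    if tld in SPECIAL_USE:
        return "avoid-special-use", f".{tld} is reserved for {SPECIAL_USE[tld]}"
    if tld in RFC2606_RESERVED:
        return "ok-testing", f".{tld} is reserved by RFC 2606 and is never delegated"
    # Does the zone sit at or under a domain we actually own?
    for owned in owned_domains:
        owned_labels = owned.lower().rstrip(".").split(".")
        if labels[-len(owned_labels):] == owned_labels:
            return "ok-registered", f"{zone} is under registered domain {owned}"
    if tld in delegated_tlds:
        return ("collision-public-tld",
                f".{tld} is delegated; public resolvers can answer for {zone}, "
                "which enables spoofing or MITM of internal hosts")
    return ("unregistered-future-tld",
            f".{tld} is not delegated today but may be in a future ICANN round")
```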
The Texas A&M Corps of Cadets Final Review from last year. It’s not a small gathering, and this year’s review is coming up next weekend. Proud of these young men and women.
The refugees are us.
We in America do not have a spotless history or a moral fall back to point to manifest destiny as a justification for our historical actions. Nor can we claim they are purely in the past given the racist and misogynistic vitriol of the current election season. In 2016 we still see these words and actions come up. As Passover is upon us, it is clear we have reached a physical place of bounty, but not, regardless of beliefs, achieved
As described by Wikipedia:
So when Jews retell that story at the first night’s traditional festive Seder, “these are not ancient, crumbling dusty issues that don’t have relevance today,” says Rabbi Eric Greenberg, a spokesman for the Multifaith Alliance for Syrian Refugees. “We can see this is actually happening now to many people, including the Syrian refugees.”
It’s a connection that resonates for Shadi Martini, 44, himself a Muslim Syrian refugee who now lives in Farmington Hills, Mich. A hospital manager in Syria, he had to start over after leaving in 2012. In the U.S., he began supplying humanitarian and medical supplies to those in need in Syria.
“We worked with everyone who offered help, and some NGOs were from Israel, and that was a big surprise,” says Martini, who is currently senior Syria adviser for the Multifaith Alliance. In Syria, which is in ongoing conflict with Israel and today has only a tiny Jewish population, he had no exposure to Jews. It was also a surprise to learn that welcoming and coming to the aid of the stranger “was a pillar of the Jewish faith,” he says.
The connections between the journey of the ancient Israelites and of refugees today are being emphasized in online readings from American Jewish World Service, whose mission is to end poverty and promote human rights in the developing world, and HIAS, formerly known as the Hebrew Immigrant Aid Society, a nonprofit that focuses on protecting and aiding refugees around the world.
Since the Seder is famous for promoting discussion, including the four questions, it was natural to ask four questions for 2016.
Why should we add readings?
Because the stories of today’s refugees echo the long history of Jewish stories of being expelled throughout history, says Ruth Messinger, president of AJWS. That history includes being forced from Spain in 1492 and from Nazi Europe in the 1930s. All these instances, past and present, have to do with “individuals and groups asserting their rights to be and live where they are” and remind us of times and places “where the government is saying we will deprive you of the rights that other people in this country have.” When the Haggadah, the text that is read at the Seder, instructs us to remember that we were strangers in a strange land, she says, that means it is “our responsibility” to reach out to refugees in need.
What are the modern-day plagues?
The Haggadah lists the 10 plagues visited upon Egypt as the Pharaoh refuses again and again to let the Israelites go. To provide insight into what displacement means today, the HIAS supplement lists “10 Plagues Facing Refugees in the U.S. and Worldwide.” The list — which includes violence, dangerous journeys, poverty, lack of access to education, anti-refugee legislation and loss of family — is accompanied by facts and figures.
Have we done enough?
Another seder favorite is the song Dayenu, whose refrain proclaims that any single one of the miracles that led, step by step, to the exodus would have been dayenu — Hebrew for “enough.” “It’s a great lyric” that speaks of gratitude and appreciation, says Messinger. The AJWS version provides a different twist, which acknowledges that in addition to appreciating what is being done, there is still more work ahead. One verse goes, in part:
If the world responds only to the cries of the wounded, but does not stay to help them heal… It will not be enough.
However, if we sustain our support until stability, peace and independence have been attained…Dayenu! Then it will be enough.
Why is there a pair of Nikes on your doorstep?
In a new ritual, HIAS asks Seder participants “to place a pair of shoes on the doorstep of your home to acknowledge that none of us is free until all of us are free and to pledge to stand in support of welcoming those who do not have a place to call home.” This acknowledges that “we have stood in the shoes of refugees, and as we’re celebrating our freedom we are committing to stand with today’s refugees, and take a stand,” says Rabbi Jennie Rosenn, vice president of community engagement at HIAS. You can choose your own moment to place shoes at the door, but one possibility is at the Haggadah passage that reads, “My father was a wandering Aramean.” This suggests “the essence of the Jewish experience: a rootless people who have fled persecution time and time again,” says the HIAS supplement. “When we recite these words, we acknowledge that we have stood in the shoes of the refugee.”
“I shut my eyes and all the world drops dead; I lift my eyes and all is born again.”
– Sylvia Plath
We are gathered here today
To get through this thing called life
Electric word “life”
It means forever and that’s a mighty long time
But I’m here to tell you, there’s something else
Upgrade Ubuntu 14.04 LTS to the newest kernel just in case you want to play with later versions of Dockers or systemd on an LTS release.
DISCLAIMER – MESSING WITH THE KERNEL CAN BE BAD. RUN YOUR BACKUPS AND SNAPSHOTS AND DON’T PLAY WITH LIVE AMMO!
Step 1 – First check “kernel.ubuntu.com/~kernel-ppa/mainline” to find out the current mainline kernel. As I type this it is 4.3.4, but you may not want to copy and paste these as it has probably changed by the time you read this. It is software, right?
sudo su
mkdir -p /home/ubuntu/kernels
cd /home/ubuntu/kernels/
wget kernel.ubuntu.com/~kernel-ppa/mainline/v4.3.4-wily/linux-headers-4.3.4-040304_4.3.4-040304.201601230132_all.deb
wget kernel.ubuntu.com/~kernel-ppa/mainline/v4.3.4-wily/linux-headers-4.3.4-040304-generic_4.3.4-040304.201601230132_amd64.deb
wget kernel.ubuntu.com/~kernel-ppa/mainline/v4.3.4-wily/linux-image-4.3.4-040304-generic_4.3.4-040304.201601230132_amd64.deb
sudo dpkg -i linux-headers-4.3.4*.deb linux-image-4.3.4*.deb
sudo reboot
NOTE: I have hit an error on this upgrade several times similar to this:
Errors were encountered while processing:
The fix was to run these
apt-get -f install
Next you MUST REBOOT. Then log back in and check which kernel you are running (uname -a is the usual check).
# From that you get a long string, and in the string you should see the new kernel version (4.3.4 in this example).
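As an added example (not code from the original post), here is a scripted version of the steps above that checks each .deb against a published checksum list before dpkg -i, and after the reboot compares uname -r with the release it expects. It assumes the mainline build directory carries a CHECKSUMS file with “<sha256>  <filename>” lines (confirm that in the directory listing; if a detached signature is published next to it, verify that too). The version, build id and timestamp are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Run as root (the post uses
# "sudo su"). Usage: ./kernel-upgrade.sh install   then, after reboot,
#                    ./kernel-upgrade.sh check
# ASSUMPTION: the mainline build directory publishes a "CHECKSUMS" file with
# "<sha256>  <filename>" lines; check the directory listing yourself.
set -e

BASE="https://kernel.ubuntu.com/~kernel-ppa/mainline"
VERSION="4.3.4"        # kernel version as listed in the mainline index
BUILD="040304"         # build id embedded in the package names
SERIES="wily"          # release codename used in the directory name
STAMP="201601230132"   # build timestamp from the package names in the post

# The release string "uname -r" should report after the reboot.
expected_release() {
    printf '%s-%s-generic\n' "$1" "$2"
}

# Returns 0 when the running kernel is the one we installed.
kernel_matches() {
    [ "$(uname -r)" = "$(expected_release "$1" "$2")" ]
}

# Verify one file against "<sha256>  <name>" lines in a checksum file.
# A file with no entry fails, so a missing line is never treated as success.
verify_sha256() {
    sums="$1"; file="$2"
    name=$(basename "$file")
    line=$(grep -E "^[0-9a-f]{64}  $name\$" "$sums" | head -n 1) || true
    [ -n "$line" ] || { echo "no sha256 entry for $name" >&2; return 1; }
    expected=${line%% *}
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# Download the three packages from the post, verify them, then install.
fetch_and_install() {
    dir="$BASE/v$VERSION-$SERIES"
    work="/home/ubuntu/kernels"
    mkdir -p "$work" && cd "$work"
    pkgs="linux-headers-${VERSION}-${BUILD}_${VERSION}-${BUILD}.${STAMP}_all.deb
linux-headers-${VERSION}-${BUILD}-generic_${VERSION}-${BUILD}.${STAMP}_amd64.deb
linux-image-${VERSION}-${BUILD}-generic_${VERSION}-${BUILD}.${STAMP}_amd64.deb"
    wget -q "$dir/CHECKSUMS"   # assumed filename, see note above
    for p in $pkgs; do
        wget -q "$dir/$p"
        verify_sha256 CHECKSUMS "$p" || { echo "checksum mismatch: $p" >&2; exit 1; }
    done
    dpkg -i linux-headers-${VERSION}*.deb linux-image-${VERSION}*.deb
    echo "installed; reboot, then run: $0 check"
}

case "${1:-}" in
    install) fetch_and_install ;;
    check)   kernel_matches "$VERSION" "$BUILD" && echo "running $(uname -r)" ;;
esac
```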
Keep googling for more, or duckduckgo-ing. My biggest advice would be to create a throw-away VM in the cloud to test this stuff. VMWare isn’t great for networking by “sox” imho.
invisible ink here
It is important to note that suddenly, and against all probability, a Sperm Whale had been called into existence, several miles above the surface of an alien planet and since this is not a naturally tenable position for a whale, this innocent creature had very little time to come to terms with its identity.
This is what it thought, as it fell:
Ahhh! Woooh! What’s happening? Who am I? Why am I here? What’s my purpose in life? What do I mean by who am I?
Okay okay, calm down, calm down, get a grip now. Ooh, this is an interesting sensation. What is it? It’s a sort of tingling in my… well, I suppose I’d better start finding names for things. Let’s call it a… tail! Yeah! Tail! And hey, what’s this roaring sound, whooshing past what I’m suddenly gonna call my head? Wind! Is that a good name? It’ll do.
Yeah, this is really exciting. I’m dizzy with anticipation! Or is it the wind? There’s an awful lot of that now, isn’t there? And what’s this thing coming toward me very fast? So big and flat and round, it needs a big wide-sounding name like ‘Ow’, ‘Ownge’, ‘Round’, ‘Ground’! That’s it! Ground! Ha!
I wonder if it’ll be friends with me? Hello Ground!
OPINION: The topic is init scripts. The part of a computer that determines what starts first and next and next etc. Most of my readers, and I thank you both, will want to close this tab in your browser and come back on a non-geeky day.
System init. – Do you need your keyboard before your monitor? Nah, we’ll bring up the monitor before the keyboard. And yet we have bigger issues, like when to initialize the CPU, RAM, HDs, USVs, peripherals, etc.
So I was updating my automatic services in Windows… oh wait, no, it was in Linux on 14.04.3, and everything kept telling me the same thing.
zOMG why are you using upstart when systemd is the bright-new-shiny!?!?
I know I’ll have to give in, but this thing smells like something between SELinux and Windows NT’s implementation of POSIX.
The following is a repost of a fb post by Houston’s own Andrew Rebman. A photographer, gentleman, generous, observant, kind, and welcoming soul. He truly loved Houston and will be missed by us all, including many who don’t even know he is the man behind so many photos they have seen.
At 42, we lost him far too young.
“I shambled after as I’ve been doing all my life after people who interest me, because the only people for me are the mad ones, the ones who are mad to live, mad to talk, mad to be saved, desirous of everything at the same time, the ones that never yawn or say a commonplace thing, but burn, burn, burn like fabulous yellow roman candles exploding like spiders across the stars and in the middle you see the blue centerlight pop and everybody goes ‘Awww!’”
His facebook page is now a tribute page and the chron has his obituary up. That’s all we know right now. The following is from FB and the chron.
Andrew Adair Rebman
Andrew Adair Rebman died peacefully the 22nd of February 2016 at the age of 42.
He is survived by his parents, John and Gina Rebman; sister, Jennifer Rebman Tyler, and her husband, John Tyler and their sons, Nicholas and Christopher, and his large extended family. The memorial service is to be conducted at three o’clock in the afternoon on Sunday, the 6th of March, in the Jasek Chapel of Geo. H. Lewis & Sons, 1010 Bering Drive in Houston. In lieu of flowers, contributions may be made in his honor to Hermann Park Conservancy, 1700 Hermann Park Drive, Houston, TX 77004; Lifeline Chaplaincy, 1415 Southmore Blvd., Houston, TX 77004; or to a charity of your choice.
American corporate espionage preparedness, in a random sample and via anecdotes, is in bad shape. We are not prepared.
The video is 30 minutes but worth it for training your team. Now a question.
What is the technical difference between a Speaker (thump thump) and a Microphone (can you hear me now?)?
NOTHING. There is no difference between a speaker, headphones or a microphone. No. Difference. At. All. None.
Plug your headset into the microphone jack on the stereo and poof – you have a mic.
Why do you care? Because your employees might be relaxing after work at the local vegan cafe, just unwinding, spending 20 minutes at the salad bar, while nearby people hypothetically get bored. “Hackers aren’t vegans,” you say, “so it can’t happen here.”
Mics vs speakers – the answer is that anyone can just put their iPhone down with the headphones plugged in and record away. Especially if the marks are “extremely loud bar talkers,” as these two were.
Identity? Well gosh, they left their credit card receipt detail side up, so I could helpfully straighten their table and take a quick photo of their info on the way to the restroom.
How does this impact you? Well, these two gentlemen next to me are clearly in town for a conference. Still wearing lanyards with Fortune 500 company logos? Accents? Of course; we’re either the first or second most diverse city in the USA.
Again, it’s Houston – we know what’s going on. Houston is all about the back channel. And once you’re dialed in? Well, it’s kinda like The Matrix. Seriously – why else would millions of people live in a paved-over swamp with the moniker “The Bayou City”?
Back to the situation at hand. These fools are spouting corporate secrets next to me because I have headphones on and my audio turned off.
I’m a white hat, so no, I did not record anything, and I will not inform their companies, nor will I inform them. No, I did not take a detailed photo of their receipt, although it sits just to my right at the moment, as it has for 10 minutes.
Honestly I have other battles to fight. And so do you. Yet make no mistake – if they had revealed some anti-American activity I would have arranged for them to meet up with some of my friends who love America as much as me and my friends know how to handle such matters delicately.
This blog post is simply an anecdote, a story that is true, of knuckle-heads who weren’t thinking before they spoke.
As for companies that employ people, what are our options? First the obvious – we can try to hire for common sense. Then you can train and test – I do drills to test our team.
Big picture? What will work best? Dunno. I do know ignoring the issue of human hacking /social engineering isn’t the solution.
To repeat, we know humans are the weak link because I’ve tested it with my own company and as a paid approved pentester at the request of some of our clients. I’ve unfortunately been 100% successful in finding security holes in my pre-approved and client authorized tests.
Even when the employees KNEW ahead of time that someone was testing the systems. I’ve yet to fail to find an opening, and honestly I’m not that good at the whole pentesting thing… like, I don’t have the best tools or an infinite budget or even a good lock pick set with a proper bump key.
In other words – I’m amateur at best and only to protect my own clients.
But sheesh, a little reality training would go a long way with folks like this. The humans are almost always the weak point. I was in one restaurant and they said “ya, the Internet has been spotty for days.” I said “well maybe I can help. Would you mind taking photos of the front, back, connections and the serial number on your router and I might be able to fix it.”
I still have the photos on an encrypted drive somewhere. My point is I didn’t misrepresent myself as a Comcast employee or whatever. I just said I was a customer and that I might be able to help.
Back to our main storyline. It is YOU, the management team and every employee who is handling YOUR company’s data. It should take more than sitting down next to two guys drinking IPAs for me to even have the opportunity to gather that type of intel.
And the router example where the waiter literally texted me all of the technical specs of the router? xOMG, no excuse.
In the various circumstances I fixed their internet, got their credit card processing systems working again, reset passwords with upper management’s permission. I did what I would do with my own family’s business.
What did happen is that even with permission and weeks of advance notice, zero clients or friends have had a network my team tested that was properly secured. It was not barriers already installed that blocked us. On the rare occasion we were too impatient to power through something (which we can do), it was laziness: we were simply tired and wanted to go home. So we’d just ask a manager and say it was part of the test. Seriously.
Grok that. Leaders at a company who were specifically told who we were, that we were there to test network security, that it was serious and that they were to block us in every way possible. Those managers would give you the keys to the kingdom if I asked the right way. (The “right way” is vague on purpose. I’ll do another post on that one later.)
Perhaps the scariest part is that I personally was never impeded by even the most basic security training for these employees or their own intellectual “well duh I shouldn’t do that” factor. In every instance if I hit a roadblock they helped me bypass any remaining obstacles.
- Train. Train. Train your people.
- Know, don’t expect but know they will get in. So shrink the attack vectors and restore from a known clean backup regularly.
- Try not to get anyone fired. The business owner would have been just as clueless.
PS – for the curious, the fastest network break-in I’ve ever done? 5 minutes. The owner asked us to test his network security. I agreed and we agreed on a price (remember, this guy didn’t know me from Adam). Then I said, “Of course we’ll need your login to monitor how the red team is doing.” He then just blurted out his username/password for the network and for his email. And assured us it wouldn’t be a problem with anything else because he always “used the same password.” Gosh. We printed nice reports and pounded sand for a few days, but it was the fastest… whatever you want to call it.
PPS – I bet if you owned stock in that corporation and liked the CEO you’d call it a hack. Similarly if a black hat, you’d call it like it was.
From: Falling behind? by Jamie Varon
But, honestly, here’s the thing that nobody really talks about when it comes to success and motivation and willpower and
goals and productivity and all those little buzzwords that have come into popularity: you are as you are until you’re not.
You change when you want to change. You put your ideas into action in the timing that is best. That’s just how it happens.
And what I think we all need more than anything is this: permission to be wherever the fuck we are when we’re there.
You’re not a robot. You can’t just conjure up motivation when you don’t have it.
There’s a magic beyond us that works in ways we can’t understand. We can’t game it. We can’t 10-point list it. We can’t control it. We have to just let it be, to take a fucking step back for a moment, stop beating ourselves up into oblivion, and to let the cogs turn as they will. One day, this moment will make sense. Trust that.
Give yourself permission to trust that.
Jamie Varon is a writer based out of Los Angeles. You can connect with her on Twitter, Instagram, and at her Facebook page. Because we all need candid smart and fearless thinkers in our lives. This one impresses me.
I recently posted a link on facebook to Sci-Hub.io. Known as the Pirate Bay of the science world created 2011 by neuroscientist Alexandra Elbakyan. After posting the article link to FB there was one single response. A response that seemed to imply the pirate site was childish theft. That it was an “I want everything for free” attitude. It’s hard to argue otherwise. Us and our first world problems.
- Theft? Yes. I agree that the current economic structure in academics does in fact technically make this theft. So hey, Professor Elbakyan is having an American Tea Party in St. Petersburg.
- Further, I believe it is our current economic structure that is broken. Oh, and that JSTOR is run by boneheads who couldn’t solve a problem creatively if their lives depended on it. As we say in programming – “garbage in, garbage out.”
Taken from a behavioral perspective, if you recall, before the itunes store made buying songs easy, everyone downloaded them for free. Before the kindle made downloading books electronically cheap and convenient, everyone downloaded them for free. Make it convenient or someone else will make it really convenient!
First, what is sci-hub.io? From the article “Researcher illegally shares millions of science papers free online to spread knowledge” by Fiona MacDonald:
A researcher in Russia has made more than 48 million journal articles – almost every single peer-reviewed paper ever published – freely available online. And she’s now refusing to shut the site down, despite a court injunction and a lawsuit from Elsevier, one of the world’s biggest publishers.
For those of you who aren’t already using it, the site in question is Sci-Hub, and it’s sort of like a Pirate Bay of the science world. It was established in 2011 by neuroscientist Alexandra Elbakyan, who was frustrated that she couldn’t afford to access the articles needed for her research…
Maybe I had a knee-jerk reaction of vindication seeing this research become freely available after the tragedy of Aaron Swartz’s suicide in 2013, following overzealous prosecution for accessing JSTOR documents from the MIT network. I’m seriously wondering if JSTOR is trying to make sure Martin Shkreli quits dominating the “evil capitalist stories” the media likes to write.
And to be clear, I walk the talk. Our company’s product is Tendenci – the Open Source Membership Management Software (on GitHub too), and most of my photography is Creative Commons Attribution, as seen used in the publication below, fully within copyright law with attribution. We can play nicely together.
JSTOR’s purpose, after all, is to:
JSTOR was founded to be a shared digital archive serving the scholarly community. We understand the value of the scholarship and other material on the platform and that the future accessibility of this content is essential. Libraries around the world rely on us and contribute Archive Capital Fees to JSTOR for preservation activities.
To understand a Russian academic’s perspective, this data I found on the Internet for free says that the overall average monthly income in Russia in 2005 was a NET total of $263 per month. So that $25 JSTOR article, for which the author was paid nothing by JSTOR, is 10% of that Russian student’s monthly income.
That kind of changes your perspective a bit, huh?
I can and do understand why people would immediately view sci-hub.io as theft. Except for academics this just isn’t a black and white issue. There are a few differences.
I can’t afford to pay $45 for every research paper I want to read knowing the research was funded by federal grants, underwritten by the University and the authors were not compensated.
Why not bring the economics down to the level of the app store?
How does JSTOR add value if they don’t pay the authors and didn’t write the content? Their answer is “peer review and legitimacy,” but those can now be conveyed on the internet. Aren’t there other solutions?
Why can’t we sign a peer-reviewed article with a blockchain? It’s not just JSTOR but modern academics that haven’t kept up. Being a non-profit doesn’t mean you get to ignore everything that is going on with economics via externalities.
I’ll leave those thoughts for y’all to ponder. As for me I discovered a fully legal work around for when I wanted an academic article years ago. And here it is:
How to get 95% of the academic articles you want on the Internet for free with google.
Problem: writing a research paper for a national PR Magazine on “Intrinsic Motivation and Extrinsic Incentives”. Solution:
- Search Google Scholar. https://scholar.google.com/ – Yes, Google Scholar and NOT Google. This will lead you to academic research on the subject for sale at some relatively high price on a site like JSTOR. This was my search: “Intrinsic Motivation and Extrinsic Incentives” http://bit.ly/1Od1fRR
- COPY a large amount of text from the abstract or the preview they show you on the overview page on JSTOR (or any of the academic pay-or-no-knowledge-for-you sites). Highlight it. Copy it verbatim.
- Now go back to www.google.com (not Google Scholar, but regular Google this time).
- Paste that monster block of text into google.com, and odds are you will find a link to a PDF version of the article on someone’s server, available for free.
- That led me to about 5 links to academic servers with the full PDF available for download at no cost. Example:
And the bottom line is the TOPIC I was interested in in a peer reviewed science journal as recent at 2014 was downloaded within 5 minutes. It takes me longer to print it than find it. Not that sci-hub.io probably couldn’t do it even faster. And that is a good thing for the globe. Now back to reading….
… In our study area, despite the potential of infestation of opportunistic behaviors by workers, a fixed wage (FW) contract has been dominant for rice planting since the 1960s. To account for this puzzle of a seemingly-inefficient contractual arrangement, we adopt a hybrid experimental method of framed field experiments by randomly assigning three distinct labor contracts, i.e., FW, individual piece rate (IPR), and group piece rate (GPR) contracts and artefactual field experiments to elicit social preference parameters. Through the analyses of individual workers’ performance data from framed field experiments and data on social preferences elicited by artefactual field experiments, three main empirical findings emerge. First……
Life can be complex. But I got what I wanted. I didn’t use it, because after scanning it, it wasn’t the article I was looking for. It went unused, I didn’t pay for it, and I threw it away, but mainly I acquired it and came to that decision faster than I could have typed in my credit card number to buy it from JSTOR.
In this case the economics didn’t match the need. I solved it for myself, and sci-hub is apparently solving it for millions. Open our minds and find a better optimum solution. We can and should do this.