My co-worker Austin created a nice “I Voted” sticker using Sprout. Click “Me too” to get your copy.

It was overall a good fourth of July this year. I was up until 2AM this morning working with a co-worker on a problem with a proxy server we run for Sprout. I was wishing that I had iotop. After things were under control I turned my alarm off and slept till 1:30 this afternoon.

Drew called wondering where I was at, so I took a shower, packed up, and headed to Kapiolani Park to hang out. It’s a short walk to the park from my apartment, and an even nicer walk once it gets dark out, due to the temperature drop.

We had a few great jam sessions at Kapiolani park. I had a great time being able to play my ukulele with some friends. I met some new people and whipped Rob’s butt at Ladder Golf again.

Youseph was mentioning that they start the fireworks show at midnight there in Juneau. It gets dark here by 8PM so they started the fireworks show at Ala Moana at 8:30. We plopped down in the sand and watched from Kaimana beach.

We hung out in the park until about 10PM and then I headed home, covered in black specks from the fireworks people were lighting off in the park. A second shower was nice tonight. Time to start a movie and head to sleep.

Yoshi: Ok so I keep in my front pocket a black uni-ball vision elite. .08 writing thickness i believe.
Yoshi: It writes thicker than your “normal” pen.
Yoshi: so i keep that in my front pocket.
Yoshi: At work i keep a 1 black one and 1 red one. So i write out my GTD lists once a week now. Anything important that needs my attention that day is written in red. Red items are my must do.
Yoshi: Here are what the pens i use look like: http://farm1.static.flickr.com/209/456999513_7173cf42aa.jpg?v=0

three pens

I did finally find the post he wrote that talked about the pen he uses: Notepad GTD

And so I don’t have to look it up again, Product page at officedepot.com.

Thanks, Yoshi!

Luckily I only had a few hosts to update, and only the host keys, not any authorized_keys files. It’s important to review any public SSH keys that you’ve added to authorized_keys files, fix ssh host keys (apt-get dist-upgrade on debian), and deal with SSL certs generated on affected Debian (and derivative) distributions.

Ubuntu Security Notice USN-612-1

Weakness in Debian undermines crypto

  • “A flaw in the way that OpenSSL is implemented in the Ubuntu and Debian distributions of Linux have earned the software an unenviable adjective in the world of encryption: Predictable.”
  • “All OpenSSH and X.509 keys generated on such systems must be considered untrustworthy, regardless of the system on which they are used, even after the update has been applied”
  • “This flaw is ugly because even systems that do not use the Debian software need to be audited in case any key is being used that was created on a Debian system.”

Debian OpenSSL Predictable PRNG Toys

  • “All SSL and SSH keys generated on Debian-based systems (Ubuntu, Kubuntu, etc) between September 2006 and May 13th, 2008 may be affected. In the case of SSL keys, all generated certificates will need to be recreated and sent off to the Certificate Authority to sign. Any Certificate Authority keys generated on a Debian-based system will need to be regenerated and revoked. All system administrators that allow users to access their servers with SSH and public key authentication need to audit those keys to see if any of them were created on a vulnerable system. Any tools that relied on OpenSSL’s PRNG to secure the data they transferred may be vulnerable to an offline attack. Any SSH server that uses a host key generated by a flawed system is subject to traffic decryption and a man-in-the-middle attack would be invisible to the users. This flaw is ugly because even systems that do not use the Debian software need to be audited in case any key is being used that was created on a Debian system.”

Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit

  • “Enjoy the shell after some minutes (less than 20 minutes)”
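The audit described above boils down to one mechanical step: fingerprint every public key you accept (authorized_keys entries and ssh_host_*_key.pub files share the same line format) and compare the fingerprints against the published list of keys produced by the broken PRNG. The following Ruby is an added example, not code from this post or from Debian's ssh-vulnkey; the key blobs and the blocklist are constructed so it runs offline, and the parser deliberately handles the options field (including command="..." values containing spaces), comment lines and blank lines, which a naive split on whitespace gets wrong.

```ruby
require 'base64'
require 'digest'
require 'set'

# Constructed key blobs: these are NOT real keys, just base64 payloads so the
# file parses. Real blobs are the base64 SSH wire encoding of the public key.
BLOB_ALICE  = Base64.strict_encode64('constructed key material: alice')
BLOB_DEPLOY = Base64.strict_encode64('constructed key material: deploy')
BLOB_BACKUP = Base64.strict_encode64('constructed key material: backup')

# Constructed authorized_keys content. Line 3 carries an options field whose
# command= value contains spaces; line 4 is a comment; line 5 is blank.
SAMPLE_AUTHORIZED_KEYS = <<~KEYS
  ssh-ed25519 #{BLOB_ALICE} alice@laptop
  ssh-rsa #{BLOB_DEPLOY} deploy@build-box
  command="echo hi there",no-port-forwarding ssh-rsa #{BLOB_BACKUP} backup@nas
  # old key, kept for reference

KEYS

KeyEntry = Struct.new(:options, :type, :blob, :comment)
KEY_TYPE = /\A(ssh-|ecdsa-|sk-)/

# OpenSSH's classic MD5 fingerprint: MD5 over the decoded blob, colon-separated.
# Returns nil for a blob that is not valid base64 rather than raising.
def md5_fingerprint(blob_b64)
  Digest::MD5.hexdigest(Base64.strict_decode64(blob_b64)).scan(/../).join(':')
rescue ArgumentError
  nil
end

# Split "options key-type blob comment" at the first whitespace that is not
# inside double quotes, so command="..." values with spaces survive.
def split_options(line)
  in_quotes = false
  line.each_char.with_index do |ch, i|
    in_quotes = !in_quotes if ch == '"' && !(i > 0 && line[i - 1] == '\\')
    return [line[0...i], line[(i + 1)..-1]] if ch =~ /\s/ && !in_quotes
  end
  [line, '']
end

def parse_line(line)
  options = nil
  options, line = split_options(line) unless line =~ KEY_TYPE
  type, blob, comment = line.split(/\s+/, 3)
  return nil unless type && blob
  KeyEntry.new(options, type, blob, comment.to_s.strip)
end

def parse_authorized_keys(text)
  text.each_line.filter_map do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    parse_line(line)
  end
end

# Return the entries whose fingerprint appears in the blocklist.
def audit_keys(text, blocklist)
  parse_authorized_keys(text).select { |e| blocklist.include?(md5_fingerprint(e.blob)) }
end

# Constructed blocklist standing in for the distributed list of weak-key
# fingerprints; here it marks the deploy key as generated on an affected host.
WEAK_FINGERPRINTS = Set[md5_fingerprint(BLOB_DEPLOY)]

if $PROGRAM_NAME == __FILE__
  audit_keys(SAMPLE_AUTHORIZED_KEYS, WEAK_FINGERPRINTS).each do |e|
    puts "WEAK: #{e.type} #{e.comment} (#{md5_fingerprint(e.blob)})"
  end
end
```

Debian and Ubuntu shipped ssh-vulnkey and the openssh-blacklist package for exactly this comparison; the point of doing it yourself is that the check has to run on every host that accepts a key, not only on the hosts that were upgraded, because a weak key copied into authorized_keys on an unaffected machine is still weak.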

In other news, brute-force SSH attacks are on the rise.

Admins warned of brute-force SSH attacks

A couple OpenSSH tips that come to mind:

  • Have OpenSSH listen on a non-standard port. This can reduce the noise from automated scans, but it also makes it more tedious to ssh to hosts (“Port” or “ListenAddress addr:port” in sshd_config). I personally don’t like this option.
  • Disable password-based authentication (“PasswordAuthentication no” in sshd_config).
  • Restrict access to accounts by source address (“AllowUsers user@host” patterns in sshd_config).
  • Watch your sshd logs and deny access to sources that repeatedly fail to authenticate.
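The last tip is the one that needs code: failed logins have to be counted per source address inside a time window, otherwise a user who mistypes a password once a week looks like an attacker. This Ruby block is an added example rather than anything from the post; the auth.log lines are constructed, and the threshold, window and hosts.deny output format are choices of the example.

```ruby
require 'time'

# Constructed auth.log excerpt: one source hammering several usernames within
# seconds, one legitimate user with a single typo, one lone probe.
SAMPLE_AUTH_LOG = <<~LOG
  May 14 03:12:01 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
  May 14 03:12:03 web1 sshd[2233]: Failed password for root from 203.0.113.7 port 51240 ssh2
  May 14 03:12:05 web1 sshd[2235]: Failed password for invalid user oracle from 203.0.113.7 port 51244 ssh2
  May 14 03:12:08 web1 sshd[2237]: Failed password for invalid user test from 203.0.113.7 port 51250 ssh2
  May 14 03:15:40 web1 sshd[2301]: Accepted publickey for deploy from 192.0.2.10 port 40212 ssh2
  May 14 03:16:02 web1 sshd[2305]: Failed password for deploy from 192.0.2.10 port 40215 ssh2
  May 14 03:16:09 web1 sshd[2307]: Accepted password for deploy from 192.0.2.10 port 40217 ssh2
  May 14 03:18:00 web1 sshd[2310]: Failed password for invalid user admin from 198.51.100.22 port 60001 ssh2
LOG

# Matches OpenSSH's "Failed password" line with or without "invalid user".
FAILED = /\A(?<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?<user>\S+) from (?<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+/

Failure = Struct.new(:time, :user, :ip)

def parse_failures(log)
  log.each_line.filter_map do |line|
    m = FAILED.match(line) or next
    # syslog timestamps carry no year; strptime fills in the current one,
    # which is fine for the relative comparisons below.
    Failure.new(Time.strptime(m[:ts].squeeze(' '), '%b %d %H:%M:%S'), m[:user], m[:ip])
  end
end

# Flag a source when any window of `window` seconds holds >= `threshold` failures.
def brute_force_sources(log, threshold: 3, window: 120)
  report = {}
  parse_failures(log).group_by(&:ip).each do |ip, events|
    events.sort_by!(&:time)
    flagged = events.each_index.any? do |i|
      t = events[i].time
      events[0..i].count { |e| t - e.time <= window } >= threshold
    end
    next unless flagged
    report[ip] = {
      failures: events.size,
      users: events.map(&:user).uniq,
      first: events.first.time,
      last: events.last.time
    }
  end
  report
end

# TCP-wrappers style lines for /etc/hosts.deny; swap in your firewall's syntax as needed.
def deny_rules(report)
  report.keys.map { |ip| "sshd: #{ip}" }
end

if $PROGRAM_NAME == __FILE__
  report = brute_force_sources(SAMPLE_AUTH_LOG)
  report.each { |ip, r| puts "#{ip}: #{r[:failures]} failures, users #{r[:users].join(',')}" }
  puts deny_rules(report)
end
```

With the defaults, 203.0.113.7 is reported (four failures in seven seconds across four usernames) while the deploy user's single typo and the lone probe from 198.51.100.22 are not; tune the window and threshold to your own log volume before wiring the output into hosts.deny or a firewall, and never block the address you administer from.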

Buddy Media, creator of AceBucks, buys Facebook Apps from ChipIn and then spams the users:

Buddy Media Spam

  1. I am not an AceBucks member.
  2. I did not express interest in receiving emails regarding AceBucks.
  3. This email was in no way related to the Pirates vs Ninjas application itself.

The hotel across the street lost power:

Hotel - No Power

They finally got power back after several hours:

Hotel - No Power

(I need to get a tripod)

John Petrucci has a video out called “Rock Discipline”. This video attacks the speed that he plays at. I was in tears watching it.

Be careful if running your Ruby application in a VPS that doesn’t have a standard MAC address (OpenVZ/Virtuozzo): uuidtools’ UUID.timestamp_create fails there.


[rails@rails ~]$ irb
irb(main):001:0> require 'rubygems'
=> true
irb(main):002:0> require 'uuidtools'
=> true
irb(main):003:0> UUID.timestamp_create
NoMethodError: private method `split' called for nil:NilClass
from /usr/local/lib/ruby/gems/1.8/gems/uuidtools-1.0.0/lib/uuidtools.rb:236:in `timestamp_create'
from /usr/local/lib/ruby/gems/1.8/gems/uuidtools-1.0.0/lib/uuidtools.rb:226:in `synchronize'
from /usr/local/lib/ruby/gems/1.8/gems/uuidtools-1.0.0/lib/uuidtools.rb:226:in `timestamp_create'
from (irb):3
irb(main):004:0>

UUID.random_create works, though:


irb(main):005:0> UUID.random_create
=> #<UUID:0x20254aac UUID:debe5522-85e3-4119-8e31-5746f8f52449>

As a side note, the uuid gem has problems determining the MAC address when creating its state file as well.


-bash-3.00# uuid-setup
uuid: No UUID state file found, attempting to create one for you:
/usr/local/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:27: command not found: ipconfig /all
Could not find any IEEE 802 NIC MAC addresses for this machine.
You need to create the uuid.state file manually.

When using this I would manually create the uuid.state file and place it in /usr/local/lib/ruby/gems/1.8/gems/uuid-1.0.3 (I don’t remember exactly, and have since removed the uuid gem). If you don’t, your app will complain about the uuid.state file being missing.
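Both failures above come from the same assumption: a time-based (version 1) UUID needs a 48-bit node field, and the libraries fill it from the first NIC's MAC address, which an OpenVZ container's venet0 does not have. RFC 4122 section 4.5 gives the fallback the gems did not take: use 47 random bits and set the multicast bit, so the value can never collide with a real hardware address. The Ruby below is an added example, not uuidtools' or the uuid gem's code; the two interface dumps are constructed stand-ins for `ip link` output, and the generator is a minimal v1 implementation written for illustration.

```ruby
require 'securerandom'

# Constructed `ip link` style output from a container with no hardware address.
OPENVZ_DUMP = <<~IP
  1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
  2: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
      link/void
IP

# Constructed output from an ordinary host (locally administered unicast MAC).
NORMAL_DUMP = <<~IP
  1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
  2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
      link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
IP

MAC_RE = /(?:[0-9a-f]{2}:){5}[0-9a-f]{2}/i

# First usable unicast hardware address in the dump, as 6 bytes, or nil.
def node_from_interface_dump(dump)
  dump.scan(MAC_RE).each do |mac|
    bytes = mac.split(':').map { |h| h.to_i(16) }
    next if bytes.all?(&:zero?)   # loopback or unconfigured
    next if bytes[0].odd?         # multicast/broadcast bit set: not a NIC address
    return bytes
  end
  nil
end

# RFC 4122 fallback: 47 random bits with the multicast bit forced on.
def random_node
  bytes = SecureRandom.random_bytes(6).bytes
  bytes[0] |= 0x01
  bytes
end

def node_for_host(dump)
  node_from_interface_dump(dump) || random_node
end

# 100ns ticks between the Gregorian reform (1582-10-15) and the Unix epoch.
GREGORIAN_OFFSET = 0x01B21DD213814000

# Version 1 UUID from a node id, a time and a 14-bit clock sequence.
def uuid_v1(node, time: Time.now, clock_seq: SecureRandom.random_number(1 << 14))
  ts = (time.to_r * 10_000_000).to_i + GREGORIAN_OFFSET
  time_low = ts & 0xFFFFFFFF
  time_mid = (ts >> 32) & 0xFFFF
  time_hi  = ((ts >> 48) & 0x0FFF) | 0x1000   # version nibble = 1
  cs_hi    = ((clock_seq >> 8) & 0x3F) | 0x80  # variant bits = 10
  cs_lo    = clock_seq & 0xFF
  format('%08x-%04x-%04x-%02x%02x-%s', time_low, time_mid, time_hi, cs_hi, cs_lo,
         node.map { |b| format('%02x', b) }.join)
end

if $PROGRAM_NAME == __FILE__
  puts "ordinary host: #{uuid_v1(node_for_host(NORMAL_DUMP))}"
  puts "OpenVZ guest:  #{uuid_v1(node_for_host(OPENVZ_DUMP))}"
end
```

A random node id must be generated once per process and reused, and the clock sequence must change whenever the node or clock goes backwards, which is exactly the state the uuid gem keeps in its uuid.state file; if you only need an unguessable identifier and not a sortable timestamp, UUID.random_create sidesteps the whole problem, as the post found.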

I came across the following error trace when attempting to use Capistrano to set up my app:


$ cap -f config/deploy-client.rb setup
* executing task setup
* executing "umask 02 &&\n mkdir -p /u/apps/myapp /u/apps/myapp/releases /u/apps/myapp/shared
/u/apps/myapp/shared/system &&\n mkdir -p /u/apps/myapp/shared/log &&\n mkdir -p /u/apps/myapp/shared/pids"
servers: ["myapp.hostname.com"]
/sw/lib/ruby/gems/1.8/gems/net-ssh-1.0.10/lib/net/ssh/userauth/agent.rb:70:in `initialize':
No such file or directory - /tmp/501/nl.uu.phil.SSHAgent.socket (Errno::ENOENT)
from /sw/lib/ruby/gems/1.8/gems/net-ssh-1.0.10/lib/net/ssh/userauth/agent.rb:70:in `connect!'
--snip--

I haven’t had time to track down the issue yet, but starting up ssh-agent seems to fix the problem. I never had to use ssh-agent before to make Capistrano work.

$ ssh-agent bash
$ ssh-add

Then I run my cap tasks from that shell instance.

(It may seem trivial, and probably is trivial) I wrote about obfuscating the primary keys for your critical tables here: http://www.kanske.com/?p=7

I came across a reason why you do that recently when I discovered a potential chipin.com competitor.

A friend brought up the fact that we (chipin.com) have a competitor (Pledgie.com). The first thing that comes to mind is, how many customers do they have? How many events in their system? How much money have they collected? Do we need to worry about them?

They expose the primary key for both their account table and their event table. It appears that they have less than 42 campaigns (max campaign id at the time http://pledgie.com/campaign/show/42) and less than 87 users (max account id is 87 http://pledgie.com/account/show/87).

With a fixed number of events and users it’s possible to write a script to summarize how much money has been collected.

This isn’t the only source of such information, but it sure is low-hanging fruit.
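The leak above is not that an id is visible but that ids are sequential, so the largest one seen is the row count and the gap between two observations is the growth rate. One way to keep integer primary keys internally while exposing something non-sequential is a keyed, reversible permutation of the id space, so no extra slug column is needed and lookups decode back to the real key. The Ruby below is an added example, not the post's own technique or code from chipin.com: it is a four-round Feistel network over 32-bit ids with an HMAC-SHA256 round function, and SECRET is a constructed placeholder that a real deployment would load from configuration.

```ruby
require 'openssl'

# Constructed placeholder; load the real value from configuration and keep it
# out of the repository, since anyone holding it can recover every id.
SECRET = 'constructed-example-secret-change-me'
ROUNDS = 4
HALF_BITS = 16                   # permutes the 32-bit id space
MASK = (1 << HALF_BITS) - 1
MAX_ID = (1 << (2 * HALF_BITS)) - 1

# Round function: 16 keyed pseudo-random bits derived from one half and the round index.
def round_function(half, round, secret)
  OpenSSL::HMAC.digest('SHA256', secret, [round, half].pack('Cn')).unpack1('n')
end

# Internal id -> opaque public id (a bijection on 0..MAX_ID).
def encode_id(id, secret = SECRET)
  raise ArgumentError, "id out of range" unless id.between?(0, MAX_ID)
  l, r = id >> HALF_BITS, id & MASK
  ROUNDS.times { |i| l, r = r, l ^ round_function(r, i, secret) }
  (l << HALF_BITS) | r
end

# Opaque public id -> internal id, running the rounds in reverse.
def decode_id(obf, secret = SECRET)
  raise ArgumentError, "id out of range" unless obf.between?(0, MAX_ID)
  l, r = obf >> HALF_BITS, obf & MASK
  (ROUNDS - 1).downto(0) { |i| l, r = r ^ round_function(l, i, secret), l }
  (l << HALF_BITS) | r
end

# Fixed-width hex form for URLs, so /campaign/show/<public_id> reveals nothing about order.
def public_id(id, secret = SECRET)
  format('%08x', encode_id(id, secret))
end

def internal_id(public, secret = SECRET)
  raise ArgumentError, "malformed public id" unless public =~ /\A[0-9a-f]{8}\z/
  decode_id(public.to_i(16), secret)
end

if $PROGRAM_NAME == __FILE__
  (40..43).each { |id| puts "#{id} -> #{public_id(id)}" }
end
```

Two caveats belong with this: the permutation hides ordering and count, but a valid-looking public id is still accepted by decode_id, so every lookup must still check that the requesting user is allowed to see that row; and changing SECRET invalidates every published URL, so treat it like any other long-lived key.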
