Protecting Your Website With HTTPS (SSL/TLS)

I’ve just released the first tutorialinux ebook. For those of you who want a sneak peek, this post is basically a command-line-instructions-only version of the practical content from the e-book. These instructions will get you a working configuration for serving HTTPS traffic to your website visitors.

Disclaimer: This post leaves out most of the background, theory, explanations, security and performance tuning, and additional considerations like backups, etc. All of this extra content is found in the e-book. If you want to support tutorialinux, buying the e-book is a great way to ensure that there’s a constant stream of new content coming out on YouTube and this website.

Okay, that being said, let’s get started!

If you’re a sysadmin, chances are that you feel strongly about the adoption of widespread encryption. Advertising companies, governments, and criminals are trying to track and record every move you and your website visitors make, every interest you show, and every thought you hint at. People are finally beginning to fight back by encrypting web traffic, even for pages that don’t absolutely require it the way login or payment pages do.

In this post, I’ll show you how.

How to Choose a Career in IT

Most aspiring tech people make a critical mistake when evaluating ideas for a career. They approach the problem from a 30,000-foot view, saying to themselves, “I might like a career in finance.” Then, they try to work out a more detailed niche, before making plans for getting there. This can work sometimes, but if you find yourself getting stuck in this high-level thinking, perhaps a more practical approach is right for you.

How to Get Into a Programming Career

I was just talking to a friend about programming. She’s interested for all kinds of reasons, not the least of which is that she’s read all about how ‘programming is the future’ and that tech people make tons of money.

We talked about some things that I thought would be useful to share more openly — so here it is: my advice for getting into programming, System Administration, or any other technology path.

32c3 Video: Capability-Based Security

System Administration and programming are becoming more and more entwined with each passing year. If you’re not programming yet (or don’t view the scripting/configuration-management you do as programming), my hunch is that you will be, soon.

There were a few talks at 32c3 about different methods for securing applications on Linux and Unix. You’ve probably heard of several, like AppArmor and SELinux. Capsicum is an interesting solution for FreeBSD; its basics are explained well in this video (although the video is really about another technology).

We’re definitely still at the very beginning stages of running untrusted code safely on our machines. It’s kludgy, breaks common applications, and works cleanly for only a few very specific use-cases at the moment. One of the problems is that applications really aren’t written with containment in mind — a lot of security problems require the cooperation of developers to really work smoothly. For example, your web browser needs to read and write files ANYWHERE on your filesystem (for opening local HTML and saving files from the Web). Even if web browsers had no other features, this would make them difficult to effectively contain.

CloudABI looks like it’s a big step forward in this space. It’s a way to limit what software can do once it’s running on your system; a sort of ‘restricted execution environment.’ CloudABI has three huge features (along with many great small ones):

  • Capsicum is always turned on.
  • Applications are forced to behave (no global namespaces, no hardcoded filepaths). Dependency injection is enforced.
  • Implementations/Ports for NetBSD + Linux.

This talk gives you a good idea of how it works on both a theoretical and a practical level. Even if you never write applications that comply with an environment like CloudABI or mechanisms like Capsicum/SELinux/AppArmor/etc., this talk is an interesting introduction to the thoughts behind how to contain applications, write safer/less-exploitable applications, and otherwise improve Operating System security.

The Education of a System Administrator

Here’s something that surprises many people: I actually don’t have a college degree. Before I got into System Administration, I did all kinds of things: I’ve been a soldier, carpet salesman, martial arts teacher, Chinese massage (Tui Na) practitioner, data entry temp, bakery worker, and a few other things.

On the surface, these don’t look like they are related to System Administration, but each of these other attempts at ‘finding the right career’ taught me something valuable that I still use today in System Administration and Development work.

For example, all that ‘unrelated’ experience has taught me how to

Chaos Communication Congress 2015 (32c3) Report

I just came back from the 2015 Chaos Communication Congress in Hamburg, Germany — my brain is going to need some time to process everything that I’ve experienced in the past week.

The congress is in some sense a combination of Burning Man and DEFCON. Four days of nonstop talks, workshops/assemblies, impromptu parties and projects, capture the flag, and much more. Some of the things we did there (this accounts for about 0.01% of the available activities):

  • Attend talks about a huge number of topics, ranging from Open-Source intelligence, hardware trojans, the Tor network, privilege-dropping frameworks in Unix and Linux, reverse engineering, quantum computing and cryptography, journalism, politics and law, etc.
  • Drink huge amounts of Mate.
  • New friends and drinking buddies!
  • Whisk(e)y tasting.
  • Participate in a CTF contest.
  • Play around at a lockpicking workshop.
  • Talk to tons of programmers, infrastructure people, security specialists, journalists, artists, tinkerers, hobbyists, and other computer-folk.
  • etc.

I’ll spend some time posting the talks I enjoyed the most — if you’re interested in sorting through them yourself, here are some links:

Where to Find Remote Programming Work

I remember sitting at a system engineering gig a few years ago, fighting an angry LDAP server and talking about my goal of sitting on a beach and doing sysadmin and programming work from my laptop. My manager, a smart and practical fellow, laughed and told me it was a pipe dream and that such work simply didn’t exist. Two years later, I can work from the beach every day, if I feel like it.

Everyone loves remote work — whether it’s system administration, database administration, testing, QA, remote programming work, or something totally different. As with anything else, there are some downsides, but the advantages to both companies and employees are huge. Lower office costs for companies, fewer interruptions for employees; the list goes on and on. It’s still early in the ‘remote work’ timeline, and some businesses still need to get used to the idea. If you’re interested in an exhaustive pro-and-con list in book format, check out Remote: Office Not Required.

Here are a few of the sites I’ve used to search for (and get) both full-time and contracting work:

Sysadmin Audio Series #1 — Working At A Small Company

I’ve received a lot of requests over the last few months to create some audio content. This is for those times where you want to get some sysadmin training on the train, in the car, or in other commute-related settings where you can’t be staring at a YouTube video the whole time.

So…I just uploaded the first in a series of “What It’s Like To…” audio tracks. This is a 20-minute track where I talk about what it’s like to be a sysadmin at a small (non-tech-focused) company. This is an incredibly common first sysadmin job, where you move from doing user-support-heavy work to infrastructure-heavy work.

On the audio track, I discuss a variety of important topics about working as a system administrator at a small company:

  • How I got started — my background, the interview process, etc.
  • Attributes that you need for success (patience, etc.)
  • Common Tasks (technical and non-technical)
  • Conflicts and common obstacles
  • A bit on salary negotiation and how to think about money
  • Required knowledge and skills
  • Common career paths

Enjoy, and let me know if this is useful!

How to Browse the Web through a Proxy Server

One question I often see has to do with setting up proxies and browsing from a different IP address. While this tutorial isn’t about how to browse the web anonymously, it explains how to tunnel your traffic through a web proxy. This can be used for:

  • circumventing some types of censorship,
  • slightly more private surfing,
  • bypassing stateful packet inspection and content-filtering firewalls,
  • accessing your instaFaceTwitSnap from work,
  • getting around IP-based geo-blocking, and
  • otherwise rebelling against the man.

To outside observers, it will seem as if you’re browsing from that remote machine. Here’s my ASCII-art version of what this looks like:

(You) <====== [encrypted tunnel] ======> (your server) <====> [your web browsing traffic, going to the sites you visit].

The whole thing takes about 3 minutes to set up; here’s how:

Sysadmin Links, August 2015

The time has come for another edition of tech-timewasters/sysadmin links. This time, there are a few interesting security articles (including one that will give you an idea of what the malware analysis process looks like).

  1. What is mathematics? (math geekery for amateurs like me): http://math.coe.uga.edu/tme/issues/v09n1/4rota.pdf
  2. The postgres guide! (non-official): http://www.postgresguide.com/
  3. Rowhammer (A nontechnical security article) — http://www.slate.com/articles/technology/bitwise/2015/07/rowhammer_security_exploit_why_a_new_security_attack_is_truly_terrifying.single.html
  4. Malware Analysis; a much more technical article on cdorked: https://reverse.put.as/2014/02/05/linuxhackingteamrdorks-a-a-new-and-improved-version-of-linuxcdorked-a/
  5. Scaling LinkedIn; a really nice progression (including graphics) showing a few different popular infrastructures for serving web applications: http://engineering.linkedin.com/architecture/brief-history-scaling-linkedin
  6. Yay videogame music (from Star Wars: Knights of the Old Republic — I occasionally listen to this while working): https://www.youtube.com/watch?v=cz2wR2CFtrU