Chaos Communication Congress 2015 (32c3) Report

I just came back from the 2015 Chaos Communication Congress in Hamburg, Germany — my brain is going to need some time to process everything that I’ve experienced in the past week.

The congress is in some sense a combination of Burning Man and DEFCON. Four days of nonstop talks, workshops/assemblies, impromptu parties and projects, capture the flag, and much more. Some of the things we did there (this accounts for about 0.01% of the available activities):

  • Attend talks about a huge number of topics, ranging from open-source intelligence, hardware trojans, the Tor network, privilege-dropping frameworks in Unix and Linux, reverse engineering, quantum computing and cryptography, to journalism, politics and law, etc.
  • Drink huge amounts of Mate.
  • New friends and drinking buddies!
  • Whisk(e)y tasting.
  • Participate in a CTF contest.
  • Play around at a lockpicking workshop.
  • Talk to tons of programmers, infrastructure people, security specialists, journalists, artists, tinkerers, hobbyists, and other computer-folk.
  • etc.

I’ll spend some time posting the talks I enjoyed the most — if you’re interested in sorting through them yourself, here are some links:

 


Where to Find Remote Programming Work

I remember sitting at a system engineering gig a few years ago, fighting an angry LDAP server and talking about my goal of sitting on a beach and doing sysadmin and programming work from my laptop. My manager, a smart and practical fellow, laughed and told me it was a pipe dream and that such work simply didn’t exist. Two years later, I can work from the beach every day, if I feel like it.

Everyone loves remote work — whether it’s system administration, database administration, testing, QA, remote programming work, or something totally different. As with anything else, there are some downsides, but the advantages to both companies and employees are huge. Lower office costs for companies, fewer interruptions for employees; the list goes on and on. It’s still early in the ‘remote work’ timeline, and some businesses still need to get used to the idea. If you’re interested in an exhaustive pro-and-con list in book format, check out Remote: Office Not Required.

Here are a few of the sites I’ve used to search for (and get) both full-time and contracting work:

 


Sysadmin Audio Series #1 — Working At A Small Company

I’ve received a lot of requests over the last few months to create some audio content. This is for those times where you want to get some sysadmin training on the train, in the car, or in other commute-related settings where you can’t be staring at a YouTube video the whole time.

So…I just uploaded the first in a series of “What It’s Like To…” audio. This is a 20-minute track where I talk about what it’s like to be a sysadmin at a small (non-tech-focused) company. This is an incredibly common first sysadmin job where you move from doing user-support-heavy work to infrastructure-heavy work.

On the audio track, I discuss a variety of important topics about working as a system administrator at a small company:

  • How I got started — my background, the interview process, etc.
  • Attributes that you need for success (patience, etc.)
  • Common Tasks (technical and non-technical)
  • Conflicts and common obstacles
  • A bit on salary negotiation and how to think about money
  • Required knowledge and skills
  • Common career paths

Enjoy, and let me know if this is useful!


How to Browse the Web through a Proxy Server

One question I often see has to do with setting up proxies and browsing from a different IP address. While this tutorial isn’t about how to browse the web anonymously, it explains how to tunnel your traffic through a web proxy. This can be used for:

  • circumventing some types of censorship,
  • slightly more private surfing,
  • bypassing stateful packet inspection and content-filtering firewalls,
  • accessing your instaFaceTwitSnap from work,
  • getting around IP-based geo-blocking, and
  • otherwise rebelling against the man.

To outside observers, it will seem as if you’re browsing from that remote machine. Here’s my ASCII-art version of what this looks like:

(You) <====== [encrypted tunnel] ======> (your server) <====> [your web browsing traffic, going to the sites you visit].

The whole thing takes about 3 minutes to set up; here’s how:

 


Sysadmin Links, August 2015

The time has come for another edition of tech-timewasters/sysadmin links. This time, there are a few interesting security articles (including one that will give you an idea of what the malware analysis process looks like).

  1. What is mathematics? (math geekery for amateurs like me): http://math.coe.uga.edu/tme/issues/v09n1/4rota.pdf
  2. The Postgres guide! (non-official): http://www.postgresguide.com/
  3. Rowhammer (a nontechnical security article): http://www.slate.com/articles/technology/bitwise/2015/07/rowhammer_security_exploit_why_a_new_security_attack_is_truly_terrifying.single.html
  4. Malware analysis; a much more technical article on cdorked: https://reverse.put.as/2014/02/05/linuxhackingteamrdorks-a-a-new-and-improved-version-of-linuxcdorked-a/
  5. Scaling LinkedIn; a really nice progression (including graphics) showing a few different popular infrastructures for serving web applications: http://engineering.linkedin.com/architecture/brief-history-scaling-linkedin
  6. Yay videogame music (from Star Wars: Knights of the Old Republic — I occasionally listen to this while working): https://www.youtube.com/watch?v=cz2wR2CFtrU

 

The Top 10 WordPress Security Mistakes

Sooner or later, we all deploy a PHP web application (Joomla, WordPress, Magento, etc.). I’m currently doing some security work, and I deal with a huge number of sites that have been hacked. The crazy thing is that 90+ percent of these compromises could have been prevented by a few security precautions. Here’s a list of the most common misconfigurations and security holes (from a System Administrator’s perspective), along with how to fix them.

We also look at some of the most popular goals of the attackers (‘consequences’).


Securing SSH with SSHGuard

We all love SSH (Secure SHell). It lets us connect to our remote servers, circumvent firewalls, confuse stateful packet inspection and network monitoring, and otherwise keep nosy entities in the dark about what kind of data we’re shuffling around between machines. However, every server you run SSH on is experiencing hundreds or thousands of attacks every day — most are just brute-force login attempts, but some are more sophisticated attacks.

Here, I’ll show you how to set up SSHGuard, which is a cleverly designed, easy way to harden your SSH installation and decrease the amount of resources that attackers can soak up. It also conveniently works for other services, not just SSH (more on that later). Let’s get started!


Tech Timewasters, July 2015

The Web is big. The Web has links. Here are your July links:

Have fun!

Monitor all the Things (with monit)!

System administrators have a *ton* of different monitoring solutions to choose from. Many of these (Nagios) are forced on them by evil forces who happen to be higher up in the corporate food chain. Some, however, are a joy to use. In this tutorial, I’ll teach you how to use one of my favorites: Monit (https://mmonit.com/monit/). Monit can help you monitor all the same things as the others (CPU and disk usage, etc.), but it also

  • intelligently checks your services to make sure they’re up and responding properly,
  • can react when things go wrong (restarting services, running scripts, etc.),
  • has cool extra features like service management and file-hash checking (to make sure the bad guys haven’t tampered with your system binaries, for example), and
  • is really easy to use.

In this post, I’ll take you from “no idea what’s happening on the server” to “closely monitoring critical services.” Follow along!


Where to Find Answers to Linux Questions

When they’re faced with a technical problem — an error message, unexpected behavior, or ‘I have no idea what to do about this problem’ moment — most people resort to Google (or a privacy-aware search engine, like DuckDuckGo or IxQuick). However, often this is not the quickest way to get the problem solved.

Here’s a quick checklist of resources for solving Linux problems:
