Privacy and account security online

Leigh Honeywell wrote an excellent blog post for the ACLU about staying safe online. It’s mostly a primer for people who need a quick jumpstart into how to keep themselves safe, but be warned, some of it takes some time, and won’t be 100% effective. For example, scrubbing your online presence is a lot easier if you’ve never maintained much of one – search engines cache and don’t always clear. If you’ve forgotten about accounts with re-used passwords, those can still come back to bite you.

Using Bro to load balance

If your hardware doesn’t support HLB, or if you for whatever reason don’t want to use that load balancing, I’ve had good success with a Bro configuration that Seth Hall wrote for me. As background, my NIC is (currently) sending a full copy of the input stream to each of a dozen output streams. I’m going to be implementing HLB on my NIC, so I wanted to keep Seth’s hard work around somewhere that it might also do somebody else some good.

This configuration allows for six workers. If you want a different number of workers, change total_lb_procs and the integer at the end of each restrict_filters statement accordingly (the remainders must run from 0 to total_lb_procs - 1, one per worker).

event bro_init() &priority=-12
    {
    local total_lb_procs = 6;

    # Each worker keeps only the packets whose (ip[14:2]+ip[18:2]), the low 16 bits of the
    # IPv4 source and destination addresses added together, leaves its own remainder
    # modulo total_lb_procs. BPF has no modulo operator, hence the t - (N*(t/N)) form.
    if ( Cluster::node == "worker-1" )
        restrict_filters = table(["lb_filter"] = fmt("(ip[14:2]+ip[18:2]) - (%d*((ip[14:2]+ip[18:2])/%d)) == %d", total_lb_procs, total_lb_procs, 0) );
    if ( Cluster::node == "worker-2" )
        restrict_filters = table(["lb_filter"] = fmt("(ip[14:2]+ip[18:2]) - (%d*((ip[14:2]+ip[18:2])/%d)) == %d", total_lb_procs, total_lb_procs, 1) );
    if ( Cluster::node == "worker-3" )
        restrict_filters = table(["lb_filter"] = fmt("(ip[14:2]+ip[18:2]) - (%d*((ip[14:2]+ip[18:2])/%d)) == %d", total_lb_procs, total_lb_procs, 2) );
    if ( Cluster::node == "worker-4" )
        restrict_filters = table(["lb_filter"] = fmt("(ip[14:2]+ip[18:2]) - (%d*((ip[14:2]+ip[18:2])/%d)) == %d", total_lb_procs, total_lb_procs, 3) );
    if ( Cluster::node == "worker-5" )
        restrict_filters = table(["lb_filter"] = fmt("(ip[14:2]+ip[18:2]) - (%d*((ip[14:2]+ip[18:2])/%d)) == %d", total_lb_procs, total_lb_procs, 4) );
    if ( Cluster::node == "worker-6" )
        restrict_filters = table(["lb_filter"] = fmt("(ip[14:2]+ip[18:2]) - (%d*((ip[14:2]+ip[18:2])/%d)) == %d", total_lb_procs, total_lb_procs, 5) );
    }

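To make the same arithmetic checkable outside Bro, here is an added shell example (mine, not Seth's script): it prints the filter for any worker count, generates the whole bro_init() block so the integers need not be hand-edited, and predicts which worker a given packet lands on. The addresses and worker counts used are constructed; note the filter reads ip[14:2] and ip[18:2], so it only ever matches IPv4.

```shell
#!/bin/sh
# Added example, not from the post or Seth Hall's script: reproduce the filter
# arithmetic outside Bro so a cluster config can be sanity-checked.

# lb_filter N K: the BPF string the post's fmt() call builds for worker K of N
lb_filter() {
    h='(ip[14:2]+ip[18:2])'
    printf '%s - (%d*(%s/%d)) == %d\n' "$h" "$1" "$h" "$1" "$2"
}

# bro_block N: the whole bro_init() handler for N workers, i.e. the edit the
# post tells you to make by hand when you want a different worker count
bro_block() {
    n=$1
    echo "event bro_init() &priority=-12"
    echo "    {"
    echo "    local total_lb_procs = $n;"
    k=0
    while [ "$k" -lt "$n" ]; do
        echo "    if ( Cluster::node == \"worker-$((k + 1))\" )"
        echo "        restrict_filters = table([\"lb_filter\"] = \"$(lb_filter "$n" "$k")\");"
        k=$((k + 1))
    done
    echo "    }"
}

# low16 A.B.C.D: what ip[14:2] (source) or ip[18:2] (destination) reads for
# that address, i.e. its low two bytes as a big-endian 16-bit number
low16() {
    set -- $(printf '%s\n' "$1" | tr . ' ')
    echo $(( $3 * 256 + $4 ))
}

# worker_for SRC DST N: the worker whose filter matches a SRC->DST packet.
# The sum is commutative, so the reply direction lands on the same worker,
# which is what a connection-oriented analyser like Bro needs.
worker_for() {
    t=$(( $(low16 "$1") + $(low16 "$2") ))
    r=$(( t - $3 * (t / $3) ))      # BPF has no '%', hence t - N*(t/N)
    echo "worker-$((r + 1))"
}
```

Running bro_block 8 emits a drop-in replacement for the six-worker block above; worker_for on a few real flows from your network quickly shows whether the split is even or whether one worker is drowning.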

Update 16 September – Seth tells me that this is a terrible way to balance in Bro – he had some problems with this at another high-volume institution. Well, it worked for me. :)

Automated rsync backups with ssh key restrictions

For the first time ever I wanted to make an rsync script to back up a couple of remote servers, restricting the commands by the use of a key. I wanted to restrict the commands that could be run with that key in case of compromise, since there needs to be no passphrase on the key. I’m not going to explain the theory or most of the commands, since you (I) already know.

Doing some googling, I found this, which was pretty close, but I wanted it here (so I could find it again) and with fewer words. I ripped off the script wholesale:


#!/bin/sh
# Runs as the forced command for the backup key: only the server side of an
# rsync transfer is allowed through, and any command carrying shell
# metacharacters is refused before it gets anywhere near a shell.
case "$SSH_ORIGINAL_COMMAND" in
*\&*|*\(*|*\{*|*\;*|*\<*|*\`*|*\|*)
    echo "Rejected"
    ;;
rsync\ --server*)
    $SSH_ORIGINAL_COMMAND
    ;;
*)
    echo "Rejected"
    ;;
esac

There are probably some holes in it, but it’s close enough for government work. Then, add to authorized_keys:

from="hostname",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="/path/" thebackupkey

And a sample backup script:

#!/bin/sh
LOGF=/var/log/backup.log   # log file; this path is a placeholder, set it to taste
MYD=$(date)
echo "Starting rsync at ${MYD}" >> "${LOGF}"
/usr/bin/rsync -q -a --delete -e "ssh -i /the/.ssh/backup_key" userid@remote:/home/asdf/ asdf/
echo "Finished at $(date)" >> "${LOGF}"

Call that in cron and you (I) should be good to go.
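A stricter check for the forced command, as an added example that is neither the post's script nor the one it borrows from: instead of accepting anything that starts with rsync --server, it allows only the six-word server-side form that an rsync -a pull of one directory produces, and pins the directory. ALLOWED_PATH is an assumed value, and the flag letters in the fourth word vary by rsync version and options, which is why only their shape is checked.

```shell
#!/bin/sh
# Added example, not the post's script: a stricter SSH_ORIGINAL_COMMAND check
# for the backup key. ALLOWED_PATH is an assumed value for the backup source.
ALLOWED_PATH="/home/asdf/"

validate_rsync_cmd() {
    # Refuse anything carrying shell metacharacters, redirection or a newline
    # before looking at the words at all.
    case "$1" in
        *['&(){};<>`|$']*) return 1 ;;
        *'
'*) return 1 ;;
    esac
    # Split into words with globbing off and require exactly:
    #   rsync --server --sender -<flags> . <path>
    set -f
    set -- $1
    set +f
    [ "$#" -eq 6 ] || return 1
    [ "$1" = rsync ] && [ "$2" = --server ] && [ "$3" = --sender ] || return 1
    # The flag word is one compact token (-logDtpr...); its letters vary by
    # rsync version, so only its shape is checked. A long option here is refused.
    case "$4" in
        -[!-]*) ;;
        *) return 1 ;;
    esac
    [ "$5" = . ] && [ "$6" = "$ALLOWED_PATH" ]
}

# Forced-command use: run the command only if it passed every check.
if validate_rsync_cmd "$SSH_ORIGINAL_COMMAND"; then
    $SSH_ORIGINAL_COMMAND
else
    echo "Rejected"
fi
```

To find the exact command your rsync version sends, run the backup once with command="/bin/sh -c 'echo $SSH_ORIGINAL_COMMAND >> /tmp/seen'" temporarily in place, then pin the validator to what appears.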

ETA: you might get “protocol mismatch” errors from rsync. TFM will tell you it’s because there’s output from your shell. TFM might be wrong. I’m still getting this error from one host I’m doing this with, but not the other. Since both are FreeBSD 8.4 machines, I’m somewhat mystified. Anyway, this might be enough to get started.

Mein Name ist

My name is Mike Patterson. That’s almost what it says on my birth certificate; it actually says Michael. It also says Michael on my university ID card. There are some other very similar variants on pieces of government ID; some include my middle initial or full name. Few people use Michael and fewer still even have reason to know my middle name. I’ve no real reason to use any other name, save for convenience – both my own, and for other people. Mike, as you might know, is a pretty common name, particularly amongst North American males, and doubly so amongst those of my generation.

Depending on context, I have a lot of other names to which I might respond. Depending on the context, I might also not respond, as they tend to be, well, contextual.

At work I’m usually just Mike, but I might be mpatters. That used to be my email address and it will still work, but I now tend to publish mike.patterson. I also use that for email addresses elsewhere, sometimes; my alumni forwarding account, for instance. Since my name is published in our directory as Michael though, some people do call me that, and I don’t bother correcting them. I might not immediately respond though.

On Twitter, I’m snowcrashmike, but nobody uses that anywhere else. Some very old IRC hands might know me as kraig, and I used that on MUDs. I also go by kraig on LiveJournal and Dreamwidth, and some people who met me first through those communities tend to use it as my name, even in voice conversations. In some web communities and games (Forumwarz, for example) I’m generally kraig or kraigu, but sometimes kraigus.

In the very long ago, I used to use BlackSpy as a BBS handle, but that was too overloaded when I switched to IRC. Nowadays on IRC networks I tend to use kraigu. My Steam name varies, I usually set it to earless wondercat, but I often play with it: earless wunderkatze, earless dyingcat (I do a lot of dying in online games), fearless wondercat, feared blundercat, beerless wondercat… well, you get the idea. But usually people call me just earless or wondercat in in-game voice chat, it makes things easier.

Sometimes, in certain circles, I might be just [. I don’t even remember what my FIDONet handle was.

I’m old enough that things like IRC were fairly new when I was coming of age, and young enough that identity is really a fairly slippery thing. I’m old enough to still value some privacy and think that for some people it matters quite a lot, young enough to realise that not using your real name doesn’t mean you can’t be found. I’m experienced enough to know that a middle ground is very difficult to find, worldly enough to know that different cultures approach “true names” in vastly different ways, and finally, practical enough to not really care what name it is that people actually prefer – I try to find out what it is, and use that.

I think real-name-only policies are unnecessarily invasive and insensitive, and don’t do what proponents claim they do. In short, I think they’re misguided at best, generally no better than security theatre, and at worst, just flat-out stupid. Nobody else has the right to tell me who I am, nor do they have the right to tell anybody else who they should be.

packetfu followup

I went back to packetfu today (see here for my first talk about it) for a large collection of pcaps I have (about 30GB worth) hoping to use it to help me quickly get an overview of what I’ve seen.

Fortunately, a lot of the hoops I had to jump through previously are now non-issues; using gem to install pcaprub and packetfu itself made it dead simple. Even more fortunately, I didn’t bother trying it on my Mac initially, guessing – correctly, as it turns out – that RAM usage would go through the roof. I ^C’ed my test ruby script, pasted from my first post on the subject, after it hit 7.5GB resident on my 8GB test machine. I have Ruby 1.9.1 on that box, so I don’t think there’s much more I can do to optimise. Sadly, I guess I’m stuck with tcpdump and looping shell scripts for the time being, and I’ll try to follow up with the author, although I don’t know what help I can provide.