Linux-Planet
Top 25 vulnerability RSS feeds 
By Giacomo, on 15/02/2010 at 09:00.

One way to receive up-to-date reports about vulnerability issues is subscribing to vulnerability RSS feeds: they update on demand, they don’t rely on your mail subsystem and they don’t fill up your mailbox. The only drawback is that you could miss alerts if you don’t sync your feeds for a long time, but if you’re an IT security manager, you don’t have a life, so how could it happen anyway? ;-)

Here are the top feeds you should be subscribed to (CVE tags are reported in brackets):

  1. NIST Vulnerability Database.
  2. US Cert Technical Security Alerts [CERT].
  3. SecurityFocus Vulnerabilities [SF-INCIDENTS].
  4. Open Source Vulnerability Database [OSVDB].
  5. IBM Internet Security Systems Threats [ISS].
  6. Vupen Security Advisories [VUPEN].
  7. Secunia Latest Security Advisories (Unofficial) [SECUNIA].
  8. eEye Security Advisories [EEYE].

The above list is also available as an OPML file you can import into your feed reader.

Furthermore, you should subscribe to product-centric operating system vulnerability feeds to ensure you receive timely information regarding updated packages and suggested workarounds for your infrastructure. Here’s a comprehensive list, sorted alphabetically:

  1. Apple Security Announce (Mac OS X, iPhone, etc) [APPLE].
  2. Checkpoint’s SmartDefense Service [CHECKPOINT].
  3. Cisco’s Product & Service Security Advisories [CISCO].
  4. Debian Security Advisories [DEBIAN].
  5. Fedora Security Updates [FEDORA].
  6. FreeBSD Security Advisories [FREEBSD].
  7. Gentoo Linux Security Advisories (GLSA) [GENTOO].
  8. Mandriva Security Advisories [MANDRIVA].
  9. Microsoft’s Security Notification Service Comprehensive Edition [MS].
  10. NetBSD Security Advisories [NETBSD].
  11. OpenPKG Security Advisories [OPENPKG].
  12. OpenBSD Errata [OPENBSD].
  13. Red Hat Security Advisories [REDHAT].
  14. Slackware Linux Security Advisories [SLACKWARE].
  15. Solaris SunSolve Alerts [SUNALERT].
  16. SUSE Linux Enterprise Security Advisories (also contains OpenSUSE advisories) [SUSE].
  17. Ubuntu Security Notices [UBUNTU].

OS security advisory feeds are available as an OPML file as well.

Have I missed anything? Please report any advisory feed I accidentally left out. Also, if you’re on an operating system security team and you don’t offer a security announcement feed, please consider making it available.
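Subscribing to a dozen feeds means the same CVE arrives several times, once per vendor, so the practical follow-up to the lists above is a small aggregator that keys items by CVE identifier and records which tagged feed reported it. The following is an added example, not code from the post or from any of the feeds listed; the two RSS documents, their links and the CVE numbers in them are constructed for this example and do not describe real advisories, and the feed tags reuse the post’s bracketed convention.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# CVE identifiers as they appear in advisory titles and summaries.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample feeds, tagged the way the post tags its sources.
# The advisories, links and CVE numbers below are invented for this example.
SAMPLE_FEEDS = {
    "CERT": """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed CERT-style feed</title>
<item>
  <title>Example advisory: foo 1.2 remote crash (CVE-2010-0001)</title>
  <link>https://feed-a.example/advisory/1</link>
  <description>Addresses CVE-2010-0001 and CVE-2010-0002 in foo.</description>
</item>
<item>
  <title>Quarterly notice</title>
  <link>https://feed-a.example/notice/2</link>
  <description>No vulnerability identifiers in this item.</description>
</item>
</channel></rss>""",
    "DEBIAN": """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed DEBIAN-style feed</title>
<item>
  <title>Constructed foo security update</title>
  <link>https://feed-b.example/update/7</link>
  <description>Fixed packages for CVE-2010-0001; see also CVE-2010-0003.</description>
</item>
</channel></rss>""",
}


def parse_rss_items(xml_text):
    """Return (title, link, CVE set) for every <item> in an RSS 2.0 document."""
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("item"):
        title = item.findtext("title", default="")
        link = item.findtext("link", default="")
        desc = item.findtext("description", default="")
        cves = frozenset(CVE_RE.findall(f"{title} {desc}"))
        items.append((title, link, cves))
    return items


def aggregate_cves(feeds):
    """Map each CVE id to the sorted list of (feed tag, link) that mention it,
    so one vulnerability arriving from several feeds is tracked once."""
    by_cve = defaultdict(set)
    for tag, xml_text in feeds.items():
        for _title, link, cves in parse_rss_items(xml_text):
            for cve in cves:
                by_cve[cve].add((tag, link))
    return {cve: sorted(refs) for cve, refs in sorted(by_cve.items())}


def digest(feeds):
    """One line per CVE, naming the feeds that reported it."""
    lines = []
    for cve, refs in aggregate_cves(feeds).items():
        tags = ", ".join(sorted({tag for tag, _link in refs}))
        lines.append(f"{cve}: {tags}")
    return lines


if __name__ == "__main__":
    print("\n".join(digest(SAMPLE_FEEDS)))
```

Items without a CVE identifier are dropped from the digest, which is what you want for a triage list but not for vendor notices that never carry a CVE; keep the raw feed for those. Feed XML comes from third parties, so when parsing real subscriptions use a hardened parser such as defusedxml instead of the bare ElementTree call above.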

Related posts:

  1. Windows back-to-the-future bug
  2. Security through obscurity
  3. Process management roundup/1

Best links of the week 06/2010 
By Giacomo, on 14/02/2010 at 14:37.

It’s Sunday, just relax and enjoy your weekly juice:

  1. USIM card with an embedded Wi-Fi radio — Next generation phone SIM will run local hotspots.
  2. European Credit and debit card security broken — You’d better use old signature-based cards.
  3. Infineon TPM hacked — It eventually happened. No gory details though.
  4. 21st century life in transition — What happens when you apply digital rules in analog world.
  5. Twitter History — A nice video with developers from Twitter.

If you have a little more time, you may enjoy this 20-minute video by Jamie Oliver at TED 2010 on food education. He must have read Ned Batchelder’s tips on presentation: entertain, educate, practice.

Related posts:

  1. Best links of the week 04/2010
  2. Best links of the week 07/2010
  3. Best links of the week 03/2010

Integrate Wordpress and Django 
By Giacomo, on 13/02/2010 at 09:00.

Last year Wordpress got an award as best Open Source CMS software and the reason is clear: it’s easy to set up, low on resources, very customizable and full of useful extensions. So unless you have very specific deployment requirements, and if your blog is not part of your core technology, you may get the best of both worlds by using Wordpress for blogging and a web framework for everything else. Not reinventing the wheel is very important in the post-agile world, after all.

Being a Django monkey, I’d like to share some tips on how to make Wordpress and Django live together:

URL mapping

To make Wordpress and Django coexist, they should map to different parts of the URL space: you can simply configure them to respond on different virtual hosts, or just map Wordpress to a specific path. For instance, if your webserver is Apache and you’re serving Django through mod_wsgi, you can use a config snippet like this:

<VirtualHost *:80>
    ServerName somehost.com
    ServerAdmin hostmaster@somehost.com
    ErrorLog /path/to/somehost.com/log/error.log
    CustomLog /path/to/somehost.com/log/access.log combined
    DirectoryIndex index.html
    # Nothing is served from the document root itself: Django takes "/",
    # the Alias directives below carve /blog/ and /media/ out of the WSGI space.
    DocumentRoot /var/empty
    WSGIScriptAlias / /path/to/somehost.com/parts/wsgi/wsgi
    WSGIDaemonProcess somehost.com user=www group=www threads=25
    WSGIProcessGroup somehost.com
    Alias /blog/ /path/to/somehost.com/wordpress/
    Alias /media/ /path/to/somehost.com/project/media/

    <Directory /path/to/somehost.com/wordpress/>
        Order allow,deny
        Allow from all
    </Directory>

    # Must match the Alias target above, not the URL path.
    <Directory /path/to/somehost.com/project/media/>
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

Accessing data

To share data between your Wordpress blog and your Django instance, you have three main options:

  1. Save your Wordpress tables and your Django models in the same database and configure your Django models accordingly.
    Pros: this approach is very straightforward and you don’t need to learn the Wordpress API. You can use the Django admin interface to edit your Wordpress database.
    Cons: sharing a database between two applications can have an impact on maintenance. For example, to rehash your Django application, you can’t just drop the database, re-create it and populate it with syncdb. The Wordpress database schema can change in new releases and make your ORM mapping obsolete.
  2. Use Python’s xmlrpclib in Django to access Wordpress XML-RPC interface.
    Pros: API changes are unlikely to break compatibility with previous releases. XML-RPC adds more logic, which means more consistency checks and more behind-the-curtain processing.
    Cons: XML-RPC calls are slower than direct access to MySQL.
  3. UPDATE: Doug pointed me to another method: adding a PHP template loader to Django. A useful video tutorial is also available.
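Option 2 is the one whose mechanics are easiest to misjudge, because every call carries the blog credentials inside the XML body. The following is an added example, not code from the post, from Wordpress or from any of the projects it names: it marshals a metaWeblog.getRecentPosts call with the standard library xmlrpc.client (the Python 3 successor of the xmlrpclib the post mentions), answers it from a constructed in-memory stand-in for xmlrpc.php, and unmarshals the reply the way a Django view would. The posts, the user and the password are constructed for this example; the fault code and message for a bad login mirror the ones Wordpress sends, but the stand-in server is an assumption of this example and not the real endpoint.

```python
import xmlrpc.client
from datetime import datetime

# Constructed stand-in for the Wordpress posts table; no real blog is contacted.
FAKE_POSTS = [
    {"postid": "12", "title": "Hello world", "description": "<p>First post</p>",
     "dateCreated": datetime(2010, 2, 1, 9, 30)},
    {"postid": "13", "title": "Second post", "description": "<p>More text</p>",
     "dateCreated": datetime(2010, 2, 10, 11, 42)},
]
# Constructed credential store standing in for the Wordpress users table.
FAKE_USERS = {"editor": "example-password"}
METHOD = "metaWeblog.getRecentPosts"


def build_request(blogid, username, password, count):
    """Client side: the XML body a Django view would POST to xmlrpc.php.
    Note that the password travels in clear text inside this body."""
    return xmlrpc.client.dumps((blogid, username, password, count), methodname=METHOD)


def handle_request(request_xml):
    """Server side (constructed): what xmlrpc.php does with that body, reduced to
    method dispatch, authentication and marshalling of the result."""
    params, method = xmlrpc.client.loads(request_xml)
    if method != METHOD:
        return xmlrpc.client.dumps(
            xmlrpc.client.Fault(-32601, "server error. requested method not found"))
    _blogid, username, password, count = params
    if FAKE_USERS.get(username) != password:
        # Wordpress answers a bad login with a fault, not an empty list.
        return xmlrpc.client.dumps(xmlrpc.client.Fault(403, "Bad login/pass combination."))
    newest_first = sorted(FAKE_POSTS, key=lambda p: p["dateCreated"], reverse=True)
    return xmlrpc.client.dumps((newest_first[:count],), methodresponse=True)


def parse_response(response_xml):
    """Client side: unmarshal the reply. A fault response raises xmlrpc.client.Fault,
    and use_datetime turns dateTime.iso8601 values back into datetime objects."""
    (posts,), _method = xmlrpc.client.loads(response_xml, use_datetime=True)
    return posts


def fetch_recent_posts(blogid, username, password, count):
    """The call a Django view would make. Returns (True, posts) on success or
    (False, fault text) so the view can render an error instead of crashing."""
    try:
        request_xml = build_request(blogid, username, password, count)
        return True, parse_response(handle_request(request_xml))
    except xmlrpc.client.Fault as fault:
        return False, fault.faultString


if __name__ == "__main__":
    ok, payload = fetch_recent_posts("1", "editor", "example-password", 1)
    print(ok, payload)
```

Because the credentials sit in the request body, the real ServerProxy URL for xmlrpc.php should be https, and the Django side should keep the Wordpress account limited to the capabilities the integration needs rather than reusing an administrator login.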

To set up method 1, you can use models.py from the django-wordpress-admin project, which was built around inspectdb output with some custom manager enhancements. On GitHub there’s another project named django-wordpress with the same approach, and a step-by-step tutorial is published at uswaretech.com.

If you found Django-Wordpress integration tips useful, please drop a note in the comment box below to say how you used it, or just stay in touch with Twitter or RSS Feed for more Django stories.

Related posts:

  1. Integrate Tornado in Django
  2. Django dynamic template paths
  3. Django and mysql names

McItaly: gone there, eaten that 
By Giacomo, on 12/02/2010 at 09:30.

I’m not a fan of McDonalds. I don’t really like Ronald, CJ and all the family, but when Ipazia pointed me to new McItaly burger and Guardian’s controversial article on Italian government being involved in the agreement between McDonalds and Italian food companies, I decided to forget stereotypes for a day and try the product. All in all — I thought — criticism should be based on facts, not just McDonalds is crap fud.

So here is the proof (photos: McItaly open, McItaly munch, McItaly receipt):

Appearance: the pictures above speak for themselves. When I came back from my trip at McDonalds, I found some more snapshots at TrashFood blog. As the Photoshop ad says, product images are for illustrative purposes only.

Taste: it just doesn’t live up to the claims. Asiago cheese doesn’t taste like Asiago, at all (you guys at Consorzio Tutela Asiago have no shame?). It’s just too sweet and meshing badly with industrial bread. The artichokes sauce really strikes the taste. Other reviews by other customers here, here and here seem to agree with my review.

Health: Nutritional information is not printed directly on the package, but McDonaldsMenu.info website is referenced for more information. Here’s nutritional info for McItaly, compared to best seller Big Mac (symbols legend):

McItaly vs Big Mac nutritional info

It’s quite easy to figure out that McItaly is 30% more caloric than Big Mac (about the same calories of a Pizza Margherita), is really fatter and especially bad for your cholesterol, considering high levels of saturated fat (91% of what you should eat daily, just in one burger!).

Price: € 4,20, a high price tag for a burger, but relatively low if matched against calories.

The verdict: Overall quality is quite low, compared to other McDonalds burgers. If you’re in for junk food at McDonalds, stay with Big Mac.

P.S.: As you can notice from my pictures, the endorsement from the Italian government is clearly visible on the package. They should have checked what’s inside the package as well.

No related posts.

LUKS mermaids of remote unlock 
By Giacomo, on 11/02/2010 at 09:00.

Recently, I’ve browsed several how-to’s regarding the possibility of unlocking a LUKS root volume remotely using an SSH connection. For reference, the first of its kind is the one for Debian, published at Coulmann.de. Some of these how-to’s were posted to forums and mailing-lists and received many thankful comments from sysadmins wondering how to make their encrypted secure setup also easy to administrate.

The problem with their approach is simple: they asked how to fix their setup, but forgot to ask what they’re trying to protect. Having your root filesystem on an encrypted disk doesn’t protect you from remote exploitation or credential leaks. It just protects you from the risk of someone being able to access your machine locally and steal your data, or just steal the whole machine altogether. Now, if I were an attacker with local access to your hardware, I could easily set up a trap for you in less than 5 minutes:

  1. Shut down your machine and open it.
  2. Connect your machine’s root disk to an external USB interface connected to my laptop.
  3. Copy your initramfs file from boot partition (which is clear-text, remember?), access internal files and extract SSH server keys.
  4. Bring up an interface with a fake ssh server running on my laptop which runs your initrd script, slightly modified to tap passwords.
  5. Just wait for you to notice your machine went down and connect via ssh to bring it back up. Ta-da.

Depending on the scenario, some additional steps to cover tracks may be necessary, but the theory is there: if you can’t check your hardware personally, disk encryption is useless (and even then, human stupidity is the weak link).

In 2004, the Autistici/Inventati hacking group was running a server at the Aruba server farm, hosting several mailboxes and websites. During a police inquiry on one of those mailboxes, law officers wanted to obtain the TLS encryption keys to tap users’ messages, so they unplugged the server and copied data from the server volumes. When the server admins asked Aruba about the downtime, Aruba told them it was an electrical fault, so it took one year to find out about the crackdown. If the disks had been encrypted with LUKS and set up for remote unlocking, it would have been quite easy for law officers to trick the server admins into typing the unlock key over the wire, since the ISP employees were under their control.

Bottom line: if you’re paranoid enough to set up encrypted disks, you shouldn’t really trust remote unlocking anyway.

Related posts:

  1. Linux RAID disk wipeout
  2. Using screen as your login shell
  3. What evil lurks in OCFS2

Using screen as your login shell 
By Giacomo, on 10/02/2010 at 11:42.

GNU screen is a nice utility that allows running multiple interactive shells from the same terminal session and allows you to detach from your terminal while keeping those shells alive. Later on, you can re-attach to your background screen to get back to your shells. It has a lot more features like automatic session logging and terminal window splitting. You can discover them all in the manual.

How many times did you start a long-running task like a gcc compilation on a remote server and then suddenly need to disconnect from your shell? Maybe you just needed to move to some other place with your laptop, but if you disconnected from your LAN, your ssh connection would go down. How many times have you thought “Damn, if I had launched screen before this…”?

The trick to save your compile time and not break your schedule is simple: just have your shell .profile script run screen at startup on your remote server. For bash, the syntax is simple, just add the following lines at the end of your ~/.profile script:

# Only act in the outermost login shell: inside screen SHLVL is already 2,
# so the shells screen spawns don't try to start screen again.
if [ ${SHLVL} -eq 1 ]; then
    ((SHLVL+=1)); export SHLVL
    # -R reattaches to a detached session or creates a new one;
    # -e "^Ee" makes Ctrl-E the escape character (and "e" the literal Ctrl-E).
    exec screen -R -e "^Ee" ${SHELL} -l
fi

Quick implementation notes:

  1. Parameter -R reattaches to an existing detached session, if there is one; otherwise it creates a new one.
  2. Parameter -e sets a non-standard escape character. This is useful since you don’t want the login screen to interfere with other screens you may spawn during your activity. I chose Ctrl-E as it’s not used by other well-known keyboard shortcuts and works on most OSes.

To detach from your server type Ctrl-E d or just close your terminal window. Running processes stay alive in the background, still attached to their shell inside screen. When you connect to your remote shell again, you’ll get back to your session.

Do you like Unix tips like this? Follow me on Twitter or subscribe to my RSS feed for more.

Related posts:

  1. Gentooize Part 1: colorize console
  2. LUKS mermaids of remote unlock
  3. Process management roundup/1

Linux RAID disk wipeout 
By Giacomo, on 02/02/2010 at 09:30.

A common problem with Linux software RAID (aka md) happens when you try to use a disk that was previously part of some other disk array. Symptoms include: wrong volume size, inability to add the device to the RAID, volume UUID mismatch. To fix the problem you need to run the mdadm utility on the disk to clean it up:

# mdadm --zero-superblock devicepath

If you need to apply this fix on a system that doesn’t boot up (for instance when your root volume is on RAID), remember that mdadm and other disk administration utilities are available in Gentoo minimal installation disk.

UPDATE: Rav asked for the gory details, so here they are: when you initially create a Linux RAID array, mkraid writes a signature to the disk called the superblock, which contains a unique UUID for the array and a description of the array (size, RAID level, etc). When the Linux kernel boots up, this superblock is read by the md kernel module and a minor device number is assigned to the array. Even if you erase your partition table or MBR, this superblock won’t be erased.
The problem arises when you try to add a disk with an existing superblock to a computer that already has another array in place (for instance when replacing a faulty RAID1 or RAID5 disk): if the md driver recognises a superblock, it won’t allow the added drive to join the array and will report a generic “Invalid argument” error. Furthermore, if a minor number is forced onto an array, booting a system with parts of two arrays trying to grab the same minor can leave neither of them able to get through, so the md devices are not available.
So, instead of zeroing the whole disk with dd if=/dev/zero of=/dev/path, which can take a certain amount of time and is quite useless (if you’re rebuilding RAID1 or RAID5, your disk contents will be overwritten by the RAID reconstruction anyway), you can use the command explained at the beginning to erase just the bad superblock and fix the problem.

Just a final notice: another problem with replacing disks in RAID1 and RAID5 happens when people try to use a volume which is slightly smaller than the others in the array (even if the advertised capacity is the same as the old drives, there can be slight differences in the actual number of blocks). In this case, the error reported by md upon loading is the same as above: “Invalid argument”. So if your disk is unused, this is probably the first thing to check; otherwise try the following command on the disk device to check for existing superblocks:

# mdadm -E devicepath

Related posts:

  1. Linux Day all the way in 2010
  2. Process management roundup/1
  3. LUKS mermaids of remote unlock

Yo momma uses Ubuntu 
By Giacomo, on 01/02/2010 at 09:30.

Recently I replaced my mother’s PC, and I thought I could switch her to Linux. She was previously using Windows XP with several Open Source applications (Open Office, Firefox, Thunderbird, etc), so I decided to install Ubuntu 9.10, since it seems to be the distribution most devoted to non-expert users (she’s over sixty and not inclined to change her computing habits).

The installation was straightforward and hardware support was really seamless (whew! ACPI works like a charm on new Dells), however I noticed that once the system is running, the “works with clueless user” claim (they call it “alternative to Windows”, but that’s the actual meaning) lasts only five minutes.


There are two main issues on the table:

  1. Documentation: several aspects of the system have changed but documentation lags behind. For instance, upstart replaced old service management facilities and Services applet was removed from System -> Administration menu, but documentation still refers to it. Furthermore, internal documentation search feature is very primitive compared to Mac OS X or Windows ones and “search the forums” option cannot really replace a knowledge base like Microsoft’s.
  2. Robustness: Ubuntu should take the release-early-release-often agility rule with a grain of salt: if replacing a subsystem completely takes a certain amount of time, you cannot really split replacement in two phases just to respect release scheduling. A lot of users are complaining about the fact that every upgrade adds more quirks than the ones it solves.

The open source applications that build up Ubuntu’s image as a Windows alternative are getting more and more mature, and a lot of work has been done to make Linux look like a desktop operating system and not just a bunch of pieces put together. Now it’s time for distributions like Ubuntu to step up and set higher quality standards for the whole development community.

For a start, they could set a common standard for documentation and knowledge base: to offer real post-install support, you need a common error reporting API, clear error messages (not like Microsoft’s “contact your System Administrator” message) and a central repository for documentation and solutions, with a common writing style (haven’t you noticed a regression since man page days?), a decent search engine and translations into supported languages. Since no Linux distribution has enough workforce to make it all alone, the only alternative is to find an agreement on an interoperability standard with large software projects (Samba, Open Office, Gnome, Cups, etc).

So now my mom is using Ubuntu: I’ve enabled remote control (ssh and rdesktop) to help her with the transition and I’ve installed a VirtualBox instance with Windows XP, just in case. I replaced the standard theme and wallpaper with something she could find attractive (first impression counts!). If you have any good tips for making the Ubuntu experience more comfortable, please share them using the comment box below.

Related posts:

  1. Top 25 vulnerability RSS feeds
  2. The Microsoft hotfix tale
  3. Process management roundup/1
