From the Canyon Edge -- :-Dustin

Tuesday, February 7, 2012

Gazzang Presents: Sh*t IT Security Guys Say

We had a blast at the Gazzang offices last week shooting this fun video, Sh*t IT Security Guys Say.  What a great way to kick back and have a little fun on a Friday afternoon ;-)

We worked with Austin filmmaker Brandon Stephens who took some time away from work on his feature film, Enemy of the Mind, to hack on this little project.  Our CEO Larry Warnock (Mr. Backdoor) called the shots and our new Marketing Director, David Tishgart (Mr. Redbull) handled the script.  Also featured in the short: Ben First (Marketing, aka Mr. Ruby), Liz Britain (Marketing, aka Ms. Slashdot), Rob Balena (Sales, aka Mr. Millennium Falcon), Sergio Pena (Mr. $*&%!#), Eddie Garcia (Engineering, aka Mr. IT), and I guess I'm Mr. Wingdings ;-)

Like many of my fellow hackers, I predictably cringe when I watch a movie or a TV show and the hapless IT characters attempt to interface with a computer or discuss technology.  The Matrix, The Net, Swordfish, whatever, it's all painful to hear.  And funny enough, our little video is no different, and this time I actually share the blame :-)  Most of our one-liners make no IT sense whatsoever.  Some of the one-liners I proposed made perfect IT/Security sense, but they just didn't play well on the screen.

In any case, for my hacker/dev/IT peeps, here's my full list of one-liners I proposed for our project:

 - Right, RSA 4096 is definitely the way to go
 - Ubuntu or Fedora?
 - Did you read Bruce Schneier's post today?
 - Wow, check Slashdot!
 - Open a new terminal
 - Emacs or Vi?
 - Grab my public key
 - apt-get dist-upgrade
 - Sure, I encrypt my home directory
 - Hang on, I'm recompiling my kernel
 - PC Load letter????  The f*ck does that mean?
 - Yeah, I need to merge those changes
 - We're moving from MD5 to SHA512 hashes
 - Of course I've rooted my Android!
 - Chef or Puppet?
 - There's an XKCD about that :-)
 - Users, I swear...add it to the FAQ
 - Buffer overflow, uh oh...
 - Python or Perl?  Ruby!?! -- you gotta be kidding me :-(
 - You don't have to forward me that email.  I've already seen it.  You don't use email encryption :-)
 - Would you sign my public key?
 - Fire up an instance in EC2
 - My kernel oops'd
 - TCP or UDP?
 - There's not enough entropy on this friggin machine!
 - You haven't rooted your phone?
 - No open access points?  I see 12 running WEP.  Give me a minute...  Okay, I'm in.
 - Where's your public key?
 - Drop that in a pastebin
 - Okay, I have it.  What's your fingerprint?
 - Java or C++?
 - What do you think of Unity?
 - OpenStack or Eucalyptus?
 - Check StackExchange
 - Shit, not another core dump...

I hope you enjoy watching it as much as we enjoyed making it!

Cheers!
:-Dustin

Thursday, February 2, 2012

bootmail encryption and shutdown messages now supported

[image]

I've made two pretty cool changes to the bootmail utility...

Bootmail now sends a message on both boot and shutdown, using an upstart job.  Big thanks to Clint Byrum for a bit of help on that one!

Bootmail has always sent GPG-signed email.  But now, it will actually send GPG-encrypted email too!  All you need to do is set the RECIPIENT_KEYID variable in /etc/bootmail/gpg.conf to your GPG key id, and bootmail will send you GPG encrypted AND signed boot and shutdown messages!

Now, perhaps you're wondering why, or how one would use this...

Actually, I have all of my EC2 instances set to install and use bootmail.  With this, I get an email when I start, reboot, and shutdown an instance.  I find it helps me remember what instances I have running at any one time, by keeping the email in my Inbox (I practice Inbox Zero).

Moreover, I use cr-gpg with Gmail, so that I can read GPG encrypted email and verify GPG signatures within my Gmail web interface.  Check out this post for more information on how to set that up!

:-Dustin

Wednesday, February 1, 2012

ssh-import-id gaining some steam

[image]

My Google Alerts and IRC highlights have been firing almost daily with references to ssh-import-id, a handy utility I co-authored with my buddy Scott Moser a couple of years ago.

That's quite exciting to me actually, as I find the tool really, really useful, and I wish more people knew about it.  I tried in vain to contribute it to the OpenSSH project, as a complement to ssh-copy-id, but it never landed there.  Oh well.  There's rarely a day that goes by that I don't use it, actually.  I frequently use virtual machines in public clouds;  usually EC2 but not exclusively.  I often want to share that machine with a colleague.  Rather than sharing a password, I simply:

$ ssh-import-id edygarcia sergio-pena
INFO: Successfully authorized [edygarcia] 
INFO: Successfully authorized [sergio-pena]

And now, I just share the hostname or IP with Eddie and Sergio and they can SSH into this machine and authenticate using their SSH keypair.

Reviewing what actually happened...

ssh-import-id looped over each of the arguments on the command line, which are typically Launchpad user IDs, and for each one it:

 - Fetched that user's public keys from https://launchpad.net/~/+sshkeys
 - Validated each key's syntax
 - Concatenated the results to the local ~/.ssh/authorized_keys file

The methodology is secure in that:

 - I know what each of my colleagues' Launchpad IDs are, and that's easier to remember than their SSH fingerprints
 - I know that they had to authenticate with Launchpad to upload their SSH public keys
 - I know that the communication between my system and Launchpad was authenticated and private, as it used https with a valid SSL certificate

The flip side is that Launchpad is the trust anchor here: whoever can log in to a colleague's Launchpad account (or can present a forged certificate that my HTTPS client would accept) can get a key onto my machine, so the account's security and the client's certificate validation are what you are really relying on.

Note that I've uploaded a couple of minor fixes to ssh-import-id in the last 2 weeks that more accurately validate the contents of the public keys retrieved from Launchpad (thanks, Soren, for one of those).
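Here is the same fetch/validate/append flow written out as an added example in Python.  This is not ssh-import-id's own code: the Launchpad fetch is replaced by a constructed in-memory table (FAKE_LAUNCHPAD and fake_fetch, both assumptions for the sake of running offline), the keys in it are syntactically valid but carry dummy payloads rather than real key material, and the authorized_keys path is a scratch directory rather than ~/.ssh.  The syntax check goes a bit beyond counting fields: the base64 blob is decoded and its leading SSH string (real public-key blobs begin with their own type name) must match the first field, which is what keeps an HTML error page or a mislabelled key from being appended.

```python
import base64
import binascii
import os
import struct
import tempfile
from pathlib import Path

# Key types that OpenSSH accepts in authorized_keys.
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}

def _ssh_string(b):
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def make_fake_key(ktype, comment):
    # Constructed key line: the blob starts with its own type name as real
    # keys do, but the payload is 32 zero bytes, not a real key.
    blob = _ssh_string(ktype.encode()) + _ssh_string(b"\x00" * 32)
    return f"{ktype} {base64.b64encode(blob).decode()} {comment}"

# Constructed stand-in for the text a user's +sshkeys page on Launchpad returns.
FAKE_LAUNCHPAD = {
    "edygarcia": make_fake_key("ssh-rsa", "eddie@x220") + "\n",
    "sergio-pena": make_fake_key("ssh-ed25519", "sergio@laptop") + "\n"
    + "<html>not a key</html>\n"                                      # junk: rejected
    + "ssh-rsa " + base64.b64encode(_ssh_string(b"ssh-dss")).decode()  # blob says ssh-dss: rejected
    + " mislabelled\n",
    "nobody": "",                                                      # account with no keys
}

def fake_fetch(user_id):
    if user_id not in FAKE_LAUNCHPAD:
        raise LookupError(f"no such Launchpad user: {user_id}")
    return FAKE_LAUNCHPAD[user_id]

def validate_key(line):
    """Return (type, base64 blob, comment) or raise ValueError."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    ktype, b64 = parts[0], parts[1]
    if ktype not in KEY_TYPES:
        raise ValueError(f"unsupported key type {ktype!r}")
    try:
        blob = base64.b64decode(b64, validate=True)
    except binascii.Error as e:
        raise ValueError(f"blob is not valid base64: {e}") from None
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != ktype.encode():   # type inside the blob must match the label
        raise ValueError("key type inside blob does not match first field")
    return ktype, b64, " ".join(parts[2:])

def _existing_keys(path):
    """(type, blob) pairs already in the file; any options prefix is skipped."""
    have = set()
    if path.exists():
        for line in path.read_text().splitlines():
            toks = line.split()
            for i, tok in enumerate(toks[:-1]):
                if tok in KEY_TYPES:
                    have.add((tok, toks[i + 1]))
                    break
    return have

def import_ids(user_ids, fetch, authorized_keys):
    """Append each user's validated keys (deduplicated on type+blob);
    return the number of keys authorized per user."""
    authorized_keys.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
    have = _existing_keys(authorized_keys)
    counts = {}
    with authorized_keys.open("a") as fh:
        for uid in user_ids:
            counts[uid] = 0
            for raw in fetch(uid).splitlines():
                if not raw.strip():
                    continue
                try:
                    ktype, b64, comment = validate_key(raw)
                except ValueError as e:
                    print(f"WARNING: [{uid}] skipped a line: {e}")
                    continue
                if (ktype, b64) not in have:
                    fh.write(f"{ktype} {b64} {comment}".rstrip() + "\n")
                    have.add((ktype, b64))
                counts[uid] += 1
            print(f"INFO: Successfully authorized [{uid}] ({counts[uid]} key(s))")
    os.chmod(authorized_keys, 0o600)   # sshd ignores a world-readable file under StrictModes
    return counts

def demo():
    """Run the import twice against a scratch HOME; the second run adds nothing."""
    ak = Path(tempfile.mkdtemp()) / ".ssh" / "authorized_keys"
    first = import_ids(["edygarcia", "sergio-pena", "nobody"], fake_fetch, ak)
    second = import_ids(["edygarcia"], fake_fetch, ak)
    return {"first": first, "second": second,
            "lines": ak.read_text().splitlines(),
            "mode": ak.stat().st_mode & 0o777}

if __name__ == "__main__":
    print(demo())
```

Deduplicating on the type and blob rather than the whole line means a colleague re-uploading the same key with a different comment does not pile up duplicate entries, and the file is left mode 0600 so sshd will actually honour it.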

You can always grab the latest version from ppa:launchpad/ssh-import-id, though perhaps I should SRU some of these changes to Lucid/Natty/Oneiric.  Anyone willing to test and validate those SRUs, if I propose and upload them?

Cheers,
:-Dustin

Monday, January 30, 2012

"Harvey" the Honey Badger

[image]
The feedback on eCryptfs' new mascot and logo has been just awesome :-)  At the bottom of the last post, we opened a call for name suggestions.

As it turns out, my mom reads my blog from time to time, and with that post, she saw an exercise and opportunity for one of her high school classes.  She tasked them with researching eCryptfs and the reasoning behind the new logo.  As an extra credit assignment, they were invited to propose names for our tenacious new mascot.  These are so much fun, we'll share all of them with you now!

Leading by example, Mrs. Kirkland (aka, my Mom) writes:
I think you should call him...Honey, but play on the "e" ... and the quotes actually look like claws.   Hon"e"y.  The "e" fits perfectly in the hand.  Plus, when he is standing, he really forms an H.  I am no artist but I am sure you can see the H in its body.   I know you are just looking for a name... but I wanted to show you why I thought the name fit. 
Thanks, Mom!  The quotes around the "e" do look like claws, and it does refer back to the "e" in eCryptfs.


One of her students, Christopher Bordelon suggests:
I think the name Henry would be the perfect name for the honey badger. The name Henry refers to the noble politician Henry Clay. Henry led a defensive army when it came to the War of 1812. By naming the honey badger Henry it will set the tone of the project to have a well-strengthened background. By being a member of the war hawks, Henry was always ready for a battle. He knew he would not be able to be defeated. I feel this is a great name for the honey badger because Henry Clay is a well known political leader in United States history. When people hear this name they will be drawn to it because of the historical accomplishments of Henry Clay. Henry was also known for living a very long time. By Henry living a long time this means that the project will be around for a long time too. He outlived the majority of his fellow leaders. By using his historical context the project will have a face that will never be forgotten. The project will have a mascot with a defensive output that will make customers want to bring their services there.
Thanks, Christopher.  We just loved the historical references!

Another of her students, Kristin Seneca, had a different idea:
I really appreciate the new logo; it is a major upgrade to the last. It has more vibrant colors and an all around better design. It isn’t as plain or boring as the key overlapping the pie chart. With a great logo, the project should want a great name to go along with it. This is why Boris the Badger would be a perfect name for your project's new honey badger logo. Boris the Badger would be a great name for eCryptfs' new honey badger logo. This name has significance to the honey badger. A honey badger is fierce and strong, much like what the name means. According to 2000names.com, the name Boris means a battle or fighter. It was derived from the name Bogoris, meaning small. Since the honey badger is one of the smallest and fiercest warrior animals around, I believe that this name definitely suits the eCryptfs honey badger logo. He certainly looks fierce! eCryptfs is a great project and should have a really awesome name to go along with their new logo. Boris the Badger would be the best name for the honey badger because it represents the idea of a warrior or fierce battle. The honey badger is a ferocious warrior animal and will go to great lengths to defend itself, much like the project will go to great lengths to protect files and software.
But our unanimous favorite here at the Gazzang offices was from Mrs. Kirkland's student Blane Palazzo, who wrote:
Reviewing possible names for the new honey badger design, I've decided that "Harvey, the Honey Badger" sounds the best. Not only is this name appropriate because of its beginning with an "H," but the name "Harvey" also means "battle worthy." When determining which names would be possible for the new logo's design, I kept in mind that defense was a major part of choosing the "fitting" name. Having a defensive name, while at the same time establishing trust, was very important. Not only does the name "Harvey" build trust, it also has a background that allows for an understanding that he "means business." Like a true honey badger, he "takes what's his!"  Paul Harvey is famously known for his "Rest of the Story" segment, which was watched by millions until his death at the age of 90. The name Harvey can be related to many things, including the stamina held by Paul Harvey himself, and the impact of his life felt by millions of Americans. This "Harvey" could be looked to for the "rest of the story" when it comes to protecting software and programs being used. The finality of such a name could be applied to the logo of a project that protects and defends.  eCryptfs is software that thrives on protection, and as mentioned in the blog, is a "vibrant and open-sourced" project. Having a fitting name is appropriate when it comes to any new idea or project. In order to be remembered as a project that strives for excellence, the logo has to be focused on and perfected. The name "Harvey" is a name that is not easily forgotten, and provides a significant enough meaning to the new logo.
Well done, Blane.  We, here at the Gazzang offices, absolutely love it!  And so, I'm pleased to introduce Harvey, the Honey Badger!

:-Dustin

Thursday, January 26, 2012

UDW: Pair Programming and Code Reviews in the Cloud

Next week is yet another installment of the Ubuntu Developer Week education series.  If you've been wanting to get involved in Ubuntu or Free Software development, or perhaps just hone your existing skill set, please join us in #ubuntu-classroom on irc.freenode.net Tuesday/Wednesday/Thursday next week.  Check the schedule, and hopefully you'll find something that piques your interest.

I'm pleased to note that each member of Gazzang's engineering team will be attending at least two sessions per day!  With today's shrinking education budgets, perhaps you can convince your employer to let you attend some excellent, continuing technical education at no additional expense to them.  Should be an easy sell ;-)

I will be leading an hour long session on Thursday, February 2nd from 18:30-19:30 UTC -- that's 12:30pm-1:30pm in my local Central Standard Time.  My session is on Pair Programming and Code Review in the Cloud.

I've used Pair Programming for years -- ever since I was introduced to the Extreme Programming methodologies in the Tivoli Bootcamp as an intern in 2000.  Pair Programming is a relatively simple concept -- two people, one keyboard and screen.  It's a great way to teach, learn, and review code.  Back then, we were a couple of developers, sitting side by side in the Arboretum in Austin, Texas.

But times have changed!  It's highly unlikely that I'm sitting next to the person I need to pair program with.  Rather, they're sitting somewhere far across the world.

Welcome to 2012!  I'll spend an hour, sharing a screen with a few dozen of you, showing you how some Ubuntu developers work with colleagues across the world, through the Cloud!

I'm going to fire up Amazon's largest instance splurging $2.10 an hour for 60GB of RAM and 16 CPUs.  You hardly need this, but I thought it would be fun.  If nothing else, drop in and have a look at what this kind of hardware looks like :-)  We'll import SSH public keys and users will SSH into a shared Byobu/Tmux session, where I'll demonstrate how to make the most use of our screen resources.  We'll split the window horizontally and vertically, look at code side by side, while still tailing log files and conducting builds.

Prerequisites:

 - A terminal and an SSH client with Internet access

And to maximize your experience:

 - Please run your terminal/SSH client maximized/full-screen
 - I'll open up the classroom IRC channel in there, which you'll be able to read
 - Open an account at Launchpad.net and add your public SSH keys
 - Print out a copy of the Byobu keyboard shortcuts for quick reference

[image]

As a teaser, here's what my terminal currently looks like, and a taste of where we'll get to, in this session.    This session can be detached and reattached later, or even by multiple users at the same time.

I have 8 panes open in a single Byobu session.  The first two windows have some eCryptfs source code (mount.ecryptfs_private.c and pam_ecryptfs.c).  Next, I have a little test window where I'm checking my changes, with a foobar@x220 user logged in, and it's just above a small window where I'm reading some manpage documentation.  To the far right, I'm re-compiling the new ecryptfs sources.  Across the bottom, I'm tailing 4 log files (kern.log, dmesg, auth.log, syslog).  Note that I'm using tail -f and ccze for colorized log files -- which really helps separate warnings and errors (in warm reds and yellows) from the rest (in cool blues and greens).

Hope to Pair Program with you on Thursday!

Cheers,
:-Dustin

Wednesday, January 18, 2012

Video Explanation of ACTA / SOPA

I think it's important for everyone to understand what's at risk here today.  This is a must-see, and well worth 7 minutes of your time...

[ http://www.youtube.com/embed/NXhIktkK78s ]

Dustin

Monday, January 16, 2012

Automatically Swapping Launchpad and Bazaar Identities

[image]

I've been a Launchpad.net member since 2006-10-11, when I first created an account to add some debugging information and submit a patch to a bug affecting the xserver on iMac G3s and the Ubuntu 6.06 PowerPC LiveCD, which my wife, Kim, used in her 4th grade classroom.  Wow, those were the days!  I see that that bug is still open :-)  I can't imagine that hardware is even functional anymore....is it?

[image]

I was thoroughly impressed with the sheer elegance, look, feel, and usability of Launchpad.net.  I was a long time user of SourceForge.net and Bugzilla, and had brushed by at least a dozen other bug trackers.  No other bug tracker or source code system could hold a candle to Launchpad, in my opinion.

In my ~4 years at Canonical, Launchpad.net and Bazaar became the cornerstone and foundation of my day to day development and productivity.  I was absolutely thrilled when Launchpad was open sourced (to relatively little fanfare, sadly).

[image]

I've filed and fixed a few minor issues, and worked around some others, and leveraged Launchpad for tools of my own (like ssh-import-id).  And today, I still think Launchpad.net and Bazaar are the best combination of bug tracking, source code management, binary package builders, team building, blueprint tracking out there!

I continue to use Launchpad and Bazaar to manage more than two dozen open source projects.  And now we're also using commercial Launchpad here at Gazzang, actively committing to both public and private projects every day.

This introduced a new challenge for me, though.  I want to ensure that my commits to Bazaar when I'm "at the office" and working on Gazzang projects are correctly credited to my work email address and identity, and that otherwise they're credited to my personal email address.

This email address is stored in ~/.bazaar/bazaar.conf.  For me, the logic is pretty easy...  I generally work from the office where we have a (mostly) static IP address.  I simply run a cronjob every five minutes that checks my external IP address, and updates ~/.bazaar/bazaar.conf accordingly.  Your logic might differ (perhaps time of day, etc.).  Does anyone know how I might perhaps hook bzr to check the project's name at commit time?  Also, any ideas about how to update $DEBEMAIL in a similar manner?  It's an environment variable, so it's pretty hard/impossible to update that in all of my shells and byobu sessions/windows/splits, and the Debian maintainer rejected a few requests to support $DEBEMAIL in ~/.devscripts.  Other ideas?

My script currently looks something like this:

#!/bin/sh
# $HOME/bin/update-email
work_email="dustin.kirkland@work.example.com"
home_email="dustin@home.example.com"

work_ip="10.9.8.7"
# Plain-http, unauthenticated lookup of the external IP: it only decides
# which of the two addresses gets used, nothing more sensitive than that.
current_ip=$(wget -q -O- http://v4.ipv6-test.com/api/myip.php 2>/dev/null)

# No answer (offline, service down): leave the config alone rather than
# silently flipping to the home identity.
[ -n "$current_ip" ] || exit 0

if [ "$current_ip" = "$work_ip" ]; then
        email="$work_email"
else
        email="$home_email"
fi
# Only rewrite the "email = Name <addr>" line, not any other <...> in the file.
sed -i -e "s/^\(email *=.*\)<[^>]*>/\1<$email>/" "$HOME/.bazaar/bazaar.conf"

And it runs in this cronjob:
*/5 * * * *  run-one $HOME/bin/update-email

Suggestions for improvement?  Leave a note!

Enjoy!
:-Dustin
