Install Latest Varnish Cache From Source

Varnish Cache is rad, but the packages available in the repositories of most platforms are for older versions. Never fear, compiling it from source is a piece of pie. Read on and give it a shot yourself.

Update: @ruben_varnish reminded me via Twitter that the Varnish people keep a repository for RHEL and CentOS at http://repo.varnish-cache.org/redhat/varnish-3.0/el6/. Swap that “6” for a “5” if you’re running RHEL/CentOS 5.x.

Grab the code (substitute for the current file name found at https://www.varnish-cache.org/releases):
wget http://repo.varnish-cache.org/source/varnish-3.0.3.tar.gz

Install the dependencies if you don’t have them already:
yum install -y pcre-devel gcc

Unpack, compile, and install the code:
tar -xvzf varnish-3.0.3.tar.gz
cd varnish-3.0.3
./configure && make && make install

Add a Varnish user
useradd varnish

Download this configuration file, edit it to your needs, and move it to /etc/sysconfig/
The main thing to adjust here is the memory / size of the cache on the line beginning with ‘-s’. Read a word from the Varnish developers on that to guide you.
wget ../varnish
vim varnish
mv varnish /etc/sysconfig/

You’ll need to edit the VCL file at . Go here for an explanation of how it’s configured.

You can use this init script to easily start, stop, and restart the service. Just copy it to /etc/init.d/ on your system.
wget ../varnish
mv varnish /etc/init.d/

Fire it up and test it out:
/etc/init.d/varnish start

If you have trouble, you can try launching Varnish from the interactive console to see if the problem lies with your init script (or items it points to) or something else:
varnishd -f /usr/local/etc/varnish/default.vcl -s malloc,256M -T 127.0.0.1:2000 -a 0.0.0.0:80
This page explains what all those parameters do.

Varnish has a quite different way of logging, designed for speed. Here is a reference for that.

The Varnish documentation can be referenced here as well: https://www.varnish-cache.org/docs/3.0/installation/install.html#compiling-varnish-from-source

Set Up LVM on Software RAID in Ubuntu Installer

Software RAID can be pretty confusing, especially when you are accustomed to dealing with hardware RAID like I am. Adding to the confusion is LVM on top of software RAID. A big key to understanding how this works and how to configure it is that with software RAID, partitions comprise the array, whereas with hardware RAID, it is the physical disks that comprise the array. So we are taking two physical disks, partitioning them for software RAID, then creating a RAID array and adding these “low-level” partitions to the array, then creating an LVM volume group, creating LVM volumes and adding them to the group, and finally creating partitions and file-systems on those volumes. Once all those steps are complete, the operating system can be installed.

Got all that?! It takes a moment to get your head around how this RAID method works but once you do, you’re on your way and things are much less confusing. If you haven’t got all that, don’t worry — I’ll take you through each step right here with screen-shots.

These instructions are for RAID 1 using the server image of the Ubuntu installation media though they can be adapted for other RAID levels (such as 5) and/or the desktop installation media. I’ve tested these instructions on versions 12.04 and 12.10 of Ubuntu.

Get started:

    • Install two drives in your system. Preferably, both drives are the same size. I am using a pair of two terabyte SATA disks.
    • Complete the initial steps of the install process as you normally would.
    • When you arrive at the partition screen, select manual partitioning.

 

    • Select the first disk (actually the line under it representing the partition) and create one partition that takes up all the space on the entire drive. If these drives are brand new and have no partitions, you’ll get a prompt asking, “Create empty partition table on this device?” Say yes.
    • Designate your new partition for RAID by selecting “Physical volume for RAID” at the “How to use this partition:” prompt. This process will create a new RAID device.
    • Repeat the previous step for the other physical disk.

Here’s the overview of my partition layout and settings:

Next, enter the LVM configuration:

    • At the prompt asking, “Write the changes to disks and configure LVM?” Select yes.
    • Create an LVM volume group on the new RAID device (/dev/devname). Give it any name you wish. A prompt will appear asking which devices should belong to the new volume group. Select both devices by pressing [space] as shown. Again, you’ll be asked, “Write the changes to disks and configure LVM?” Select yes.

 

    • Create an LVM volume in your new volume group. I typically create a swap volume first and name it “swap.” Here I am setting the swap volume at 16GB.
    • Create an LVM “root” volume. Here, I normally create one volume that consumes the remaining space on the drive. If you’ve already created a swap partition at this point — or don’t want one — you can simply select “continue.”
    • Take a quick look at the LVM summary screen to verify you have the right number of everything. In my case shown and described in these instructions, there should be two used physical volumes, one volume group, and two logical volumes. Make sure your screen shows the desired result then select “finish.”

We’re almost there! Next, partition the swap volume:

    • Go to the LVM volume in the normal partition screen as shown. Set the filesystem type (under “Use as”) as swap.
    • Partition the root volume. Set filesystem type as ext4 (or whatever you prefer) and the mount point as ‘/’.
    • Now you can write these changes to the disks and continue the OS installation.

Voilà! You now have a fully redundant and performant RAID array, without the expense of a fancy hardware controller. Enjoy!

Weird keyboard problems on Thinkpad Edge

My main home machine is a Thinkpad Edge. After just over two years, the keyboard started acting very strangely. Basically, it would type different letters or symbols than those on the keys pressed. Pressing some keys would result in a bunch of different characters appearing on the screen.

There is a post on the Lenovo forums about this (http://forums.lenovo.com/t5/ThinkPad-Edge-S-series/thinkpad-edge-15-keyboard-problem/td-p/406731/page/14). It includes some of the remedies people have tried. A particularly clever poster, who goes by the handle, jktroy, found the source of the trouble.

The problem

Basically, the design of the laptop is flawed such that the ribbon cable that connects the keyboard to the main-board is pinched under a bracket for the touch-pad. This pinching over two years — probably increased by leaning on the wrist-rest and touch-pad areas — caused the touch-pad bracket to crimp and scrape the cable so that the exposed metal bracket touches and shorts the bare wire of the cable.

 

The solution

To solve the problem, place a small piece of electrical tape over the bare metal as shown in image 3. To get to it, you’ll need to partially disassemble your Thinkpad — this is not as hard as it may sound. You only need to take up the wrist rest part in order to access the bit that must be taped. It might be helpful to refer to the maintenance manual for your model. They can be found at http://support.lenovo.com/en_US/guides-and-manuals/default.page. I didn’t use a manual but I’ve done this sort of thing before. So it really depends on your comfort level too. By the way, the purpose of the tape is to insulate the metal piece from the now bare wire, preventing the contact that causes the keyboard weirdness.

Do your best to avoid pulling on any of the ribbon cables on your computer. If you pull one, no big deal, just (very gently) pull up on the locking mechanism in the front to unlatch the cable’s end, put the cable all the way back in, and latch it down again. If you continue to have trouble with your keyboard, pointing stick, or touch-pad and you’re quite sure you’ve applied the tape correctly, try re-seating your ribbon cables.


Here is the underside of the touch-pad before application of electrical tape.


Here is that same area with the tape applied. It’s difficult to see but the tape is the black square on the left.

Hope this helps anyone out there who’s run into the issue.

 

Disclaimer: I take no responsibility for any problems arising from following this article. Take apart your laptop at your own risk!

 

Fix Broken Display After Ubuntu 12.10 Upgrade

After updating my trusty Lenovo X100e to the latest version of Kubuntu (which is actually presently in the final pre-release), my display resolution was locked in at a very sub-optimal 1024 x 768 and I couldn’t change it.

What happened: It appears some FGLRX (ATI proprietary drivers) packages were installed or changed during the upgrade process and were not functioning properly. Since I’m not a big gamer and this machine really isn’t made for graphics-heavy games anyway, I just removed the driver packages. After that process was complete, I rebooted and my sharp, high-resolution configuration was back!

Here’s how it’s done via the command console:

sudo apt-get remove --purge fglrx 'fglrx_*' 'fglrx-amdcccle*' 'fglrx-dev*'

That should remove all the FGLRX packages. I just rebooted and went on with life from there since I can do with the default video drivers but if you want to re-install the proprietary ATI drivers again, the following should get you there:

sudo apt-get update && sudo apt-get install fglrx

 

These actions work for Ubuntu and all or most variants (Kubuntu, Edubuntu, Xubuntu, Lubuntu, etc) as well.

For more information on the ATI binary drivers, see the Ubuntu wiki.

 

 

I’m running for the CIRA board of directors

I am a “member nominee” in this year’s CIRA board of directors election. Together, we will make the Internet in Canada — and the world — awesome.

I need your support. You can help by expressing a show of support on the CIRA web site: https://elections.cira.ca/2012/support/login/en

Below are the contents of my CIRA board of directors nominee application form, pasted verbatim. More information on the election is at http://www.ciraelections.ca. A copy of my application can also be found on the CIRA elections site.


My name is Mike Toscano. I believe in a free and open Internet for all Canadians.

With your support, we will proudly continue Canada’s journey to bring the Internet to new heights as an incredible vehicle for business, connectivity, information, and expression for everyone.

There is a lot of information about me, my qualifications, and my views in the responses below but here is a bit to get you started:

* I have a strident belief in a free and open Internet with equal access for all. My firm support of positions expressed by CIRA CEO, Byron Holland on infrastructure, privacy, performance (http://blog.cira.ca/2012/06/it%E2%80%99s-time-for-canada-to-bring-its-internet-traffic-home/), and access (http://blog.cira.ca/2012/08/broadband-speed-and-price-where-does-canada-rank/) serve as examples of such.

* My technical knowledge with regard to Internet technology is expansive and comprehensive. I’m a geek, through and through. I’ll contribute to the strong, up-to-date understanding of the technical issues on the Board, and ensure initiatives are relevant and have technical merit.

* I know how organizations like CIRA work. I also know a lot about business. My knowledge and skills in these areas would help make CIRA exceptionally efficient and well managed, with a laser focus on the needs of its constituents — you! As well, I would help CIRA stay on top of issues that matter most to Canadian businesses and people across the country. In cases where there is tension between the needs of business and people, you can bet on me favouring people every time.

After reading my responses to the questions below, please feel free to read more on my blog at http://blog.miketoscano.ca, or my LinkedIn profile at http://www.linkedin.com/in/miketoscano. I’d love to hear from you via e-mail, Twitter, or the CIRA elections message board on what you’d like to see in your CIRA board members, your thoughts on the issues, and of course, any questions you might have.

Thanks for your consideration,

Mike
Twitter ID: @mike_toscano
E-mail: mike4cira [at] miketoscano [dot] ca


CIRA Board of Directors nominee application questions:

1. Why do you want to be on CIRA’s Board of Directors?

It is my aim to do everything I can to have the greatest possible positive impact on the world. I can be most effective in this pursuit by leveraging my skills and experience, which are in the realms of technology, business, and public policy.

CIRA plays an important role in the development of the Internet, and by extension, in the development of Canadian business and society. I want to do my part to help CIRA be its very best, as well as to ensure it operates firmly in the public interest.

My simple, yet admittedly ambitious goals to make people’s lives better and the world a more just, intelligent place are why I have pursued my degrees, launched my technology business, and why I have decided to run for the CIRA board of directors.

 

2. What specific skills or experiences do you have that make you the best candidate for the CIRA Board?

* Over 13 years experience in information technology, the last five of which have been completely focused on Internet services (such as HTTP, databases, load balancing, and firewalls for web sites) for high traffic sites of some of the best known brands. I have incredibly comprehensive knowledge in technology relevant to CIRA. What’s more, I truly love technology and see it as an enabler — empowering people to communicate, learn, and organize to make their lives and the world better.

* As an Internet and technology professional, I have worked with many companies, large and small. With this experience and my business education, I understand well, how business works and the needs of new, small, and growing firms as well as large, established ones. This understanding helps me promote business and provide an environment for them to thrive without encroaching upon the needs and rights of individuals, which are paramount.

* I have outstanding communication and people skills. I like people and work well with others. If elected, I will foster positive change and innovation through healthy discussion, debate, and cooperation without “shaking things up” or driving other board members and staff nuts.

* I am a divergent, strategic thinker. I cultivate environments where ideas flourish and I’m pretty good at coming up with fresh, creative ideas, myself. One of the most exciting products of the Internet is the generation and proliferation of thought and ideas. A great example of this is the open source movement. It is through cooperation, collaboration, and unfettered exchange of ideas (and constructive criticisms) among smart people all over the world that powerful, disruptive projects like Linux, OpenStack, and Hadoop have been developed, improved, and distributed. Together with the Canadian Internet community, CIRA can build a vibrant ecosystem of creativity for tackling Internet issues. I would love to utilize my skills to help make that happen.

* I have a Master in Business Administration (MBA) degree from University of British Columbia — one of the world’s top universities — with a specialization in information technology and sub-specialization in marketing. In the process of earning this degree, I have learned a great deal in all areas of business – accounting, finance, economics, entrepreneurship, corporate social responsibility, and much more. As a board member, this knowledge would help provide context behind our initiatives, as well as enable me to better communicate and understand the perspectives of other .CA members, CIRA board members and management and other stakeholders – inside and outside of CIRA — who come from varied backgrounds in government, business, and non-profit sectors.

 

3. What do you feel are the top three challenges and opportunities facing the .CA domain name space during the next three to five years?

First, we must ensure the Internet remains open, accessible, and free (as in freedom) for all Canadians. We, in Canada, have a significant role to play in shaping the Internet at large as well and our .CA name space is an important part of that. Unfortunately, attaining and keeping an open, accessible, and free Internet will always be a major challenge because more than a few powerful groups in the world have too much to gain by locking up and stifling it.

We can achieve this fundamental goal by maintaining CIRA as a strong, democratic, independent, and credible institution that operates squarely in the public interest. Electing responsible board members with solid knowledge on how the Internet and registries work, CIRA’s role in shaping the Internet coupled with equally solid commitment to Canadian principles and values of freedom and justice is essential. There is, perhaps, nothing more important to me than human rights. I would stand firmly in the way of those who would attempt to use the name system to silence or censor expression on the Internet. Moreover, I would work to maintain CIRA’s solid corporate governance structure and ensure all activities and elections continue to be conducted with complete transparency and integrity in the interest of all Canadians.

A second major challenge for CIRA and all Internet organizations is security. As we enter a new data-driven age powered by computers and the Internet, more and more information is stored and activities take place digitally by people, businesses, and governments than ever. This phenomenon will continue at an incredible rate. While these advances in technology are great enablers in Canadian society, their vulnerabilities pose great risks and threats. We have seen several examples of such with security issues identified in DNS in recent years as well as a new breed of incredibly sophisticated powerful viruses, trojans, and worms – some even likely sponsored by nation-states (Stuxnet, Flame). Herein lies an opportunity to leverage innovation and excellence — such risks can be controlled through proper process, public policy, defensive technologies (like DNSSEC), and rapid, nimble response. Public organizations often perform reasonably well at the first two items mentioned but the pace of the Internet today requires a nimble, well informed group able to quickly react, anticipate, and take advantage of changes in technology, risks, and disruptive change. A sharp, technologically astute board will be able to foster innovation to address these issues.

Finally, CIRA’s aim to sustain and increase the .CA domain’s prominence and relevance as the Internet continues to grow at break-neck speed and with the introduction of many more TLDs (top-level domains) will become more challenging to achieve. As your CIRA board member, I would bring my skills in marketing, public speaking, and writing to help raise the profile of the organization, and the .ca TLD. As well, I would do more to foster engagement in the Internet and business communities as I see such engagement as vital to raising awareness and in running any entity in the public interest.

CIRA has already done a fantastic job in all three of the aforementioned areas but the challenges presented will become even more substantial as time passes, requiring renewed commitment and resolve. I am eager to tackle these and all of the challenges we can look forward to facing in the future.

 

4. What specific actions do you propose to overcome one or more of these challenges and opportunities?

I have woven actions, general and specific, into my responses on each of the challenges and opportunities mentioned. If you would like me to expand on or provide more detail, please feel free to contact me.

 

5. Please describe your understanding of the role of a Director on CIRA’s Board.

Like any board of directors, CIRA’s board serves as a primary form of governance of the organization. This means ensuring CIRA is accountable to its stakeholders and operates according to its bylaws and other applicable regulations.

The board provides general direction to CIRA and most of all, supports and provides guidance to achieve the corporation’s vision of being a world leader among country code top-level domain registries and to make .CA the TLD of choice for Canadians.

As an individual, I would consider my place on the board one not only of fulfilling these fiduciary duties outlined above but also in doing the best I can to help the board be efficient, effective, and a valued resource for information and guidance to CIRA management and the Internet community at large.

Wireless Site Survey With Free Tools

Between characteristics of modern buildings (block walls, walls with metal studs, cement floors, and the like) and the large numbers of wireless networks assailing the airwaves, setting up a reliable wireless network can be a real challenge. Site surveys — where technical architects / network administrators examine a given physical environment’s suitability for wireless networks — can really help identify potential WiFi issues.

Unfortunately, many of the tools traditionally employed for performing wireless site surveys cost thousands of dollars. Not to worry! Here, we’ll discuss how to perform a wireless site survey for 802.11 networks using free open source tools so you can build a rock-solid set-up, regardless of budget. This article focuses on the tools, rather than the process of WiFi surveys. For information on the process, check the links at the bottom of this article.

WiFi Analyzer is a tool that basically turns your Android phone into a spectrum analyzer. With it you can easily see what access points are nearby, the channels they are on, and their signal strength — all through clear, colourful real-time graphs. This is one of the fastest and easiest ways to see what’s going on in the airwaves near your home or office and how to avoid interference on your network. WiFi Analyzer can be found on Google Play (https://play.google.com/store/apps/details?id=com.farproc.wifi.analyzer&hl=en) for free (the program is ad-supported).

To take things a step further, you can break out Kismet, a powerful wireless utility that can not only do all of the above but possesses an array of capabilities for wireless security auditing as well as intrusion detection. Kismet is in the repositories of several popular Linux distributions and you can download the source from http://www.kismetwireless.net as well. The links page of the project web site also includes a link to a Windows port of the front-end to Kismet. If you just need to use the tool occasionally and don’t have a Linux machine handy, I recommend using a Linux live CD or VM. Heck, maybe you can use this as an excuse to take the plunge into the awesome world of Unix. ;)

To use Kismet for a simple wireless survey, you really only need to use a few of its features. Let’s go through running Kismet for this purpose, step-by-step.

* Launch Kismet as root. If you are using Ubuntu, type “sudo kismet” at the command line. If you are using pretty much any other Linux distribution, become root by typing “su -” [enter] at the command line. Then type “kismet”.

* After pressing the space bar to dismiss the introduction message, we are presented with the list of networks found so far. As Kismet is a passive discovery tool, it will find more networks as time passes and it observes traffic moving across them.

* Pressing “h” brings up the help window, which explains commands and what the items on screen mean. We’ll go through most of those relevant to wireless auditing here to make it easy for you to get started.

* A quick check to look at first is the statistics window. Press “a” and it appears, presenting a nice high-level view of what Kismet is detecting – number of networks, packets transmitted, maximum packet rate, and the all important channel usage. There is even a nice graph showing the concentration of APs on each channel. A table with exact numbers of APs on each channel is to the right. With this, we can get most of the information we need to see how crowded a given area is with wireless access points and what channels everyone is on. If you need to dig deeper, read on.

* Sort the results by typing “s.” Then select how you would like them to be sorted. I usually sort by channel when doing a wireless survey. You actually must sort in some fashion in order to actually navigate the list of access points (APs).

You may see an item in the list labelled “Probe Networks” (often marked with a “G” in the network type (T) column because they are in a group, otherwise, they are labelled as the “P” network type). This shows wireless clients in range attempting to access networks that may or may not be in range. So they are not really relevant in a wireless audit. The probe networks detection feature is more useful for security auditing. It can reveal information about networks that are intended to be hidden, among other things. To see these networks, highlight the Probe Networks entry and press the space bar.

Other common network types are ad-hoc networks (designated by an “H” in the type column), and access points (designated by an “A” in the type column). Of course, APs are the type of networks you should be paying particular attention to. Ad-hoc networks are typically of less concern in wireless surveys because they are usually temporary.

There you have it! With WiFi Analyzer and Kismet, you can perform a very effective wireless network survey without spending a dime (as long as you have an Android device already). Once your survey is complete, choose the least crowded channel available. It’s best to choose one that is farther away from occupied channels. For example, if other networks are on channel one and five, it is best to set your network to channel three, if it’s open. Then, you should have a relatively interference-free connection to your network. You can often check signal-to-noise ratios on your AP (especially if you have an AP running DD-WRT. See www.dd-wrt.com). Kismet also reports noise but it always seems to be 0 when I check it, which is not right.

More information on wireless surveys and the tools covered here are available via the links below.

 

WiFi survey process links:

http://en.wikipedia.org/wiki/Wireless_site_survey

http://www.wi-fiplanet.com/tutorials/article.php/3761356

http://www.computerworld.com/s/article/9004641/Six_steps_to_a_wireless_site_survey?taxonomyId=15&pageNumber=2

 

WiFi Analyzer Google Play page: https://play.google.com/store/apps/details?id=com.farproc.wifi.analyzer&hl=e

Kismet project page: www.kismetwireless.net

Picalo: An Open Source Competitor to ACL and IDEA

Reprinted from my post at the now defunct IT risk management blog at UBC Sauder School of Business.

In BAIT 512 in the Sauder MBA program, I saw the references to ACL in the syllabus for data analysis in auditing. It mentions we have to go to the computer lab to use ACL because it is a (very expensive) commercially licensed product. Being the open source person I am, I thought to myself, “What a shame. I bet there is at least one open source package that does the same thing really well for free.” After all, the number of outstanding open source security and network auditing tools out there is enormous (Nmap, tcpdump, netcat, Wireshark and others spring to mind). Lo and behold, a query to Google instantly brought me to Picalo.

Picalo is a really well done Python GUI application for Mac, Linux, and Windows that does (as far as I can tell at this early stage) everything ACL and IDEA do and it includes some things those programs might not have such as a library of pre-written scripts for a variety of types of analysis, and a Python framework for writing your own scripts (rather than using some specialized language that only works with one application). Picalo is very well documented with lots of tutorials and information on the application’s operation and internals. Developers can also download and use Picalo’s Python libraries as an engine for their own applications.

I downloaded the Python source for Picalo and ran it on my laptop (an Ubuntu Linux machine) and was able to get to work right away using sample data and the library of analysis scripts. Users of Mac and Windows will also be able to get up and running quickly by using the available installation packages for those platforms.

It was easy to see how powerful a tool like this is for identifying fraud, inconsistencies, or anomalies in an organization’s records. There is a lot going on here with such a capable tool-set and one could probably spend a lot of time learning the ins and outs of it. I haven’t tried this yet but it appears you can even use Picalo as an interface to a running database and run queries against it. That said, Picalo makes finding errant payments to vendors, suspect withdrawals, information gaps, and the like much easier and more efficient than they would be using a manual or spreadsheet-driven technique. If you have any interest in IT or financial auditing, I highly recommend taking it for a spin.

Mike

Links:
http://www.picalo.org/ – Main Picalo project page
http://www.picalo.org/download/IntroductoryManual.pdf – Picalo introductory manual
http://www.picalo.org/?page_id=7 – Download Page
http://en.wikipedia.org/wiki/Computer_Aided_Audit_Tools – a brief Wikipedia article on auditing tools
http://blog.bitengine.ca – my blog, contains other articles on auditing tools as well.

…but what about those printers?

Reprinted from my post at the now defunct IT risk management blog at UBC Sauder School of Business.

Given that we’re still not quite to the elusive paperless society so many futurists and technologists have promised us, our offices and homes have printers. Some of our offices have lots of printers and lots of different printers at that. This brings me to an interesting question. Have you considered your printers in your information security practise?

Now at this point, you might be laughing at that idea. After all, printers print things and not much more aside from the odd print/scan/fax/copy multi-function unit, which also doesn’t sound very scary. Right? The truth is, however, that printers are really computers in and of themselves and (if network printers) run network services, such as web serving, FTP, telnet, and others, in addition to their regular printing duties.

The rationale mentioned above leads many organizations to pay very little attention to their printer fleets and how they are configured and managed, which can be quite dangerous.

What’s dangerous for them is fun for hackers, er, auditors. So let’s take a quick look at how it’s done! The following is a bit technical though not vital to getting the gist of this post so feel free to skip it if you wish.

Printers can be found on a given network with a simple port scan. Here’s what such a port scan looks like using the popular Nmap utility:

nmap -sS -p515,9100 192.168.1.*

What this line does is instruct Nmap to scan the entire 192.168.1.0 network for services listening on ports 515 or 9100 — ports commonly used for print services.

Once the printers are identified, one can begin probing further. Another scan against the printers for port 23 will reveal if telnet is running. If it is, you can attempt logging in to the printer via telnet. If you can get in via telnet, you can do all sorts of things, as detailed here and elsewhere, such as finding information that was printed, faxed, or copied, for a start.

If FTP is running on the machine, it can be used to store and serve files. As such, printers are used for hiding files on the network or running a somewhat stealthy file sharing server.

Most network printers these days have web servers for web-based configuration, and they are all too often left with no password protection enabled or have only default passwords. Once in the web configuration console, any of its settings can be changed (many of these things can be changed via the telnet command line interface as well).

Lots of shenanigans are possible in exploiting printer security, like changing the display and banner messages, putting paper clip images on every page so people think there is a paper clip stuck in the machine, or sending scan jobs to random users.

While many of the issues I have already mentioned are not major, in and of themselves, what’s really concerning is that compromised printers can also be used to map out entire networks or as a proxy for attacks on other devices.

So what can you do to protect yourself from threats involving printers? Mostly standard security measures apply. The web panels for them can be locked down with authentication. Some can even be centrally managed. Disable unnecessary services running on the devices (as with all devices), log and restrict access to administrative functions to only those who absolutely need it. Ensure any ports the printers are listening on are not accessible from untrusted networks (like the Internet). Most importantly, have a comprehensive information security plan at your organization that includes all information systems components and educate everyone on what it means as well as why it’s important.
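One way to turn the checklist above into a repeatable audit of your own printer subnet, as an added example that is not part of the original post: it reads Nmap's grepable output (`-oG`) and lists, for each device with a print port open, the management services the post mentions that are still listening. The host names, addresses and scan lines are constructed sample data, and the port-to-service table is this example's assumption.

```python
import re

# Ports named in the post: 515/9100 mark a device as a printer;
# FTP, telnet and the web console are the services to disable or lock down.
PRINT_PORTS = {515, 9100}
MGMT_PORTS = {21: "FTP", 23: "telnet", 80: "web console (HTTP)", 443: "web console (HTTPS)"}

# Constructed sample of `nmap -oG -` output for a printer subnet (not real hosts).
SAMPLE_SCAN = """\
# Nmap scan initiated as: nmap -sS -p21,23,80,443,515,9100 -oG - 192.168.1.0/24
Host: 192.168.1.20 (prn-2f-east)\tPorts: 21/open/tcp//ftp///, 23/open/tcp//telnet///, 80/open/tcp//http///, 443/closed/tcp//https///, 515/open/tcp//printer///, 9100/open/tcp//jetdirect///
Host: 192.168.1.21 (prn-lobby)\tPorts: 21/closed/tcp//ftp///, 23/filtered/tcp//telnet///, 80/closed/tcp//http///, 443/open/tcp//https///, 515/closed/tcp//printer///, 9100/open/tcp//jetdirect///
Host: 192.168.1.50 (intranet-web)\tPorts: 21/closed/tcp//ftp///, 23/closed/tcp//telnet///, 80/open/tcp//http///, 443/open/tcp//https///, 515/closed/tcp//printer///, 9100/closed/tcp//jetdirect///
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: (.*)$")

def open_ports(line):
    """Return (ip, name, set of open TCP ports) for one grepable line, or None."""
    m = HOST_RE.match(line)
    if not m:
        return None  # comment, "Status:" line, or host with no port data
    ip, name, ports_field = m.groups()
    ports_field = ports_field.split("\t")[0]  # drop a trailing "Ignored State:" field
    found = set()
    for entry in ports_field.split(","):
        parts = entry.strip().split("/")
        if len(parts) >= 3 and parts[1] == "open" and parts[2] == "tcp":
            found.add(int(parts[0]))
    return ip, name, found

def audit(scan_text):
    """Map each printer IP to the management services it still exposes."""
    findings = {}
    for line in scan_text.splitlines():
        parsed = open_ports(line)
        if parsed is None:
            continue
        ip, _name, ports = parsed
        if ports.isdisjoint(PRINT_PORTS):
            continue  # nothing printer-like listening, so out of scope here
        findings[ip] = sorted(MGMT_PORTS[p] for p in ports if p in MGMT_PORTS)
    return findings

if __name__ == "__main__":
    for ip, services in audit(SAMPLE_SCAN).items():
        print(ip, "->", ", ".join(services) or "print ports only")
```

Telnet and FTP entries are candidates for disabling outright; a web console entry only tells you where to confirm that authentication is enabled and the default password has been changed, which the scan cannot see.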

The real lesson here is that security and risk management is really a way of thinking and operating. It is a continual process that encompasses the entire organization — devices, software, facilities, process, and (most of all) people, rather than a concrete set of rules or a software package that one can buy. Such a comprehensive posture toward security and risk is how these less obvious vulnerabilities can be found and properly mitigated.

 

Much of the information presented here was based on my experience in systems administration and security auditing. However, these sources were also used in informing and writing this article:
http://www.schneier.com/blog/archives/2006/08/printer_securit.html
http://www.itbusinessedge.com/cm/blogs/weinschenk/its-not-exciting-but-n…
http://www.irongeek.com/i.php?page=security/networkprinterhacking

Drupal 7 Access Denied Error on Contact Pages

Based on our very positive experience in building the IONICA video platform sites, we recently revamped the IONICA corporate web site in Drupal.

One problem we ran into was that any unauthenticated visitor who visited the contact page would get an ugly “Access denied You are not authorized to access this page.” error. This was not good as all our regular site visitors are not authenticated.

After some digging, I was able to find the fix.. and it’s actually quite simple.

To allow anyone, even unauthenticated users (called anonymous users by Drupal), to view and use a Drupal 7 site’s forms, log in to your site as the administrative user and follow the steps below.

    • Click the modules menu.
    • Next, click the permissions tab in the top-right.
    • Scroll down to the section labelled “Contact.”
    • In the row, “Use the site-wide contact form,” tick the anonymous user box. Tick the others too if you would like authenticated and administrative users to have access to the form as well (you probably do).
    • Click the Save button.

That’s it! Now every visitor to your site can access the contact form.

CIRA Bylaw and Governance Changes

Recently, CIRA announced it has proposed key changes to its bylaws. Of particular concern is the way board members are selected. Read on to see my letter to the corporation.

The public consultations on this matter are open until May 2 — tomorrow. I urge you to submit your comments to CIRA today if you have not done so already. To submit comments, e-mail governance@cira.ca before May 2. Visit http://www.michaelgeist.ca/content/view/6451/135/ and http://cira.ca/legal/governance/ for more background.

UPDATE: Thanks to clarification from CIRA Chair, Paul Andersen, I see that I have misinterpreted the wording on the full slate of candidates. The reference to that in my letter is lined through.


To: CIRA Board Members

This message is to express my feedback regarding proposed changes to the CIRA bylaws.

Most notably, there are changes in the bylaws that remove the ability for people to run for a director or advisor position of the CIRA board without being on a slate assembled (presumably) by the existing board.

I strongly oppose this change, along with the running of a full slate, rather than individual candidates in board elections. As well, I oppose the provision for board directors to appoint other directors — even temporarily. This proposed structure and process lacks the accountability and transparency required to govern such an important public institution in the public interest. It sets the stage for an environment where only insiders are able to hold positions on the CIRA board and dramatically reduces CIRA members’ power to express confidence (or lack thereof) in board members individually or even as a group.

The make-up of the CIRA board is important, not only because of how important the corporation is, but because it is vital Canadians and the world have confidence in the legitimacy of it. Under proper governance, CIRA can be an exemplar for other similar organizations around the world to follow but in order for that to be, the board has to be taken seriously. Transparency and public confidence are prerequisites for legitimacy in boards of our public institutions.

I understand that the current CIRA board desires a more efficient process for selecting board members. Democracy, while not as efficient as the alternatives, is the only way to ensure accountability and proper governance of the CIRA board. Any changes to the CIRA bylaws must go substantially further in maintaining the integrity and legitimacy of the board than the current proposal, rather than degrade such integrity and confidence.

If you have any questions or comments for me on this matter, please feel free to contact me.

Thank you and best regards,

Mike Toscano