Author Archives: phocean

Anti-IE 6 campaign

I found this initiative, apparently started in Sweden, quite funny but also educative.

So I just set up the Shockingly Big IE6 Warning plugin in this blog.

Then I became curious and checked the stats of this site :

browser-stats

So there is still about 9% of our visitors that are running IE 6 and 3% using some rather outdated versions of Firefox.

And, my god, I would have never imagined that Netscape would appear in the list !

Yes, there is still a lot of work to do about security awareness among users.

Connecting your GNS3 labs to the real network

There is a nice video tutorial to get your GNS3 lab connected to your physical network.

However, it requires you to use a real network card with a fixed IP for doing that. This is not really handy if, llike me, you use GNS3 on a laptop whose connectivity is frequently switching between cable and wireless, and on different subnets.

I started to look for something more convenient like a virtual interface.

I first thought about declaring a virtual IP on eth0, but no way : briding is layer 2 (based on MAC address), you can’t add eth0:0 to a bridge.

Then I found the very handy dummy interface.

Load the module :

% sudo modprobe dummy
% lsmod | grep dummy
dummy                   3192  0
% ifconfig dummy0
dummy0    Link encap:Ethernet  HWaddr AE:89:91:BD:61:87
BROADCAST NOARP  MTU:1500  Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 lg file transmission:0
RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

To have the module loaded at boot time, do :

In debian :

% echo dummy >> /etc/modules

In openSUSE, edit this line in /etc/sysconfig/kernel :

MODULES_LOADED_ON_BOOT="dummy"

Then, you could go on with the tutorial linked above, replacing eth0 with dummy0, or use the script I made :

#!/bin/sh

/bin/tunctl -t tap0
/sbin/ifconfig tap0 0.0.0.0 promisc up
/sbin/ifconfig dummy0 0.0.0.0 promisc up
/sbin/brctl addbr br0
/sbin/brctl addif br0 tap0
/sbin/brctl addif br0 dummy0
/sbin/ifconfig br0 10.10.10.99/24 up
/path/to/GNS3-0.6-src/gns3

You may also insert this line if you want to interconnect your lab network with your other networks (it activates kernel’s IP forwarding) :

echo 1 > /proc/sys/net/ipv4/ip_forward

I saved it /usr/local/bin/gns and created a pretty shortcut for the application browser of Gnome :

% cat /usr/share/applications/gns3.desktop
[Desktop Entry]
X-SuSE-translate=true
Encoding=UTF-8
Name=gns3
GenericName=Cisco routers emulator
Exec=/usr/local/bin/gns-start
Terminal=false
Type=Application
X-KDE-SubstituteUID=true
Icon=gnome-window-manager
Categories=GNOME;Network;

This shortcut will prompt you for the root password (unfortunately, when dealing with tap interface, GNS3 requires root access – security could be tighten with SELinux or AppArmor) and launch GNS3 with most of the network stuff prepared.

Just in case you want to clear that all quickly, there is the gns-stop script :

#!/bin/sh
ifconfig br0 down
brctl delif br0 tap0
brctl delif br0 eth0
brctl delbr br0
tunctl -d tap0

/etc/mtab~ issue at startup

I don’t know how it really happened – probably a VMWare crash that locked my file system, but after a reboot I got this message at startup :

Cannot create link /etc/mtab~
Perhaps there is a stale lock file?

As a result, some of the partitions were not mounted and the system was pretty much broken.

But, no need to panic, just erase all the lock files (be careful not to erase the mtab file itself !) :

$ rm /etc/mtab~*

Now test mounting your partitions to check that you don’t get this message anymore :

$ mount -a

If it is alright, reboot and it should be fine.

MD5 in your SSL certificate ? No need to panic !

MD5 was found vulnerable a few years ago. Recently, a team succeeded in producing a fake CA SSL certificate.

MD5 or SHA-1 is the algorithm used to authenticate the peer in SSL messages. If it gets compromised, and using various combined technics, it becomes possible to do a MiM attack.

But too much noise has been made about it. There is a nice reaction.

Indeed, it still requires a lot of efforts and conditions for the attack to be possible. And the CPU power is still huge : the researchers used not less than a cluster of 200 PS3 to drive the attack. Even with that hardware and engineering, it took until 3 days of intensive computation.

Not everyone can afford it, nor would have much motivation to attack a single user like this.

Security has always been a compromise between usuability and risk. Today, the risk concerning MD5 is still low enough to stop this wind of panic.

Let’s begin the migration to SHA-1 quietly.

openSUSE 11.1

openSUSE 11.1 is out and already on all my desktop PC.

This distribution is, by far, the best Linux environment for a desktop PC : very stable, up to date, polished, professional…

I also appreciate the huges improvements made on Yast and the package management system. Despite being an advanced user that like to use the command line, I reallly appreciate sometimes to have a nice graphical frontend that just do what I want easely and quickly.

openSUSE 11.1 deserves its increasing popularity. Really, give it a try !