Latest posts

Mitigating CVE-2014-6271 "shellshock" in lighttpd with mod_magnet

Quick braindump:

  • a remote code execution vulnerability (CVE-2014-6271) in bash has been disclosed
  • bash will parse any environment variable whose value begins with () { as a function definition, and will keep parsing and executing any shell commands that follow the function body
  • env x='() { :;}; echo vulnerable' bash -c "echo" will print "vulnerable" if your bash is vulnerable
  • lots of Internet-facing services put strings from requests into environment variables; CGI, for example, exports request headers such as User-Agent as HTTP_USER_AGENT before running the script
  • curl -A "() { :; }; touch /var/www/oh_hai_webroot" http://eg.your.webserver/cgi-bin/foo.cgi will therefore run the touch on a server whose CGI script is executed by a vulnerable bash

Using lighttpd's mod_magnet, you can write arbitrary Lua scripts to do all kinds of things to requests. Read on for one that looks for the exploit's signature, logs all the request details and returns an HTTP 500 error.
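The signature check that post describes, written here as an added Python example rather than the post's own Lua/mod_magnet script, so the detection logic can be exercised offline: every request header is scanned for the bash function prefix "() {", and a hit produces the log record and the 500 decision the mod_magnet script would return. The sample requests (addresses, paths, headers) are constructed for the example. A filter like this only blocks the known signature; the fix is a patched bash.

```python
import re

# Signature of the shellshock trigger: the bash function-definition prefix
# "() {", with the whitespace variants seen in probes allowed. Any header a
# CGI gateway exports into the environment (User-Agent, Referer, Cookie, ...)
# is a candidate, so every header is inspected.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")


def is_shellshock_payload(value):
    """True if the header value contains the "() {" function prefix.

    Vulnerable bash only triggers when the variable value *begins* with the
    prefix, but searching anywhere is deliberate: it also catches payloads
    embedded in multi-part headers such as Cookie, and the sequence "() {"
    practically never appears in legitimate traffic.
    """
    return SHELLSHOCK_RE.search(value) is not None


def inspect_request(remote_addr, method, uri, headers):
    """Decide what to do with one request.

    Returns None to let the request through, or a dict describing the block
    decision (HTTP 500, mirroring the mod_magnet script described above)
    together with everything worth logging.
    """
    hits = {name: value for name, value in headers.items()
            if is_shellshock_payload(value)}
    if not hits:
        return None
    return {
        "status": 500,
        "remote_addr": remote_addr,
        "method": method,
        "uri": uri,
        "matched_headers": hits,
        "all_headers": dict(headers),
    }


# Constructed sample traffic (not real logs): the curl probe quoted in the
# post, a probe hiding in a cookie, and a normal browser request.
SAMPLE_REQUESTS = [
    ("198.51.100.7", "GET", "/cgi-bin/foo.cgi",
     {"Host": "eg.your.webserver",
      "User-Agent": "() { :; }; touch /var/www/oh_hai_webroot"}),
    ("198.51.100.8", "GET", "/cgi-bin/status.cgi",
     {"Host": "eg.your.webserver",
      "User-Agent": "Mozilla/5.0",
      "Cookie": "session=abc; x=() { :;}; /bin/sleep 5"}),
    ("203.0.113.9", "GET", "/index.html",
     {"Host": "eg.your.webserver",
      "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"}),
]


def scan(requests=SAMPLE_REQUESTS):
    """Run the check over a batch; returns the block records in order."""
    records = []
    for remote_addr, method, uri, headers in requests:
        decision = inspect_request(remote_addr, method, uri, headers)
        if decision is not None:
            records.append(decision)
    return records


if __name__ == "__main__":
    for rec in scan():
        print("DENY %d %s %s %s headers=%s" % (
            rec["status"], rec["remote_addr"], rec["method"], rec["uri"],
            sorted(rec["matched_headers"])))
```

The third sample shows why the pattern insists on an empty pair of parentheses: a browser User-Agent such as "(X11; Linux x86_64)" contains parentheses and braces-free text and must not trip the filter.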

My first article for The Feminist Observer: Dealing With Trolls

I've written a piece for The Feminist Observer, an awesome monthly digital magazine covering a wide range of topics within and related to feminism. It's a succinct article on recognizing and dealing with trolls, and you can read Dealing With Trolls on The Feminist Observer's blog, or check it out with the rest of the articles in their January 2014 issue.

Backup and other file rotation in Python

Write programs that do one thing and do it well.

So I finally tired of implementing file rotation and retention functionality for backup scripts on an ad-hoc basis, and have sorted it out forever*.

To that end, here's a Python script and class that handles rotating and retaining copies of files, with hourly, daily, weekly and monthly granularity.
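As an added illustration of the retention logic such a script needs (example code, not the script published with the post): the policy counts and the hourly backup series below are constructed assumptions, and the function only decides which copies to keep, leaving the renaming and deletion of files to the caller.

```python
from datetime import datetime, timedelta

# Retention policy: how many periods to keep at each granularity. The
# numbers are example choices, not the defaults of the post's script.
DEFAULT_POLICY = {"hourly": 24, "daily": 7, "weekly": 4, "monthly": 12}


def period_key(ts, granularity):
    """Identify the hour / day / ISO week / month a timestamp belongs to."""
    if granularity == "hourly":
        return (ts.year, ts.month, ts.day, ts.hour)
    if granularity == "daily":
        return (ts.year, ts.month, ts.day)
    if granularity == "weekly":
        iso_year, iso_week, _ = ts.isocalendar()
        return (iso_year, iso_week)
    if granularity == "monthly":
        return (ts.year, ts.month)
    raise ValueError("unknown granularity: %r" % granularity)


def select_retained(timestamps, policy=DEFAULT_POLICY):
    """Return the set of timestamps to keep under the policy.

    For each granularity the newest copy inside each period represents that
    period, and the newest `policy[granularity]` periods are kept. A copy
    survives if any granularity wants it, so the 23:00 copy of a day can be
    the hourly, daily, weekly and monthly representative at once.
    """
    keep = set()
    for granularity, count in policy.items():
        newest_in_period = {}
        for ts in timestamps:
            key = period_key(ts, granularity)
            if key not in newest_in_period or ts > newest_in_period[key]:
                newest_in_period[key] = ts
        keep.update(sorted(newest_in_period.values(), reverse=True)[:count])
    return keep


def plan_rotation(timestamps, policy=DEFAULT_POLICY):
    """Split timestamps into (keep, delete), both sorted oldest first."""
    keep = select_retained(timestamps, policy)
    return sorted(keep), sorted(ts for ts in timestamps if ts not in keep)


def hourly_series(start, hours):
    """Constructed sample: one backup every hour starting at `start`."""
    return [start + timedelta(hours=i) for i in range(hours)]


def example_plan():
    """60 days of hourly backups, 2014-01-01 00:00 to 2014-03-01 23:00."""
    return plan_rotation(hourly_series(datetime(2014, 1, 1), 60 * 24))


if __name__ == "__main__":
    keep, delete = example_plan()
    print("keep %d, delete %d" % (len(keep), len(delete)))
    for ts in keep:
        print("  keep", ts)
```

On the sample series the plan keeps 33 of the 1440 copies: the 24 hours of 1 March, the 23:00 copies of 23 to 28 February (daily), the 23:00 copies of 9 and 16 February (the two ISO weeks not already covered) and 31 January 23:00 (monthly). In a real script the timestamps would come from the file names or mtimes of the existing copies.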

Fabric, Python and remote running scripts

As a systems administrator, I occasionally need to run a script on a number of machines, be it to diagnose an intermittent issue, gather some ad-hoc statistics, or what have you. As such I have a small library of scripts, each with an aptly-named Fabric task defined in a fabfile. Of course, each of these tasks is almost identical: copy script to remote server, run (either as a regular user, or as root). I finally tired of repeating myself, and decided to solve this once and for all (obligatory xkcd).

To wit: presenting a Python snippet for turning a directory of scripts into remote-running Fabric tasks. Like magic.

Google retiring Google Reader - where to now?

Google today announced that they're retiring Google Reader, as of July 1st this year, as part of their spring cleaning. While the reason given for the closure is that "over the years usage has declined", this move leaves the (few?) die-hard Google Reader users out in the cold. So, where can we go from here?

Downgrading postgresql-libs behind pure-ftpd's back

Nothing important, just a note to myself on downgrading (should also work for upgrading) postgresql-libs to a different version.

service pure-ftpd stop && \
rpm --erase postgresql9-libs --nodeps && \
yum install -y postgresql8-libs && \
service pure-ftpd start

How Syria Turned Off the Internet

The CloudFlare blog has an excellent post about the Syrian Internet shutoff today:

To begin, all connectivity to Syria, not just some regions, has been cut. The exclusive provider of Internet access in Syria is the state-run Syrian Telecommunications Establishment. Their network AS number is AS29386. The following network providers typically provide connectivity from Syria to the rest of the Internet: PCCW and Turk Telekom as the primary providers with Telecom Italia, TATA for additional capacity. When the outage happened, the BGP routes to Syrian IP space were all simultaneously withdrawn from all of Syria's upstream providers. The effect of this is that networks were unable to route traffic to Syrian IP space, effectively cutting the country off the Internet.

Sharing Secrets and Distributing Passwords -- Data Genetics Blog

The DataGenetics Blog has posted Sharing Secrets and Distributing Passwords, an excellent breakdown of Shamir's Secret Sharing, a scheme that splits a secret into a number of parts and has several ideal properties:

  • Knowledge of any non-complete combination of sub-passwords gives an attacker no additional information on how to solve the problem. Even if you have knowledge of n-1 passwords, there are still an infinite number of curves that fit through these points, and thus an infinite number of possible intercepts.
  • As we can clearly see, it's very easy to generate new sub-passwords as needed. If we need to generate and distribute a new sub-password, we simply pull off another coordinate from the curve and give that out! None of the existing passwords need to change.
  • If some of the sub-passwords are compromised (and you know which ones) and you want to regenerate new ones, but keep the uncompromised ones the same, you can generate a new curve that passes through the points you wish to keep. [Edit - Only if the number of uncompromised points is two (or more) less than the minimum number needed to reconstruct the secret. Thanks for the correction @N1DQ]
  • To weight passwords (such as giving The President a nuclear launch password with three times the power of a regular password), we simply give out multiple coordinates to that person. Thus, for the nuclear launch example requiring five votes, we generate an order-4 polynomial, give The President three coordinates from the curve, The Secretary of Defence two coordinates off the curve, and the rest of the troops one coordinate each.
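A small Shamir implementation over a prime field, added here as an example (not DataGenetics' or anyone else's code) to make the four properties concrete: a "curve" is a random polynomial with the secret as its intercept, a sub-password is a point on it, recovery is Lagrange interpolation at x = 0, a new sub-password is just another point, re-issuing after a compromise builds a new curve through the kept points, and weighting is handing one person several points. The prime modulus, the secret and the point coordinates are choices made for the example.

```python
import secrets

# Field modulus: a prime larger than any secret we share. 2^127 - 1 is a
# convenient choice for this example; the scheme works over any prime field.
PRIME = 2**127 - 1


def _eval_poly(coeffs, x, p=PRIME):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... (mod p)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def make_polynomial(secret, threshold, p=PRIME):
    """Random degree threshold-1 polynomial with f(0) == secret: the 'curve'
    of the list above, with the secret as its intercept."""
    if not 0 <= secret < p or threshold < 2:
        raise ValueError("secret must lie in [0, p) and threshold be >= 2")
    return [secret] + [secrets.randbelow(p) for _ in range(threshold - 1)]


def share(coeffs, x, p=PRIME):
    """The point (x, f(x)); x == 0 is refused because f(0) is the secret."""
    if x % p == 0:
        raise ValueError("x = 0 would hand out the secret itself")
    return (x % p, _eval_poly(coeffs, x, p))


def interpolate(points, at, p=PRIME):
    """Lagrange interpolation over GF(p): the value at x=`at` of the unique
    polynomial of degree len(points)-1 passing through `points`."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate x coordinates")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * (at - xj)) % p
                den = (den * (xi - xj)) % p
        total = (total + yi * num * pow(den, p - 2, p)) % p  # Fermat inverse
    return total


def reconstruct(shares, p=PRIME):
    """The secret is the intercept. With fewer than `threshold` shares this
    still returns *an* intercept, but of a wrong lower-degree curve, equal
    to the real secret only with probability 1/p: the 'no additional
    information' property."""
    return interpolate(shares, 0, p)


def reissue(secret, kept_shares, threshold, new_xs, p=PRIME):
    """Fresh shares at `new_xs` on a new curve that still passes through the
    kept (uncompromised) points and (0, secret). As the [Edit] above says,
    the curve is only new if at most threshold-2 points are kept; otherwise
    the intercept plus the kept points already pin down the old curve."""
    if len(kept_shares) > threshold - 2:
        raise ValueError("too many kept shares; the curve would not change")
    fixed = [(0, secret)] + list(kept_shares)
    used = {x for x, _ in fixed} | set(new_xs)
    while len(fixed) < threshold:            # random extra points pin down
        x = secrets.randbelow(p)             # the new degree threshold-1 curve
        if x not in used:
            fixed.append((x, secrets.randbelow(p)))
            used.add(x)
    return [(x, interpolate(fixed, x, p)) for x in new_xs]


def weighted_demo(secret=0x1234567890ABCDEF):
    """The nuclear-launch example: five votes, so an order-4 polynomial; the
    President holds 3 points, the Secretary of Defence 2, each soldier 1.
    Returns which combinations recover the secret."""
    coeffs = make_polynomial(secret, threshold=5)
    president = [share(coeffs, x) for x in (1, 2, 3)]
    secdef = [share(coeffs, x) for x in (4, 5)]
    troops = [share(coeffs, x) for x in range(6, 16)]
    late_joiner = share(coeffs, 1000)        # issued later; nothing else changes
    # Shares x=6..8 leak: keep x=9..11 and reissue 6..8 on a new curve.
    new_troops = reissue(secret, troops[3:6], 5, [6, 7, 8])
    return {
        "president+secdef": reconstruct(president + secdef) == secret,
        "president+2 troops": reconstruct(president + troops[:2]) == secret,
        "president+1 troop": reconstruct(president + troops[:1]) == secret,
        "5 troops": reconstruct(troops[:5]) == secret,
        "4 troops+late joiner": reconstruct(troops[:4] + [late_joiner]) == secret,
        "kept 3+new 2": reconstruct(troops[3:6] + new_troops[:2]) == secret,
        "kept 3+leaked 1+new 1":
            reconstruct(troops[3:6] + [troops[0], new_troops[1]]) == secret,
    }
```

In the demo, four points (President plus one soldier) give a wrong intercept, any five points from the same curve give the right one, and after re-issue a leaked old point no longer lies on the new curve, so mixing it with new points fails. The "no additional information" property is exactly why the four-point case fails rather than merely narrowing the answer: every candidate secret is consistent with four points of a degree-4 curve.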

New project release: collectd_php_dashboard

I've just published collectd_php_dashboard — a basic multi-host dashboard for collectd metrics, written in PHP.

collectd_php_dashboard running on


