Current Production Network

July 18th, 2010

It’s pretty simple. That’s by design. I don’t want to have to mess with my production network. I want it to work non-stop. So far it’s been rock solid.

[Network diagram: knel-prod]

How I use my personal cloud

March 29th, 2010

As my readers know I’ve been working on data ownership for some time. I have reduced that concept to practice with great success. You can peruse my data ownership wiki page for infrastructure and software details.

I have moved a substantial portion of my data to a server under my control. This includes e-mails, wiki, documents, pictures etc.

I access my server via

  1. Laptop running Ubuntu 10.04 with an NFS mount to my server. This allows easy access to all of my data. My laptop is the single computer that I use, and I use it for extensive content creation: everything from writing code and managing systems to mind mapping and knowledge management.
  2. BlackBerry (I pretty much live in my e-mail). I also use the BlackBerry browser for quick browsing sessions. It’s not as good as the laptop or iPod Touch browser, but it works anywhere I have cell coverage. I also use my BlackBerry to tether my laptop, which lets me access my data pretty much anywhere. The overwhelming majority of my data manipulation activities are via Firefox on my laptop.
  3. Jailbroken iPod Touch (I love using the browser for quickly consuming content without needing to fire up my laptop). I also use this to consume music, videos and documents. (AirSharing is an awesome app.)

So three devices, each with their own usage profile, all consuming data from my central server. The laptop/BlackBerry is where I spend 85% to 90% of my time. The iPod Touch is used while in transit. It’s awesome for the daily commute.

I’m very happy having the vast majority of my data under my full control. I hope others join me on this journey.

Kinetic – A new project – needs your help

March 14th, 2010

Recently I’ve decided to tackle a project in the parallel programming space, as a result of a conversation I had after the SGVLUG meeting this last Thursday.

It’s in the early stages yet. I am seeking subject matter experts in the following areas:

  1. Seeking experts in LLVM, Grand Central, protocol buffers, pthreads, BOINC/Gearman/<pick a distributed router type system>
  2. Oh, also need people who have implemented domain-specific languages.
  3. Also looking for people who have experience accelerating extract-transform-load workloads with parallel programming methods.
  4. Oh yes, if you have 100 or more hours of working experience with OpenCL, I’m most interested in hearing from you.
  5. Bonus points to folks who have educated guesses about what I’m trying to do. :) Please reply privately.
  6. By expert I mean you enjoy writing parsers by hand in IR. (If you have to Google IR, don’t bother applying.)
  7. Do you consider stuff like porting pthreads from UNIX to Windows fun? :)

So that’s about it for now. More as it develops.

New discovery – fiber ho!

March 2nd, 2010

Last Saturday (February 27th 2010) I was out with my good friends @MikeFedyk and @k1059. We were seeking thermal paste so @MikeFedyk could rebuild his laptop.

We hit up three local computer stores and came up empty. There are actually four, but we decided not to go to the one located at Santa Anita and the 10 freeway across from the 7-Eleven. It had already been ruled out, as they didn’t even know what a microSD card was. They wanted to sell @k1059 a regular SD card. Even Best Buy sales folks know the difference (of course there are certain standout experts like my good friend @goodguymafia). I mean, come on, really?

Discovery 1:

We were surprised that El Monte has three computer stores. Before Saturday I was only aware of two (the previously mentioned one that was full of fail, and the one near the Metrolink station). The third one is near the Valley Mall; I don’t recall the exact location at the moment. They are all essentially holes in the wall that do basic repair and light sales. We got the paste from the local RadioShack.

Discovery 2:

The AT&T CO in town is two buildings: a single-story structure that shares a lot with the Metrolink station, and a multi-story structure across from the Chase branch. The multi-story structure has doors on each floor and a bar that comes out from the side of the building, with a 5,000 lb capacity.

Discovery 3:

We found fiber at Tyler and Amador St., right near a Service Area Interface box.

More details later, including pictures and details on a fiber deployment in town.

Organization Techniques

January 21st, 2010

I use a combination of 4 tools to manage my life:

1) Redmine (numerous projects; every desired action item is captured here).

2) iTouch notes. I have a “todo this week” note and a “todo next week” note. The Touch is always with me, and I capture things there before moving them to Redmine if I’m not on a Wi-Fi connection. I also capture things like grocery lists, errands etc.: things that don’t need to be tracked beyond doing them.

I also have a note titled “hot sheet”, where I take random notes.

3) Blog posts. I post high-level thoughts about what I want to get done that month.

4) @ai folder in my e-mail. Things that come in via e-mail that need a response via e-mail. I have two @ai folders: one off my main inbox and one off my jobs folder.

That’s about it. Pretty simple and straightforward. It works for me.

Job hunt plan

January 21st, 2010

Moved to a wiki page at http://wiki.knownelement.com/index.php/Job_hunt_presentation_to_sfvlug_on_1/23/2010 (didn’t actually give the presentation as I wasn’t prepared at the time)

2010 Plans – Phase 2: Finish production network

January 20th, 2010
  • Misc tasks. These are all captured in Redmine, targeting end of month for completion. They range from setting up Exchange to deploying GreenSQL. All are in support of owning my own data.
  • Monitoring and alerting

Status:

Monitoring is in quite a state of flux and will be for some time. I have good coverage of all my prod systems at a basic level, but need to add more detail. Dev is in a very early state, with almost no coverage.

Currently using sureping.com for external monitoring of various production systems/services (Apache/SMTP etc.) and this is working quite well. Internally I’m using Opsview to monitor all of my systems (production and development). I also get traffic graphs etc.

Other tools in use:

  1. NetFlow exports to ntop
  2. MRTG via Opsview
  3. RANCID

Planned items:

  1. Network traffic visualization (Snort/Sguil/secviz.org tools)

  • VLAN setup

Need to set up production VLANs.

  • Find work.

Get off my cloud

January 7th, 2010

I realized recently that I have data in many places, not under my direct control. I decided to change this in 2010 and take control of my data.

Last year I got business-class DSL from AT&T. It’s 6 Mbps down and 768k up, and it comes with 7 static IP addresses. I use 99.59.102.17 to host my production traffic; this goes to a KVM virtual machine running a LAMP stack. I pay $70.00 a month for the service, plus whatever portion of the power bill the system, switch, router and DSL modem consume. I will be putting a Kill A Watt in place to figure out production and development gear load.

On this setup I host numerous subdomains and services:

  • www
  • photos
  • blog
  • mblog
  • pastebin
  • URL
  • git
  • docs

I also host my own e-mail. It’s on another dedicated server elsewhere. I make very heavy use of e-mail, especially with rss2email.

All of these applications are free software. Installation is very straightforward.

These allow me to avoid using numerous cloud-based applications that have numerous drawbacks in terms of data security.

I am still on LinkedIn as that’s inherently social and there is a lot of benefit to it. I still want to build a very comprehensive employment profile on my own site, and link it and LinkedIn.

I haven’t found a good Dopplr-like site. It’s a very cool travel mash-up journal. I think I will use my blog for that.

That’s about it. I’m not on Facebook or MySpace or any other social networking sites. I do interact with people on Twitter via my micro blog, as it has a bridge to Twitter.

Censorship in BarCamp land

January 2nd, 2010

Today Chuck Daddy Wy-Fi became aware of injustice in the land of BarCamp San Diego.

I open with a bit of levity as this is an incredibly serious post and it weighs heavy on my heart and mind.

I am a direct member of numerous mailing lists and often have things sent to me from folks who are on lists I’m not a member of. Recently one of my numerous intelligence sources tipped me off to a thread on the BarCamp San Diego list about a product announcement on the list from an employee of Aten Labs named Dan Tentler. The thread subject was ZipLine – a new security product from AtenLabs (and Viss!)

Reading over the announcement, I had some concerns and posted a reply at 12/31/2009 01:16PM.

Here is the log snippet from my mail system showing the reply:

mail.log:85:Dec 31 16:42:41 charles-laptop postfix/smtp[4305]: CC9964DF6B: to=<barcampsd@googlegroups.com>, relay=gmr-smtp-in.l.google.com[209.85.222.207]:25, delay=1.2, delays=0.26/0.05/0.31/0.54, dsn=2.0.0, status=sent (250 2.0.0 OK 1262306560 24si4117155pzk.10)

Here is my post:

Viss wrote:
>> So how is this any better then OpenVPN running on a server I control?
>> Why on earth would one outsource their security to a 3rd party?
>> 
>
> People did that with anonymizer. There was a huge camp of people who
> claimed flat out that "Anonymizer helps people spread spam and helps
> attackers be anonymous". This was wholly untrue, but it certainly
> didn't stop people from making accusations. The bottom line is just
> because someone says something on the internet, doesn't make it true.
> 

Huh? What does that have to do with what I said? I'm not saying
that about your service. Let me ask another way.... What are the pros
and cons of Zipline vs my own (Ipsec/SSL)VPN solution?
> And plenty of companies outsource their security to 3rd parties. Any
> company that hires another company to do anything remotely security
> related is 'outsourcing their security'. That's how companies like
> Tenable, Rapid7, Foreground and MANY others make their living -
> they're security experts and they work on a consultancy basis.
>
> 
They outsource audits, vulnerability assessments etc yes. However
most organizations host a VPN terminator under their administrative
control, and often physical control.  Placing that outside of ones control
is a recipe for disaster.
> 
>> I'll let the other replies in this thread stand on their own (in
>> regards to the exploits you have pulled in the past at a coffee
>> shop).
>> 
>
> I did exactly the same thing at Qualcomm, during RefreshSD for a room
> of 60 people. *EXACTLY* the same thing. Nobody at Qualcomm complained,
> in fact they came to me, shook my hand, and asked me what they could
> do to secure themselves in places where using cleartext was
> unavoidable. The difference is when I was at Qualcomm it was clearly
> understood that I was showing people something for educational
> purposes. At the coffeeshop there were a couple guys who went all fox
> news because they showed up an hour late and had no idea what was
> going on - then went berserk and started a witch hunt.
>
> 

Heh.... well that is your view of the world Dan. It's not what actually
happened. However it's not my place to comment on ongoing litigation
in a public forum.
>> Though I do rather like this quote:
>>
>> The architecture of Zipline is dubious from a security standpoint, and
>> moreover, we have every reason to believe that its operators are
>> precisely the sort of script-kiddies Zipline purports to protect
>> people
>> from.
>> Dan, you are the fox, offering hens your services as henhouse manager.
>> Moreover, you expect them to pay for it! The mind boggles.
>> 
>
> How juvenile. Name calling and slinging mud, this is exactly what we
> want on the barcamp mailing list, thanks.
> 

Oh I was simply reposting a quote from a previous reply on this thread.
I do agree it was a bit flamy, but it captures the sentiment of what
happened.
> 
>> Even if you didn't pull those antics, why should any potential user of
>> your product trust you?
>> 
>
> I'm not twisting your arm - if you don't like me, don't buy my products.
> So far the people from this mailing list that are using my product are
> quite happy with it.
> 

Oh it has nothing to do with you personally. It has to do with
product/service selection criteria. I was simply asking what about you
and your organization would convince me to go with your product/service
over something else (namely a VPN concentrator under my administrative
control).
> 
>> Do you hold industry standard credentials from
>> SANS or other reputable organizations?
>> 
>
> I hold certs from websense and an OSCP cert. I don't see how this is
> relevant at all, since I'm offering a VPN product from a well known
> infrastructure vendor.
> 

It was a follow-on to my question of why I should choose you. I look
for these sorts of things when I select a security product or service.
> 
>> Do you undergo regular security
>> audits?
>> 
>
> Yes.
> 

Good. Presumably the results of the audits are available to customers
upon request (subject to good faith/NDA etc)?
> 
>> Do you meet any sort of SBOX/PCI compliance requirements? Or
>> are you just some guy with a box in a colo asking people to trust you
>> with their data?
>> 
>
> I don't have to, I'm not a publicly held company. I don't need to
> undergo audits to maintain PCI compliancy because I don't take credit
> card payments or store credit cards (I'm using paypal for now, then
> intend to use a solution provided to me by Intuit.). I don't have to
> undergo sarbox compliancy because, again, I'm not a publicly held
> company and I don't have shareholders. I have, however, been paid to
> DO sarbox audits from an IT standpoint - I quite enjoy them.
> 

Well... as an organization providing products/services, there are many
aspects of PCI and SBOX that apply to you. Many people/organizations
exploring your  product/service will want that as a checkbox.
> The bottom line is this is sounding more and more like a flamewar.
> This is not something that belongs on the barcamp mailing list.
>
> 

This is not a flame war. Mr. Tentler, if you feel this is flaming, then you,
sir, have never been flamed. :)
> If you aren't interested in my product, don't buy it - simple.
Is this the attitude you take with all potential customers, Dan? This is
a pretty standard list of questions one might ask, especially after
performing due diligence on you and your organization.
> If you
> have PROOF that I'm capturing packets, manipulating traffic, or doing
> something nefarious with zipline after I've clearly stated I haven't,
> please present it.

I don't. I'm simply asking questions about your product/service. The
various audits/compliance check boxes etc lead to further assurance.
At some point customers will simply need to trust you of course.
> Keep in mind - if someone was shortsighted enough
> to try and sell a product wherein the ulterior motive was to capture
> traffic and someone were to find out - that would put them at the
> business end of a class-action lawsuit.
> 
It would in all likelihood land them in jail for violating federal law.
A lawsuit would be the least of their worries.

I was not the first or last person to post a reply to the thread.

Mail messages available upon request.

However it now appears as if this thread was deleted. It is no longer in the BarCamp San Diego Google Group archives.

If one looks at the owner of this Google Group they will see that it is Viss, the same person who initiated the thread.

If I was asked for my expert opinion in this matter, I would say that the list owner deleted the thread as it was critical of his product. I have no proof that the list owner deleted the thread. It is just my opinion, and not a statement of fact.

I will leave it to the community to draw their own conclusions to ethics and morals around this activity.

2010 Plans – Phase 1: Production Network

December 22nd, 2009

The first thing I need to do this year is finish getting my production network in order.

  • Document the existing production network.

Status: This has been completed. Well as completed as such a thing can be. It will always be in flux. Please see http://wiki.knownelement.com/index.php/Network_Stuff for details. It’s a very long page, and is quite thorough.

  • Backups and restores

Status: This is now completed. The production server, production server replica and development server are backed up to an external USB drive on a nightly basis. This covers home directories and system configuration (/etc and all MySQL databases). Cisco gear is backed up nightly via RANCID.
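A script of the kind the backup item above describes, as an added example that is not the author's own: /etc, home directories and a dump of all MySQL databases go to an external USB drive, and the script refuses to run if that drive is not actually mounted (the mount point /mnt/usb, the 7-night retention and the cron schedule are assumptions).

```shell
#!/bin/sh
# Added example, not the author's script. Nightly backup of /etc, /home and
# all MySQL databases to an external USB drive; Cisco configs are left to
# RANCID. /mnt/usb, the 7-night retention and the cron line are assumptions.

# True when $1 is the root of a mounted filesystem (its device id differs
# from its parent's). Writing to an unmounted /mnt/usb would silently fill
# the root disk instead of the drive, so the backup refuses to run then.
is_mounted() {
    [ "$1" = "/" ] && return 0
    [ "$(stat -c %d "$1")" != "$(stat -c %d "$1/..")" ]
}

# backup_nightly SRC_ROOT DEST STAMP
#   SRC_ROOT is "/" on a real host (a scratch tree in tests), DEST the
#   mounted drive (dedicated to backups), STAMP a date such as 2010-01-07.
#   Prints the directory it wrote; returns non-zero on any failure.
backup_nightly() {
    src_root="$1"; dest="$2"; stamp="$3"
    if [ "${BACKUP_SKIP_MOUNTCHECK:-0}" != "1" ] && ! is_mounted "$dest"; then
        echo "backup: $dest is not a mounted drive, refusing to write" >&2
        return 1
    fi
    out="$dest/$(uname -n)-$stamp"
    mkdir -p "$out" || return 1
    # System configuration and home directories, paths relative to SRC_ROOT.
    tar -czf "$out/etc.tar.gz" -C "$src_root" etc || return 1
    tar -czf "$out/home.tar.gz" -C "$src_root" home || return 1
    # Every database in one consistent dump. Credentials come from ~/.my.cnf,
    # never the command line (they would show in ps). Skipped when mysqldump
    # is absent or BACKUP_WITH_MYSQL=0.
    if [ "${BACKUP_WITH_MYSQL:-1}" = "1" ] && command -v mysqldump >/dev/null 2>&1; then
        mysqldump --all-databases --single-transaction > "$out/mysql-all.sql" || return 1
        gzip -f "$out/mysql-all.sql" || return 1
    fi
    # Verify each archive reads back cleanly before declaring success.
    for f in "$out"/*.tar.gz; do gzip -t "$f" || return 1; done
    # Retention: keep the newest 7 nightly directories, drop the rest.
    ls -1d "$dest"/*-* 2>/dev/null | sort -r | tail -n +8 | while read -r old; do
        rm -rf "$old"
    done
    echo "$out"
}

# Assumed cron entry: 30 2 * * * /usr/local/sbin/nightly-backup.sh --run
if [ "${1:-}" = "--run" ]; then
    backup_nightly / /mnt/usb "$(date +%F)"
fi
```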

  • Redo development rack wiring from scratch and clean up office.

A few months ago Rufus and I redid the rack from scratch. Very happy with the layout (documented at the above wiki link), but the wiring leaves a bit to be desired.

Status: Completed.

  1. The production Ethernet and power has now been cleaned up. Much better than before. Liberal use of zip ties, and more slack.
  2. Dev wiring is completed.
  3. Cleaned up office and outside storage space. I can now find things very quickly. :)