I will be presenting SecurePass at SMAU (Milan, Italy) on October 19th at 4pm. SecurePass defines a new type of cloud service, i.e. the Secure Identity Service Provider. The service has to meet precise business needs:
- scalable enough to serve everything from small businesses to large European carriers and ISPs
- also channelled through partners who can sell the service under their own product/brand
- high availability, maximum security and confidentiality of data
- easy to integrate into customers’ environments
- easy to use and interact with
The creation of an innovative service, combined with these business needs, has had multiple impacts on the technical implementation: in fact, no commercial or open source software is capable of providing the features that the service implements. This talk explores the challenges encountered and how they were resolved.
Register yourself for a free ticket at SMAU at the following address: www.smau.it/invite/giuseppepaterno
SecurePass web site is www.secure-pass.net
Honestly, I never liked Java. I’ve tried it and I still see some potential, especially in deploying it easily into a web server: copy a single (war) file, what more could a sysadmin ask for? But when it comes to programming … well, you know better than me: tons of frameworks, beans and more! It’s a sort of jungle out there.
Well, I started with Perl something like 20 years ago and I found Ruby very similar to the Perl approach to programming: I mean, I got the impression that it is flexible to write. I then learned Rails on top of Ruby and I felt comfortable with it. I’m a lazy programmer and having a framework that does almost everything by itself was great. A CRUD interface can easily be built with a “scaffold” and the validations are done in the model class. AJAX is easy to plug in as well, with a few lines of code.
For a separate project, I had to learn Python. What I admire most about Python is that when you look back at your sources, no matter whether it was two days or two years ago, you can read them and feel comfortable with them as if only a few hours had passed. My impression is that it is way faster than Ruby at execution time, which made Python my choice for creating a system network daemon. As I wrote the core APIs in Python, it was natural that I had to write the admin web interface in Python too. And it was harder than expected: nothing impossible, but it reminded me of the old days when everybody needed to code each single CGI page.
Django sounds promising and it does most things by itself … but only for the admin panel. If you want CRUD in your own application, you have to do everything yourself.
So on one side I have Python: neat programming, lots of (stable) modules, fast to execute, but IMHO poor web framework support.
On the other, Ruby: few modules available and most of them unstable, code not always easy to read, but a great Rails framework that lets you code your web application in a few hours (or even minutes).
Still, I cannot make up my mind between Ruby and Python.
Today I ported Ubuntu Natty 11.04 to a REAL tablet. It’s a WeTab, which normally ships with MeeGo. As you well know, Nokia decided to switch to Windows Mobile and basically stopped MeeGo development on their side, leaving Intel alone on the project.
I tried in the past with the Folio 100, but things are slow because it’s based on the nVidia Tegra2: a good processor, but not easy to handle. I hope there will be something with a FreeScale i.MX51 (or later), which is a processor I have some experience with.
Anyway, as the WeTab has an Intel Atom processor, it was quite easy to port Natty to it, once you understand the process of booting off the USB adapter. It’s certainly far easier than on ARM processors, although the Atom is hungrier on power consumption.
The final result is in the photo aside and I think it’s a good result: most of the functionality works like a charm, such as Bluetooth, Wi-Fi, video, … For the keyboard emulation I used Florence, although it has some bugs related to the new Qt-based Unity interface (it was designed for GNOME). Natty is really heading towards a real tablet edition and a unified experience across devices; we’ll see more with the next release. Stay tuned for more UDS reports.
DISCLAIMER: this is not an official Canonical port, it’s just my own effort to run Ubuntu on this tablet.
I guess most of you share my problem: friends are continuously asking for help installing their PCs, and most of the time it is Windows. That would not be a problem if it were any sort of Linux distribution: re-installing using a preseed (Debian/Ubuntu) or Kickstart (CentOS/Fedora/RedHat) is pretty straightforward. Windows is quite a beast and has to be prepared for each PC: drivers, applications, … Unless you’re a super-duper Windows ninja with your own sysprep, it is unlikely you will have a full ready-to-go environment.
How many times have your friends come back, after you installed their PC a while ago, asking for a re-installation? It happens a lot, at least to me. The idea was then to create an OEM-like recovery partition, i.e. a partition that holds the Windows image and the program that is able to recover it. The idea is quite simple: use Clonezilla to accomplish the task. But how to automate the recovery partition was another story. Here’s the recipe:
- Before installing Windows, make sure you create a small extra partition, let’s say 10GB to be safe
- Install your Windows (XP/Vista/seven/…), drivers, Windows patches, applications and whatever is needed for your friend(s)
- Format the second partition as FAT32 (VFAT) and label it, for example RECOVERY
- Make sure the installation is clean, the drive is defragmented and … empty the Trash!
- Download grub4dos and place it in a convenient directory, say C:\GRUB4DOS
- Copy the file grldr into the root of the boot disk, e.g. C:\grldr
- Unhide C:\boot.ini and modify it by adding a line such as: C:\grldr=”Recovery procedure”
- Download Clonezilla Live for hard disk: basically it’s a zip file that has to be uncompressed as-is into the root of the recovery partition
- Create a “menu.lst” file in the C: partition and populate it as suggested at point five of the Clonezilla how-to. Be aware that that configuration is buggy: replace vmlinuz1 and initrd1.img with vmlinuz and initrd.img, which are the files held in the /live directory of the recovery partition.
Once you select the “Recovery procedure” entry at boot time, the Windows bootloader will chainload grub4dos, which will load the kernel and the initrd of Clonezilla. As such, you will have a fully functional Clonezilla Live booted from the recovery partition. At this stage, through the Clonezilla menu, you will be able to dump and recover the partition. Use local_dev and mount the recovery partition to hold the actual image.
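Putting the boot pieces of the recipe together, here is an example boot.ini entry and grub4dos menu.lst added for illustration (not taken from the original post or from the Clonezilla how-to). The kernel parameters are assumed from Clonezilla live’s own boot menu of that era and the Windows ARC path is a typical single-disk XP install; both may need adjusting:

```text
; C:\boot.ini (Windows XP): chainload grub4dos from C:\grldr as a second boot entry
[boot loader]
timeout=10
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
C:\grldr="Recovery procedure"

# C:\menu.lst (grub4dos): boot Clonezilla live from the RECOVERY partition,
# using the renamed vmlinuz / initrd.img in its /live directory
timeout 5
default 0
title Recovery procedure (Clonezilla live)
# locate whichever partition holds /live/vmlinuz and make it the root device
find --set-root /live/vmlinuz
# assumed kernel parameters, copied from Clonezilla live's own boot menu
kernel /live/vmlinuz boot=live union=aufs noswap noprompt vga=788 ip=frommedia
initrd /live/initrd.img
```

Keep the RECOVERY partition FAT32 and the image in a directory Clonezilla can mount via local_dev, otherwise the restore menu will not find it.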
I had a quick chat with a friend the other day and he was complaining that someone was maybe attacking him, using the same ESSID. He was very upset and wanted a resolution, so he called me for advice… most of the time we forget that every day you are working with wireless is a gift. Unlike what happens in the wired world, radio waves travel through the air and the air is not owned by anybody. Whether he was under attack or not, radio waves can’t be stopped: they are not something we can confine or leave outside the door or the building. Therefore, in the unlicensed spectrum (2.4GHz and 5GHz are in this category), everyone has the right to set up a wireless LAN (ESSID) and there’s nothing you can do about it. This is the ephemeral nature of wireless.
LONDON, UK. In a communication with Lirpa Airlines, Giuseppe Paternò (aka Gippa) announced today that he will join Lirpa Airlines as a pilot in command. Giuseppe states that “there was too much excitement in the IT space, and I decided to switch to a more standard job instead”. Gippa will continue in the security computing industry as a hobbyist and his main goal is to test the security of on-board equipment while flying the plane: “It’s not any different from doing a vulnerability assessment of a bank production environment, except that you are airborne”, he stated. Lirpa Airlines is convinced that providing more security will make customers safer and happier: their brand new Airbus A-320 will be equipped with a new firewall sign for the passengers, who are now obliged to activate the firewall on their electronic devices before take-off and landing.
I am pleased to announce the release of the paper “Strong Authentication and Security for Oracle Application Express”.
Oracle Application Express is a simple yet powerful RAD/web application framework that can address specific rapid application needs, from small businesses to larger enterprises. However, it is missing out-of-the-box strong authentication functionality, such as One Time Password (OTP) keys or smart cards. Moreover, the administrative interface and all hosted applications are potentially reachable by an attacker. My publication proposes an architecture to fill these gaps, providing a highly secure environment to run your own business applications.
The preface was kindly provided by Mark Shuttleworth, founder of Ubuntu, Canonical and Thawte.
The paper is freely available from the following URL:
Today I was able to complete an integration of Oracle DBMS plus Oracle Application Express (also known as ApEx) with my Open Source One Time Password (OTP) daemon. Moreover, I was able to protect given ApEx applications by combining a Web Application Firewall (WAF) with ApEx. This integration will enable customers to deliver secure mission-critical enterprise web applications. A paper will come soon… stay tuned!
A hardcoded password-related security vulnerability has been discovered which apparently affects every HP MSA2000 G3 modular storage array shipped to date.
Apparently a hidden user exists that is built into the system and doesn’t show up in the user manager, and its password may not be changeable (unconfirmed), creating a perfect “backdoor” opportunity for an attacker to gain access to potentially sensitive information stored on the device, as well as to the systems it is connected to. The hard-coded user and password in the HP MSA2000 are set to an embarrassingly simple:
Because the password can’t be changed or deleted, it creates another serious enterprise vulnerability. Similar vulnerabilities were recently discovered in Cisco Unified Video Conferencing products, where a Linux shadow password file contained three hard-coded usernames and passwords.
More on the SecurityWeek website.
A beta preview of the TOTP algorithm has been implemented in OTPD, the Open Source OTP daemon I maintain. Besides TOTP, the Feitian c200 hardware token is also supported. It should be compliant with the TOTP standard, and it mostly is, except that its time seems to be rounded to the next minute.
The TOTP daemon has also been tested with the OATH Token for iPhone, and it’s fully compliant. You’re more than welcome to report hardware and/or software tokens that work with it.
If you wish, you can check out the sources from Google’s SVN; full instructions are available in the project’s “Source” section.