2010 Plans – Phase 2: Finish production network

January 20th, 2010
  • Misc tasks. These are all captured in Redmine, targeting end of month for completion. They range from setting up Exchange to deploying GreenSQL. All are in support of owning my own data.
  • Monitoring and alerting

Status:

Monitoring is in quite a state of flux and will be for some time. I have good coverage of all my prod systems at a basic level, but need to add more detail. Dev is in a very early state, with almost no coverage.

Currently using sureping.com for external monitoring of various production systems/services (apache/smtp etc) and this is working quite well. Internally I’m using opsview to monitor all of my systems (production and development). I also get traffic graphs etc.

Other tools in use:

  1. Netflow exports to NTOP
  2. MRTG via opsview
  3. RANCID

Planned items:

  1. Network traffic visualization (snort/sguil/secviz.org tools)
  • VLAN Setup

Need to set up production VLANs.

  • Find work.

Get off my cloud

January 7th, 2010

I realized recently that I have data in many places, not under my direct control. I decided to change this in 2010 and take control of my data.

Last year I got business class DSL from AT&T. It's 6 Mbps down and 768k up. It comes with 7 static IP addresses. I use 99.59.102.17 to host my production traffic. This goes to a KVM virtual machine running a LAMP stack. I pay 70.00 a month for the service, and whatever portion of the power bill the system, switch, router and DSL modem consume. I will be putting a Kill A Watt in place to figure out production and development gear load.

On this setup I host numerous subdomains and services:

www
photos
blog
mblog
pastebin
URL
git
docs

I also host my own email. It's on another dedicated server elsewhere. I make very heavy use of email, especially with rss2email.

All of these applications are free software. Installation is very straightforward.

These allow me to avoid using numerous cloud based applications that have numerous drawbacks in terms of data security.

I am still on LinkedIn as that's inherently social and there is a lot of benefit to it. I still want to build a very comprehensive employment profile on my own site, and link it and LinkedIn.

I haven't found a good Dopplr-like site. It's a very cool travel mash-up journal. I think I will use my blog for that.

That's about it. I'm not on Facebook or MySpace or any other social networking sites. I do interact with people on Twitter via my micro blog, as it has a bridge to Twitter.

Censorship in BarCamp land

January 2nd, 2010

Today Chuck Daddy Wy-Fi became aware of injustice in the land of BarCamp San Diego.

I open with a bit of levity as this is an incredibly serious post and it weighs heavy on my heart and mind.

I am a direct member of numerous mailing lists and often have things sent to me from folks who are on lists I'm not a member of. Recently one of my numerous intelligence sources tipped me off to a thread on the BarCamp San Diego list about a product announcement on the list from an employee of Aten Labs named Dan Tentler. The thread subject was ZipLine – a new security product from AtenLabs (and Viss!)

Reading over the announcement, I had some concerns and posted a reply at 12/31/2009 01:16PM.

Here is the log snippet from my mail system showing the reply:

mail.log:85:Dec 31 16:42:41 charles-laptop postfix/smtp[4305]: CC9964DF6B: to=<barcampsd@googlegroups.com>, relay=gmr-smtp-in.l.google.com[209.85.222.207]:25, delay=1.2, delays=0.26/0.05/0.31/0.54, dsn=2.0.0, status=sent (250 2.0.0 OK 1262306560 24si4117155pzk.10)
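The postfix line above is the evidence this post rests on. As an added example (not from the original post), here is a small parser for postfix/smtp delivery lines of that shape: it pulls out the queue id, recipient, relay and DSN, and answers whether the line actually shows the next hop accepting the message. The deferred line is constructed for contrast and is not from the page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Delivery line quoted in the post above (mail.log:85, grep -n prefix included).
PAGE_LOG_LINE = (
    "mail.log:85:Dec 31 16:42:41 charles-laptop postfix/smtp[4305]: CC9964DF6B: "
    "to=<barcampsd@googlegroups.com>, relay=gmr-smtp-in.l.google.com[209.85.222.207]:25, "
    "delay=1.2, delays=0.26/0.05/0.31/0.54, dsn=2.0.0, status=sent (250 2.0.0 OK 1262306560 24si4117155pzk.10)"
)
# Constructed failure case (not from the page): the next hop never accepted
# the message, so a line like this does not prove delivery.
DEFERRED_LINE = (
    "Dec 31 16:50:02 charles-laptop postfix/smtp[4310]: DEADBEEF01: to=<someone@example.com>, "
    "relay=none, delay=30, delays=0.1/0/30/0, dsn=4.4.1, status=deferred "
    "(connect to example.com[192.0.2.10]:25: Connection timed out)"
)

# One postfix/smtp delivery attempt; an optional "file:lineno:" prefix from
# grep -n is tolerated and discarded.
_SMTP_LINE = re.compile(
    r"^(?:[^:\s]+:\d+:)?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) postfix/smtp\[(?P<pid>\d+)\]: (?P<queue_id>[0-9A-F]+): "
    r"to=<(?P<to>[^>]*)>, relay=(?P<relay>\S+?), delay=(?P<delay>[\d.]+), "
    r"delays=(?P<delays>[\d./]+), dsn=(?P<dsn>\d\.\d+\.\d+), "
    r"status=(?P<status>\w+) \((?P<detail>.*)\)$"
)
_RELAY = re.compile(r"^(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+)$")


@dataclass(frozen=True)
class DeliveryRecord:
    timestamp: str
    queue_id: str
    recipient: str
    relay_host: Optional[str]  # None when relay=none (no connection was made)
    relay_ip: Optional[str]
    dsn: str                   # enhanced status code (RFC 3463), e.g. 2.0.0
    status: str                # sent / deferred / bounced
    detail: str                # the remote server's reply, verbatim


def parse_postfix_delivery(line: str) -> Optional[DeliveryRecord]:
    """Parse one postfix/smtp delivery line; return None for anything else."""
    m = _SMTP_LINE.match(line.strip())
    if not m:
        return None
    relay = _RELAY.match(m["relay"])
    return DeliveryRecord(
        timestamp=m["ts"], queue_id=m["queue_id"], recipient=m["to"],
        relay_host=relay["host"] if relay else None,
        relay_ip=relay["ip"] if relay else None,
        dsn=m["dsn"], status=m["status"], detail=m["detail"],
    )


def delivery_confirmed(line: str, recipient: str) -> bool:
    """True only if the line shows the next hop accepting mail for recipient.

    status=sent with a 2.x.x DSN means the relay took responsibility for the
    message; it says nothing about what that relay (here Google Groups) did
    with it afterwards, e.g. moderation or a later removal from the archive.
    """
    rec = parse_postfix_delivery(line)
    return (rec is not None and rec.recipient.lower() == recipient.lower()
            and rec.status == "sent" and rec.dsn.startswith("2."))
```

The same parser works on a whole mail.log (one call per line), which is the check to run before relying on a single quoted line as proof.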

Here is my post:

Viss wrote:
>> So how is this any better then OpenVPN running on a server I control?
>> Why on earth would one outsource their security to a 3rd party?
>> 
>
> People did that with anonymizer. There was a huge camp of people who
> claimed flat out that "Anonymizer helps people spread spam and helps
> attackers be anonymous". This was wholly untrue, but it certainly
> didn't stop people from making accusations. The bottom line is just
> because someone says something on the internet, doesn't make it true.
> 

Huh? What does that have to do with what I said? I'm not saying
that about your service. Let me ask another way.... What are the pros
and cons of Zipline vs my own (IPsec/SSL) VPN solution?
> And plenty of companies outsource their security to 3rd parties. Any
> company that hires another company to do anything remotely security
> related is 'outsourcing their security'. That's how companies like
> Tenable, Rapid7, Foreground and MANY others make their living -
> they're security experts and they work on a consultancy basis.
>
> 
They outsource audits, vulnerability assessments etc., yes. However
most organizations host a VPN terminator under their administrative
control, and often physical control. Placing that outside of one's control
is a recipe for disaster.
> 
>> I'll let the other replies in this thread stand on their own (in
>> regards to the exploits you have pulled in the past at a coffee
>> shop).
>> 
>
> I did exactly the same thing at Qualcomm, during RefreshSD for a room
> of 60 people. *EXACTLY* the same thing. Nobody at Qualcomm complained,
> in fact they came to me, shook my hand, and asked me what they could
> do to secure themselves in places where using cleartext was
> unavoidable. The difference is when I was at Qualcomm it was clearly
> understood that I was showing people something for educational
> purposes. At the coffee shop there were a couple guys who went all fox
> news because they showed up an hour late and had no idea what was
> going on - then went berserk and started a witch hunt.
>
> 

Heh.... well that is your view of the world Dan. It's not what actually
happened. However it's not my place to comment on ongoing litigation
in a public forum.
>> Though I do rather like this quote:
>>
>> The architecture of Zipline is dubious from a security standpoint, and
>> moreover, we have every reason to believe that its operators are
>> precisely the sort of script-kiddies Zipline purports to protect
>> people
>> from.
>> Dan, you are the fox, offering hens your services as henhouse manager.
>> Moreover, you expect them to pay for it! The mind boggles.
>> 
>
> How juvenile. Name calling and slinging mud, this is exactly what we
> want on the barcamp mailing list, thanks.
> 

Oh I was simply reposting a quote from a previous reply on this thread.
I do agree it was a bit flamy, but it captures the sentiment of what
happened.
> 
>> Even if you didn't pull those antics, why should any potential user of
>> your product trust you?
>> 
>
> I'm not twisting your arm - if you don't like me, don't buy my products.
> So far the people from this mailing list that are using my product are
> quite happy with it.
> 

Oh it has nothing to do with you personally. It has to do with
product/service selection criteria. I was simply asking what about you
and your organization would convince me to go with your product/service
over something else (namely a VPN concentrator under my administrative
control).
> 
>> Do you hold industry standard credentials from
>> SANS or other reputable organizations?
>> 
>
> I hold certs from websense and an OSCP cert. I don't see how this is
> relevant at all, since I'm offering a VPN product from a well known
> infrastructure vendor.
> 

It was a follow-on to my question of why I should choose you. I look for
these sorts of things when I select a security product or service.
> 
>> Do you undergo regular security
>> audits?
>> 
>
> Yes.
> 

Good. Presumably the results of the audits are available to customers
upon request (subject to good faith/NDA etc)?
> 
>> Do you meet any sort of SBOX/PCI compliance requirements? Or
>> are you just some guy with a box in a colo asking people to trust you
>> with their data?
>> 
>
> I don't have to, I'm not a publicly held company. I don't need to
> undergo audits to maintain PCI compliance because I don't take credit
> card payments or store credit cards (I'm using paypal for now, then
> intend to use a solution provided to me by Intuit.). I don't have to
> undergo sarbox compliance because, again, I'm not a publicly held
> company and I don't have shareholders. I have, however, been paid to
> DO sarbox audits from an IT standpoint - I quite enjoy them.
> 

Well... as an organization providing products/services, there are many
aspects of PCI and SBOX that apply to you. Many people/organizations
exploring your product/service will want that as a checkbox.
> The bottom line is this is sounding more and more like a flamewar.
> This is not something that belongs on the barcamp mailing list.
>
> 

This is not a flame war. Mr Tentler, if you feel this is flaming, then you
sir have never been flamed. :)
> If you aren't interested in my product, don't buy it - simple.
Is this the attitude you take with all potential customers Dan? This is
a pretty standard list of questions one might ask, especially after
performing due diligence on you and your organization.
> If you
> have PROOF that I'm capturing packets, manipulating traffic, or doing
> something nefarious with zipline after I've clearly stated I haven't,
> please present it.

I don't. I'm simply asking questions about your product/service. The
various audits/compliance check boxes etc lead to further assurance.
At some point customers will simply need to trust you of course.
> Keep in mind - if someone was shortsighted enough
> to try and sell a product wherein the ulterior motive was to capture
> traffic and someone were to find out - that would put them at the
> business end of a class-action lawsuit.
> 
It would in all likelihood land them in jail for violating federal law.
A lawsuit would be the least of the worries.

I was not the first or last person to post a reply to the thread.

Mail messages available upon request.

However it now appears as if this thread was deleted. It is no longer in the BarCamp San Diego Google Group archives.

If one looks at the owner of this Google Group they will see that it is Viss. The same person who initiated the thread.

If I were asked for my expert opinion in this matter, I would say that the list owner deleted the thread as it was critical of his product. I have no proof that the list owner deleted the thread. It is just my opinion, and not a statement of fact.

I will leave it to the community to draw their own conclusions about the ethics and morals around this activity.

2010 Plans – Phase 1: Production Network

December 22nd, 2009

The first thing I need to do this year is finish getting my production network in order.

  • Document the existing production network.

Status: This has been completed. Well as completed as such a thing can be. It will always be in flux. Please see http://wiki.knownelement.com/index.php/Network_Stuff for details. It’s a very long page, and is quite thorough.

  • Backups and restores

Status: This is now completed. The production server, production server replica and development server are backed up to an external USB drive on a nightly basis. This covers home directories and system configuration (/etc) and all MySQL databases. Cisco gear is backed up nightly via RANCID.

  • Redo development rack wiring from scratch and clean up office.

A few months ago Rufus and I redid the rack from scratch. Very happy with the layout (documented at the above wiki link), but the wiring leaves a bit to be desired.

Status: Completed.

  1. The production Ethernet and power has now been cleaned up. Much better than before. Liberal use of zipties, and more slack.
  2. Dev wiring is completed.
  3. Cleaned up office and outside storage space. I can now find things very quickly. :)

Denial of insight

December 9th, 2009

Me no love centralized systems not under my control long time.

I’m all about open source, distributed systems.

Earlier this year I

1) Got off of facebook (it was just mirroring my twitter updates anyway).
2) Stopped using google services (though one of my blogs had other authors with g00g accounts so a blog of mine is still there) (I use live search).
3) Started using Status.net (twitter replacement)
4) Wordpress/mediawiki/redmine/trac etc for blogs/doc/knowledge/project management

Now Twitter has proven to be very interesting and useful to me, and to many other folks (the Iran situation was/is particularly illustrative of its uses).

With virtual machine images for all of the above (or apt-get or wget src, untar, mysql create, appurl/install.php) there is no excuse to not do your own stuff in my opinion. I get the whole time management thing. I just decided that owning my data was critical.

Now I host this on my home server, attached to an AT&T DSL line. So if that goes down (whether for layer 1-7 reasons, or layer 8) then I'm off the air. This is where things like autonomous mesh come in (see http://netsukuku.freaknet.org/ for example).

However….. how do we solve search? How do we make that distributed and under control of no one? Do we care about searching the internetz or do we focus on vertical portals?

Right now a duopoly exists on search:

1) Bing (powers Yahoo and of course MS search)
2) Google

I don’t know how to solve that problem. Do people here? How many of you have thought about this? Is there enough open source talent and spare compute resources to build internet scale applications in a sustainable manner? What sort of forums discuss this stuff with a good signal to noise ratio?

There is a little something called “denial of insight”, and it is a very real concern of certain large three letter agencies and some of the larger public safety agencies in the United States. Why do you think there is an opensource.gov portal feeding into Intelink, and the Homeland Security Operations Center? They want to know what's going on, and they want to know now. The US govt has a large enough budget to independently verify open source intelligence with their own observers. The majority of us average citizens do not. I happen to have friends at a public safety agency in Los Angeles which relies very heavily on real time open source intelligence as well as their own intelligence assets. Without these data sources people die. Denial of insight is tossed around at Gartner conferences and meetings where the target customers' reps wouldn't even provide you their last name (and you could be fairly certain the first name of Bob or Jim was also made up). It's not getting a lot of mainstream attention. Google and Bing don't want it getting attention for obvious reasons.

Denial of insight is actively practiced by corporate and government espionage organizations. Think blackhat SEO (what, you thought all the botnets were used for spam and DDoS of gambling organizations?) meets highly targeted phishing (I've seen 0 day exploits against very specific server/OS/IIS plugin combinations at a high value target) meets DNS cache poisoning (one vulnerable Linksys router of one employee out of a 100k user organization logged into the corporate VPN = foothold) meets SSL MITM (DEF CON presentations are usually at the tail end of the previous generation's use of exploit methodologies).

Thank you for affirming Google should be avoided. In fact, now that I think about it, there's all this superciliousness towards all things Microsoft in this group but for some reason Google's offenses are so much more egregious and yet it all goes kind of “… but Google is our friend. Google, please violate me some more.”

I have noticed that to a certain extent, however it appears to be dropping off, as they continue to expand their reach and make people nervous. And now they are releasing an operating system. :)

Sorry for the rambling…. I just want people to think deeper about this.

They said it

December 8th, 2009

My guess is that most people just ignore you. Which might be a shame,
because your point of view is different enough from the average member
of the list that you are valuable here just by being different. I think
of you as a pompous egomaniac nut case, but that’s just my opinion; I
have no Greek or Latin quotations to back it up and no 5-point treatise
about how some part of scripture says you’re a bad person. It’s just
what I believe, based entirely on what you’ve said here.

In your world you’re a fancy professor with power and authority. You’re
probably the intellectual terror of [your] postal code. Here in my
world of cyberspace you’re just an arrogant twit who knows Greek. If
you want to spend your time making impassioned arguments to the people
who already agree with you, then just keep doing what you’re doing. If
your goal is to change somebody’s mind about one of the topics that you
address, then you need to learn both some manners and some rhetorical
technique. If you want to teach somebody, to expand somebody’s
understanding, to increase the number of people in the world who agree
with you, then please listen to me, because here in cyberspace I’m the
guy with the power and experience and authority and you’re just an
insect. …

Let me give you a few pointers on being taken more seriously.

* First, you have the habit of making arguments from authority, rather
than as an individual. Sometimes it is important to establish
your authority in some area, in much the same way that an expert
witness in a courtroom establishes his credibility and authority on the
topic for which he is to testify.

You may think of yourself as an authority on the matters that you are
expounding on, but we don’t yet. Your academic pedigree and your
quotations from ancient languages are just bluster here on the Internet.

The general principle here in cyberspace is that we participate as
individuals and not as representatives of authoritative bodies. You can
earn the right to wield the authority of some body on whose behalf you
speak, but you don’t walk in our door holding that authority just
because you are B.A., M.A., Ph.D. and have a white beard.

[...]

If your goal in writing to the Internet is to change somebody’s mind
about some topic that you care about, then you really must learn to
communicate in a very different style.

* Second, you are constantly trying to impress us with how much better
educated you are than we are. This might be related to the first item,
above, since if you’re going to be arguing from authority then you
probably need to keep establishing that you have some authority. I
think you’ll find that this is a pretty highly educated crowd, but you
don’t catch us relying on our academic pedigrees instead of on our
ability to communicate. I am quite certain that I have absolutely as
many degrees as you do, and I am completely certain that I know many
more obscure languages than you do, but if I can’t win an argument with
you based on what I say and how I say it, then my degrees are all just
puffery, aren’t they?

But in establishing a precedent of authority and pedigree as the basis
for power, you are treading on dangerous ground. Here in cyberspace you
aren’t in your world, you’re in mine. If you make the mistake of trying
to establish some ground rules in which argument by authority is the
norm, then you’d better make sure that you don’t ruffle the feathers of
somebody who has more of it than you do. I can make the Internet do
anything I want it to do. I can perform the digital equivalent of
heaving lightning bolts in front of your chariot, and rending the earth
beneath your mail reader. I can turn your hard disk into a toad. I’m a
technocrat. But I won’t, because we professionals don’t act that way. I
don’t have to brandish my power and authority and education and
knowledge of arcana in order to get people to listen to me. I try to
make a crisp argument and let my words carry that argument. If I fail,
then I don’t go running for some Greek derivation or invoke some
long-dead philosopher. Heck, I don’t even go running for analogies from
Clint Eastwood’s “Unforgiven”, which is every bit as fine a piece of
literature as Aristophanes.

* Third, you convey a complete disdain for your reader. Your writing
style reeks of the belief that your time is so much more important than
the time of your reader that you can’t be bothered to write correctly
or to edit what you write. If you’d like to have more readers, then it
would be very worthwhile for you to be more respectful of them. Among
other things, this means that you need to write in a way that makes
it easier for your reader to read: use real sentences with real
capital letters at the beginnings of them, and do try to spell as many
words right as you can muster.

So mind your manners, learn to communicate better, stop insulting your
readers, and then come back and contribute your intellect to [this]
mailing list. If you keep acting like a jerk I’m going to wake
up some morning, yawn, make a cup of tea, and then vaporize your
mailbox. Sometimes we supremely powerful technocrats just have a bad
day.

Foundations

November 22nd, 2009

As many of my readers know the KNEL crew has attempted numerous startups over the past few years. These have all ended in failure. I have relaunched KNEL as a professional services company, and a for profit shell around socalwifi.net.

I’ll be blogging about the things I’m working on and plan to have other employees guest blog about cool stuff they are doing. Stay tuned!

Welcome to Known Element Enterprises

November 22nd, 2009

Hi. This is the blog for Known Element Enterprises. My name is Charles Wyble and I'm the founder of the company. This blog will have a high degree of technical content.

Welcome aboard.

Last Post

February 28th, 2008

It’s been a good run with LiveJournal. However I will no longer be posting here. Please see my new blog/homepage at http://charlesnw.blogspot.com

Thanks to LiveJournal for the outstanding service. I will still keep my account here and participate in the various community blogs that are unique to LiveJournal.

A bit about productivity

February 25th, 2008

I thought I would take some time and define my daily process and some of my productivity tips. I have always been pretty efficient, but am always looking for ways to improve.

I start my day by catching up on e-mail. I subscribe to some RedHat Emerging Technology Project lists (such as FreeIPA and et-mgmt-tools). I generally will skim those messages first as they relate to the InfrasBox project. I then move my spam into the junk folder.

My next step is to open Flock and skim my RSS feeds. I click on the articles that interest me and read them. I generally don’t follow the links in the articles as that consumes quite a bit of time. If I don’t know what something is I’ll search and skim the WikiPedia article and/or info page. I will often bookmark something that is of interest.

Both my e-mail and bookmarks are in a somewhat obsessive/extreme folder structure and I am able to locate just about any e-mail or bookmark in less than 30 seconds. I have found that I have a very category/hierarchy oriented mindset.

Another e-mail tip I have is that I almost never save messages from a list. They are all archived (at least the ones I subscribe to). A lot of information I will never refer to again anyway. For example bug reports/triage etc. It's very interesting and topical for a short period of time, then becomes old news. I don't really have any hard and fast criteria for saving list messages, as I do it so rarely.

So that covers e-mail/rss (new information).

The above process usually takes me about 2 hours on a daily basis. The e-mail portion is generally completed while I commute (I take mass transit).

Any e-mails which require action I add to a task list.

I then work through those tasks. If I am interrupted I will either complete the task (if it's less than 10 minutes) or will add it to my task list.

I am reviewing the GTD approach and looking at my current process and seeing how I stack up. So far I have the collect and organize steps down quite well. I am also able to accomplish a lot efficiently enough that my customers haven’t complained about lack of progress. :)

Hopefully this post will help you become more productive. :)