Firewalls Now Looking At Intercepting SSH Traffic Via A MITM Attack

Can you trust Secure Shell (SSH) when you are behind certain firewalls? That’s the question raised by a post from a friend of mine:

Lies, Damn Lies, and Inspecting SSH Traffic Securely

It seems that because ssh can be used for tunneling services and application traffic, several firewall vendors are now implementing “SSH inspection” services that essentially perform a Man-in-The-Middle (MITM) attack on your ssh connection.

When you go to ssh into a server, the firewall pretends it is that server and creates an ssh tunnel with you. The firewall then creates the actual ssh connection to the server and passes your packets from the first tunnel into the second tunnel – while being able to log or inspect the packets in between the two tunnels.

Now, of course with ssh you go through an initial handshake when you first connect to a server that results in the server’s public key being added to your list of known hosts.

If you connect to a server for the first time BEFORE being behind one of these firewalls doing SSH inspection, you would already have the correct public key of the server in your known hosts file. What would happen when the firewall tried to do a MITM is that you would be asked to approve the public key of the server again. (Because you are actually now approving the public key of the firewall.)

You would have to realize that this was wrong and stop your connection!

If you proceeded with the connection and approved the public key, you would now have the firewall as a MITM.

If you connect to a server for the first time AFTER being behind one of these firewalls, well… I’m not sure what you can do. You’re going to see a public key to approve, but it would be from the firewall! You’d have to somehow learn the correct public key of the target server to be able to match it to the fingerprint you are being shown.

I don’t know how well that will work.

The good news for me personally is that I’m not behind these kinds of firewalls in my regular networks – although I don’t honestly know what my Internet service providers are using. They could be doing these kinds of things.

I don’t consider this a good thing that firewalls are now doing this. We need to trust the security of services like SSH. This decreases overall trust.
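The comparison described above, written out as an added example (it is not code from the original post or from any firewall or SSH project): it computes the OpenSSH-style SHA256 fingerprint of the key a connection presents and checks it against known_hosts entries, including hashed host names, or against a fingerprint obtained out of band. The host names, the keys and the `pinned` parameter are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct


def fingerprint(key_b64):
    """OpenSSH-style fingerprint: SHA-256 over the raw key blob, unpadded base64."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_matches(field, host):
    """Match a known_hosts host field: plain comma list or hashed |1|salt|hash.
    Wildcard and negated patterns are not handled in this sketch."""
    if field.startswith("|1|"):
        _, _, salt, digest = field.split("|")
        mac = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1)
        return hmac.compare_digest(mac.digest(), base64.b64decode(digest))
    return host in field.split(",")


def recorded_fingerprints(known_hosts_text, host, key_type):
    """Fingerprints already stored for this host and key type."""
    found = set()
    for line in known_hosts_text.splitlines():
        fields = line.split()
        # Skip blanks, comments, short lines and @cert-authority/@revoked markers.
        if len(fields) < 3 or fields[0][0] in "#@":
            continue
        if fields[1] == key_type and host_matches(fields[0], host):
            found.add(fingerprint(fields[2]))
    return found


def verdict(known_hosts_text, host, key_type, presented_b64, pinned=None):
    """Classify the key a connection presents.
    pinned: fingerprint obtained out of band (assumed, e.g. from the server's admin)."""
    presented = fingerprint(presented_b64)
    trusted = recorded_fingerprints(known_hosts_text, host, key_type)
    if pinned:
        trusted.add(pinned)
    if not trusted:
        return "unknown"      # first contact, nothing to compare against
    return "match" if presented in trusted else "mismatch"


# --- constructed sample data: these are not real server keys ---
def make_key(seed):
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes([seed]) * 32
    return base64.b64encode(blob).decode()


def hashed_host(host, salt=b"constructed-salt-20b"):
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


SERVER_KEY, FIREWALL_KEY = make_key(0x11), make_key(0x22)
KNOWN_HOSTS = (
    "# constructed known_hosts\n"
    "server.example.org,192.0.2.10 ssh-ed25519 %s\n"
    "%s ssh-ed25519 %s\n" % (SERVER_KEY, hashed_host("git.example.org"), SERVER_KEY)
)

if __name__ == "__main__":
    for host in ("server.example.org", "git.example.org", "new.example.org"):
        print(host, verdict(KNOWN_HOSTS, host, "ssh-ed25519", FIREWALL_KEY))
```

A "mismatch" is the case where the connection should be stopped; "unknown" is the first-contact case, where only a fingerprint learned through another channel can settle the question.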

Photo credit: El Taller del Bit on Flickr

Wow! Cisco To Acquire Tropo’s Communications Application Platform

WOW! In companion blog posts today Cisco and Tropo announced Cisco's intent to acquire the Tropo team and platform:

As someone who was at Voxeo in 2009 and helped launch Tropo (and wrote many of the early blog posts about it[1], as well as some of the python samples), I'm thrilled for the team there now that this is happening.[2]

Congratulations to all involved!

Over the years since leaving Voxeo, I've written about Tropo from time to time and continued to watch its progress. I've continued to be very impressed by what they've done over the years. They've truly made it easy for people to create powerful applications using simple programming languages.

It looks like the Tropo website is struggling right now so here is a snippet of their announcement post:


Six years ago we launched Tropo with the idea to make it easy to power phone calls through a simple API. Since then, we’ve empowered thousands of developers to add voice and messaging to their applications.

From our very first sign-up in 2009, to powering thousands of mobile and voice applications, our mission has been the same: to make real-time communications more accessible and productive through great APIs.

Today we’re thrilled to share that Tropo is joining Cisco’s Collaboration Technology Group. Together we’ll enable completely new ways of communicating by opening up Cisco’s collaboration products to every developer on the planet (and maybe some off the planet…hey, they need collaborative tools on the International Space Station!)  :)


Knowing a good number of folks at Cisco, too, I think this is a great win for them in that they'll be able to make some of their products and services more accessible to developers.

I remember well back in 2009 when Jonathan Taylor (then CEO of Voxeo) brought in the Adhearsion team and "Voxeo Labs" was set up. Tropo was the first of the Voxeo Labs products, along with a number of others that were released over the following years. I watched as Voxeo Labs was then spun off from Voxeo in 2012 as a separate company and then Voxeo was acquired by Aspect in 2013... and Voxeo Labs was renamed to Tropo.

I watched, too, as the Tropo team continued their heavy involvement with WebRTC and brought that technology even deeper into their various services.

Congratulations to Jonathan Taylor, Jason Goecke, Johnny Diggz and all the rest of the Tropo team on this acquisition!

I look forward to seeing what Tropo and Cisco will do together to make it even easier to create voice, chat, messaging and other kinds of applications!


UPDATE #1: Jonathan Taylor has published a post on Facebook that outlines some of the history that led to this announcement. He includes this information related to Cisco:

We were even more surprised when Cisco approached us about acquiring Tropo. Selling Tropo was the last thing on our minds. But the potential was clearly huge for both companies, and over the course of the discussion, the deal terms clearly quite attractive. So here we are today!

UPDATE #2: A number of news stories are appearing on Techmeme.

UPDATE #3: Writing over on NoJitter, Zeus Kerravala dives into more detail about the acquisition based on his pre-briefing with Cisco's Rowan Trollope. Zeus' article: Cisco to CPaaS Providers: Game On!


[1] Although in the time since I left in 2011, my account was understandably removed from the Tropo site and the author on all those posts I wrote between 2009-2011 was changed to someone else. :-)

[2] In full disclosure, I should note that I am a very minor shareholder in Tropo after exercising a few options upon leaving Voxeo in 2011. I had no knowledge of this acquisition and have not participated actively with Tropo since leaving in 2011.

Can You Please Help The Ottawa Linux Symposium?

If you have ever used the Linux operating system, could you please help out the Ottawa Linux Symposium (OLS)? For many years OLS has been one of the key events that has helped bring together people from all across the Linux community, and the connections made at OLS have helped to make the Linux operating system that much more powerful and useful. But… as organizer Andrew Hutton recounts on the OLS Indiegogo page, the event has fallen in a bit of a financial crunch and it is now not clear if there will be an OLS in 2015… or ever again.

Could you spare $10? $25? or even $50 or $100? (Or more?)

If so, please help fund OLS on the IndieGogo page!

I first attended OLS back in the early 2000s when I was living right there in Ottawa and working for first a startup called e-smith and then subsequently Mitel Networks. In looking at my list of presentations I can see that I spoke there several times… and the topics I covered take me back to a much different time:

  • 2004 OLS – Tutorial: Introduction to OpenPGP, GnuPG and the Web of Trust
  • 2002 OLS – Tutorial – Single Source Publishing Using DocBook XML
  • 2001 OLS – Maximizing Your Use of CVS

I still remember OLS as the incredibly passionate place where people connected…. and where I made so many connections and learned an amazing amount about Linux.

If OLS was ever important to you… or if Linux has been important to you… please consider donating to help the OLS organization get out of its financial hole and get moving ahead in future years. Organizer Andrew Hutton has poured his heart and soul – and personal money – into making OLS the incredible event it has been… now it would be great if we all can help him! Please consider donating!

Here are a few other viewpoints on the importance of OLS:

Please do donate if you can! THANK YOU!

ACM: Python Now The Most Popular Intro Language At Top US Universities

As a long-time fan of the python language, I was intrigued by this post on the ACM’s blog: “Python is Now the Most Popular Introductory Teaching Language at Top U.S. Universities“. The post begins with a summary:

At the time of writing (July 2014), Python is currently the most popular language for teaching introductory computer science courses at top-ranked U.S. departments.

Specifically, eight of the top 10 CS departments (80%), and 27 of the top 39 (69%), teach Python in introductory CS0 or CS1 courses.

… and then goes into greater detail.  Of course, the moment you publish one of these “XXXXXX language is the most popular programming language” type of posts, you immediately get reflexive reactions from programmers who favor all the other languages out there…  and this Hacker News thread with 357 comments (so far) shows exactly that, with people either supporting the idea or ripping apart the article’s methodology and explaining why the author is wrong, wrong, wrong… 🙂

The programming language wars will always continue.  In the meantime, though, as someone who likes the python language, I’m pleased to see the uptake at universities around the U.S.  (and, as noted in the HN thread, by other universities around the world, too).

The Intersection of Github… and Babylon 5?

Back in the 1990’s I was a huge fan of the show “Babylon 5” for a great number of reasons. It remains, to this day, one of the best series I’ve ever watched on TV and I greatly admire the creator/writer, J. Michael Straczynski, for the narrative arc he used over the five year run of the series as well as the overall “universe” he created.

One of the web sites that those of us who enjoyed Babylon 5 frequently used was “The Lurker’s Guide to Babylon 5“. The pages there helped in the understanding of how all the pieces fit together and frequently offered glimpses of what was coming ahead. It was a great tool and reference source.

Today a Google search brought me back to that site although I hadn’t been there in years. And in visiting I learned that as of this past December the entire source for the website is now available on Github at:

https://github.com/sgrimm/lurkers-guide

It’s very cool that site creator Steven Grimm has made his site publicly available via Github. As he notes, others can now fork the code, send him updates via pull requests, etc.

It is also a great example of how I’ve told people that Github, and git in general, can be used for so much more than simply “source code” and that you don’t need to be a programmer to use it.

Plus… if you wander through some of the pages, like this one, it’s kind of fun to see references to how we used to get our information: “Stay caught up with the Usenet B5 discussions, which are often a great source of material.” 🙂

Cool stuff!

SourceForge Redesigns Itself To Compete With Github

When I received an email today telling me that one of my ancient projects was being “upgraded” to the “new” SourceForge developer platform, I had to admit that I had no clue that SourceForge was even launching a new platform.

But sure enough, “The Next SourceForge” is out with a host of redesigned features that do look nice… and do remind me of everything that I currently use over on Github!

Of course, the project being “upgraded” is a small python app called “viewportfolio” that I wrote back in 2000 during the height of the .COM insanity when Red Hat’s stock had exploded and the tech bubble was all around us.

I last touched the code over 12 years ago!

I have no clue if it actually still works – and to be quite honest if I were to do anything with that app today, even to test it and make any fixes, I’d probably move it first to my Github account where I do all my work today.

But back twelve years, SourceForge was THE place where you hosted your project.  Everyone was using “SF” and it was where we all interacted for code.

Then, over time, it became a site so hideously overwhelmed with advertising that it was close to useless to interact with the site. And, well, more and more people started using the git version control system and for quite some time SourceForge seemed to still be wedded to SVN.

So I moved any new projects over to Github, as did many others that I knew, and I left SourceForge behind, only occasionally going in there when I needed to find older projects.  Even today, I’m working with someone who has a project on SF, but he’s moving that to Github in the next few weeks where I can work on it with him and where we’ll publicize it.

I applaud the folks behind SourceForge for launching “The Next SourceForge,” if for no other reason than that I do believe it is healthy to have competition around – and having another competitor for Github (there are several already) is a good thing in that it will continue to encourage innovation among the platforms providing project hosting services.

It’s also great to see the visual redesign of SF – a much cleaner interface and thankfully all the ads that were slathered all over the site seem to be gone.  And these new features do seem to be great improvements for projects hosted on SF.

Will “The Next SourceForge” prompt me to launch new projects on SF?  Or to stop migrating projects away?

Probably NOT.

The reality is that I’m now comfortably ensconced over on Github and I rather like it there. I guess I also trust the people/company behind Github more than I do Dice Holdings, the latest corporate overlord of SourceForge, in terms of being responsive to users and to continuing to improve the user experience.  Now this may be unfair… the folks behind SourceForge may be as equally committed as the folks behind Github… but one is a passionate startup and the other is part of a large publicly-traded company that is ultimately focused on helping connect employers and professionals with each other.

What about you?  Will “The Next SourceForge” get you to open new projects there? (Or to not migrate away?)

Slides – Adding DNSSEC to Fedora and Red Hat Linux

What is the status of DNSSEC being added to Fedora and Red Hat Linux?  What changes have already been made?  What changes will occur in the future?  What tools are available to help?

At the recent ICANN45 DNSSEC Deployment Workshop, Paul Wouters from Red Hat spoke about integrating DNSSEC into Linux. Paul’s slides are available for download and a video of the entire workshop is available from the main page.

In the presentation, Paul talks about the difference between Fedora and Red Hat Linux and then dives into what needed to be modified to support DNSSEC. He provides some insight into their experiences using DNSSEC in different configurations and with different tools.

Paul also spoke about support for the DANE protocol to use DNSSEC to validate SSL/TLS certificates and in particular his TLSA Validator add-on for the Firefox browser and his “hash-slinger” tool that generates TLSA records.  Both tools are available at his site at:

http://people.redhat.com/pwouters/

It was a great presentation to hear, and Paul is very active within the DNSSEC community working on tools such as these to help get DNSSEC further deployed. It is well worth some time checking out his tools.

Got A DNSSEC Project That Needs Funding? Apply to NLnet Foundation Before Dec 1

Do you have an open source project (or the idea for one) related to DNSSEC that needs funding? Perhaps a new tool that will make it easier to use DNSSEC?  Or perhaps new software that supports the DANE protocol to increase the security of TLS/SSL? A browser plugin?  A program that makes it easier for registrars to pass DS records?  A measurement tool for DNSSEC usage?

Or do you want to add DNSSEC capabilities to an existing program, like the Jitsi team did when they added DNSSEC validation to VoIP?  Would you like to build DNSSEC validation into your tool or service?  Would you like to add DANE support to your browser or other tool?  Would you like to add DANE support to another service beyond the web?  Do you have a use case where DNSSEC-signed TLS/SSL certificates would greatly add another level of security?

If you have any ideas along these lines, the NLnet Foundation is funding projects through their “DNS Security Fund” and THE NEXT APPLICATION DEADLINE IS DECEMBER 1, 2012 at 12:00 Central European Time (CET).  You can read more and find out how to apply at:

http://www.nlnet.nl/dnssec/

That page lists at the bottom some of the many projects that the NLnet Foundation has funded.  Their most recent “Open call for funding” gets into more details.  There is one very important note:

There is one important condition which is that any software or hardware that a project produces must be available under a valid open source licence (GPL, BSD, Apache, etc.).

As long as you are fine with that, you may be able to get some level of funding through NLnet Foundation.

We’re definitely appreciative of all the great work that the NLnet Foundation has funded to date. Tools like Unbound, DNSSEC-Trigger and the multiple DNSSEC developer libraries they have supported have made it so much easier to get DNSSEC deployed.

Now it’s your turn – what can you develop to help get DNSSEC more widely deployed?    If you’ve got an idea, the NLnet Foundation may be able to help… apply before December 1 to see if they can!

P.S. Note also that if you can’t apply before December 1, the NLnet Foundation accepts proposals six times a year, with deadlines of February 1, April 1, June 1, August 1, October 1, December 1.

Code Examples: Checking the DNSSEC Status Of A Large Number of Domains

Do you want to check the DNSSEC status of a large number of domains?  To know whether they are signed or unsigned? Or perhaps if any of the domains are failing validation?

Yesterday at the DNSSEC Deployment Workshop at ICANN 45 in Toronto I learned that the good folks at SIDN Labs in the Netherlands have created a service that allows you to do just that… and they are offering it for free public usage.

They provide two ways to use the service: 1) a web interface where you upload a file; or 2) a RESTful API you can query.  The web interface is in Dutch, but for non-Dutch-speakers it’s not hard to figure out (or translate via browsers):

http://check.sidnlabs.nl:8080/form

You just upload a file and the service will give you back the results of whether the domains are secure, insecure or failing validation (‘bogus’).

What was more interesting to me, though, was the RESTful API allowing you to query the status of a domain by simply connecting to:

http://check.sidnlabs.nl:8080/check/domainname

as in:

http://check.sidnlabs.nl:8080/check/internetsociety.org

The comma-separated results that come back are:

internetsociety.org,"",secure,""

with the third field being either “secure”, “insecure” or “bogus”.

My immediate thought was how I could use this to create a simple little program to help me remember which of my domains I have signed and which ones I still need to sign.  After playing around with it for a few minutes in python, I decided that others might find my experiments useful or interesting, so I uploaded them to a Github repository at:

https://github.com/Deploy360/dnssec-portfolio-checker-examples

I included one very simple example that does no error checking and simply issues queries based on a list in the program.  I then added a second example that you could use from a command line to query for one or more domains:

python dnssec-check.py internetsociety.org ietf.org dnssec-failed.org

(Omitting the ‘python’, of course, if you change ‘dnssec-check.py’ to be executable.)  An obvious extension would be to make the program accept the name of a file containing domain names.  You could also change it so that “bogus” entries come out on top or have big “Danger! Danger!” warnings of some type. I may make a web page that when I go to it shows me visually which of my domains are signed and which aren’t.  There’s a hundred other things you could do with it.  My purpose was just to try it out and see how the API worked.

Feel free to use those examples in whatever way you want… and thanks to SIDN Labs for making this service available for any of us to use!
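The extensions suggested above (reading domain names from a file and putting “bogus” results on top), sketched as an added example; this is not the code from the Github repository mentioned in the post. It assumes only the URL and the comma-separated response shape quoted above; the function names, the domain-name validation and the injectable `fetch` parameter are choices made for this illustration.

```python
import csv
import re
import sys
import urllib.request

# Endpoint quoted in the post. It is plain HTTP, so treat answers as advisory.
CHECK_URL = "http://check.sidnlabs.nl:8080/check/"
RANK = {"error": 0, "bogus": 1, "insecure": 2, "secure": 3}
DOMAIN_RE = re.compile(r"(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")


def fetch_status(domain, timeout=10):
    """Ask the service about one domain and return the raw response text."""
    with urllib.request.urlopen(CHECK_URL + domain, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def parse_result(text):
    """Parse one response line into (domain, status)."""
    # Sample line from the post: internetsociety.org,"",secure,""
    rows = list(csv.reader(text.strip().splitlines()))
    if len(rows) != 1 or len(rows[0]) < 3:
        raise ValueError("unexpected response shape")
    domain, status = rows[0][0].lower(), rows[0][2].strip().lower()
    if status not in ("secure", "insecure", "bogus"):
        raise ValueError("unknown status %r" % status)
    return domain, status


def read_domains(lines):
    """Domains from file lines: drop comments and blanks, lowercase, de-duplicate."""
    seen = []
    for line in lines:
        name = line.split("#", 1)[0].strip().lower()
        if name and name not in seen:
            seen.append(name)
    return seen


def check_portfolio(domains, fetch=fetch_status):
    """Return (domain, status) pairs, problems first. fetch is injectable for offline use."""
    results = []
    for name in domains:
        status = "error"
        if DOMAIN_RE.fullmatch(name):        # never put unvalidated text into the URL
            try:
                answered, parsed = parse_result(fetch(name))
                if answered == name:         # ignore an answer about some other name
                    status = parsed
            except (OSError, ValueError):
                pass                         # network failure or malformed reply
        results.append((name, status))
    return sorted(results, key=lambda pair: RANK[pair[1]])


if __name__ == "__main__":
    with open(sys.argv[1]) as handle:
        for name, status in check_portfolio(read_domains(handle)):
            print("%-10s %s" % (status.upper(), name))
```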

Video: What Is WebRTC/RTCWeb All About? How Does WebRTC Work?

Do you want to understand what WebRTC / RTCWEB is all about and why so many people are passionate about its potential for extending real-time communications (voice, video, chat, data-sharing, etc.) into web browsers?

I recently wrote about some of the larger issues of how WebRTC will disrupt telecom, but in this video, "RTCWeb Explained", Cullen Jennings, one of the co-chairs of the IETF's RTCWEB working group, dives down into the technical details to explain how it all works and what the various different components of the solution are. I particularly like how Cullen covered some areas like "identity" that I haven't seen stressed as much in other pieces about WebRTC. The video comes in at about 39 minutes and is well worth viewing:

For more information, I've put together a page about the broader WebRTC / RTCWEB initiative with links to relevant resources.

