Access Control on my Mind

I just started watching Westworld for the first time. Yes I know I’m late to the party, but such a show is a dangerous thing for me since I’ll binge all available episodes in one shot if given the chance.

I loved the first season overall, but a scene from Season 1 Episode 9 stood out to me (spoilers for Season 1 below!).

In the scene, Bernard requires Dr. Ford’s approval in order to access his own earliest memories. As a security guy I found this compelling. How does one go about implementing an access control system for someone else’s mind?

The Bank Pin Setup

One toy problem setup is as follows:

  1. I start a savings account for my future child.
  2. When they are old enough to remember, I give them the bank pin but XOR’d with another number.
  3. I promise to give them the second number when they turn 18.

Note: in this toy problem we must ignore the simple approach of asking a gullible bank attendant for your PIN. I expect my future child to be quite charming so this is a legitimate and effective strategy.

Upon completion, I have stored a value in my child’s memory (saving on my own limited mental capacity) and they require my assistance to access it.

How does this work for Hosts?

Bernard being a walking computer (SPOILER) definitely makes this setup even more feasible. Perhaps there is a secure enclave built within him that immediately encrypts all memories? Or more simply Dr. Ford can just extract, encrypt and reinsert Bernard’s memories during a maintenance session.

The Split Personality Setup

A more interesting question for humans is how could I hide information from another personality residing in my mind? If I knew my alternative personality lacked patience, I could encode the encryption key in some kind of puzzle.

Funnily enough, I’ve already successfully tested this theoretical approach. Being clever and distrustful, past Michael (me but referred to in third person to emphasize the difference in personality) decided to save his Ledger seed phrase in a random permutation and encrypt that permutation order with a long phrase secured by a puzzle. This way anyone with the physical backup would still need one more step in order to get my paltry crypto assets (literally not worth much more than the Ledger itself).

Surprise surprise, while I had tested this recovery two weeks after implementing it, I recently revisited it and found I no longer knew how to decode the garbage I had written down. Cue an annoying migration of assets to a temporary wallet.

Verdict: Westworld is accurate, humans can hide knowledge from themselves in their own mind, I’m always too clever for my own good.

Intuition i.e. what my smooth brain needs

TL;DR – go read this Probability Theory primer by Michael Betancourt https://betanalpha.github.io/assets/case_studies/probability_theory.html

I spent the past month or so struggling with the measure theoretic foundations of probability theory. What the heck are sigma algebras? Nothing I read really landed with the dozen or so brain cells I have dedicated to mathematics. You may rightly ask what could possibly work with such little mental capacity.

From the shockingly limited learning I’ve somehow accomplished to date, I’ve made a couple of far-reaching and likely false generalizations that fit my world view:

1) Every key insight can be explained simply given the correct framework.

2) Any esoteric notation or concept has an underlying motivation that can be simply explained.

My hope is that I can find those simple explanations for everything I care to learn. Sir Dr. Betancourt’s excellent exposition checked those boxes for me. Whether or not that translates into a workable grasp of these concepts is left to be determined.

Do I really need a domain name for every crappy idea that crosses my mind?

No but we all have our vices. After getting soundly trounced in a puzzlehunt, I took some of that frustrated energy and channeled it into https://autoideate.com. Right now it only highlights random portions of the input text. I had grand visions of automated rearrangements of words, pattern recognition, association building etc. Of course all of that fell by the wayside as life moved on.

Now my favorite personal use case is to fill the entire screen with “-” characters and watch the light show.

Street Parking Map

I’ve learned a lot about myself since moving to LA. One thing I learned immediately is that I’m terrible at street parking.

I came to terms with this truth while scraping the overcooked bits off the bottom of a hot pot, during a dinner I was an hour late for.

https://streetparkingmap.com is my first step towards conquering parking.

I hate parking.

SQLite, inspiring.

Just take a look at this website: http://www.sqlite.org/testing.html

They test everything. One particular term caught my eye, because I didn’t understand it.

100% modified condition / decision coverage

What does this mean?

First, what is 100% decision coverage? For each conditional, both the true and the false branch must have test coverage.

Consider A & B; the following two cases provide 100% decision coverage:

A = true, B = true

A = true, B = false

But these cases don’t provide 100% condition coverage, which requires that both A and B individually take on all possible values. These cases provide 100% condition coverage, but not 100% decision coverage (A & B is false both times):

A = true, B = false

A = false, B = true

What about 100% condition / decision coverage? Each decision and each conditional must take on all possible values at least once.

A = true, B = true

A = false, B = false

These test cases provide condition / decision coverage.

Finally, what is modified condition / decision coverage? Like condition / decision coverage, each conditional and decision must take on all possible values. The additional restriction is that each condition must be shown to affect the decision independently.

The above cases don’t provide 100% MC / DC coverage, because of this case:

A = false, B = false

If we hold one fixed, the decision of A & B is not affected by the value of the other.

We would need 3 cases to satisfy 100% MC / DC coverage:

A = true, B = true

A = true, B = false

A = false, B = true

Pretty strong requirement huh?

Oh and every entry / exit point of the program must be exercised, but that’s a minor detail.
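To make the four criteria above concrete, here is an added example (not from the original post or from SQLite) that checks a set of test cases for A & B against decision, condition, condition / decision and MC / DC coverage. The function names and the case sets are my own; the checkers work for any number of boolean conditions, not just two.

```python
def decision_coverage(decision, names, cases):
    """Decision coverage: the whole expression has evaluated to both True and False."""
    return {decision(**case) for case in cases} == {True, False}


def condition_coverage(decision, names, cases):
    """Condition coverage: every individual condition has been both True and False."""
    return all({case[n] for case in cases} == {True, False} for n in names)


def cd_coverage(decision, names, cases):
    """Condition / decision coverage: both criteria at once."""
    return decision_coverage(decision, names, cases) and condition_coverage(decision, names, cases)


def mcdc_coverage(decision, names, cases):
    """MC/DC: on top of condition / decision coverage, every condition must be shown
    to affect the decision independently. For each condition we look for a pair of
    cases that differ only in that condition and produce different decision outcomes."""
    if not cd_coverage(decision, names, cases):
        return False
    for n in names:
        others = [m for m in names if m != n]
        independent = any(
            all(c1[m] == c2[m] for m in others)   # every other condition held fixed
            and c1[n] != c2[n]                    # only this condition flipped
            and decision(**c1) != decision(**c2)  # and the decision changed with it
            for c1 in cases for c2 in cases
        )
        if not independent:
            return False
    return True


def a_and_b(A, B):
    """The decision from the post."""
    return A and B


NAMES = ("A", "B")
# The post's case sets, as dicts mapping condition name -> value (constructed here).
TWO_DECISION = [{"A": True, "B": True}, {"A": True, "B": False}]
TWO_CONDITION = [{"A": True, "B": False}, {"A": False, "B": True}]
TWO_CD = [{"A": True, "B": True}, {"A": False, "B": False}]
THREE_MCDC = [{"A": True, "B": True}, {"A": True, "B": False}, {"A": False, "B": True}]

if __name__ == "__main__":
    for label, cases in [("decision-only", TWO_DECISION), ("condition-only", TWO_CONDITION),
                         ("cond/dec", TWO_CD), ("mc/dc", THREE_MCDC)]:
        print(label, decision_coverage(a_and_b, NAMES, cases), condition_coverage(a_and_b, NAMES, cases),
              cd_coverage(a_and_b, NAMES, cases), mcdc_coverage(a_and_b, NAMES, cases))
```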

 

ecryptfs and ssh don’t play nice together

I encountered the most aggravating issue today. My zeal for security combined with my lack of understanding was my downfall.

Recently I bootstrapped a server with a fresh Ubuntu installation. When asked if I wanted to encrypt my home directory, I didn’t hesitate for a second. No baddie was pulling my files off my disk, no hell no.

When ungodly winds struck LA last weekend, the power went out. Nine times out of ten, any wind over 15mph and LA’s grid is struggling.

So I turn this machine on again, and go to SSH in. It prompts me for my password.

Strange, I absolutely had my public key installed on the server.

I ran ssh-copy-id again for good measure.

Same problem.

I scoured Google with vague terms: “SSH public key still prompts for password send help”.

And then it worked! I ran ssh and it logged me in smoothly, no-hassle, as God intended.

Did I fix it? Take Note: When something works without any change to the system, no you did not fix it. I’m looking my fellow programmers dead in the eyes right now.

I carried on, logged out and tried again. Once again prompted for the password.

OH I logged out of all my sessions! I could only SSH with public key authentication when I was already logged in with a separate session.

What the devil is this bullshit … ecryptfs … my home directory was only decrypted and mounted when I had an active login session.

Where do SSH keys live by default? /home/user/.ssh/authorized_keys. With no session open, the home directory is still encrypted and unmounted, so sshd can’t read that file and falls back to asking for a password.

 

SSL for Everything Else

Last post I mentioned how easy it was to set up SSL with AWS Certificate Manager.

But what about all your other servers? Are we going to cough up $16 per year for a single-domain SSL certificate from Gandi?

Negatory.

Let’s talk about Let’s Encrypt. I downloaded their Linux version and got down to business.

Here is a running tally of my steps.

  1. Google “nginx letsencrypt” and find this DigitalOcean guide.
  2. Stop my nginx server to free up port 80, which is used in the letsencrypt process.
  3. Run $ ./letsencrypt-auto certonly --standalone
  4. Enter my domain name.
  5. Make 15 seconds worth of changes to my server blocks in nginx.
    1. Redirect port 80 -> 443
    2. Setup a block for port 443 SSL, all in the guide
  6. $ sudo service nginx start

It took 5 minutes to fully set up.

I love it when life is stupid easy.

Easy SSL with AWS Certificate Manager

Amazon Web Services recently rolled out the AWS Certificate Manager: blog post

Always a brave soul, I used it to set up HTTPS for a domain name I have lying around. I’m writing about how it blew me away. It’s so damn easy.

I’m a big fan of HTTPS. Being a security enthusiast (note: not qualified expert) I think the whole protocol is pretty sexy.

Michael’s Old Dumb Way

Normally, I use the one-year free SSL certs from gandi. Free is always good, but setting it up is a pain in the ass. For each domain name I need to fill out the form for a Certificate Signing Request, etc.

Then I need to configure my web servers to use HTTPS, usually by updating my nginx configuration.

The AWS Way – Best Way

This process can be completed in 30 minutes or less, especially if you’re familiar with AWS.

Step 1: Route53

Create a hosted zone with your domain name (example.com). Go to your registrar and input Amazon’s nameservers.

Step 2: Amazon Certificate Manager

Create a certificate request for example.com. Amazon will send you a confirmation request via your WHOIS contact email. Accept it and boom you’re done!

Step 3: Elastic Load Balancer

Create a load balancer instance that accepts both http (80) and https (443) in its security group configuration. Attach your ec2 instances to the load balancer.

Note: It’s good practice to make sure your ec2 instances only accept traffic coming from your load balancer’s security group. I allowed public ssh for convenience.

If you use the default health check (example.com/index.html), this will get your ec2 instance up and running quickly.

$ ssh -i yourkey.pem ubuntu@ec2-blahblahblah
$ echo "Hello World!" >> index.html
$ sudo python -m SimpleHTTPServer 80

Go to the AWS Certificate Manager interface and create a new record set. Click “yes” for alias and select your Elastic Load Balancer instance by clicking on the blank.

Congratulations! Visit https://example.com and bask in the glory.

Or visit https://one.haus in the next hour to see my Hello World!

 

Chroot Jail Part 3

Recently I decided my dev DigitalOcean instance needed a boost. Normally 512mb is sufficient for production but I want to develop remotely.

I opted for a temporary resize to 1gb of RAM.

I also learned that my attempts to bind /dev/urandom and /dev/tty in /etc/fstab were failing miserably. I had to use DigitalOcean’s VNC connection and manually try to figure things out.

Remembering how often I hit Ctrl-W and closed the tab still raises my blood pressure.

I ended up using /etc/rc.local to run

 

$ sudo mount --bind /dev/urandom /jailthing/urandom
$ sudo mount --bind /dev/tty /jailthing/tty

And it worked like a charm!

No more VNC sessions to set up my convoluted login scheme!

Getting MEAN

I’m forcing myself to build websites to back my domain names. If you didn’t know this about me, I love buying domain names. Sadly, I’ve been lax about making use of them.

Beautiful names like http://ware.haus and http://one.haus are wasted.

Well actually one.haus is set up with No-Ip to give my personal machines subdomains, but that service has proven less than useful to me.

To get back into the web space, I chose to play with MEAN.

I head on over to the tutorial page and get cracking. My target server is a 512mb Digital Ocean droplet with Ubuntu 14.04.

Everything goes smoothly for the most part. I did hit a few snags:

mean init

This command initializes your application. It creates a directory of your choosing with a skeleton app.

If for any reason this fails (root owns ~/.npm, oops), the directory is still created. Simply running mean init again errors out due to the directory already existing. I had to rm -rf that shit and it’s annoying.

The tool offers to set up an admin user but requires a password of either letters, numbers or dashes with max length 15. What the hell.

npm install

The process is killed if it requires more memory than is available. No error message beyond “Killed” is emitted. This step will fail on a 512mb instance.

The accepted workaround is to either create or expand the swapfile used by the system.

https://www.digitalocean.com/community/questions/npm-gets-killed-no-matter-what

 

I’ll make another post about my actual development experiences, stay tuned!