Friday, June 10, 2016

Hubert Zanczak: Two Questions to Ask a Stranger

Hubert Zanczak

Henry Segerman: Three Gears are Possible

Henry Segerman

Bill Gates: What He is afraid of

Bill Gates

Ichiro Suzuki (イチロー) & Marlines (マーリンズ): 試合前にチームメイトと鼓舞する姿 (2016.6.10)




  • 鼓舞(こぶ)

Nmap (Network Mapper): Scanning for Open Ports of Remote Server from Local Machine (OS X)

Command (Scanning open ports of a LAN server):

$ sudo nmap -sT -P0 -p 1-65535 192.168.0.6
Password:

Result:

Starting Nmap 7.12 ( https://nmap.org ) at 2016-07-16 16:34 JST
Nmap scan report for 192.168.0.6
Host is up (0.0064s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 34.09 seconds


Command (Scanning open ports of a remote server):

$ sudo nmap -sT -P0 -p 1-65535 remote.servername.com

Result:

Starting Nmap 7.12 ( https://nmap.org ) at 2016-07-16 16:36 JST
Nmap scan report for remote.servername.com (150.000.000.00)
Host is up (0.053s latency).
rDNS record for 150.000.000.00: ik1-000-00000.vs.hostingservice.ne.jp
Not shown: 65533 filtered ports
PORT   STATE  SERVICE
22/tcp open   ssh
80/tcp closed http

Nmap done: 1 IP address (1 host up) scanned in 436.18 seconds

Nmap (Network Mapper): Installing on OS X Using Brew

Command:

$ brew install nmap


Result:

==> Installing dependencies for nmap: openssl
==> Installing nmap dependency: openssl
==> Downloading https://homebrew.bintray.com/bottles/openssl-1.0.2h.el_capitan.b
######################################################################## 100.0%
==> Pouring openssl-1.0.2h.el_capitan.bottle.tar.gz
==> Caveats
A CA file has been bootstrapped using certificates from the system
keychain. To add additional certificates, place .pem files in
  /usr/local/etc/openssl/certs

and run
  /usr/local/opt/openssl/bin/c_rehash

This formula is keg-only, which means it was not symlinked into /usr/local.

Apple has deprecated use of OpenSSL in favor of its own TLS and crypto libraries

Generally there are no consequences of this for you. If you build your
own software and it requires this formula, you'll need to add to your
build variables:

    LDFLAGS:  -L/usr/local/opt/openssl/lib
    CPPFLAGS: -I/usr/local/opt/openssl/include

==> Summary
🍺  /usr/local/Cellar/openssl/1.0.2h: 1,691 files, 12M
==> Installing nmap
==> Downloading https://homebrew.bintray.com/bottles/nmap-7.12.el_capitan.bottle
######################################################################## 100.0%
==> Pouring nmap-7.12.el_capitan.bottle.tar.gz
==> Caveats
Python modules have been installed and Homebrew's site-packages is not
in your Python sys.path, so you will not be able to import the modules
this formula installed. If you plan to develop with these modules,
please run:
  mkdir -p /Users/username/Library/Python/2.7/lib/python/site-packages
  echo 'import site; site.addsitedir("/usr/local/lib/python2.7/site-packages")' >> /Users/username/Library/Python/2.7/lib/python/site-packages/homebrew.pth
==> Summary
🍺  /usr/local/Cellar/nmap/7.12: 727 files, 23M

Nmap (Network Mapper) : Installing and Scanning for Open Ports

Command (nmap):

$ nmap
プログラム 'nmap' はまだインストールされていません。 次のように入力することでインストールできます:
sudo apt install nmap


Command (Installing nmap):

$ sudo apt install nmap
[sudo] username のパスワード:


Result:

パッケージリストを読み込んでいます... 完了
依存関係ツリーを作成しています              
状態情報を読み取っています... 完了
以下の追加パッケージがインストールされます:
  libblas-common libblas3 liblinear3 liblua5.2-0 libxslt1.1 lua-lpeg ndiff python-bs4 python-chardet python-html5lib python-lxml python-pkg-resources python-six
提案パッケージ:
  liblinear-tools liblinear-dev python-genshi python-lxml-dbg python-lxml-doc python-setuptools
以下のパッケージが新たにインストールされます:
  libblas-common libblas3 liblinear3 liblua5.2-0 libxslt1.1 lua-lpeg ndiff nmap python-bs4 python-chardet python-html5lib python-lxml python-pkg-resources
  python-six
アップグレード: 0 個、新規インストール: 14 個、削除: 0 個、保留: 0 個。
6,311 kB のアーカイブを取得する必要があります。
この操作後に追加で 28.1 MB のディスク容量が消費されます。
続行しますか? [Y/n] Y
取得:1 http://jp.archive.ubuntu.com/ubuntu xenial/main amd64 libblas-common amd64 3.6.0-2ubuntu2 [5,342 B]
取得:2 http://jp.archive.ubuntu.com/ubuntu xenial/main amd64 libblas3 amd64 3.6.0-2ubuntu2 [147 kB]
取得:3 http://jp.archive.ubuntu.com/ubuntu xenial/main amd64 liblinear3 amd64 2.1.0+dfsg-1 [39.3 kB]
取得:4 http://jp.archive.ubuntu.com/ubuntu xenial/main amd64 liblua5.2-0 amd64 5.2.4-1ubuntu1 [106 kB]
取得:5 http://jp.archive.ubuntu.com/ubuntu xenial/main amd64 libxslt1.1 amd64 1.1.28-2.1 [145 kB]
取得:6 http://jp.archive.ubuntu.com/ubuntu xenial/main amd64 lua-lpeg amd64 0.12.2-1 [28.3 kB]
取得:7 http://jp.archive.ubuntu.com/ubuntu xenial/main amd64 python-bs4 all 4.4.1-1 [64.2 kB]
取得:8 http://jp.archive.ubuntu.com/ubuntu xenial/main amd64 python-pkg-resources all 20.7.0-1 [108 kB]
取得:9 http://jp.archive.ubuntu.com/ubuntu xenial/main amd64 python-chardet all 2.3.0-2 [96.3 kB]
取得:10 http://jp.archive.ubuntu.com/ubuntu xenial/main amd64 python-six all 1.10.0-3 [10.9 kB]
取得:11 http://jp.archive.ubuntu.com/ubuntu xenial/main amd64 python-html5lib all 0.999-4 [83.1 kB]
取得:12 http://jp.archive.ubuntu.com/ubuntu xenial/main amd64 python-lxml amd64 3.5.0-1build1 [819 kB]
取得:13 http://jp.archive.ubuntu.com/ubuntu xenial/main amd64 ndiff all 7.01-2ubuntu2 [20.1 kB]
取得:14 http://jp.archive.ubuntu.com/ubuntu xenial/main amd64 nmap amd64 7.01-2ubuntu2 [4,638 kB]
6,311 kB を 0秒 で取得しました (8,446 kB/s)
以前に未選択のパッケージ libblas-common を選択しています。
(データベースを読み込んでいます ... 現在 64750 個のファイルとディレクトリがインストールされています。)
.../libblas-common_3.6.0-2ubuntu2_amd64.deb を展開する準備をしています ...
libblas-common (3.6.0-2ubuntu2) を展開しています...
以前に未選択のパッケージ libblas3 を選択しています。
.../libblas3_3.6.0-2ubuntu2_amd64.deb を展開する準備をしています ...
libblas3 (3.6.0-2ubuntu2) を展開しています...
以前に未選択のパッケージ liblinear3:amd64 を選択しています。
.../liblinear3_2.1.0+dfsg-1_amd64.deb を展開する準備をしています ...
liblinear3:amd64 (2.1.0+dfsg-1) を展開しています...
以前に未選択のパッケージ liblua5.2-0:amd64 を選択しています。
.../liblua5.2-0_5.2.4-1ubuntu1_amd64.deb を展開する準備をしています ...
liblua5.2-0:amd64 (5.2.4-1ubuntu1) を展開しています...
以前に未選択のパッケージ libxslt1.1:amd64 を選択しています。
.../libxslt1.1_1.1.28-2.1_amd64.deb を展開する準備をしています ...
libxslt1.1:amd64 (1.1.28-2.1) を展開しています...
以前に未選択のパッケージ lua-lpeg:amd64 を選択しています。
.../lua-lpeg_0.12.2-1_amd64.deb を展開する準備をしています ...
lua-lpeg:amd64 (0.12.2-1) を展開しています...
以前に未選択のパッケージ python-bs4 を選択しています。
.../python-bs4_4.4.1-1_all.deb を展開する準備をしています ...
python-bs4 (4.4.1-1) を展開しています...
以前に未選択のパッケージ python-pkg-resources を選択しています。
.../python-pkg-resources_20.7.0-1_all.deb を展開する準備をしています ...
python-pkg-resources (20.7.0-1) を展開しています...
以前に未選択のパッケージ python-chardet を選択しています。
.../python-chardet_2.3.0-2_all.deb を展開する準備をしています ...
python-chardet (2.3.0-2) を展開しています...
以前に未選択のパッケージ python-six を選択しています。
.../python-six_1.10.0-3_all.deb を展開する準備をしています ...
python-six (1.10.0-3) を展開しています...
以前に未選択のパッケージ python-html5lib を選択しています。
.../python-html5lib_0.999-4_all.deb を展開する準備をしています ...
python-html5lib (0.999-4) を展開しています...
以前に未選択のパッケージ python-lxml を選択しています。
.../python-lxml_3.5.0-1build1_amd64.deb を展開する準備をしています ...
python-lxml (3.5.0-1build1) を展開しています...
以前に未選択のパッケージ ndiff を選択しています。
.../ndiff_7.01-2ubuntu2_all.deb を展開する準備をしています ...
ndiff (7.01-2ubuntu2) を展開しています...
以前に未選択のパッケージ nmap を選択しています。
.../nmap_7.01-2ubuntu2_amd64.deb を展開する準備をしています ...
nmap (7.01-2ubuntu2) を展開しています...
libc-bin (2.23-0ubuntu3) のトリガを処理しています ...
man-db (2.7.5-1) のトリガを処理しています ...
libblas-common (3.6.0-2ubuntu2) を設定しています ...
libblas3 (3.6.0-2ubuntu2) を設定しています ...
update-alternatives: /usr/lib/libblas.so.3 (libblas.so.3) を提供するために自動モードで /usr/lib/libblas/libblas.so.3 を使います
liblinear3:amd64 (2.1.0+dfsg-1) を設定しています ...
liblua5.2-0:amd64 (5.2.4-1ubuntu1) を設定しています ...
libxslt1.1:amd64 (1.1.28-2.1) を設定しています ...
lua-lpeg:amd64 (0.12.2-1) を設定しています ...
python-bs4 (4.4.1-1) を設定しています ...
python-pkg-resources (20.7.0-1) を設定しています ...
python-chardet (2.3.0-2) を設定しています ...
python-six (1.10.0-3) を設定しています ...
python-html5lib (0.999-4) を設定しています ...
python-lxml (3.5.0-1build1) を設定しています ...
ndiff (7.01-2ubuntu2) を設定しています ...
nmap (7.01-2ubuntu2) を設定しています ...
libc-bin (2.23-0ubuntu3) のトリガを処理しています ...


Command (Scanning ports):

$ sudo nmap -sT -P0 -p 1-65535 123.456.789.01

Starting Nmap 7.01 ( https://nmap.org ) at 2016-06-10 17:46 JST
Nmap scan report for ab1-123-12345.vs.servername.com (123.456.789.01)
Host is up (0.000091s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 2.23 seconds

Secure Shell: sshd_config: Disable Password Login

Command (Duplicating configuration file):

root@remote:/etc/ssh# cp -p sshd_config sshd_config.org


Command (Displaying original configuration file):

root@remote:/etc/ssh# cat sshd_config.org


Result (Displaying original configuration file):

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin prohibit-password
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes


Command (Displaying configuration file after modification):

root@remote:/etc/ssh#  cat /etc/ssh/sshd_config


Result (Displaying configuration file after modification):

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.

UsePAM no


Command (Comparing configuration files before and after):

root@remote:/etc/ssh# diff sshd_config sshd_config.org
28c28
< PermitRootLogin no
---
> PermitRootLogin prohibit-password
52c52
< PasswordAuthentication no
---
> #PasswordAuthentication yes
88c88
< UsePAM no
---
> UsePAM yes

Thursday, June 9, 2016

Derek McAuley: Security of Data on Disk

Derek McAuley


  • Micro controller
  • Flash memory
  • Solid State Drive
  • Blocks
  • Cells
  • Magnetic drive
  • Magnetic read head
  • Magnetic field strength
  • Thresholding
  • Hard disk drive
  • Flash drive
  • Magnetic seek time
  • Bad block redirection
  • Good blocks
  • Semiconductor memory
  • Wear leveling

Robert Miles : Public Key Cryptography

Robert Miles



  • Public-key cryptography (公開鍵暗号)

Richard Mortier: Encryption and Security Agencies

Richard Mortier

Secure Shell: Logging In Without Password After Placing Public Key on Remote Server

Command:

$ ssh remote.servername.com
Welcome to Ubuntu 16.04 LTS (GNU/Linux 4.4.0-22-generic x86_64)

 * Documentation:  https://help.ubuntu.com/
Last login: Thu Jun  9 21:33:51 2016 from 123.456.789.01

Secure Shell: authorized_keys: Placing the public key on the remote server

Commands:

$ ssh username@remote.servername.com
username@remote.servername.com's password:
Welcome to Ubuntu 16.04 LTS (GNU/Linux 4.4.0-22-generic x86_64)

 * Documentation:  https://help.ubuntu.com/
Last login: Tue May 17 21:41:16 2016 from 123.456.789.01


$ ls -al
合計 40
drwxr-xr-x 4 username username 4096  6月  9 21:04 .
drwxr-xr-x 3 root root 4096  5月 12 22:42 ..
-rw------- 1 username username 1770  5月 17 21:40 .bash_history
-rw-r--r-- 1 username username  220  5月 12 22:42 .bash_logout
-rw-r--r-- 1 username username 3771  5月 12 22:42 .bashrc
drwx------ 2 username username 4096  5月 12 22:50 .cache
drwxrwxr-x 2 username username 4096  5月 17 00:09 .nano
-rw-r--r-- 1 username username  675  5月 12 22:42 .profile
-rw-rw-r-- 1 username username   66  5月 17 00:09 .selected_editor
-rw-r--r-- 1 username username    0  5月 12 22:52 .sudo_as_admin_successful
-rw-r--r-- 1 username username  400  6月  9 21:04 id_rsa.pub


$ cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yd2EAAAADAQABAAABAQDNN6bT33VQ4CXWmFBx0H428yw/SHwARc91vc/Z/CExXrjUb3uhUaHb4EHCl7/pXpJgyyRr6dE5sl2FlE3jPWua2ooZ3uXof7NkiK2WMPVDpWZeKE2zxynEg5yPw41AtwyxI+Y15Hbt4WNEEhXsHunCu+ekGf3d3w67VCxGz8aA1Tbxe6zOs3e9VXNrgQW99ycD5xtXAXh8x5Jt+HhgAma5P7+gQ0rSMKSYsxKxr7TcR1k5yg9uC02u8NgqjuQDXoqLO9I+CGxv1rfFyl6n8fUlclPFgftJzYK9JuzHxEl3yMFSH/izSviYKp0MTph1dH3UWa5DiIAf8blDmZVkPCkT


$ mkdir .ssh
$ chmod 700 .ssh/
$ cat id_rsa.pub >> .ssh/authorized_keys
$ chmod 600 .ssh/authorized_keys
$ cd .ssh/


$ ls -al
合計 12
drwx------ 2 username username 4096  6月  9 21:36 .
drwxr-xr-x 5 username username 4096  6月  9 21:35 ..
-rw------- 1 username username  400  6月  9 21:36 authorized_keys


$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yd2EAAAADAQABAAABAQDNN6bT33VQ4CXWmFBx0H428yw/SHwARc91vc/Z/CExXrjUb3uhUaHb4EHCl7/pXpJgyyRr6dE5sl2FlE3jPWua2ooZ3uXof7NkiK2WMPVDpWZeKE2zxynEg5yPw41AtwyxI+Y15Hbt4WNEEhXsHunCu+ekGf3d3w67VCxGz8aA1Tbxe6zOs3e9VXNrgQW99ycD5xtXAXh8x5Jt+HhgAma5P7+gQ0rSMKSYsxKxr7TcR1k5yg9uC02u8NgqjuQDXoqLO9I+CGxv1rfFyl6n8fUlclPFgftJzYK9JuzHxEl3yMFSH/izSviYKp0MTph1dH3UWa5DiIAf8blDmZVkPCkT


Man page (sshd):


~/.ssh/authorized_keys
Lists the public keys (DSA, ECDSA, Ed25519, RSA) that can be used for logging in as this user.  The format of this file is described above.  The content of the file is not highly sensitive, but the recommended permissions are read/write for the user, and not accessible by others. If this file, the ~/.ssh directory, or the user's home directory are writable by other users, then the file could be modified or replaced by unauthorized users.  In this case, sshd will not allow it to be used unless the StrictModes option has been set to “no”.


Secure Copy (scp): Sending Public Key to Remote Server

Command:

$ scp .ssh/id_rsa.pub username@remote.servername.com:~/
username@remote.servername.com's password:
id_rsa.pub                                                                                                                100%  400     0.4KB/s   00:00