Four reasons why you should use VI over emacs...

Whats the most powerful text editor in the world... ? we all know that.. Its VI... emacs fanatics which pilgrim to "church of emacs" and worship St IGNU-cius may cry that its not... But VI need just four reasons to be greatest..

* VI smaller, faster and mobile than over sized, slow moving emacs..Also VI is free from creeping featurism..

* VI has presence in all UNIX based operating systems (some ppl tend leave out emacs due to its weight.. I know I do.. )..

* VI "Does one thing and Does it well".. its not a swiss army knife...

* VI doesn't use ctrl and alt keys.. which in turn reduce strain injuries on your wrist..

Auditing with BackTrack2

We all know there are all kind of penetration testing, sniffers, cracker, scanners, dictionary attack, tunneling, spoofing and exploit archive softwares.. Only problem is those are all over the web not in one convenient location. There are sites like insecure which rate those softwares and keep a record of them. Even though configuring all of them could be really a pain in the a**. You might get lots of dependency problems, missing libraries, version problems and not to mention your own mistakes. So when you add up all those you need to have helluva lot of will power to configure an OS with all those auditing softwares. Even after all those trouble its a hard installation.. not a mobile one.
What if we can have a OS with all those softwares in a LiveCD.. Which work right out of the box.. Which Identify all your new fancy hardware.. Which detect all available network and connect to an open network.. Sounds great ya.. Well we have one like that. Its call BackTrack2.
It worked perfectly well with my Dell D820.. and it had no trouble identifying dell wireless card 1390 but I'm not sure how it'll work with new wireless card 1490.. Even Ubuntu fiesty didn't recognize the hardware and we had to use the Microsoft driver through ndiswrapper..
Booting up BackTrack2 was a very smooth process.. It had a Gentoo like booting process.. It comes with default password.. but I had few problems login due to some media errors.. So I burned new CD and booted it up.. This time it worked without any problems.
During the boot up it detected all the hardware in Dell D820 notebook.. So straight away I went for the business.. There are few ADSL connection around the location with wireless networks.. So I fired up Kismet, within few minutes It detected all the wireless networks with their names. Some of then have hidden their wireless name.. but it was worthless. As I expected all them had WEP.. Unfortunately those networks not that active.. If I had enough packets could have guess the WEP key without any problems.. This was just one example.. with BackTrack2 things you can do are endless...
Also I found this nice video about Backtrack2 in youtube. This was shared by UberShiznit.. I hope he won't mind me putting it in my blog. (excuse for those green patches)



So next time when you are looking for something to audit your network.. give a try to BackTrack2. I think its a handy piece of tool.

WPA2 with EAP/TLS and Radius

Recently I configured WPA2 (Wifi Protected Access) in my network. So I thought to share how to do it all of you out there. Before Starting this article I like to make some assumptions ..
*1 Linux and Windows clients have wireless card configures and its functional
*2 You have Free Radius install and its working without any probs
*3 You quiet a good knowledge in linux administration
*4 Separate linux server with radius installed
*5 A Wireless Access Point (WAP) capable WPA (or 802.1x) authentication with RADIUS
*6 Make sure that your wireless card support WPA ( normally cards manifactured after 2003 support WPA, Id you want to make sure you can check it in www.wi-fi.org)

Also you may need below mention software,
*1 Openssl version 0.9.7j
*2 FreeRadius version 1.1.7
*3 wpa_supplicant for linux clients (you can get this from a repository using yum,apt or emerge)
*4 Windows XP with service pack2

Below are the things I used,
*1 The machine the Radius server resides runs on a Gentoo linux which also has DNS, DHCP and a firewall installed
*2 The client I used to access is Dell Latitude D820 with Ubuntu 7.04 version
*3 Access point I used is a D-Link one

Installation outline,
*1 Make Certificates
*2 Configure FreeRadius
*3 Configure the wireless access point
*4 Configure the client

Making Certificates
Certificates are a digital means of ensuring the identity of a machine or individual and providing keys for encryption. We'll need certificates for the client(s) and RADIUS server. These certificates also need to be certified by a root certification authority (CA), and we'll make one of these as well.
Before we continue details about EAP/TLS, digital server certificates beyond the scope of this article . So if you need more information you try following links,
http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a008009256b.shtml (This has explained EAP/TLS in detail with diagrams)

We need a Certificate Authority to sign certificate and to validate them.So best options is to create a local CA. Before creating a CA, I advice you to change the openssl.cnf for optimization. Below are the things you need to change.

[ ca ]
default_ca = CA_default

[ CA_default ]
dir = ./myCA
default_days = 730

countryName_default = LK
stateOrProvinceName_default = Western
localityName_default = Colombo
0.organizationName_default = MyCompany

Ok save openssl.cnf.. Now to create CA you need to run CA.sh script. You can find the script in /usr/share/ssl/CA.sh or /etc/ssl/misc/CA.sh. In this you need to change the CATOP variable to match the dir you gave in openssl.cnf. CATOP =./myCA. Now to create a CA do the following (as root)..

# cd /etc/ssl
# /usr/share/ssl/CA.sh -newca

You then are prompted to create a new root certificate and to type a passphrase for its private key. Choose a difficult-to-guess passphrase, and write it down in a safe place-if you forget it, you'll be unable to use your CA.

After the script is done, your SSL configuration directory should contain a new directory, myCA. At the root level of this directory is your new CA's public certificate; by default this file is named cacert.pem. You need to copy this file to your FreeRADIUS server and to each wireless client.

There's one more thing you need to do before creating certificates if you've got Windows XP wireless clients. Windows XP expects certain attributes in server and client certificates, so you need to create a file called xpextensions that contains the lines shown below.

[ xpclient_ext ]
extendedkeyUsage = 1.3.6.1.5.5.7.3.2
[xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

To make WPA2 work you need at least to more certificates. One for the radius server and other for the wireless client. Creating certificates has 3 steps..
*1 Generate a signing request (aka Unsigned certificate)
*2 Sign the signing request with your CA key
*3 copy the signed request to the host

*Run all these commands as root in directory /etc/ssl/*

Generate Radius server key

* Create the signing request
# openssl req -new -keyout radius_key.pem -out radius_req.pem -days 730 -config ./openssl.cnf

This command creates the files radius_req.pem, which contains the actual request an unsigned certificate and radius_key.pem, always remember the passphrase of the private key. First, though, you are prompted for your organization's Country Code, State and so on, much of which can use the default values you tweaked in openssl.conf. Pay special attention, however, to Common Name. When prompted for this, type the fully qualified domain name of your server, for example, radius.mycompany.com.

* Use the CA key to sign the request

# openssl ca -config ./openssl.cnf -policy policy_anything -out radius_cert.pem \
-extension xpserver_ext -extfile ./xpextensions -infiles ./radius_req.pem

This command reads the file radius_req.pem and, after prompting for your CA key's passphrase, saves a signed version of it plus its corresponding private key to the file radius_cert.pem. Notice the -extensions and -extfile options, this is why earlier we created the file xpextensions. After that open your signed certificate and delete everything upto -----BEGIN CERTIFICATE-----.

Generate Client keys

* Create the signing request
# openssl req -new -keyout client_key.pem -out client_req.pem -days 720 -config ./openssl.cnf
(always wirte down the passphrase in a safe place)

* Use the CA key to sign the request
# openssl ca -config ./openssl.cnf -policy policy_anything -out client_cert.pem \
-extension xpclient_ext -extfile ./xpextensions -infiles ./client_req.pem

Also, if your clients run Linux, you should delete the extraneous stuff in the certificate, like you did with radius_cert.pem.

If your certificate is to be used by a Windows XP client, you have one more step to take. You need to convert the certificate file(s) to a PKCS12-format file, with this command:

# openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client_cert.p12 -clcerts

You are prompted for client_key.pem's passphrase and then for a new passphrase for the new file; you can use the same password as before if you like. Now you can copy over certificates cacert.pem and client_cert.pem and client_key.pem for linux clients. For windows copy cacert.pem and client_cert.p12 for windows. From this point creating certificates phase is over. Now we can move on to preparing radius server.

Preparing Radius Server
Most of the time radius configuration resides in /usr/local/etc/raddb or in /etc/raddb. In the radius configuration directory there's a sub-directory called certs/. This is the location where you need to put your certificates. Copy over cacert.pem and server certificates radius_cert.pem and radius_key.pem. Now give the below mention permission to those files..
(I used radiusd as the freeradius user and group)

-rw-r----- 1 root radiusd 1915 Aug 12 09:34 radius_key.pem
-rw-r----- 1 root radiusd 1915 Aug 12 09:34 radius_cert.pem
-rw-r----- 1 root radiusd 1224 Aug 12 09:35 cacert.pem

--to be continue--

Firewall to your Notebook

Before starting this blog I would like to say this is for people who have installed *nix in their notebooks.. Sorry to say I'm not much of a windows fan....
We all know *nix is a very secure operating system but using *iptables* we can make it more secure. So below is a simple script that will set up a simple firewall for a notebook.
First of all log in to your system and become the *root* (# su - )...

* I suggest that its best to have a *bin* directory in root's home.. So that you can store all your system related scripts inside that and can stop other users in the system from accessing them..
# mkdir /root/bin

* Open an empty file using the Vi editor (My favorite editor is 'Vi' but you can use your favorite editor ;) )
# vi /root/bin/firewall

* In the file type the following commands.. (you can simply copy & paste this and change accordingly)

#(defining the shell)
#!/bin/bash

#(define iptables location. depend on the system)
iptables='/sbin/iptables'

#(define network interfaces)
WIRED='eth0'
WIRELESS='eth1'

#(define loopback address)
LOOP='127.0.0.1'

#(First we should drop all tables)
$iptables -P OUTPUT DROP
$iptables -P INPUT DROP
$iptables -P FORWARD DROP
$iptables -F
$iptables -t nat -F
$iptables -t mangle -F

#(define default policies)
$iptables -P INPUT DROP
$iptables -P OUTPUT ACCEPT
$iptables-P FORWARD ACCEPT

# Prevent external packets from using loopback addr
$iptables -A INPUT -i $WIRED -s $LOOP -j DROP
$iptables -A FORWARD -i $WIRED -s $LOOP -j DROP
$iptables -A INPUT -i $WIRELESS -d $LOOP -j DROP
$iptables -A FORWARD -i $WIRELESS -d $LOOP -j DROP

# (Allow local loopback)
$iptables -A INPUT -s $LOOP -j ACCEPT
$iptables -A INPUT -d $LOOP -j ACCEPT

# Allow incoming pings (purely for diagnostic purposes)
$iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

#Put all the services you want outsiders to access (I allow only http and ssh)
$iptables -A INPUT -p tcp --dport 22 -j ACCEPT
$iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# Keep state of connections from local machine and private subnets
$iptables -A OUTPUT -m state --state NEW -o $WIRED -j ACCEPT
$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

$iptables -A OUTPUT -m state --state NEW -o $WIRELESS -j ACCEPT
$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

* Ok that's it.. Now save your file..

* We need this file to an executable. Try below for change the file permissions
# chmod 750 /root/bin/firewall

* To apply your file to the system..
# /root/bin/firewall

* To check the firewall settings..
# /sbin/iptables -L -n

* You may want to apply your firewall when your system startup. Most of the *nix system has a file call /etc/rc.local which runs custom scripts of the user at the end of multiuser runlevel. Simply add your script location to that (remember to give the full path to the script).

Ok this is how we configure a simple firewall for notebook users.. I'll try to follow this with a blog about simple measures you can take to secure your notebook from attacks.

Optimus Prime

I AM
66%
OPTIMUS PRIME

Mrs. Firefox

Mozilla Firefox......

Hackles !!!

"Hackles" is a pretty old cartoon strip about a software company called Bitco. I came across this site when I was digging for some Linux penguin images in Google. This mostly build around some Linux geeks in the company. Even though this was a cartoon strip, It was very technical. So sometimes you may need technical knowledge in computers to understand the humor. I place this as one of my favorite cartoon strips after 'Cow and Boy' and 'Dilbert'. But let be known that creators stopped the strip after 2004 :(. Please use the below link to check the strip archive..

http://www.hackles.org/archives.html

Latest Releases from WSO2

WSO2 Web Services Framework/C is a standards compliant, enterprise grade, open source, C library for providing and consuming Web services in C. The PHP extension of WSF is based on Apache Axis2/C, Apache Sandesha2/C and Apache Savan/C, and is created for providing and consuming Web services in PHP.

WSO2 also released a new version of WSO2 WSAS, which is an application server for Web services with full support for XML, SOAP, WSDL, and reliable secure communications.

The latest addition to WSO2 products is the WSO2 Mashup Server, which is a powerful yet simple and quick way to tailor Web-based information to the personal needs of individuals and organizations.


Please use http://dist.wso2.org/products to download the latest WSO2 releases.

WSO2 WSAS v2.0 beta is Released!

WSO2 WSAS is an application server for Web services. With its built in high-performance Web server, full support for XML, SOAP, WSDL, and support for reliable, secure communications, WSO2 WSAS makes it simple and effective to create, consume and manage Web services. Based on the concept of Service Oriented Architecture (SOA), the Web services specifications support secure, reliable and transactional integration based on the concept of loose coupling, which is inherently scalable.

http://dist.wso2.org/products/wsas/java/2.0-beta/

WSO2 WSF/C v1.0.0 is Released!

WSO2 Web Services Framework/C (WSO2 WSF/C) is a standards compliant, enterprise grade, open source, C library for providing and consuming Web services in C. WSO2 WSF/C is a complete solution for building and deploying Web services, and is the C library with the widest range of WS-* specification implementations.

http://dist.wso2.org/products/wsf/c/1.0.0/

WAR, Human Rights and State of Fear

Well I'm wise enough to know just to utter the word Human Rights these days is good enough to open a can of worms.. But I really can help it. When you look at the articles of every news papers, televisions, radios, Internet and of course even in blogs.. you see every one is talking about WAR and Human Rights (now on I'll refer it as "HR", I don't want to waste my time to type such a long word) so eagerly.. so energetically... so frenetically ...

So it seems that Human Right is the todays new trend, a new life style. Every one wants to talk about.. every one wants to grab other attention and show-off their intelligent by harping about how state violate human rights and how we should devote ourselves to protect it.. But usually these so-called conversations doesn't happen in places where HR get shredded and cut in to pieces or where it get violated grossly... Most of the time they happen in Star Class hotels or very top of the class night clubs.. Where they drink expensive alcohol and smoking top of the range cigars.. or in a top conference hall surrounded by lots of news scavengers (aka TVs,Radios etc)

Every now and then these so-called HR watchers will get out of it and might hold a rally or a protest with fancy names just to burn up those calories they gain.

I really see this as creating a "STATE of FEAR"

What is this "State of Fear" ?

Its a pretty complex thing to explain... I'm not a sociology expert.. so I'll try to define it in the simplest of the form I can.. State of Fear is creating an un-necessary and non-existent fear among general public, So that whoever created that Fear can control the people with minimal effort..

for an example take a look at USA... most powerful country in the world.. but its people live under a constant fear.. They are afraid of Muslims and other Asians and they don't want to fly etc etc etc.... I can go on for ever but I'll keep it simple..
Also USA has this color coded security alert system... So that mean if the Alert reach "Red".. well its the time to stop whatever you do and go inside your bunkers, house or whatever and never to come up until the government say so..

So same thing is going on here.. some bunch of people, who really doesn't have the skill to do something productive, form some organization with an attractive name and some Dollars from west... and talk about HR from dawn to dusk... What will they do to stop HR violation ... Nothing... Why ? Because its their living... thats what they do to earn money and live a fancy life with minimal fuss....

(Before continuing further I want to clarify one thing.. I am NOT a racist.. I do respect other nationalities... So far in my life I haven't abuse any one racially and I'm not planning to do rest of my life.. )

There are creating this HR fear among us... They define HR the way they want... If bus full of Sri Lankans blown up by LTTE or If LTTE chase away any Sri Lankans from north or east..., That's not HR violations.. Those so-called HR watchers will not utter a word against it.. BUT if a LTTE personnel get arrested for suspicion behavior then that is HR violation...

Also they say if you don't support this "Their version of HR" other countries will stop aid... they'll ban us etc etc etc.... If this isn't creating fear or what ???? you tell me...

Just like the other trends we had.. this will also die away... If anyone can remember tell me.. Did we or they talk this much about HR last year around this time ???

And for sure next year around this time they/we will talk about something else.... I really don't know to predict future.. But I'll make a guess... I think it'll be about "Army capturing killinochchi..."..

As for the war i have one thing to say.. We need to fight out terrorism... "HR and war doesn't go along" as some once said in parliament..

What I have to say is don't get entangled in this web of Fear created by Media, So-called activist .. Just study the thing carefully and then make a decision.. Then you'll live without fear for rest of your life..

"I tried my Best".....

When I say "Best" I was not referring to the small village in Netherlands. I was actually referring the word "Best".
Why did I come up with that suddenly ? What is the relevance, I'm pretty sure everyone in this world (well it should most of the people in the world) knows the meaning of the word "Best".
OK without further due, the reason I bought it up is, I sat for two of my final year papers today. Last paper I had today was "Software Engineering Methods and Management"... All I can say about it is "I tried my Best"...
So is that mean I really did enough to get an A+ ???
When you are considering my scenario, I say there are 3 different definitions for "Best"...

1. I studied really hard and I'm really good at Software Engineering. So based on that, you can say "I tried my Best". (This is a sure A+)
2. I studied OK and I'm OK with Software Engineering. So based on this, you can say "I tried my Best". (This is somewhere around B)
3. I studied a little and I really suck at Software Engineering.So based on this, you can say "I tried my Best" too. ( This has a fine line between Pass and Fail. Marker is the only person who can decide which side you'll be end up at the end of the day)

So I guess you'll see there's a certain weight attach to the word "Best". That weight is the thing that gives the word a real meaning and a real value. So without that added weight the word "Best" is just another word in the vocabulary.
So next time When someone says to you "Machan I really tried my Best".... Stop for a while and think what did your "Machan" really mean out of the above 3....

(and for all of the curious kind out there, I meant the third one ... Well to be honest I'm not much of a Software Engineer and I'm much of a S........... )

What is Life.....?

Today I realized I'm 24 years 04 months and 10 days old for 02nd of June 2007.... and I'm 17 hrs away from sitting for first paper of my final exam... Thinking back about my 24 years of existence in Ceilão, I wonder...

Am I really happy about where am I in my life after 24 years ??
Am I under achieved or over achieved ??
What were the things I missed in last 24 years ? Do I regret those missed moments and opportunities ?
What were best moments I had ? Would I go back in time to live those moments again if I can ?
What's future holds for me in Ceilão.. ? Will things in Ceilão get worse or will it get better ?
What are the things I need to achieve in rest of my life ? basically from here to where ???
Whats the ultimate objective of my life, so that I can say "I achieved what I lived for" and I can quit....
Who exactly put me in this universe ? and why earth ?? and why in Ceilão??
Am I serving the purpose of whoever the almighty power behind my existence ?
Is it (All mighty power) happy about it so far ? and When will I get a performance evaluation ??
What will happen to my Astral Life after I die... ? Will it go to heaven(or hell) ? Will I be reborn in this universe ??

Have you ever thought about those stuff ?? Have you ever stop a while to wonder about it ?

I think I know the ultimate answer for the Life, Universe and everything .......... Its 42 ... and you know what, Earth is the powerful computer that was built to figure out, what exactly 42 means... Guess I'll be lucky enough to hang around till it give the meaning behind 42..... (hope Vogons won't come before that :) ).....

My First Blog

First I thought to start this off with the similar fashion that I wrote my first Java program. I know its the first step for all of those Gurus and Pundits out there... Since this is a blog and this something that we do to harp about ourselves to world, I just thought to start off with simple "Hiya".... I thought this is simple enough to not to scare off any souls...
Before starting this, I went through all the Ceilão's blogs available in www.achcharu.org... They are very interesting and very fascinating... Too be honest I learned thing or two about life from those bloggers :D. So basically that made me start my own blog, so that in a way.. in some distant future I may be able to help someone to think about life in a different way (I know its never gonna happen but no harm in trying... right :) )...
Before going further, for those who are wondering "What the f*** is Ceilão ?"... Well yeah I just have to say "you just have to brush up your own history knowledge about Ceylon son :)". Ceilão was the name given to our emerald isle by Portuguese who wondered into Colombo back in 1505.