Steve's Views Rotating Header Image

O/S’s

Networking 101

I’ll share some basics here:

All computers and devices on a network are each called a host. Each must
have a unique IP address just like each house has a unique address.

IP addresses are broken into the older IP version 4 (IPv4) which has
four numbers separated by a period ‘.’ like this 8.8.8.8.

Each number must be in the range of 0 to 255, but no host can have an IP
that ends on 0 or 255.

There are three main ranges of IP addresses which will not be routed
(forwarded) across the internet. These ranges are intended to be used in
local networks, which in practice means you can have a number of
computers with their own IP address on your network without it being
open to the world.

In other words these ranges will not work across the internet and is a
direct solution to not wanting to give up a “routeable” address for each
internal device. Otherwise the available IP addresses would be used up
very rapidly by large corporations. Plus, this way we have a layer of
security. There is a technology called Network Address Translation (NAT)
which ensures internal communication traveling from the inside of a
network to the outside is properly tracked.

The three ranges are:

10.0.0.0 – 10.255.255.255 with 16,777,216 IPs
172.16.0.0 – 172.32.255.255 with 1,048,576 IPs
192.168.0.0 – 195.168.255.255 with 65,536 IPs

There is an address for all computers to test networking without needing a
network card which is 127.0.0.1. It is called the loopback device.

The new IP version is called IPv6 and in theory allows for 2 to the
power of 128 (128 digits) versus IPv4 which only have about 4.3 billion
addresses. I’m not going into the details of it here.

A network that is under another one or is internal is generally referred
to as a subnet.

Each network reserves a few IPs for its own use:

For a network able to use all 256 addresses on a subnet , for example, 192.168.1.0 is called the network address, which obviously is the beginning of it.

Usable addresses then would be 1 through 254, except generally the first
usable one is usually the gateway to the network “above” it. So .1 is
usually reserved as the gateway IP.

Then the last IP is usually the broadcast address. The purpose with that
is when a device needs to reach another computer and does now know has
the IP sends out a broadcast asking “who has (IP)?” which is sent to the
.255 address. The gateway will then answer.

192.168.1.0 is the network IP
192.168.1.1 is the gateway
192.168.1.255 is the broadcast IP

We humans have a hard time tracking IP addresses so a system was
designed to allow up to use names instead. A server function called
Domain Name Server (DNS) translates the name to an IP address which is
needed to actually reach another computer.

Now for a computer to save time and not bother the DNS with questions
that it could answer a network mask was created which by its design can
tell if the computer you are trying to reach is on the local network or
needs to be sent to the gateway server to figure out. (And if it does
not know it sends it up to its gateway and so on.)

It is called subnet mask and for the above example it would look like
this 255.255.255.0. Thereby knowing that any host on 192.168.1.0-192.168.1.255 can be sent directly, anything else would need to be sent to the gateway, 192.168.1.1 for it to forward up the line.

Due to criminal elements online it is crucial that you have layers of
security. The first one is called a border firewall and is the first
layer of security. Other layers can be local firewalls on each computer,
educated users on what to do and not, log files that are monitored,
security patches applied in a timely fashion (immediately) and so on.

You do NOT need a separate subnet for VMs unless you WANT to have it. I
rarely do it. But if you do then simply assign IPs for the VMs that are
on the same subnet. If they need to go outside that subnet then make
sure you have a gateway assigned which sits across both subnets. That
will have port forwarding turned on which allows traffic to flow between
the network cards. (Google linux router.)

When you use virtual machines they too will each need an IP to talk to
any other host.

(You could create a subnet which does not have the ability to talk
outside that specific network, which could be handy when testing
something that could be interrupting other hosts on the main network.
Being totally isolated means it cannot be hacked nor leak something
outside that network.)

When you sit inside your subnet you may not allow random external (on
the internet) traffic to reach your internal computers unless there is a
hole on the firewall to allow some traffic in. For example, you might
have a web server which is reachable from the outside, which in turn
uses a database. Access to the database must be guarded to ensure it’s not reachable directly or via a flaw in the code.

You have to make the call if you can or should allow the VMs access to other networks.

How To Give Away Your Bank Accounts To Criminals

Sherri Davidoff, Author of “Network Forensics: Tracking Hackers Through Cyberspace” has documented a real life example of someone giving away all their credentials which means someone else now have the same access to your identity and subsequently, money, that you have.

It is a very effective demonstration of what not to do, share it with others!

And not necessarily very hard to protect yourself from. The best is of course to never accept and use links in emails, IM, etc. Which can be hard when you think it is from your friend or family member, or in the above case, your bank.

A safer method would be to use a LiveCD (a CD which you boot and run programs from) which does not have the ability to be altered. Which means each time you boot it – it is completely untouched by any virus. But it means booting into it each time you want to visit your bank, or other sensitive websites.

Joanna Rutkowska is a Polish security researcher who released a modified Operating System called Qubes OS which I think is a great compromise, and the best I have seen. It accomplishes that by setting up virtual environments in a particularly nifty way. First the whole O/S have been modified to be hard to break into, then it uses dedicated virtual computers for each sensitive website (all according to your preference).

I created one environment for each bank, Paypal etc. Then I ONLY visited that one website using that virtual environment. In other words if you have Paypal you would use the Paypal virtual environment to only visit Paypal. And so on.

Now it requires that the banks website gets infected with the malware needed to infect my virtual computer but only for that bank. Not for any other. It is also particularly easy to fix. Remove it and add a new one.

Another virtual environment is used for casual browsing. Another for business, email etc.

This means an infected email cannot corrupt your other environments and you have a very effective tool against online malware.

Security is about balancing security and work-ability. Too secure and nothing can get done. Too easy and you’ve given easy access for criminals. You need to strike a balance. It took very little to get used to and is about the safest and best balance I’ve seen anywhere.

As you can see at the bottom of the above article LMG Security offers workshops and her book is a very good read.

Make the extra effort to be security aware and avoid being a victim while at the same time not being the tool used to wreck someone else’s life.

September 24 Is World Day Against Software Patents

Foundation for a Free Information Infrastructure, has a press release declaring Sep 24 World Day Against Software Patents:

Brussels, 2nd September 2008 — A global coalition of more than 80 software companies, associations and developers has declared the 24th of September to be the “World Day Against Software Patents”. Five years ago, on 24 September 2003, the European Parliament adopted amendments to limit the scope of patent law and thereby protect small software companies from the harmful effects of broad and trivial software patents. A global petition asking to effectively stop software patents worldwide will be launched on 24 September 2008, together with specific additional requests for certain regions such as Europe, the United States or India.

Full Press Release.

Matt Asay from CNET want’s us to turn the other cheek to Microsoft

Today I read an article by Matt Asay in CNET’s news.com. In it he speaks up against the Open Source community for not welcoming Microsoft’s attempt to get their incompatible license approved. He proclaims the Open Source Initiative’s (OSI) is discriminating against MS which Matt thinks is “explicitly against the OSI’s Open Source Definition”.

That is a totally false assumption. Their purpose is to look out for the Open Source community’s best interest and not approve licenses that does not comply with it.

Further Mike calls it a “horse-whipping” and says “I don’t believe in discrimination of any kind…even of ‘bad people.'”

My response to him:

Mike I don’t know you from a hole in the wall, but judging from this article I sure would not consider you safe to keep around. Per your writing you would be the one letting some lunatic into my house with my children. Or a pyromaniac or something. After all you say one cannot discriminate against anyone, regardless!

People who cannot discriminate themselves are usually people that should be discriminated against due to some fatal flaw in their character. I’m not really trying to mount some attack against you, but your logic is so dangerous that not speaking up against your idea would be a dereliction to my community.

Your bio says you have “nearly a decade of operational experience with commercial open source and regularly speaks and publishes on open-source business strategy”.

Yet you now suggest throwing away all that experience based not only on inaccurate information (you really should read the OSI requirements, rather than guessing as it makes you look like an horse’s eh, butt, if you get my drift) and with a stunningly bad business advice.

Again, not knowing you one starts to wonder what are you really up to? What are your true intentions?

Then you have the stomach to call the community’s, which you have been making money on for nearly a decade, response as horse-whipping. I guess if you came to my door and asked to be let in and I turned you down you would call that horse-whipping too?

No Matt, I think your true colors are showing up, and anyone who listens to your advice should get their monies back. You either are that eh, naive, or you are up to no good. The result is still the same.