OPAC Stations — Windows(TM) kiosks no more!

In the process of helping one of my libraries come up with a (very) cheap kiosk solution, I ran across WebConverger. It’s nothing new; the real revelation to me was the relative ease with which WebConverger can be customised. It’s actually very easy to do, much easier than I was anticipating, especially if you have a shred of Linux command line experience.

We wanted a kiosk solution that went to our catalog web page by default on boot. WebConverger doesn’t (usually) allow you to specify a URL besides their default, but you certainly can customize the ISO to make it your own. Here’s what we did:

Using WebConverger 7.2, we did the following:

Downloaded the original WebConverger ISO

Don’t bother trying to do this on Windows or OSX. You’ll just end up mad.

On a linux box (preferably one you can install packages to, I used Debian Lenny):

  1. Make sure you have mkisofs (sudo apt-get install mkisofs) and syslinux (sudo apt-get install syslinux) installed
  2. mkdir /mnt/webc
  3. mount -o loop webc-7.2.iso /mnt/webc/
  4. rsync -av /mnt/webc /mnt/custom
  5. chmod +w /mnt/custom/webc/isolinux/live.cfg
  6. Now edit /mnt/custom/webc/isolinux/live.cfg and change the boot command line with your homepage URL.
  7. Now rebuild the ISO like so:
mkisofs -o /tmp/custom-webc.iso -r -J -l \
  -cache-inodes -allow-multidot -no-emul-boot \
  -boot-load-size 4 -boot-info-table \
  -b isolinux/isolinux.bin -c isolinux/boot.cat /mnt/custom/webc

Burn the ISO to CD, and go at it.
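As an added example (not from the original post or from the WebConverger project), here is a small shell script for step 6: it rewrites the append line of a copy of live.cfg with the kiosk's start URL and refuses values that would corrupt the boot line. It assumes WebConverger takes the start page from a homepage= kernel parameter, and the sample live.cfg below is constructed.

```shell
#!/bin/sh
# Added example (not from the original post or from WebConverger): rewrite the
# boot command line in a copied live.cfg so the kiosk opens the catalog URL.
# Assumption: the start page is read from a "homepage=" kernel parameter on
# the "append" line; adjust the token name if your version differs.
set -eu

# set_homepage LIVE_CFG URL
# Drops any existing homepage= token from every "append" line, appends the new
# one, and preserves the line's indentation. Rejects URLs that would corrupt
# the boot line (non-http(s) schemes, embedded whitespace).
set_homepage() {
    cfg=$1
    url=$2
    case "$url" in
        http://*|https://*) ;;
        *) echo "refusing non-http(s) URL: $url" >&2; return 1 ;;
    esac
    if printf '%s\n' "$url" | grep -q '[[:space:]]'; then
        echo "refusing URL containing whitespace" >&2; return 1
    fi
    awk -v url="$url" '
        /^[ \t]*append[ \t]/ {
            match($0, /^[ \t]*/)
            out = substr($0, 1, RLENGTH)
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^homepage=/) continue
                out = out $i " "
            }
            print out "homepage=" url
            next
        }
        { print }
    ' "$cfg" > "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
}

# Constructed sample live.cfg standing in for /mnt/custom/webc/isolinux/live.cfg.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
label live
    menu label ^Live
    menu default
    kernel /live/vmlinuz
    append initrd=/live/initrd.img boot=live homepage=http://example.invalid quiet
EOF
set_homepage "$demo_cfg" "https://catalog.example.org/opac"
grep 'homepage=' "$demo_cfg"
```

Run it against the real file as `set_homepage /mnt/custom/webc/isolinux/live.cfg https://your-catalog/` before step 7, and check the append line with grep before rebuilding the ISO.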

All done! Wasn’t that easy?

The Hacks Keep Coming

In case you needed a reminder of the constant presence of threats on the Internet, here are some interesting recent hacks and breaches:

PlayStation Network

According to the message sent to affected users (including myself):

between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network… we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained.

Ok, just gamer stuff, no big deal?  Actually, because of inevitable password reuse and the sheer volume of user data, it is a big deal.  Also, they go on to say maybe your credit card data was exposed too.  Ouch.

More recently, they revealed that some subscription-based gamers’ accounts, credit card and direct-debit bank info definitely was compromised.  In response they took PSN offline again.  That is a pretty serious move.  Imagine being Sony.  People who already bought PS3 games can no longer play them online, new downloadable games and content aren’t being sold, and the stable revenue base of your subscriber-gamers is wondering why they are paying you.  Fair to say, the entire PS3 enterprise is in jeopardy.

Sony Online Entertainment, their PC game division, was also hit, so now when I say “sheer volume,” I mean 102 million.

Gawker/Gizmodo/Jezebel/LifeHacker/etc

In December, around 1.5 million accounts from the many sites in the Gawker family were compromised and posted to Pirate Bay, including ultimately crackable password hashes.  The analysis from Duo Security is valuable, even showing the commands they used to examine the data.  But you won’t need those to read their list of 250 most commonly used passwords.  Here’s the Top 11 (with counts):

   2516 123456
   2188 password
   1205 12345678
    696 qwerty
    498 abc123
    459 12345
    441 monkey
    413 111111
    385 consumer
    376 letmein
    351 1234

This is a telling snapshot of how users really behave, but it’s not just “the public” that lacks security-consciousness.  I have been issued and discovered accounts on .gov servers with some of these same very poorly chosen passwords.  (I am surprised that so many people use “consumer” though.)  I won’t reprint them here, but for extra irony compare #22 and #23 on Duo’s list.

So what does this let a hacker do?  Other than post acai berry spam on gizmodo boards, it lets them get started on users’ other accounts.  The emails are in there.  Do you think the same users that pick “password” are going to be fastidious against password reuse with their other accounts?  Then once you have access to email, you know pretty much everything about them.  For example, you can find billing statements from their bank, and try out credentials at that bank’s site.  Or just build a catalog of additional credentials and sell those to another more malicious group of hackers.  And if you really want to, you could reset passwords on many other accounts in the middle of the night, receive the reset emails, and briefly use them as your own.  Besides ATM use, this is why your bank assigns you an additional bank PIN.

Apache

That’s right, the same people who build the most widely used webserver on the internet also had their own infrastructure attacked last year.  The victim was their JIRA, Bugzilla and Confluence host.  Apache’s account is useful because they detail exactly how the attack took place, involving insecure application setup, cross-site scripting, users trusting a plausible but unprompted password reset email, password reuse and svn credentials caching.   The attack is incremental; each step sets up the next, but ultimately the attacker obtains system root.

Perhaps more useful, the account also says what worked and what they changed: lessen JIRA runtime privileges, require one-time-passwords for sudo, use Fail2Ban, disable SVN password caching.  It is somewhat numbing to realize that even the web’s own experts get owned, but before you go thinking that maybe it’s because of their distributed nature or volunteer composition and that a single commercial corporation would have more control…
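An added example (not from the original post or from Apache's write-up) for the last of those changes: a shell audit that reports whether a Subversion client configuration still caches passwords. It assumes the [auth] keys store-passwords and store-plaintext-passwords in ~/.subversion/config and the cache directory ~/.subversion/auth/svn.simple/; the sample config is constructed and deliberately shows the weak setting.

```shell
#!/bin/sh
# Added example (not from the original post or Apache's report): audit a
# Subversion client config for the password caching Apache said they disabled.
# Assumptions: [auth] in ~/.subversion/config holds "store-passwords" and
# "store-plaintext-passwords"; cached credentials sit in auth/svn.simple/.
set -eu

# auth_setting CONFIG KEY: prints the value of KEY in the [auth] section,
# or "unset" if it is absent or commented out (Subversion's default is "yes").
auth_setting() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_auth = ($0 ~ /^[ \t]*\[auth\][ \t]*$/); next }
        in_auth && $0 !~ /^[ \t]*[#;]/ {
            split($0, kv, "=")
            gsub(/^[ \t]+|[ \t]+$/, "", kv[1])
            if (kv[1] == key) { gsub(/^[ \t]+|[ \t]+$/, "", kv[2]); val = kv[2] }
        }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# svn_cache_audit CONFIG AUTH_DIR: returns 0 when caching is off and nothing is
# cached, 1 otherwise; prints one finding per line.
svn_cache_audit() {
    rc=0
    store=$(auth_setting "$1" store-passwords)
    plain=$(auth_setting "$1" store-plaintext-passwords)
    if [ "$store" != "no" ]; then
        echo "store-passwords is '$store' (should be 'no')"; rc=1
    fi
    if [ "$plain" != "no" ]; then
        echo "store-plaintext-passwords is '$plain' (should be 'no')"; rc=1
    fi
    n=$(ls "$2/svn.simple" 2>/dev/null | wc -l)
    if [ "$n" -gt 0 ]; then
        echo "$n cached credential file(s) in $2/svn.simple"; rc=1
    fi
    return $rc
}

# Constructed sample: a config that still caches passwords (the weak setting).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/auth/svn.simple"
: > "$demo_dir/auth/svn.simple/0123456789abcdef"   # stand-in cached credential
cat > "$demo_dir/config" <<'EOF'
[auth]
# store-passwords = no
store-plaintext-passwords = yes
EOF
svn_cache_audit "$demo_dir/config" "$demo_dir/auth" || echo "audit failed"
```

The corrected setting is `store-passwords = no` and `store-plaintext-passwords = no` under [auth], after which the audit passes once the svn.simple directory has been emptied.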

RSA

RSA is amongst the top, if not *the* top, commercial encryption/security firms, having major institutions around the globe as clients.  They have pushed multi-factor authentication, including the SecurID fob/generator, for a very long time, but the idea seems to have newfound popularity recently.   (Care to guess why?)  Therefore it was particularly distressing to see that RSA’s own systems were breached and that SecurID token generation itself can legitimately be considered compromised.

CONCLUSION

It’s a good time to change passwords, especially if you are a PSN or Gawker account holder, but the widespread, repeated incidents should suggest that the problem is also an architectural one.  When your account is accessible with static data, and data “spillage” and retransmission are endemic, maybe it’s time to add another level of security.  In my next post, I’ll show one simple thing you can do to protect yourself: free two-factor authentication for Gmail.

Your favorite distro is not our favorite distro

Every so often the Koha and Evergreen (and Drupal, and Plone, and $ANY_LARGE_COMPLICATED_FOSS_PROJECT) mailing lists and IRC channels will see requests for help from somebody who wants to install the software on a Linux distribution that isn’t one of the ones commonly recommended for that ILS. That’s fine; we don’t all have to run Debian or Ubuntu. But occasionally the requestor forgets one important fact:

Your favorite distro is not our favorite distro.

In other words, most active contributors to a large F/OSS project will tend to settle on one or two flavors of Linux for active development. While most projects will at least try to provide installation instructions or packages for most of the popular distros, ultimately if something is to be packaged and maintained for a distro that isn’t the one used by the majority of developers, somebody has to champion and maintain support for that distro. That somebody might not be one of the core developers.

So, if your favorite distribution isn’t the one best supported by the project, please consider the following tips:

  • If you’re evaluating the software, please consider setting up a temporary VM using the recommended distribution, then follow the installation instructions exactly as written. Also, many projects provide pre-built VM images or LiveCDs for evaluation purposes.
  • When asking for help, please remember that other users and developers may not be familiar with the quirks of your distro.
  • If you get past any roadblocks to getting the software working, please write up how you did it for the next person.
  • If you want your favorite distro to become one of our favorite distros, please be prepared to help get it there by maintaining installation instructions or packages.
  • Whatever you do, please don’t just complain that the software isn’t packaged for your favorite distribution. It may be a perfectly good distribution, but few projects can package for every distro. If the software doesn’t work out for you and you don’t have the time or knowledge to figure out how to install it on your favorite distro, it’s perfectly fine to pass it by. But please don’t be rude about it.