24 Timeless quotes on politics

December 17, 2009 by cynici
From a forwarded email:
The adage that “the only thing Man learns from History is that Man learns nothing from History” seems to be backed up by sayings of famous people, going as far back as 430 BC!
  1. In my many years I have come to a conclusion that one useless man is a shame, two is a law firm and three or more is a congress. – John Adams
  2. If you don’t read the newspaper you are uninformed, if you do read the newspaper you are misinformed. – Mark Twain
  3. Suppose you were an idiot. And suppose you were a member of Congress. But then I repeat myself. — Mark Twain
  4. I contend that for a nation to try to tax itself into prosperity is like a man standing in a bucket and trying to lift himself up by the handle … – Winston Churchill
  5. A government which robs Peter to pay Paul can always depend on the support of Paul. – George Bernard Shaw
  6. A liberal is someone who feels a great debt to his fellow man, which debt he proposes to pay off with your money. – G. Gordon Liddy
  7. Democracy must be something more than two wolves and a sheep voting on what to have for dinner. – James Bovard, Civil Libertarian (1994)
  8. Foreign aid might be defined as a transfer of money from poor people in rich countries to rich people in poor countries. – Douglas Casey, Classmate of Bill Clinton at Georgetown University
  9. Giving money and power to government is like giving whiskey and car keys to teenage boys. – P.J. O’Rourke, Civil Libertarian
  10. Government is the great fiction, through which everybody endeavors to live at the expense of everybody else. – Frederic Bastiat, French Economist (1801-1850)
  11. Government’s view of the economy could be summed up in a few short phrases: If it moves, tax it. If it keeps moving, regulate it. And if it stops moving, subsidize it. – Ronald Reagan (1986)
  12. I don’t make jokes. I just watch the government and report the facts. – Will Rogers
  13. If you think health care is expensive now, wait until you see what it costs when it’s free! – P.J. O’Rourke
  14. In general, the art of government consists of taking as much money as possible from one party of the citizens to give to the other. – Voltaire (1764)
  15. Just because you do not take an interest in politics doesn’t mean politics won’t take an interest in you! – Pericles (430 B.C.)
  16. No man’s life, liberty, or property is safe while the legislature is in session. – Mark Twain (1866)
  17. Talk is cheap…except when Congress does it. – Anonymous
  18. The government is like a baby’s alimentary canal, with a happy appetite at one end and no responsibility at the other. – Ronald Reagan
  19. The inherent vice of capitalism is the unequal sharing of the blessings. The inherent blessing of socialism is the equal sharing of misery. – Winston Churchill
  20. The only difference between a tax man and a taxidermist is that the taxidermist leaves the skin. – Mark Twain
  21. The ultimate result of shielding men from the effects of folly is to fill the world with fools. – Herbert Spencer, English Philosopher (1820-1903)
  22. There is no distinctly native American criminal class…save Congress. – Mark Twain
  23. What this country needs are more unemployed politicians. – Edward Langley, Artist (1928-1995)
  24. A government big enough to give you everything you want, is strong enough to take everything you have. – Thomas Jefferson

What is Check Point Secure Remote Office Mode

September 19, 2009 by cynici

The general idea of virtual private networking (VPN) over the Internet is that it bridges two or more networks separated by the Internet into one, through encrypted VPN tunnels.

In the case of the Check Point SecureRemote solution, one end of the VPN tunnel is the SecureRemote client software installed on the user’s PC, and the other end is the VPN gateway on a Check Point firewall located at the headquarters.

After the user has authenticated and the VPN connection has been established, a packet from the remote user’s PC enters the VPN tunnel and exits at the VPN gateway on the other end with its source address unchanged: it is still the address the PC has in the remote office. On exiting the VPN gateway, the packet is routed to its destination address in the headquarters.

How does the reply packet return to the user’s PC?

If the user’s IP address is “alien-looking”, i.e. there is no explicit route for it within the headquarters, it will presumably be routed to the firewall (the default gateway for the headquarters), and the firewall will recognize the address and put the reply packet into the VPN tunnel connected to the user’s PC.

But what happens if the user’s remote office is administered by a different organization and the IP addressing scheme is similar to the headquarters?

The reply packet will no longer look “alien” to the routers in the headquarters. It will be misrouted (or looped until its TTL expires) within the headquarters network instead of being routed to the firewall.

This is where Check Point SecureRemote “office-mode” comes into the picture.

When an office-mode user authenticates successfully, Check Point assigns that user an IP address from a network address range within the headquarters that is dedicated to VPN use (e.g. through an explicit static route in the core routers). This address range is special in that all packets destined for it will always be routed to the Check Point firewall.
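The routing problem and the office-mode fix, as an added illustration that is not part of the original post: a minimal longest-prefix-match table for the headquarters core router. The HQ prefixes, the remote-office addresses and the office-mode pool 10.255.0.0/24 are all assumed values.

```python
import ipaddress


class Router:
    """Minimal longest-prefix-match forwarding table (constructed for illustration)."""

    def __init__(self, routes, default_next_hop):
        # routes: iterable of (prefix, next_hop). default_next_hop is used when
        # no prefix matches, i.e. the "alien-looking" source address case.
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]
        self.default_next_hop = default_next_hop

    def with_route(self, prefix, next_hop):
        """Return a copy of this router with one extra static route."""
        extra = [(str(n), nh) for n, nh in self.routes] + [(prefix, next_hop)]
        return Router(extra, self.default_next_hop)

    def next_hop(self, destination):
        dst = ipaddress.ip_address(destination)
        matches = [(net, nh) for net, nh in self.routes if dst in net]
        if not matches:
            return self.default_next_hop
        return max(matches, key=lambda m: m[0].prefixlen)[1]


# Headquarters core router: two local LANs, default route towards the firewall.
HQ_CORE = Router(
    [("192.168.1.0/24", "hq-lan-1"), ("192.168.2.0/24", "hq-lan-2")],
    default_next_hop="firewall",
)

# Office-mode pool (assumed value), reachable only via a static route to the firewall.
OFFICE_MODE_POOL = "10.255.0.0/24"
HQ_CORE_OFFICE_MODE = HQ_CORE.with_route(OFFICE_MODE_POOL, "firewall")


def reply_reaches_tunnel(router, tunnel_source):
    """True if HQ's reply to a packet with this source address is forwarded to the
    firewall, the only device that can put it back into the VPN tunnel."""
    return router.next_hop(tunnel_source) == "firewall"


if __name__ == "__main__":
    # Remote PC with an address HQ does not use: the reply falls to the default route.
    print("172.16.5.20 ->", HQ_CORE.next_hop("172.16.5.20"))
    # Remote office using the same 192.168.1.0/24 as HQ: the reply is delivered to
    # the local LAN (or loops until TTL expiry) and never reaches the tunnel.
    print("192.168.1.50 ->", HQ_CORE.next_hop("192.168.1.50"))
    # The same user with an office-mode address: the dedicated static route wins.
    print("10.255.0.7 ->", HQ_CORE_OFFICE_MODE.next_hop("10.255.0.7"))
```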

noapic boot option causes disk and network to share IRQ

September 16, 2009 by cynici

An interesting troubleshooting article on Linux-Mag describes a curious case where MySQL connections were being dropped because, after booting, the disk shared the same IRQ as the network driver.

Conclusion: I’m not sure why we were ever passing the noapic option to our kernels at boot time. But it clearly had worked fine on our previous hardware platform running OpenSUSE 10.2. A bit of Google searching reveals a few interesting links, however: Why do so many machines need “noapic”? and What do the noapic/nolapic kernel arguments do?. Both lead to interesting discussions that may leave you believing that noapic is just one of those “safe defaults” that usually doesn’t cause problems–until it does.

Secure DHCP servers with iptables

September 10, 2009 by cynici

Recently, I had to configure a pair of CentOS 5.3 servers to provide DHCP service in a failover/load-balancing configuration.

A search on Google returned many good quickstart guides on how to configure the ISC DHCP software bundled in CentOS.

If you want to secure your server with a host-based firewall using iptables, this is the rule you need to insert into /etc/sysconfig/iptables (before the default reject rule on the last line):

-A RH-Firewall-1-INPUT -p udp --dport 67:68 -j ACCEPT

The line above alone is sufficient if the servers are not configured to use the DHCP failover protocol. Otherwise, you also need something similar to the following (replace the IP addresses and failover port accordingly):

server1 = 10.0.0.1

server2 = 10.0.0.2

Failover TCP port = 647

On server1, you need:

-A RH-Firewall-1-INPUT -p tcp -s 10.0.0.2 --dport 647 -d 10.0.0.1 -j ACCEPT

On server2, you need:

-A RH-Firewall-1-INPUT -p tcp -s 10.0.0.1 --dport 647 -d 10.0.0.2 -j ACCEPT
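A small helper, added here and not part of the original post, that builds the rules above for one server of the pair and inserts them just above the chain's final REJECT rule so they cannot end up after it. The sample /etc/sysconfig/iptables content is constructed, not taken from a real host.

```python
import re

CHAIN = "RH-Firewall-1-INPUT"


def dhcp_rules(self_ip, peer_ip=None, failover_port=647):
    """Rules from the post: DHCP on UDP 67-68 for all clients and, when a failover
    peer is given, the failover TCP port only from the peer to our own address."""
    rules = [f"-A {CHAIN} -p udp --dport 67:68 -j ACCEPT"]
    if peer_ip is not None:
        rules.append(
            f"-A {CHAIN} -p tcp -s {peer_ip} --dport {failover_port} -d {self_ip} -j ACCEPT"
        )
    return rules


def insert_before_reject(config_text, rules):
    """Insert rules directly above the chain's REJECT rule, skipping any that are
    already present so the function can be re-run without duplicating rules."""
    lines = config_text.splitlines()
    reject = re.compile(rf"^-A {re.escape(CHAIN)} .*-j REJECT\b")
    idx = next((i for i, line in enumerate(lines) if reject.match(line)), None)
    if idx is None:
        raise ValueError(f"no REJECT rule found in chain {CHAIN}")
    new_rules = [r for r in rules if r not in lines]
    return "\n".join(lines[:idx] + new_rules + lines[idx:]) + "\n"


# Constructed sample resembling a stock CentOS 5 /etc/sysconfig/iptables.
SAMPLE_CONFIG = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

if __name__ == "__main__":
    # server1 from the post: 10.0.0.1, peer 10.0.0.2, failover port 647
    print(insert_before_reject(SAMPLE_CONFIG, dhcp_rules("10.0.0.1", "10.0.0.2", 647)))
```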

Little-known Prerequisite for Nokia Check Point UTM appliance failover

June 4, 2009 by cynici

I came across this thread on the Check Point community forum by chance.

The key to setting up a 2-node cluster for stateful failover of Check Point NGX on Nokia UTM appliances, as given by Dominik Zanolari, is as follows:

Physical, dedicated sync link is definitely preferred, but you can’t do it in all scenarios. In case of VLANS, I would establish a second sync link on an interface with low utilization.

As for the VLAN IDs, Nokia stated that the sync interface must have the lowest VLAN ID on the physical interface, otherwise it will fail.

The output of cphaprob -a if will show you if there is a sync interface properly configured.

How to use yum-protect-packages?

June 2, 2009 by cynici

When enabled, this package prevents yum and all of its dependency packages from being updated.

In addition, it protects the packages listed one per line in either of the following files:

  • /etc/sysconfig/protected-packages
  • /etc/sysconfig/protected-packages.d/*.list

Read the original inline documentation:

#pydoc /usr/lib/yum-plugins/protect-packages.py

If your intention is merely to prevent a specific package from being updated, use yum’s --exclude option like so:

#yum -y --exclude=php-imap update

Good, cheap, fast

May 12, 2009 by cynici

[Image: Good - Cheap - Fast]

Web application security scanners

May 8, 2009 by cynici

This is a summary of information I came across when searching for an appropriate web application security scanner for my employer.

First and foremost, I strongly recommend reading these slides by Erwin Geirnaert of Zion Security, presented at OWASP AppSec Europe in May 2006, in which he explains what one can realistically expect (and what not) from automated tools. He also covers what is involved in testing for the Top 10 and identifies the shortfalls of automated tools.

Evaluation criteria for black box scanners - http://www.virtualforge.de/whitepapers/web_scanner_benchmark.pdf

The US National Institute of Standards and Technology (NIST) runs the Software Assurance Metrics And Tool Evaluation (SAMATE) project which “is dedicated to improving software assurance by developing methods to enable software tool evaluations, measuring the effectiveness of tools and techniques, and identifying gaps in tools and methods.” Here is a slide made in Oct 2007 which summarizes what they do.

I find the following compilation of tools on the site particularly useful:

Open source tools I currently use:

  • Pixy – written in Java for scanning PHP4 source files. I wrote a wrapper script in Perl so that it could scan all potentially vulnerable source files below a directory.
  • OWASP SQLix – written in Perl for black box testing of URLs. It can test a single URL or spider a site (-crawl option) for potentially vulnerable links, but the spider misses a lot.
  • Google ratproxy – a semi-automatic scanner written in C. You have to set your browser to use the ‘ratproxy’ service as its web proxy and visit specific links on the web site being tested. Once it notices potential vulnerabilities, it can perform additional testing on its own.

Another promising tool which I had wanted to try out was SecuBat. Alas, it runs only on MS Windows and requires MS SQL Server.

Permitting Remote Desktop through Check Point NGX60 firewall

April 30, 2009 by cynici

Scenario: You want to permit specific sources to access a protected resource through a Check Point NGX 60 firewall.

Both “services” below must be allowed:

  • UDP remote desktop
  • TCP terminal services

Yahoo account hijacked?

March 9, 2009 by cynici

Over the weekend, a friend told me that she had received an email from her friend, purportedly requesting an urgent loan. Although the sender’s email address was exactly her friend’s (a Yahoo account), she was absolutely sure that her friend would never have made such a request.

This morning, I found a similar email in my mailbox, and the sender’s address belongs to an ex-schoolmate. So, I am certain that a (large?) number of Yahoo accounts have been hijacked by Nigerian 419 scammers.

I have removed my friend’s Yahoo identity from the verbatim below.

From: richard tan [mailto:******@yahoo.com] 

Sent: Sunday, 8 March, 2009 12:51 PM

To: ******@yahoo.com

Subject: Please i need your help

I am in a hurry writing you this message, i am sorry i didn’t inform you about my urgent trip to London i don’t have much time on the pc here,so i have to brief you my present situation which requires your urgent response actually, I had a trip to London yesterday but unfortunately for me all my money got stolen at the hotel where i lodged due to a robbery incident that happened in the hotel.I had been so restless since last night cos i have been without any money i am even oweing the hotel here as well moreover the Hotel’s telephone lines here got dissconnected by the robbers and they are trying to get them fixed back i have access to only emails at the library because my mobile cant work here so i didnt bring it along,please i want you to help me with money so please can you send me $2500 so when i return back i would refund it back to you as soon as i get home,I am so confused right now and dont know what to do,you can have it sent through Money Gram or Western Union Money Transfer so will get it immediately its sent but let me know if you can helpme then i will make findings.please let me hear from you so i can give you my the address and name where you can send the money to today please.Its really urgent for me as i dont know what to do right now than to leave here soonest you send it to me and i’ll pay you back immediately i get home..Thanks alot for your kindness,   

I will really appreciate your quick response.

         Best Regards 

           Tan

-Private & Confidential- 

This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message and hereby notified that any disclosure, copying, or distribution of this message (or any part thereof),  or the taking of any action based on it, is strictly prohibited.

The mail headers showed the sender’s IP address as 206.190.49.152, which indeed belongs to Yahoo. It is not located in the UK but in the USA (according to http://www.geobytes.com/IpLocator.htm?GetLocation).

A search on the Internet for similar cases suggests that my friend has probably fallen victim to a phishing attack and revealed his Yahoo account login information to the scammer at some point.

If you receive a similar scam email, contact the sender (not via the hijacked email address, of course) as soon as possible so that he/she can change the password, and do so using a trusted computer free of malware (viruses, spybots, rootkits, etc.).
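Reading the sender's address out of the Received: headers, as the post did, as an added example that is not part of the original post. The sample message below is constructed with documentation-range addresses and made-up hostnames; only the hop recorded by your own mail server (the last element) is beyond the sender's control, so the earlier hops should be treated as claims.

```python
import email
import re
from email import policy

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def received_chain(raw_message):
    """IPv4 address of each relay named in the Received: headers, oldest hop first.
    Every relay prepends its own header, so the header order is newest-first and
    is reversed here; element 0 is the address the message claims to originate from."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    for header in msg.get_all("Received", []):
        from_clause = str(header).split(" by ", 1)[0]  # ignore the receiving host
        match = IPV4.search(from_clause)
        if match:
            hops.append(match.group(1))
    hops.reverse()
    return hops


def origin_and_last_peer(raw_message):
    """(claimed originating address, address seen by the final, trusted hop)."""
    hops = received_chain(raw_message)
    if not hops:
        return None, None
    return hops[0], hops[-1]


# Constructed sample: webmail submission relayed through two hosts to the recipient's MX.
SAMPLE_MESSAGE = """\
Received: from mta.example.net (mta.example.net [192.0.2.10])
    by mx.recipient.example (Postfix) with ESMTP id 4F3A1
    for <friend@recipient.example>; Sun, 8 Mar 2009 12:52:10 +0800
Received: from web1.mail.example.net (web1.mail.example.net [198.51.100.23])
    by mta.example.net with SMTP; Sun, 8 Mar 2009 12:51:50 +0800
Received: from [203.0.113.77] by web1.mail.example.net via HTTP;
    Sun, 8 Mar 2009 12:51:40 +0800
From: richard tan <sender@example.net>
To: friend@recipient.example
Subject: Please i need your help

I am in a hurry writing you this message ...
"""

if __name__ == "__main__":
    print("relay chain, oldest first:", received_chain(SAMPLE_MESSAGE))
    print("claimed origin / peer seen by our MX:", origin_and_last_peer(SAMPLE_MESSAGE))
```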