<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Mon, Nov 21, 2016 at 1:01 PM, John Gilmore <span dir="ltr"><<a href="mailto:gnu@toad.com" target="_blank">gnu@toad.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Dustin Kirkland wrote a randomness client and server for feeding<br>
Ubuntu virtual machines that don't have good randomness sources, which<br>
is now a standard feature in Ubuntu since 14.04 Cloud instances. See:<br>
<br>
<a href="http://blog.dustinkirkland.com/2014/02/random-seeds-in-ubuntu-1404-lts-cloud.html" rel="noreferrer" target="_blank">http://blog.dustinkirkland.<wbr>com/2014/02/random-seeds-in-<wbr>ubuntu-1404-lts-cloud.html</a><br>
<a href="https://launchpad.net/pollinate" rel="noreferrer" target="_blank">https://launchpad.net/<wbr>pollinate</a></blockquote><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
I am wondering just how hard this would be for NSA or another passive<br>
attacker to break.<br></blockquote><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
that hash of the response to /dev/urandom. The code is shipped with<br>
the certificate of host "<a href="http://entropy.ubuntu.com" rel="noreferrer" target="_blank">entropy.ubuntu.com</a>" and by default makes an<br>
HTTPS access to it, checking via the certificate that it hasn't been<br>
impersonated.<br>
<br>
My initial concern is that the entire transaction is visible to<br>
eavesdroppers.</blockquote><div>... </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">What am I missing?</blockquote><div>
<br>You seem to have a handle on the risks.<br>To me the issue is the notion of a cloud and cloud service.</div><div><br></div><div>For a VM in a cloud to reach out to the internet at any time</div><div>especially as part of the normal system boot sequence and </div><div>initial firewall settings seems wrong. A cloud service can fix that</div><div>and should in the images they deploy for you.</div><div><br></div><div>I see that, pollinate is easy to modify and puppet has</div><div>some notion of how to keep things close:</div><div> "<span style="font-size:13px;color:rgb(51,51,51);font-family:ubuntu,"ubuntu beta","bitstream vera sans","dejavu sans",tahoma,sans-serif">Prior to configuring </span><span class="gmail-app gmail-application" style="font-size:13px;margin:0px;padding:0px;border:0px;font-style:italic;line-height:1.5;font-family:ubuntu,"ubuntu beta","bitstream vera sans","dejavu sans",tahoma,sans-serif;vertical-align:baseline;color:rgb(51,51,51)">puppet</span><span style="font-size:13px;color:rgb(51,51,51);font-family:ubuntu,"ubuntu beta","bitstream vera sans","dejavu sans",tahoma,sans-serif"> you may want to add a DNS </span><span class="em emphasis" style="font-size:13px;margin:0px;padding:0px;border:0px;font-style:italic;line-height:1.5;font-family:ubuntu,"ubuntu beta","bitstream vera sans","dejavu sans",tahoma,sans-serif;vertical-align:baseline;color:rgb(51,51,51);white-space:normal">CNAME</span><span style="font-size:13px;color:rgb(51,51,51);font-family:ubuntu,"ubuntu beta","bitstream vera sans","dejavu sans",tahoma,sans-serif"> record for </span><span class="em emphasis" style="font-size:13px;margin:0px;padding:0px;border:0px;font-style:italic;line-height:1.5;font-family:ubuntu,"ubuntu beta","bitstream vera sans","dejavu sans",tahoma,sans-serif;vertical-align:baseline;color:rgb(51,51,51);white-space:normal"><a href="http://puppet.example.com">puppet.example.com</a></span><span style="font-size:13px;color:rgb(51,51,51);font-family:ubuntu,"ubuntu beta","bitstream vera sans","dejavu sans",tahoma,sans-serif">, </span></div><div><span style="font-size:13px;color:rgb(51,51,51);font-family:ubuntu,"ubuntu beta","bitstream vera sans","dejavu sans",tahoma,sans-serif"> where </span><span class="em emphasis" style="font-size:13px;margin:0px;padding:0px;border:0px;font-style:italic;line-height:1.5;font-family:ubuntu,"ubuntu beta","bitstream vera sans","dejavu sans",tahoma,sans-serif;vertical-align:baseline;color:rgb(51,51,51);white-space:normal"><a href="http://example.com">example.com</a></span><span style="font-size:13px;color:rgb(51,51,51);font-family:ubuntu,"ubuntu beta","bitstream vera sans","dejavu sans",tahoma,sans-serif"> is your domain. By default</span><span class="gmail-app gmail-application" style="font-size:13px;margin:0px;padding:0px;border:0px;font-style:italic;line-height:1.5;font-family:ubuntu,"ubuntu beta","bitstream vera sans","dejavu sans",tahoma,sans-serif;vertical-align:baseline;color:rgb(51,51,51)">Puppet</span><span style="font-size:13px;color:rgb(51,51,51);font-family:ubuntu,"ubuntu beta","bitstream vera sans","dejavu sans",tahoma,sans-serif"> clients check DNS for <a href="http://puppet.example.com">puppet.example.com</a> </span></div><div><span style="font-size:13px;color:rgb(51,51,51);font-family:ubuntu,"ubuntu beta","bitstream vera sans","dejavu sans",tahoma,sans-serif"> as the puppet server...."<br>Keeping control over external connections and actions at initialization is important.</span></div><div><span style="font-size:13px;color:rgb(51,51,51);font-family:ubuntu,"ubuntu beta","bitstream vera sans","dejavu sans",tahoma,sans-serif"><br>Using the same mind set I would change <a href="http://entropy.ubuntu.com">entropy.ubuntu.com</a> to entropy.cloud.my_domain.con</span></div><div><font color="#333333" face="ubuntu, ubuntu beta, bitstream vera sans, dejavu sans, tahoma, sans-serif">having put a local server inside the cloud space and behind the main firewall. I would</font></div><div><font color="#333333" face="ubuntu, ubuntu beta, bitstream vera sans, dejavu sans, tahoma, sans-serif">also install a default firewall rule set and force hop counts at initialization to be short enough</font></div><div><font color="#333333" face="ubuntu, ubuntu beta, bitstream vera sans, dejavu sans, tahoma, sans-serif">that they never leave the building until a number of sanity checks and initializations are finished. <br><br>The entropy service is modest enough that a raspberry-pi could serve up</font></div><div><font color="#333333" face="ubuntu, ubuntu beta, bitstream vera sans, dejavu sans, tahoma, sans-serif">bits for a very large number of first boot systems as long as the power is </font></div><div><font color="#333333" face="ubuntu, ubuntu beta, bitstream vera sans, dejavu sans, tahoma, sans-serif">sequenced.</font></div><div><br>He has a solution for his cloud view but the world is bigger.<br>His idea seems simple, portable and easy to adjust...<br>I suspect managing the default firewall and hop count would be key</div><div>to keeping initial actions close to home and under control.<br><br>The title is interesting... </div><div>Cheng Jin and Kang G. Shin, "Defense against Spoofed
IP Traffic </div><div>Using Hop-Count Filtering", IEEE/ACM
Trans. Networking, vol. 15 No. I, Feb 2007. <br><a href="https://www.eecis.udel.edu/~hnw/paper/rogueip_ccs03.pdf">https://www.eecis.udel.edu/~hnw/paper/rogueip_ccs03.pdf</a><br></div><div class="gmail_quote"><br></div>On Ubuntu.. pick a number that does what is needed.<br> sudo sysctl net.ipv4.ip_default_ttl=5 # to start keep things close<br> sudo sysctl net.ipv4.ip_default_ttl=129 # all set, let us go</div><div class="gmail_quote"><br>-- </div><div class="gmail_signature"><div dir="ltr"> T o m M i t c h e l l</div></div>
</div></div>