
8 posts from July 2009

07/29/2009

Does Technorati Work Any More?

If I ever need to know when I switched this blog over to its present-day domain name of 'blog.techstacks.com', Technorati has a great service for small-time bloggers like me called "Last Ping".  Last Ping gives you the number of days since you last pinged Technorati, that is, since you last told their crawlers that you have published or posted something new on your blog.  

As of the time of this writing, even though I ping technorati EVERY TIME I post something new or update something on the site, Last Ping is always there ready to let me know that it has been 185 days since my last ping (and counting!).  185 days ago is when I switched domain names from 'allsortsandnotions.blogspot.com' to 'blog.techstacks.com'.  

It's almost cruel.  It doesn't seem to matter where or how I ping.  Ping from their "Ping Us" page:  "Thanks for the ping!  You last pinged us 185 days ago!"  Ping through Ping-O-Matic?  "Ping sent!"  Ping with the primitive Groovy script below, which uses their XML-RPC API?  "Thanks for the Ping!" 

#!/usr/bin/env groovy

// Requires the Groovy XML-RPC module (groovy.net.xmlrpc)
import groovy.net.xmlrpc.*

// Technorati's weblogUpdates ping endpoint
def server = new XMLRPCServerProxy("https://rpc.technorati.com/rpc/ping")

// weblogUpdates.ping(blogName, blogUrl) returns a struct when the ping is accepted
def result = server.weblogUpdates.ping("blogging techstacks", "https://blog.techstacks.com/")

if (result != null) {
    println "Thanks for the ping!"
}
And still, Last Ping is always there to remind me that all my subsequent ping attempts are really cute and funny.  So, I have written a new script for other bloggers out there called "Last Ping" that logs into Technorati and reminds you how long it has been since your last worthy ping.  It uses Perl and the WebService::Technorati module (gosh, CPAN really does have everything).  This script is a real time-saver!  Below is the source code; it may soon wind up available for download on the Downloads page.

Update:  Technorati API calls began failing on October 25th, 2009, due to the launch of the 'new' Technorati, so this script has been removed from the Downloads page.

Plug in your blog URL and your Technorati API key in the corresponding $url and $apikey variables and you too can see at a glance when your last 'real' ping was received.  Output for me is as follows:

    The last compelling thing I wrote was on: 2009-01-20 06:56:38 GMT

Perl and Groovy Source:

#!/usr/bin/env perl

use strict;
use warnings;

# WebService::Technorati wraps Technorati's bloginfo API
use WebService::Technorati;

my $apikey = 'enter_your_API_KEY_here';
my $url = 'your_BLOG_URL_goes_here';
my $t = WebService::Technorati->new( key => $apikey );

# Ask for the blog record Technorati holds for this URL
my $q = $t->getBloginfoApiQuery($url);
$q->execute;

# lastupdate is the timestamp of the last ping Technorati actually counted
my $lastping = $q->getSubjectBlog();
print "The last compelling thing I wrote was on: " . $lastping->{lastupdate} . "\n";

I'm hoping that soon Technorati will build some web services out of their support site so that I can then script something that will track how long it has been since I opened my first and second cases with them about this particular issue and maybe even calculate the delta between the case open date and a response.

The Groovy version of the same script is:

#!/usr/bin/env groovy

// Requires HTTPBuilder (groovyx.net.http.RESTClient)
import groovyx.net.http.RESTClient
import groovy.util.slurpersupport.GPathResult
import static groovyx.net.http.ContentType.*

// Technorati's bloginfo call; fill in your API key and blog URL
def client = new RESTClient( 'https://api.technorati.com/bloginfo?key=INSERT_YOUR_API_KEY_HERE&url=INSERT_YOUR_URL_HERE' )

def resp = client.get( contentType: XML, headers: [Accept: 'application/xml'] )
// The XML content type makes HTTPBuilder parse the body into a GPathResult tree
assert resp.data instanceof GPathResult

println "The last compelling thing I wrote was on: ${resp.data.document.result.weblog.lastupdate}"
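As an added illustration (not the page's or Technorati's code), this is the weblogUpdates.ping exchange the first Groovy script in this post performs, built with Python's xmlrpc.client and run against a hypothetical in-process endpoint so it works offline; the endpoint's validation rules and the blog name and URL are constructed for the example.

```python
import xmlrpc.client
from urllib.parse import urlparse

# Constructed sample arguments, the same two the Groovy script sends.
BLOG_NAME = "blogging techstacks"
BLOG_URL = "https://blog.techstacks.com/"


def build_ping_request(name, url):
    """Serialize a weblogUpdates.ping call as the XML-RPC client puts it on the wire."""
    return xmlrpc.client.dumps((name, url), methodname="weblogUpdates.ping")


def handle_ping(request_xml):
    """Hypothetical ping endpoint: parse the call, check the URL, answer with the
    weblogUpdates struct {flerror, message} the real services return."""
    params, method = xmlrpc.client.loads(request_xml)
    if method != "weblogUpdates.ping" or len(params) != 2:
        reply = {"flerror": True, "message": "Unsupported method or argument count"}
    else:
        _name, url = params
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            reply = {"flerror": True, "message": "Invalid blog URL"}
        else:
            # Accepting the ping says nothing about whether an index was updated.
            reply = {"flerror": False, "message": "Thanks for the ping!"}
    return xmlrpc.client.dumps((reply,), methodresponse=True)


def ping(name, url):
    """Client side: send the request through the in-process endpoint and decode the reply."""
    response_xml = handle_ping(build_ping_request(name, url))
    (reply,), _ = xmlrpc.client.loads(response_xml)
    return reply
```

The reply only confirms that the request parsed and the URL looked sane, which is why "Thanks for the ping!" and a 185-day-old Last Ping can coexist.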


07/28/2009

Apache 2.2.12 Released

You know, I was just thinking to myself earlier this morning that it has been a while since the last update to Apache came out, and merely 12 hours later the milkmen at the Apache httpd project have delivered!  Apache 2.2.12 has been released!  Seven security-related fixes and lots of bug fixes, mostly in the mod_proxy_* modules, plus some mod_deflate fixes, a mod_ssl fix, etc.

Also new in this release is a piped log syntax that allows piped logging without spawning a shell process (or so I've gathered from the release notes).  

Grab a copy of the source right now at a mirror near you.  The CHANGELOG details all the fixes, updates, and love included in this release.

07/26/2009

New Release: CryptoNark v0.2

CryptoNark 0.4.1 is the most recent version. See the Release Announcement for more details.

I have modified CryptoNark (aka 'cnark.pl') so that it is a little more useful now as a PCI compliance auditing tool.  New in this version, which is available in the Downloads section of this site, is color-coded output.  Information on this tool is on the main CryptoNark page as well.  "Good" ciphers are labeled in green and "bad" ciphers are labeled in red, which should help provide visual cues as to how successful your remediation efforts at disabling weak SSL ciphers have been.  

A screen shot, taken against my highly insecure test instance, to illustrate the new output is below:

[Screenshot: CryptoNark v0.2 color-coded output]

The idea behind this script is pretty straightforward.  Simply run:  cnark.pl <hostname> <port>.  If any ciphers show up red, modify your web or application server's configuration to disable those ciphers.  Re-run the script to make sure only green ciphers are listed. 

The source code is listed below for anyone wanting to suggest improvements or changes.

#!/usr/bin/env perl
# Usage: ./cryptonark.pl host port
# based on sslthing.sh by blh [at] blh.se
# ported to perl by Chris M - techstacks.com
#
# cryptonark: 
# version 0.1 - Initial Version
#
# almost a direct port, this version also tests
# null and anonymous ssl ciphers and reports 
# accordingly. A little more information is provided
# in the output. Used best if used to validate PCI-DSS
# compliance--to check that null, anonymous and weak ciphers
# are disabled. 
#
# It probably will not run right "out of the box"--it requires
# IO::Socket::SSL. Tie::Hash::Indexed, although not strictly required
# is nice to have in order to order the hash lists from strongest to 
# weakest. Otherwise, the order could be random making the results a
# bit harder to read.
#
# version 0.2 - Added Color Coded output. 
# Good ciphers are green, bad ones are red.

use strict;
use warnings;

use Term::ANSIColor qw(:constants);
use Tie::Hash::Indexed;
use IO::Socket::SSL;

my $host = $ARGV[0];
my $port = $ARGV[1];

my $help = "Usage: $0 <hostname> <port>";

# Shared by the test loop and is_weak(): the cipher name and its description
my $key;
my $value;

if ( @ARGV != 2 ) {
 print $help . "\n";
 exit 0;
}

# Populate the cipher hashes with OpenSSL cipher names
# Note: TLSv1 ciphers and SSLv3 ciphers are identical
# but I'm running separate checks any way.

tie my %ssl2_ciphers, 'Tie::Hash::Indexed';
tie my %ssl3_ciphers, 'Tie::Hash::Indexed';
tie my %tls1_ciphers, 'Tie::Hash::Indexed';

%ssl2_ciphers = (
 'DES-CBC3-MD5' => '168 bits, High Encryption',
 'RC2-CBC-MD5' => '128 bits, Medium Encryption',
 'RC4-MD5' => '128 bits, Medium Encryption',
 'DES-CBC-MD5' => '56 bits, Low Encryption',
 'EXP-RC2-CBC-MD5' => '40 bits, Export-Grade Encryption',
 'EXP-RC4-MD5' => '40 bits, Export-Grade Encryption'
);

%ssl3_ciphers = (
 'ADH-AES256-SHA' => '256 bits, High Encryption, Anonymous Auth',
 'DHE-RSA-AES256-SHA' => '256 bits, High Encryption',
 'DHE-DSS-AES256-SHA' => '256 bits, High Encryption',
 'AES256-SHA' => '256 bits, High Encryption',
 'ADH-DES-CBC3-SHA' => '168 bits, High Encryption, Anonymous Auth',
 'EDH-RSA-DES-CBC3-SHA' => '168 bits, High Encryption',
 'EDH-DSS-DES-CBC3-SHA' => '168 bits, High Encryption',
 'DES-CBC3-SHA' => '168 bits, High Encryption',
 'ADH-AES128-SHA' => '128 bits, High Encryption, Anonymous Auth',
 'DHE-RSA-AES128-SHA' => '128 bits, High Encryption',
 'DHE-DSS-AES128-SHA' => '128 bits, High Encryption',
 'AES128-SHA' => '128 bits, High Encryption',
 'RC4-SHA' => '128 bits, Medium Encryption',
 'RC4-MD5' => '128 bits, Medium Encryption',
 'ADH-RC4-MD5' => '128 bits, Medium Encryption, Anonymous Auth',
 'EDH-RSA-DES-CBC-SHA' => '56 bits, Low Encryption',
 'EDH-DSS-DES-CBC-SHA' => '56 bits, Low Encryption',
 'DES-CBC-SHA' => '56 bits, Low Encryption',
 'ADH-DES-CBC-SHA' => '56 bits, Low Encryption, Anonymous Auth',
 'EXP-ADH-DES-CBC-SHA' => '40 bits, Export-Grade Encryption',
 'EXP-ADH-RC4-MD5' => '40 bits, Export-Grade Encryption',
 'EXP-EDH-RSA-DES-CBC-SHA' => '40 bits, Export-Grade Encryption',
 'EXP-EDH-DSS-DES-CBC-SHA' => '40 bits, Export-Grade Encryption',
 'EXP-DES-CBC-SHA' => '40 bits, Export-Grade Encryption',
 'EXP-RC2-CBC-MD5' => '40 bits, Export-Grade Encryption',
 'EXP-RC4-MD5' => '40 bits, Export-Grade Encryption',
 'NULL-SHA' => 'Null cipher, No Encryption',
 'NULL-MD5' => 'Null cipher, No Encryption'
);

%tls1_ciphers = (
 'ADH-AES256-SHA' => '256 bits, High Encryption, Anonymous Auth',
 'DHE-RSA-AES256-SHA' => '256 bits, High Encryption',
 'DHE-DSS-AES256-SHA' => '256 bits, High Encryption',
 'AES256-SHA' => '256 bits, High Encryption',
 'ADH-DES-CBC3-SHA' => '168 bits, High Encryption, Anonymous Auth',
 'EDH-RSA-DES-CBC3-SHA' => '168 bits, High Encryption',
 'EDH-DSS-DES-CBC3-SHA' => '168 bits, High Encryption',
 'DES-CBC3-SHA' => '168 bits, High Encryption',
 'ADH-AES128-SHA' => '128 bits, High Encryption, Anonymous Auth',
 'DHE-RSA-AES128-SHA' => '128 bits, High Encryption',
 'DHE-DSS-AES128-SHA' => '128 bits, High Encryption',
 'AES128-SHA' => '128 bits, High Encryption',
 'RC4-SHA' => '128 bits, Medium Encryption',
 'RC4-MD5' => '128 bits, Medium Encryption',
 'ADH-RC4-MD5' => '128 bits, Medium Encryption, Anonymous Auth',
 'EDH-RSA-DES-CBC-SHA' => '56 bits, Low Encryption',
 'EDH-DSS-DES-CBC-SHA' => '56 bits, Low Encryption',
 'DES-CBC-SHA' => '56 bits, Low Encryption',
 'ADH-DES-CBC-SHA' => '56 bits, Low Encryption, Anonymous Auth',
 'EXP-ADH-DES-CBC-SHA' => '40 bits, Export-Grade Encryption',
 'EXP-ADH-RC4-MD5' => '40 bits, Export-Grade Encryption',
 'EXP-EDH-RSA-DES-CBC-SHA' => '40 bits, Export-Grade Encryption',
 'EXP-EDH-DSS-DES-CBC-SHA' => '40 bits, Export-Grade Encryption',
 'EXP-DES-CBC-SHA' => '40 bits, Export-Grade Encryption',
 'EXP-RC2-CBC-MD5' => '40 bits, Export-Grade Encryption',
 'EXP-RC4-MD5' => '40 bits, Export-Grade Encryption',
 'NULL-SHA' => 'Null cipher, No Encryption',
 'NULL-MD5' => 'Null cipher, No Encryption'
);

# Print the cipher in red if it is export-grade, null, anonymous or
# single DES; green otherwise.
sub is_weak{
 if ($key =~ /^EXP-|^NULL|^ADH-|DES-CBC-/) {
  print RED, " " . $key . " -- " . $value . "\n", RESET;
 }
 else {
  print GREEN, " " . $key . " -- " . $value . "\n", RESET;
 }
}

# Open a connection offering a single cipher at a time; a completed
# handshake means the server accepts that cipher for that protocol.
sub test_ciphers {
 my ($version, $ciphers) = @_;
 print "Testing $version Ciphers...\n";
 while (($key,$value) = each(%$ciphers)) {
  my $client = IO::Socket::SSL->new(
   SSL_verify_mode => 0,
   SSL_version => $version,
   SSL_cipher_list => $key,
   PeerAddr => $host,
   PeerPort => $port,
   Proto => 'tcp',
   Timeout => 5
  );
  if ($client) {
   is_weak();
   $client->close;
  }
 }
}

test_ciphers('SSLv2', \%ssl2_ciphers);
test_ciphers('SSLv3', \%ssl3_ciphers);
test_ciphers('TLSv1', \%tls1_ciphers);
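The cipher tables and the is_weak() regex above are hand-maintained. As an added example (not part of CryptoNark), here is how the same descriptions and red/green verdicts can be derived from the fields OpenSSL itself reports in `openssl ciphers -v`; the sample lines are constructed in that format, and the grade rules are my reading of the tables above (High, Medium for RC4/RC2, Low below 128 bits, Export-Grade).

```python
import re

# Constructed sample in `openssl ciphers -v` format (OpenSSL 0.9.8 era), one per class.
SAMPLE_OPENSSL_V = """\
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
"""
LINE_RE = re.compile(r"^(?P<name>\S+)\s+\S+\s+Kx=\S+\s+Au=(?P<au>\S+)\s+Enc=(?P<enc>[A-Za-z0-9]+)"
                     r"(?:\((?P<bits>\d+)\))?\s+Mac=\S+(?P<export>\s+export)?\s*$")

def parse_cipher_line(line):
    """Pull the auth method, cipher, key size and export flag out of one `openssl ciphers -v` line."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised cipher line: {line!r}")
    c = m.groupdict()
    c["bits"] = int(c["bits"]) if c["bits"] else 0   # Enc=None carries no key size
    c["export"] = c["export"] is not None
    c["anonymous"] = c["au"] == "None"                # ADH-* suites: no server authentication
    return c

def describe(c):
    """Rebuild the description text CryptoNark hard-codes for each cipher."""
    if c["enc"] == "None":
        text = "Null cipher, No Encryption"
    else:
        grade = ("Export-Grade" if c["export"] else "Low" if c["bits"] < 128
                 else "Medium" if c["enc"] in ("RC4", "RC2") else "High")
        text = f"{c['bits']} bits, {grade} Encryption"
    return text + (", Anonymous Auth" if c["anonymous"] else "")

def verdict(c):
    """Same colour the is_weak() regex gives, derived from the fields, plus the reason."""
    if c["enc"] == "None":
        return ("red", "no encryption")
    if c["anonymous"]:
        return ("red", "no server authentication")
    if c["export"]:
        return ("red", "export-grade key")
    if c["bits"] < 128:
        return ("red", f"{c['bits']}-bit key")
    return ("green", "")

def audit(openssl_v_output):
    """Map each cipher name to (description, (colour, reason))."""
    lines = [l for l in openssl_v_output.splitlines() if l.strip()]
    return {c["name"]: (describe(c), verdict(c)) for c in map(parse_cipher_line, lines)}
```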