Sunday, December 9, 2007

OpenBSD on Soekris -- A Cheater's Guide

I've been using Soekris devices for quite some time. Basically any time I need to get some routing, firewalling, skullduggery, etc, that doesn't require serious CPU, I toss a Soekris box at the problem. They are great little devices -- low power, dead quiet and rock solid.

The obvious downside of a system like the Soekris is the wimpy CPU. This really is only an issue during installation and during the initial system configuration. After that, the box is a real work horse.

Below are the steps I recently used to get my NET4801 running OpenBSD 4.2 -current. The difference here is that I use qemu to make use of the considerably faster CPU on my desktop to breeze through the install and initial configuration.

  1. Download install42.iso from your local mirror
  2. Plug in your CF card that you'll use in your Soekris. Take note of what device it gets assigned
  3. Start qemu, replacing /dev/sdb with whatever device your CF is:
    qemu -hda /dev/sdb -cdrom install42.iso -boot d
  4. Install as usual. Configure your interface to use DHCP, as anything else won't work inside qemu. Set default console to com0 and set the speed to match your Soekris (9600)
  5. Finish installation. Halt. Stop qemu. Restart without the iso:
    qemu -hda /dev/sdb
  6. Once booted, edit /etc/fstab so that / is mounted with noatime, read-only. My /etc/fstab looks like this:
    /dev/wd0a / ffs ro,noatime 1 1
  7. Now put the volatile stuff into MFS so you won't wear out your CF too fast. Create an MFS directory for /var:
    mkdir /mfs
    cp -rp /var /mfs/var
    
  8. Similarly for /dev:
    mkdir /mfs/dev
    cp /dev/MAKEDEV /mfs/dev
    cd /mfs/dev
    ./MAKEDEV all
    
  9. Add the appropriate lines to /etc/fstab to ensure that /dev and /var get mounted as MFS at boot. Change the values for -s and -i as you feel necessary. This works for me on a 1G CF:
    swap /var mfs rw,-P=/mfs/var,-s=32768,noexec,nosuid 0 0
    swap /dev mfs rw,-P=/mfs/dev,-s=8192,-i=128,noexec,nosuid 0 0
    
  10. Now symlink /tmp to /var/tmp so that temporary files can be written to:
    rm -Rf /tmp
    ln -s /var/tmp /tmp
    
  11. Install rsync to handle synchronizing /var. This assumes you've set $PKG_PATH to your favorite local mirror:
    pkg_add rsync
  12. Add a cronjob to periodically sync any changes to /var. I prefer a weekly job. Add something like the following to root's crontab:
    1  0  */7  *  *  /usr/local/bin/rsync -az --delete /var/ /mfs/var/
    
  13. Finally, edit the shutdown script to sync any unsynchronized changes at shutdown time. Add the following to the end of /etc/rc.shutdown:
    /usr/local/bin/rsync -vaz --delete /var/ /mfs/var/

That's it. Halt your OpenBSD installation, stop qemu and install the CF in your Soekris. Any further configuration can be done by way of sshd or the serial console, but remember that / is mounted read-only, so you'll need to mount it read-write before changing anything.
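Added example, not code from the original post: a small sh script that checks a candidate /etc/fstab against the layout from steps 6 and 9 (read-only, noatime root; noexec,nosuid MFS for /var and /dev backed by /mfs prototypes) and a helper that wraps a single command in the read-write remount mentioned above. The `mount -u -o rw /` and `mount -u -o ro /` invocations assume OpenBSD's mount(8); the sample fstab is constructed from the entries in this post.

```shell
#!/bin/sh
# Added example, not from the original post: check a Soekris-style fstab
# before pulling the CF card, plus a helper that remounts / read-write
# around one command. Assumes OpenBSD mount(8) "-u" update semantics.

# check_fstab: reads fstab text on stdin, prints one FAIL line per problem,
# returns 0 only when / is ro,noatime and /var and /dev are noexec,nosuid MFS.
check_fstab() {
    awk '
    function has(opts, o) { return opts ~ ("(^|,)" o "(,|$)") }
    $2 == "/" {
        root = 1
        if ($3 != "ffs")         bad["/ is not ffs"] = 1
        if (!has($4, "ro"))      bad["/ is not mounted read-only"] = 1
        if (!has($4, "noatime")) bad["/ is missing noatime"] = 1
    }
    $2 == "/var" || $2 == "/dev" {
        seen[$2] = 1
        if ($3 != "mfs")         bad[$2 " is not mfs"] = 1
        if (!has($4, "noexec"))  bad[$2 " is missing noexec"] = 1
        if (!has($4, "nosuid"))  bad[$2 " is missing nosuid"] = 1
        if ($4 !~ /-P=\/mfs\//)  bad[$2 " has no -P=/mfs/... prototype"] = 1
    }
    END {
        if (!root)             bad["no / entry"] = 1
        if (!("/var" in seen)) bad["no /var mfs entry"] = 1
        if (!("/dev" in seen)) bad["no /dev mfs entry"] = 1
        n = 0
        for (k in bad) { print "FAIL: " k; n++ }
        exit (n > 0)
    }'
}

# with_rw_root: remount / read-write, run the command, remount read-only.
with_rw_root() {
    mount -u -o rw / || return 1
    "$@"; st=$?
    mount -u -o ro /
    return $st
}

# Constructed sample matching the entries from steps 6 and 9.
SAMPLE_FSTAB='/dev/wd0a / ffs ro,noatime 1 1
swap /var mfs rw,-P=/mfs/var,-s=32768,noexec,nosuid 0 0
swap /dev mfs rw,-P=/mfs/dev,-s=8192,-i=128,noexec,nosuid 0 0'

printf '%s\n' "$SAMPLE_FSTAB" | check_fstab && echo "fstab looks sane"
```

Run it as `with_rw_root vi /etc/fstab` on the box itself, or feed it any fstab from the qemu session to catch a forgotten ro or nosuid before the card goes into the Soekris.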

Enjoy.

Saturday, December 1, 2007

Demystifying Craigslist Anonymization

Craigslist is one of those services that many people could not live without. Where else can you go to get free palm trees, 40 cubic yards of broken concrete sidewalk, AND get rid of that ugly couch and pick up a date all in one visit?

When Craigslist started, if I had to guess, there was little expectation of privacy. When you posted, you entered your "real" email address and your dirty laundry was now in the public eye. At one point they added functionality whereby you could anonymize your posting if you so desired. The functionality was quite simple. At the time of your posting, if you opted to remain anonymous, an email address within craigslist was created -- it took the format of -@craigslist.org. Emails to this address would get relayed to your email address of choice. At some point within the last year or so, the options have changed. Previously, you could choose to be anonymous or not, or even not post any email-related contact information whatsoever. You now only have two options -- anonymous or none.

As an example of how this anonymization works, I've posted to the Los Angeles Craigslist "items wanted" section seeking the much desired left handed smoke shifter. The email address [email protected] will accept and relay messages to my Gmail account which I keep for these purposes. If you email and I reply, by default you would see my Gmail address, thereby ruining my anonymity. Many Craigslisters, however, are savvy enough to properly set their From: when replying to continue to mask their true identity. For example, in my .muttrc, I have the following:

alternates = .*@spoofed\.org|.*@craigslist\.org

This tells mutt that if I get email to either of those domains, it should set the From: to that of the original To:. You can accomplish something similar in Gmail with the "send mail as" setting.

Unfortunately, Craigslist anonymization only provides a minimal amount of anonymity, but I suspect it serves its original purpose -- to protect the addresses of posters from being harvested by spammers. This should not come as a surprise to anyone who is familiar with how SMTP works, but aside from front-line anonymity, this service is rather trivial to abuse.

For example, if you respond to my posting about the left-handed smoke shifter, I see the following in Gmail:

Date: Sat, 1 Dec 2007 12:46:24 -0800
From: Jon Hart 
To: [email protected]
Subject: shifter?

That craigslist.org address forwards all correspondence to my Gmail address. When I reply, the untrained eye will see:

Date: Sat, 1 Dec 2007 12:51:33 -0800
From: Test 
To: Jon Hart 
Subject: Re: shifter?

However, unless you use an email service that is configured specifically for this purpose, the headers will give away my true identity:

Return-Path: 
Date: Sat, 1 Dec 2007 12:51:33 -0800
From: Test 
Sender: 
To: Jon Hart 
Subject: Re: shifter?

As you can see, if you view the full, unmolested headers of my supposedly anonymous response, the From: is my craigslist relayer, but Return-Path: and Sender: give me away. There are other headers that can give you away as well, most notably X-Original-From:.
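Added example, not from the original post: a sh/awk script that performs the header inspection described above on a raw reply, flagging any Return-Path:, Sender: or X-Original-From: whose domain differs from the From: domain. The sample reply and its placeholder addresses are constructed; the real addresses on this page are not reproduced.

```shell
#!/bin/sh
# Added example, not from the original post: scan a reply's raw headers for
# fields whose address domain differs from the From: domain, i.e. the
# Return-Path:/Sender:/X-Original-From: leak. Sample reply is constructed.

# leak_check: reads a raw message on stdin (headers end at the first blank
# line), prints one LEAK line per offending header, returns 1 if any found.
leak_check() {
    awk '
    function addr(s) {   # bare address from "Name <user@host>" or "user@host"
        if (match(s, /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+/))
            return tolower(substr(s, RSTART, RLENGTH))
        return ""
    }
    function domain(a) { sub(/^[^@]*@/, "", a); return a }
    /^$/     { inbody = 1 }
    inbody   { next }
    /^[ \t]/ { hdr[name] = hdr[name] " " $0; next }   # folded continuation
    /^[^:]+:/ {
        name = tolower($0); sub(/:.*/, "", name)
        val = $0;           sub(/^[^:]*:[ \t]*/, "", val)
        hdr[name] = val
    }
    END {
        from = domain(addr(hdr["from"]))
        n = split("return-path sender x-original-from", risky, " ")
        leaks = 0
        for (i = 1; i <= n; i++) {
            a = addr(hdr[risky[i]])
            if (a != "" && domain(a) != from) {
                print "LEAK: " risky[i] ": " a
                leaks++
            }
        }
        exit (leaks > 0)
    }'
}

# Constructed reply: From: is the craigslist relay, but the sending account
# stamped its real address (placeholder domain) into Return-Path: and Sender:.
SAMPLE_REPLY='Return-Path: <me@example.net>
Date: Sat, 1 Dec 2007 12:51:33 -0800
From: Test <anon-EXAMPLE@craigslist.org>
Sender: me@example.net
To: Jon Hart <jon@example.org>
Subject: Re: shifter?

Sure, I still have the shifter.'

printf '%s\n' "$SAMPLE_REPLY" | leak_check || echo "reply would expose your real address"
```

Pipe a message saved from your Sent folder into `leak_check` to see what a recipient's full-header view would show before you rely on a spoofed From: for anonymity.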

I have to stress that this is not really anyone's fault. Craigslist did what you asked -- it masked your email address. Gmail and other services did what you asked -- they set your From: to your craigslist address. When you combine these two services, however, your anonymity is broken.

The lesson here is that if you are a disgruntled employee ranting about your boss, a SWF BBW ISO NSA BDSM from a generous SBM, or other forms of depravity, either create a dedicated email address that cannot be trivially traced to your true identity, or simply don't respond to any emails sent to your supposedly anonymous craigslist email.