Updating Windows' WSL2 Fedora Version

Just a quick one today.

I like using Fedora.  I've used it since I transitioned from Red Hat proper back when it was called "Fedora Core".  I just prefer it, though I do keep other flavors on tap to mess around with or provide easy access to utilities that are ready made for them, but not Fedora or Rocky Linux.

That said, I run WSL (the Windows Subsystem for Linux) on my Windows boxes and frequently interact with them via the CLI whenever I see that a task would be easier with a bit of "Linux-Fu".  Having installed Fedora for WSL once that was available, I wondered what the process would be to update the versions from, say, 42 to 43, as this was the most recent update.  I actually found the process to be nearly identical to the process on Fedora proper.

To that end, I found out how to do it from a post on the Fedora Project's forum (thank you Manuel Fombuena, aka "mandolin"!).  I will post the link to this forum post below, but I figured I would present it here in this short blog, so here it is, paraphrased from Manuel's post...

How to Update Fedora for WSL

Prep Your Fedora for WSL Instance

1. In the Fedora for WSL CLI, run:

    $ sudo dnf upgrade --refresh -y

        # Truncated output...

    $ sudo shutdown -h now

This will shut down the Fedora instance in WSL and close the CLI session.

Upgrade Your Fedora for WSL Instance

2. After a minute or so, launch Fedora again, and run:

    $ sudo dnf system-upgrade download --releasever=43 -y

        # Truncated output...

    $ sudo dnf5 offline reboot

This will close the CLI session again, this time so the instance can upgrade all its packages to the release indicated (43 above), then reboot the instance.

The upgrade will take a few minutes depending on the size of your current installation and the number of packages to be installed.

Upgrade WSL

3. While you're waiting, open a PowerShell CLI and run:

    > wsl --update

Changing the Title in Windows

4. Still in PowerShell:

    a. Click the ∨ arrow

    b. Select "Settings"

    c. Under "Profiles" click "FedoraLinux-42"

        i. Change the name from "-42" to "-43"

        ii. Click "Save"

5. Open the Windows Start Menu.

    a. Type "Fedora"

    b. Right-click "FedoraLinux-42"

    c. Select "Open file location"

    d. Click on the "FedoraLinux-42" shortcut

        i. Press <F2> (the shortcut to "Rename" a file)

        ii. Change "-42" to "-43"

        iii. Press <Enter>

6. Lastly, open the Windows Registry Editor ("regedit" or "regedt32", if you're searching.  

    a. Change "42" to "43" in the following keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Lxss\{uuid-string}\DistributionName

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Lxss\{uuid-string}\ShortcutPath

That's it!

It’s almost exactly like any other Fedora in-place upgrade, apart from the Windows-specific steps (which is mostly cosmetic).

Here's the original forum post from the Fedora Project:
https://discussion.fedoraproject.org/t/wsl-how-do-i-upgrade-from-fedoralinux-42-to-fedoralinux-43/171750/5

What is Commercially-Available Information (CAI)?

I'm working on some thoughts about the ODNI report on Federal Agencies purchasing Commercially-Available Information (CAI for short), and I thought that it would be worth fleshing out some of the basics about what this information actually is.

So then, what is CAI?

The ODNI report, itself says this about CAI:

As the acronym indicates, and as we use it in this report, “CAI” is information that is available commercially, through a commercial transaction with another party. The acquisition may occur on a one-time or subscription basis, and may involve the IC directly ingesting the CAI or obtaining a license agreement that affords a continuing right of access. CAI typically is acquired for a fee, but as we use the term it also includes information offered at no cost if it is the type of information that is normally offered for sale – e.g., a free trial offering of CAI.

As we use the term in this report, CAI does not include information that is stolen or otherwise misappropriated and then acquired from a black market or otherwise via traditional HUMINT acquisition methods (e.g., espionage). Nor does it include information obtained through traditional SIGINT acquisition methods (e.g., wiretapping) that does not involve a commercial transaction at all. As such, it does not necessarily include all information acquired from commercial entities, such as information acquired via lawful process (e.g., a search warrant or subpoena) served on a communications service provider or financial institution.

Cutting through all the Governmental jargon, "CAI" is information:

• obtained through legal means
• typically acquired for a fee from another party
• available commercially
• not obtained via "traditional" human intelligence (HUMINT) collection methods (such as espionage or interrogation)
• not obtained via "traditional" signals intelligence (SIGINT) collection methods (such as wiretapping)

Generally, the idea is that if anyone can acquire the information legally, it counts as Commercially Available Information.

Next up will be my thoughts on the Government using CAI...

Staying Relevant in Cyber and Information Security: PODCASTS!

    Staying up to date is absolutely essential to remaining relevant in your field.  Here, I've curated most of the podcasts I listen to, arranged in a few different categories.

Daily - Morning Listens (every weekday morning):

• 
  The CyberWire 
• ~20 min
• General cyber landscape news, some interesting features
• https://thecyberwire.com/podcasts/daily-podcast
• SANS Internet Storm Center Podcast 
• ~5 min
• Technical, current exploits and vulnerabilities
• https://isc.sans.edu/podcast.html
• BBC Global News Podcast
• ~30 min
• Global news (it is imperative to understand how this can impact the cyber landscape)
• http://www.bbc.co.uk/programmes/p02nq0gn
• 
  The Daily Stoic
• ~3-90 min, depending on the day
• Personal development, stoic philosophy, daily "re-centering" and refocusing
• https://art19.com/shows/the-daily-stoic
• Up First [NPR]
  
• ~15-20 min
• 3 top stories for the day, focused on US news primarily
• http://www.npr.org/programs/morning-edition/

As They Are Published (mostly time-sensitive content):

• Paul's Security Weekly
• ~3 hours
• Phenomenally insightful and funny cyber security show "for security professionals, by security professionals"
• 
  I always get something useful from this show
• http://securityweekly.com/
• Risky Business
• ~60 minutes
• Weekly cyber security news and analysis
• Very insightful, regularly voted one of the top industry podcasts
• https://risky.biz/
• Security Weekly News
  
• Another podcast in the Paul's Security Weekly network (several of these are worth the listen if you've got the time and interest)
• ~30 min, twice weekly
• 
  News and insight, then a show recap from the rest of the network's offerings [ie. Paul's Security Weekly, Enterprise Security Weekly, Application Security Weekly, etc.]
• http://hacknaked.tv/
• Talkin' About Infosec News
• From Black Hills Information Security
• ~60 min
• InfoSec news from BHIS, with John Strand providing a lot of good insight and breakdowns
• https://www.blackhillsinfosec.com/
• Defensive Security Podcast
  
• ~40 min
• InfoSec news from industry professionals
• https://defensivesecurity.org/

As They Become Available (not necessarily time-sensitive content):

• Darknet Diaries
  
• ~60-90 min
• Amazing stories about hacking and incidents, well-told, and well-produced
• https://darknetdiaries.com/
• Malicious Life
• ~30-60 min
• Similar to Darknet Diaries (but with a specific underwriter), with a lot more episodes
• https://malicious.life/
• Cyber Security Interviews
• ~30-60 min
• Interviews with industry professionals, interesting stories, insights and philosophies
• https://cybersecurityinterviews.com/
• 
  Command Line Heroes
  
• ~25 min
• Some interesting, technically-focused content from RedHat
• https://www.redhat.com/en/command-line-heroes
• The Idealcast with Gene Kim
• ~90-120 min
• DevOps-focused podcast, with insights that can contribute to the improvement of most projects from the author of "The Unicorn Project"
• https://itrevolution.com/
• Caveat
• ~30-45 min
• Focuses on the legal and policy sides of cyber security, from The CyberWire
• http://www.thecyberwire.com/
• Down the Security Rabbithole
• ~40-60 min
• Insightful security topics discussed (usually in interviews) and how those topics interact with the business side
• 
  https://blogwh1t3rabbit.medium.com/
• Click Here
  
• ~20-30 min
• Former NPR journalist focuses specifically on cyber and intelligence, providing industry insight with geopolitical context
• From Recorded Future
• https://therecord.media/podcast/
• Programming Throwdown
• ~60-90 min
• Two computer scientists describe and discuss programming languages and technologies
• Surprisingly interesting and good primers to languages and technologies you may not be familiar with
• http://www.programmingthrowdown.com/

Other Podcasts with Topical Interest:

• The Art of Manliness
• 
  ~35-60 min
• Interesting topics about most anything in life
• https://the-art-of-manliness.simplecast.com/
• The Jordan Harbinger Show
• ~40-100 min
• Interviews with all sorts of people about all sorts of topics
• https://www.podcastone.com/the-jordan-harbinger-show
• The Digital Forensic Survival Podcast
  
• ~15 min
• Absolutely phenomenal podcast describing various digital forensic artifacts and collection methods
• http://digitalforensicsurvivalpodcast.libsyn.com/podcast

    It's a long list.  But there's always something to learn.

    I don't necessarily listen to every single episode of each of these (except the daily ones), and I generally listen at accelerated speed (about 1.2-1.5x).  I listen to several podcasts that inevitably cover the same thing, because there's usually some decent insight to be gained by listening to several different opinions.

    It has been a tremendous source of pride to be able to provide current, relevant information to my leadership, as well as provide insight as to what the geopolitical effects might be.

    Happy Listening!!

Staying Relevant in Cyber & Information Security

    Hi folks!  I know it's been a while since I posted, but there's been a lot going on in the world and my life.  I am hoping to post more frequently in the future, but some words from you can help motivate me!

    Anyway, here is today's post...

    Staying up to date in a field like cyber & information security can be as difficult as it is important.  Being effective in a security professional role requires that you maintain some level of awareness of the landscape in which you operate.  With all the different sources available, choosing some that are worthwhile can be a daunting task.

    This is a presentation I gave to several colleagues last year.  Some of the newer folks were struggling with strategies to keep up with the ever-evolving digital security landscape, and I put this together as an example.  

    I hope it may help anyone who is struggling with the problem of staying relevant.

    As always, comment below with your thoughts and additional ideas to share!

Creating a Scheduled SystemD Service

This post was generated from a document I wrote for another team to assist them in creating a service that could be scheduled and logged by SystemD.

SystemD Unit Files

You'll put these files will be located in "/usr/lib/systemd/system/".

The .service file will look like this:

[Unit]
Description=Execute My Script

[Service]
User=admin
Group=admin
ExecStart=/srv/scripts/myScript.sh

[Install]
WantedBy=default.target

The name of the .service file is arbitrary, and can be named anything. If you call it "myService.service", then you can invoke it like this:

$ sudo systemctl start myService

Make sure your "ExecStart=" statement value corresponds to the script in the location you want it.

The .timer file looks like this:

[Unit] 
Description=Execute myService Daily at 1215 UTC

[Timer]
OnCalendar=*-*-* 12:15:00
Unit=myService.service

[Install]
WantedBy=default.target

Again, the name is arbitrary. I named mine "myService.timer", which made it simple to pair with my .service file.

The time listed is for a 1215 UTC execution, which is because my server's system time was set to UTC. Make sure you list the name of your .service file in the "Unit=" statement.

You would then enable the timer like this:

$ sudo systemctl enable myService.timer

SELinux

Chances are that the stuff above will all be thwarted by SELinux, for better or worse. It's going to take a few commands to get that squared away.

In my example, the location of the scripts are in "/srv/scripts", and the SystemD unit files are named "myService.service" and "myService.timer". Change this to meet whatever your system reflects.

For the scripts:

# semanage fcontext -a -t bin_t "/srv/scripts(/.*)?"

# restorecon -R -v /srv/scripts

For the SystemD Unit Files:

# semanage fcontext -a -t systemd_unit_file_t /usr/lib/systemd/system/myService.*

# restorecon -R -v /usr/lib/systemd/system

Obviously, these are being run as the root user. The "semanage" command is setting the SELinux file context on each set of files to the appropriate type, and the "restorecon" command is registering the change with the running SELinux subsystem.

 

 

Edited:  10 April 2021

InfoSec Professionals vs The World

As InfoSec Professionals, we fight for Freedom and Justice!

We beat back the Forces of Evil that would do our Organizations harm!  And we fight for the End User!

We are Superheroes!

I've got news for you, folks...

The End User could care less.  They just want to do their jobs without interruption by you and your "Cyber crap".

This is one of the most sobering things that a new person coming into the industry must face:  the lack of recognition and gratitude from those whom we help protect can be off-putting for those who aren't used to it (or even thrive on it, such as some of us do).

Indulge me in a bit of a backtrack in my own career... 

College vs Experience

I wanted to take the opportunity to address a topic I've wrestled with so often over the years, and it is well worth posting on it.

I've posted about this before (not on this particular blog), and I've said (circa 2010):

I fully believe that college degrees just mean that the person knew how to take the test at that time, and doesn't mean they know anything now.  Experience, I believed, counts for far more than a mere degree.

I stand by that claim.

Now, before I'm crucified by the masses for this statement of equal self-importance, allow me to caveat that I would revise that statement to add this: 

"If you want a job or career that requires some sort of specialized or expert knowledge, you should get a college degree."

The difference in the last nine or so years is that I am quickly closing in on retirement and the prospect redirecting my career (though slightly).  It will require a different mentality, to be sure.  It will also require a resumee.

"Ay', there's the rub..."

I want a job that values my vast and varied experiences, but I also want a job that I can actually be interviewed for because my resumee has made it past the initial selection.  So, it seems that the initial cut is determined by how educated I may look on paper.

How I look on paper...

This is my postulation on this:  Until a person is known independently by name and/or reputation, their "paper face" is just as important as their true qualifications and potential.

To that end, a degree is important to prove multiple things...at least, on paper.

A degree shows that you have the aptitude to pass the program of study at a college-level.  A degree shows that you have the drive to follow-through with a course of action.  A degree shows a minimum level of proficiency.  Having a degree is a definitive discriminator.

A degree doesn't have to mean you know more than another person in the same field, but when you are starting out, it is extremely important to show that you have more "extra" than the next person.  If you don't have the experience in the field, or a name that respected people may recognize as someone worth a damn, then you need some other way to set yourself apart.

Get a degree.  If nothing else, it will open up more doors than it closes.