MC's Journal

Locked Shields 2019

John, me and Johan in the Apps subteam. Photo by Anders G Warne.

Locked Shields is an annual blue team computer security exercise organised by NATO's Cooperative Cyber Defence Centre of Excellence (CCDCOE). Many countries, both NATO and non-NATO, participate in the exercise. This year there were 24 teams.

The narrative during the exercise is that there is some tension between two fictive countries, Berylia and Crimsonia. Berylia might be attacked by Crimsonia at any time, especially in the cybers. The blue team is part of an expert team dropped into Berylia to help them defend themselves.

Through $DAYJOB I was invited to join the Swedish blue team for Locked Shields 2019 in April this year. The Swedish part of the exercise was held at Swedish Defence University in Stockholm.

The actual exercise was just two days but we had three initial training days to familiarize ourselves with the network and the machines, prepare our tools and our own version control systems. There were about 150 machines: some Windows boxes, some Linux boxes, some industrial control systems, different firewalls, routers and switches.

After some initial confusion I ended up in the newly created Apps subteam. We took responsibility for all the Berylian in-house software, the development systems, the continuous integration and the Docker swarm. Everything was, of course, rather broken and insecure. I was really impressed by the people who had been setting this up.

The CCDCOE red team started attacking our systems almost immediately. We had our hands full trying to harden the systems, fixing things, reporting cracked systems and coordinating with other subteams.

The Berylian software developers themselves were curiously missing during the entire exercise but their users were present and complaining about systems that didn't work.

Several times other subteams had hardened their part of the network and effectively brought our systems down by, for instance, demanding strong authentication and encrypted connections which the Berylian software didn't support. We had to add features like that on the fly.

At times things were miserable but all in all we learned much and had a lot of fun.

Team leader Erik Biverot looking at something funny on my screen. Photo by Anders G Warne.

Result: The Swedish team ended up in third place! Congratulations to the French and Czech teams!

Cottage office

The cottage office is shaping up! Not on par with the office in town yet nor the office at work, naturally, but much better than before.

Bakelite phone

Found this beauty, an LM Ericsson m/50, in a second hand shop. It was made between 1947 and 1962. Initial testing makes me believe it actually still works. I've done some testing with an ATA box as well. It would be very funny to have this as a SIP phone.

NTS developments

Once again $DAYJOB sponsored a mini hackathon in Malmö during the IETF hackathon. Martin “cos” Samuelsson, Daniel “quite” Lublin and I gathered in Netnod's southern office for two days of hacking on Network Time Security (NTS), the authenticated flavour of the Network Time Protocol (NTP).

See my first post about Network Time Security for an introduction to NTS.

The first few hours my daughter graced us with her presence and left a few traces...

Omni also came by for a while and helped us read specs.

The hackathon sort of dragged on for a couple of days into my summer vacation. We now have a working NTS client written in Go!

NTS/NTP package

A friendly fork of beevik/ntp with NTS support:

https://github.com/mchackorg/ntp

Use it like this:

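// c2sKey and s2cKey are the client-to-server and server-to-client keys from the NTS-KE key exchange
options := ntp.QueryOptions{ NTS: true, C2s: c2sKey, S2c: s2cKey }
resp, err := ntp.QueryWithOptions(server, options)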

Authenticated time is now available in resp.Time.

NTS-KE

An NTS-KE library for doing the initial key exchange:

https://gitlab.com/hacklunch/ntske

NTS client

A small NTS client using the above libraries:

https://gitlab.com/hacklunch/ntsclient/

Use with -set to actually set system time.

This is still a work in progress but seems to work fine against, for example, time.cloudflare.com:1234 and zoo.weinigel.se:4446.

I'm not formally working on NTS during work hours so I'm glad I had the chance to do at least something on the project.

Fiber to the (weekend) home

The new fiber connection to my little cottage in the woods recently lit up!

I've had a maxed out ADSL giving me something like 8/2 Mbit/s since we bought the cottage. With ~3 km of old copper cables I couldn't get any higher bandwidth but on the other hand I got customized customer support over IRC! Thanks, Philip! Too bad my old ISP didn't get enough interest for fiber here in the woods. Telia/Skanova is increasingly abandoning the copper network under the euphemism The Network of the Future, often leaving people depending on ADSL with a capped and metered mobile network as the only alternative.

With the new fiber I could have had a full symmetric gigabit/s but it was rather expensive and most of my stuff here can't even get to those speeds over wireless, so I settled for a symmetrical 100 Mbit/s. Plenty of bandwidth for most stuff and especially the upstream (backups, anyone?) is now really nice.

It's kind of strange that I still don't have a fiber connection to my flat in the city but a fiber connection to my weekend cottage. In town we're in a house with Internet over cable TV cables. Granted, it's something like 250/10 Mbit/s, but still not fiber.

On the other hand, the new fiber connection doesn't have IPv6 and not even real v4 addresses since they use CG-NAT. I've asked the ISP about a public v4 address. Rumour has it that they even have a 6rd gateway somewhere, but of course I can't use it behind CG-NAT.

I'm trying to think about my bandwidth history at home. Something like this:

What does your Internet connection look like at home?
