Subgraph OS


, , , , , , , , , ,

As you probably know already, I’m rather zealous in my belief that freedom of expression and privacy are fundamental rights, and they could only be guaranteed with technical safeguards.

Around the same time the Investigatory Powers Act (without opposition from New Labour) granted 40-odd public authorities access to most peoples’ Web browsing histories, Tory politicians took it upon themselves to submit a bill (also unopposed) to ban online pornographic videos that contain anything that wouldn’t be allowed on a commercial DVD. Meanwhile in the United States, The Powers That Be have given themselves a mandate, in the form of what’s referred to as ‘Rule 41‘, to maliciously hack any computer on a Tor circuit.
Given the mainstream media’s campaign against alternative media ‘fake news’ and the associations made between non-mainstream opinion and the ‘far right’, I wonder if tomorrow would see the banning of non-mainstream ideas, and maybe our browsing histories being made available to private sector organisations.

Obviously the solutions must be open source, they must be resilient against adversaries with advanced resources and their designs beyond the control of The Powers That Be. Subgraph OS provides us with an operating system security model needed for the current age, in one installation. As well as being a Linux distribution, I like to think of Subgraph OS as a template or pattern that other Linux installations can be configured to emulate with a little work. This is what I’ve done with my own Linux system over the years.


Application Layer
The first security measure is sandboxing of processes, using Linux namespaces to segregate resource usage. Conventionally a Linux system has a root process, and a single process tree that grows the more programs are running on the system. Linux Namespaces provides a way to logically isolate processes and process trees, so that each uses a separate instance of whatever system resources it needs. Since Linux Namespaces has been a native part of the kernel for a while, anyone could set this up on their own system.

As far as a compromised process is concerned, the root process is the first within the container, and the root privileges won’t extend outside to resources outside the namespace, and neither would the process be able to navigate beyond the virtual root directory – it shouldn’t, for example, be able to spawn a malicious process capable of installing rootkit components in the system directories. The namespace itself might be compromised, but its effects are isolated.

Based on the older YAZ proxy, Metaproxy creates an independent Tor circuit for each application, and handles the session routing between the applications and Tor proxy.
What protection does this provide? Despite being referred to as an anonymising technology, it only masks the IP addresses of the source and destination servers, and other layers of security are needed to strip payloads of anonymising data.
I should point out there are other options (e.g. VPNs and I2P) to fall back on, for anyone who doesn’t trust Tor.

Kernel Security
Although the containers and namespaces at the application layer are good for isolating compromised processes and containing the damage, ideally the first line of defence is to prevent exploits executing in the first place, at a low level.

PaX provides three low level security measures: Fields are added to the ELF as it’s loaded into memory, so the stack can be made non-executable and the executable section as non-writeable. This effectively prevents the functionality of a running program being extended by malicious code. Address Space Layout Randomisation (ASLR) makes it much harder to an exploit creator to predict memory addresses, assigning a different memory map whenever a process is spawned from an executable file.
Modern operating systems already have similar native components, and existing kernels can be upgraded with versions incorporating the PaX extensions.

Filesystem Encryption
The full disk encryption included with Subgraph is based on the mature and open source dm-crypt. This is an effective defence against threats who gain physical access to the hardware while it’s switched off – for example, if it’s a laptop that’s stolen or mislaid. Often this is provided with mainstream distributions (Linux Mint and openSUSE) as an option during the installation process.
Storage volumes using dm-crypt can also be mounted on Windows systems using LibreCrypt Explorer, by the way, so that potentially allows for some portability.

Payload Anonymisation
One pretty essential layer of security that appears missing from Subgraph is payload/traffic anonymisation, but it should be possible to install Privoxy or Ghostery for this. I strongly recommend this. During the typical browsing session, the payload of browser traffic contains identifying data, and potentially the browser could fetch malicious code from compromised ad servers, even when using Tor.

Aikido Defences Against Knife Attacks


, , , ,

For the past several weeks I’ve been deciding on which knife defence techniques to demonstrate at my recent grading – I needed techniques that could be stripped down to something practical and almost effortless. If it takes more than a couple of seconds to disarm an attacker, the technique isn’t much use.
Also, what all the defences here have in common is they can be broken down into two stages: the block and the technique, one flowing into the other. If the attack isn’t blocked correctly, the application won’t work. Never try and perform both at the same time.

The technical term is ‘Tanto Tori‘, or ‘Tantodori‘, a ‘tanto’ being a Japanese short-bladed weapon. Personally I prefer to keep the knife defences simpler, shorter and practiced with more aggression than what’s typically demonstrated on YouTube – this is why this is usually practiced by higher grades at our dojo. The following are the ones I decided on.

Method 1
Not my favourite method to practice at speed, since I’ve had my stomach opened up once already, but the fact is shanking seems the most common form of knife attack, and the chances are the victim wouldn’t even realise there was a knife until sometime after the confrontation. That’s something to bear in mind.
The first thing to do is move off the centre, simply by turning 90 degrees – get the timing right and the knife will miss, and that buys an extra second. And at the same time block the striking arm near the wrist.

For the technique, grab the hand holding the knife, just as you would with tenchi nage, and turn the wrist upwards as soon as you’re facing the attacker.

Method 2
A little like the first method, but this time hit the attacker’s wrist with the palm of the hand as you turn. From there, you’re in a position to continue with the shiho-nage technique (risky because it means the blade is closer to the neck), or the sayoundo.

What’s demonstrated in this video is shihonage at the beginner level. Again, defending against a knife, I break this down into two stages that are drilled separately: Turn and block with just one hand. Do this before following up with the shihonage.

Method 3
A kokyunage followed by a wrist lock. I teach beginners this, because I know from experience the entry is highly effective as a reflex against right-hooks, it allows for a palm strike to the throat and at least five techniques can be performed from it. The latter point means you could get away with using the same entry twice in a grading.
In fact, it’s one of multiple things Krav Maga borrows from Aikido.

As the attacker initiates a punch or slash, get straight in, use your forearm to block near the wrist, and palm-strike upwards into his jaw (or throat if you’re seriously threatened), all in one swift movement. Unlike the Krav Maga application, it’s critical to stay relaxed and use your whole body for this, rather than just using your arms.

Aikido Grading


, ,

Gradings at out Aikido club get longer and more varied as one progresses through the ranks. Two of our exceptionally skilled Dan grades were wearing the blue belt (or 2nd Kyu) when I first started out, so gaining that rank last night, after a very difficult and messy grading, was a personal milestone. Now I’m just one rank away from officially being a coach/instructor.

I’m especiallly proud of Daniel, who also passed – it takes a lot of courage to go up there for the first time, when candidates pass and fail in front of a large audience (and usually the critical eye of Mal Saunders). Even the lowest ranks get a huge amount of respect here, because they’re damn hard to earn. Also, I’m very happy Ryan passed his – as an MMA fighter, he’s really helped sharpen my techniques. Also, Mark, an excellent teacher, who got his 3rd Dan grade last week.

Here’s a rundown of what the 2nd kyu grading involved:

  • Ki Tests: Testing co-ordination with movement, with the bokken and with the jo.
  • 5th Form Techniques: All techniques are performed with movement.
  • Other Techniques: A random selection of 1st, 2nd, 3rd and 4th form techniques. These are all just variations on the initial nine techniques learned, but practiced with more speed and aggression.
  • Knife Defences: Demonstrating three defences against knife attacks.
  • Two-Man Attack: Dealing with a couple of attackers for a minute.
  • Bokken Kata: Probably the easiest part of the grading, almost impossible to fail this if the movement is right.

As always, we’ll be moving onto new things in our next session.

Binning Service Broker Messages


, , , , , ,

Removing messages from a Service Broker queue isn’t straightforward as deleting a database table row, because a message is chained into a conversation and Service Broker expects it to be received eventually instead of dropped.

Initially I tried loading the entire queue into memory as objects (which Entity Framework already does) and removing the selected object before dumping everything back into the queue. After running into problems with that, I decided on a much simpler solution that involved creating a database table (dbo.QueueDump here) where selected messages could be dumped and later deleted.

When creating this table, it’s a good idea to add a timestamp and primary key, along with the main data column for the message body.

CREATE TABLE [dbo].[QueueDump](
[Id] [int] IDENTITY(1,1) NOT NULL,
[message_body] [xml] NULL,
[dateCreated] [datetime] NULL CONSTRAINT [DF_QueueDump_dateCreated] DEFAULT (getdate())

My application already calls stored procedures for moving messages between queues, taking ‘conversation_handle‘ as the message identifier, so it’s just a matter of repurposing one of them to start a new conversation on a different queue and terminate the old conversation.


Next, in the application project, update the Entity Framework model to include the stored procedure (‘Update Model from Database‚Ķ‘), or just add the following to the model’s DbContext class:


The controller for calling the stored procedure would look something like this:


And remember to modify the View layer also for the Delete function: