Bulletproof SSL and TLS

As I’m currently involved with lots of openssl automation at work, I bought the book “Bulletproof SSL and TLS” from Ivan Ristić. See the book’s site at https://www.feistyduck.com/books/bulletproof-ssl-and-tls/. Attention, it looks like on Amazon there is only the 2014 edition available, while on Ivan’s blog (https://blog.ivanristic.com/2017/07/announcing-bulletproof-ssl-and-tls-2017-revision.html), which I found out after the purchase of course, there is a 2017 version mentioned. Nevertheless that the book edition I read was a bit dated, I learned a lot, despite having been engaged with openssl before. 

It is a difference being able to generate and sign some certificates and knowing the history, the vulnerabilities and mechanisms of the protocol itself. This book is definitively the “bible” of TLS from the founder of the (Qualys) SSL Labs with the famous SSL server test tool (btw. also available as standalone tool: ssllabs-scan on github). So there is quite some expertise and mastership behind this book.

What can one learn from the book? Well first a thorough basis and the insight, or maybe reminder, that TLS is not just encryption but also certificate-based authentication and provides integrity and session management. So it’s a bundle of security functionality that can be used not only for HTTPS but also any other protocol that you can run over TCP. There are many articles about TLS port forwarding, but with the book, I have finally gotten the differences. 

There is by the way also a github repository to the book that contains among other resources configuration files for setting up a own root CA for self-signed certificates. That being a task that I’m just involved in and this thus very handy to verify my configuration taken from other sources in the web. Clearly for public customer or browser-facing endpoints one will always have to use purchased certificates from a public CA. But in the innards of a system, behind a reverse proxy or from the application backend to a infrastructure service, such as RabbitMQ or a DB, self-signed certificates, well-configured, serve well their purpose. And you save money and have the full control over expiration time and what not.

Especially interesting for were the details on OSCP and OSCP stapling and all the other initiatives that there are. Certainly a topic that one would like to explore at work for getting an additional grain of security into especially cloud-hosted services. Another concept that was covered were the different ways of pinning and what it really means. It is not so a sophisticated concept that nobody uses, anyhow. 

What I found especially helpful were, beyond some openssl command-line examples also a in-depth chapter on configuring Nginx with TLS, something that I happen to just do at the moment at work, too. What a coincidence. That adds well to the Nginx TLS documentation, which is more reference than tutorial. Especially the securing of a down-stream connection to backend services in a reverse proxy scenario.

Well, this is thick book and it took a while to get through but it was worth it and I’m now feeling much better prepared for practical work with TLS, openssl and juggling with certificates.

Yours, Peter

Books for Learning

Books, printed books, despite the promise that e-books will kill them in the age of the Internet, they’re still there and sold in millions by Amazon and the like. But I observe, that they’re still on the decline. Not because everyone would only read them in electronic form only. For this the smartphone is simply not really convenient. You need a tablet/iPad to enjoy reading e-books IMHO. No, it’s because books aren’t used anymore for learning. 

When I look around me at work, nobody other than me has books besides his desk and seems to read any book for work. Maybe they only read prose for pleasure, fine as well. But even that you see less and less in public transportation. What I see is that people don’t use books for learning but use other media instead. They watch videos, listen to podcasts or read articles in the world-wide web as they need it. You have an issue, you search and find some resource that tells you how to get ahead. On-demand learning, so to say. 

A book is something longer-term, you buy, you watch is waiting for you and you spend weeks, if not months to digest it in one piece if it is a good one. That takes time and effort and persistence to do. That’s not like a two-page article or 20min video that comes right to the point. I guess this is really the point, these other internet-based media are easier to digest and solve your problem of learning that you have right in this moment.

But this type of learning is a shallow one. You don’t really learn the fundamentals of the technology or topic. You learn how to solve exactly this one problem and the next day you’re as dump as you were. This is why people always say “I have no idea”. Really I avoid this phrase like hell. I do want to have a clue, an idea on the topics, I speak about, otherwise I shut my mouth. 

And for this you need deep knowledge, expert knowledge. Books are written usually by experts, at least if it’s a good book. They build up the topic from the grounds and systematically consolidate the matter using examples and give you reasons and arguments. At the end you are maybe not an expert yourself, experience is missing. But at least you have the feeling that you have profound knowledge to start from. 

There is the model of “cone of learning” from Edgar Dale, I think. It explains how good media are for learning. The book is doing pretty bad in this model. It is passive learning and you remember only small parts of what you read. In contrast a video or podcast is remembered much more. And that is probably right in the general. How long do you remember what you read a year ago in a book? Nevertheless the depth is a different in a book in contrast to other media. and I would say it needs to stay in the learning mix also these days, electronic or not. 

There is one more aspect, that I reflected about. Exactly that is the point, writing a book is equally more effort and takes more time than creating a podcast, video or writing an article (like this one, lol). So there is so much preparation going into writing a (good) book. A good friend of mine, Barbara Hoisl, wrote a book last year. Content-wise this is a completely own article, but she worked for more than a year only on the book, left apart the time for thinking about it and preparing the steps to get to start at all. But this is not only time, it is reflection and thinking time. And a book includes this reflection and thinking of months and years. It is maybe courageous to talk about wisdom, but a book certainly captures more wisdom than other media. And this is why one should read books in addition to consuming internet-based media.

Well, think about it, yours


Installing filebeat on Raspberry PI 3 (amd64)

Currently I’m experimenting with using a Raspberry PI 3 B+ as a network security monitoring (NSM) sensor node. So I have Bro and Suricata installed on that little guy running Kali Linux for arm64. But I need a modern way to transport the logs to its log monitoring station. So not using syslog-ng or ryslog but the best log shipper for the elastic stack, and that is Beats, better the Filebeats.

Problem: Elastic does, unfortunately, despite desperate inquiries from users in the forums not provide binaries or a .deb package for Beats. After trying some other paths I came across some receipts to install Beats on arm64 by manually compiling the binary with Go. I have to say, Go is marvelous! On the PI itself, I had bad luck, because the “go build” quickly finished with out-of-memory. So that didn’t work unfortunately on that little pal.

But because Go is so cool, I just “cross-complied” it on a bigger laptop, also running Kali Linux. And that’s so easy that I have to tell the world, because the other receipts are sometimes too specific and parts are missing for a full running manual installation, which is more than just the filebeats binary.

Step one on the other Debian-base system, the laptop, you need of course also Go installed.

# mkdir -p go/src/github.com/elastic
# cd go/src/github.com/elastic
# git clone https://github.com/elastic/beats.git
# export GOPATH=$PWD/go

You could also get the sources with “go get” bu that doesn’t matter, result the same.
Now the important step, watch out:

# export GOARCH=arm64
# cd beats
# go build -v -x

Flags just so see what’s happening, as go build is very silent otherwise. Magic, in a few seconds, you have a “filebeat” binary in this directory!

# file filebeat
filebeat: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, Go BuildID=svVi8LJGhqXEjRJveTrA/7cOYouMPn1VzyeJqwq3W/TXZ3DZ8Wa_QYdKnsR8cm/8bg35yoawYw18mAJ30oX, not stripped

Remember we are on amd64 not arm64 on the laptop!
Now just copy the file over to the PI using ssh and test it there:

# ./filebeat –help

Works! But when you try

# ./filebeat modules list

It does not show any, because we are missing something, all the module configuration and kibana dashboards that are normally also contained in the .deb package.  So on the laptop just install filebeats, as for amd64, there is of course package:

# cd ~/Downloads
# curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.1.1-amd64.deb
# dpkg -i filebeat-7.1.1-amd64.deb
# filebeat modules list

Here you get the modules of course.
Now just let’s see what’s in the debian package:

# dpkg –listfiles filebeat|more

As you can see, besides the binary (for amd64) no other binaries are really in the .deb, just lots of YAML and JSON files. Now that’s of course good news.
So what I did for getting a fully functional installation is just copy the files over form the laptop to the PI using SSH in /etc/init.d/filebeat, /etc/filebeat/*, /usr/share/filebeat, /lib/systemd/system and /usr/bin/filebeat (a script). Then place the compiled arm64 binary in “/usr/share/filebeat/bin/filebeat” and we’re got to go on the PI:

# filebeat modules list

And here we get the list.
Now this is not a package that will be manged by apt-get of course. Maybe, I didn’t try one could for to install the official amd64 .deb package and only exchange compiled binary.

Hope this helps, Peter

Book Platform Ecosystems

There are a couple of books on platform business models and ecosystems. I recently bought two of them. One is “Platform Ecosystems, Aligning Architecture, Governance and Strategy” from Amrit Tiwana (see cover). The book is built up very systematically in explaining what the difference between a platform business model in a multi-sided platform and a classical product or solution business in a single-sided model is. He stresses the important of the interaction between architecture and governance in the evolution of a platform. Something a platform software architect likes to hear of course. Some later chapters are too advanced for my current needs at the moment but very very informative and clearly written. This will be for me a very influential book and is definitively worth a read!


End of last year I read this book on the TRIZ methodology, in English “theory of creative problem solving” originally developed by Genrich Saulowitch Altschuller in the former soviet union. Quite some time already I wanted to read about TRIZ, as I’m fascinated by the idea that you could systematically find and direct innovation. The book is also a nice introduction to innovation management by the way. Of course the method comes more from mechanical engineering and unfortunately does not translate directly to my space of computer science. That remains the open question for me, is it possible to find and document similar patterns in software engineering as TRIZ does it? Or do we maybe have something like this with architecture and design patterns more or less? It was an interesting read nevertheless and gets you thinking about how to systematically find new ideas and solutions for problems. And of course it is a nice piece of off-the-path thinking from Russia!

New paknet blog


in the past there were multiple blogs for private, software architecture and the unofficial MIDAS weblog. I decided to restart with one single blog that can potentially include material for all topics and probably new ones as well.

Don’t expect any more material on MIDAS though. First Blue Elephant Systems is dead, MIDAS as a product is dead and the whole topic of IT management is dead in my mind. You will potentially see references to MIDAS from Atos or 4Things Solutions. These companies try to market what is left from MIDAS to HP OM customer that did not notice yet that MIDAS is gone with its author. The last brain that knew anything about the complete product suite is me, and I’m not with Atos nor 4Things. And don’t believe anyone else that they understand the product nor further develop it nor be able to maintain its rests, just don’t. I will keep the old content of the blog in the archive, this is where it belongs.

I’ve changed work and also the area. No more IT management, monitoring or stuff that is just a necessary evil that needs to be done. IoT and industrial internet/i4.0 or connected industry as it’s called is now the new topic. And its thrilling and interesting like hell! This is the topic I will be writing about.


6. Jahrestagung DGSD

Since June 2012 blue elephant systems is member of the “Deutsche Gesellschaft für System Dynamics” (DGSD), German chapter of the “System Dynamics Society” (SDS), the institution for the advancement of the system dynamics methodology for modeling and simulation of complex dynamic systems. On the 21st to the 22nd of June 2012 the DGSD held its 6th yearly conference on system dynamics (SD) in Frankfurt Main in the rooms of the PA Consulting Group and I had been participating for the 2 days for the first time.

A series of presentations, mostly in the areas of business and jurisdiction showed applications of SD from purely qualitative to very data-centered quantitative models, from very high-level academic to pretty practical levels. For me the purpose was mainly learning about system dynamics, seeing practical SD models and their applications in various fields as well as getting contacts in the SD community. In that respect it was a very interesting and mind-opening event that got me started in modeling and simulation.
I am a the moment evaluating SD tools, from XJ Technologies AnyLogic, via Consideo MODELER to Vensim, so I also wanted to see what tools other people use. Apparently due to the excessive price of AnyLogic a lot of people use Vensim and Consideo, although those usability is not even remotely comparable to AnyLogic. Well we need to see how we can solve this problem.
As an interesting fact, I found out that the University of Stuttgart, with Prof. Dr. Meike Tilebein is very active in the field, whose doctor father is obviously the BWL Prof. Dr. E. Zahn. When I studied BWL as my minor field of study at university, Prof. Zahn had been my professor in Organization (in-depth elective).

I especially liked the openness of the SD people, it was obvious that they are happy of every new member that is deeply interested in system dynamics, and obviously blue elephant is bringing in a new application field where SD is not yet widely applied.

Projango Agile

At blue elephant, we are using, SCRUM as our development methodology. Now Edgar, my project lead would scream and cry that we would not do it right, but we are doing agile development SCRUM-style, for me that is just fine. Doesn’t have to be the pure law 🙂

As the SCRUM tool of choice we use Projango the SCRUM project management of Xenatec. By pure coincidence Edgar is partner of Xenatec and co-author of Projango. Blue elephant has been, so to say, the major beta tester for Projango in the last year(s) and in the mean time this tool is our core tool for the development team.

The visually very nice Projango SCRUM-board is in daily use by the developers to work on their tasks so that everybody knows who is doing what as well as for time bookings. Using the board we do task break downs of the user stories and effort estimations in the team. Instead of someone writing the tasks in an excel to centrally enter them in a system, we immediately create the tasks, prioritize and estimate them online during our planning sessions.
Urgent customer requirements are entered in the backlog and linked via Weblinks with our bug tracking tool Jira.

The big advantage of Projango versus other SCRUM solutions, e.g. from Atlassian, is the very direct visual manipulation of stories and tasks. Just drag and drop them to prioritize or change the state. In-place editing and the engineer-images are very cool, so that one visually sees who’s working on or verifying a task. Also the impressive burndown chart and the generated MS Excel documentation help to manage and present R&D work in the organization.

We can only recommend Projango, so have a look!

IntelliJ IDEA

Can’t code without Since years now I work with IntelliJ IDEA as my Java IDE, which I introduced already back at HP as the Java development tool of choice. While there had been some small problems with performance in earlier versions, it got now better and faster again than ever before.
Meanwhile the Eclipse users around me are getting more and more and they brag about why it would be so superior and much better. I just let them talk and lough at them, because in the end I’m still so much more productive with IDEA. And if I’m the last IDEA user, I will never surrender to Eclipse, which is full of over-engineered features, usability nightmares and unnecessary complexities.
I just don’t understand it why the do not prefer IDEA, where do some people look at? Are they running blindly through the world or just behind the masses? Development is like handcraft, you need the right tools for the work, then it is already half done. IDEA is the powertool for Java and Groovy developers, unparalleled in this ecosystem. At least for me, even if I have given up on these Eclipse-guys meanwhile.