HOWTO: Configure Ubuntu to work with WEP preshared-key

I've been having a hell of a time getting Ubuntu to connect to my wireless network at home. I have 128bit WEP setup with a preshared key.

I finally got it to work today. It turns out there's a sort of hack you have to do to get it to work with certain wireless routers.

These directions work with "Edgy Eft":

1. Run System -> Administration -> Networking

2. The Networking Settings panel pops up.

3. Highlight your Wireless Connection and choose "Properties."

4. Make sure your network name matches your access point's SSID.

5. Choose password type: "Hexadecimal"

6. HERE'S THE WEIRD PART: In the Password box, instead of just the password, you need to prefix it with the word 'restricted' and a space - man iwconfig to see why this works. However, the password box is NOT the correct place for this keyword.


IN the Password Box type:

restricted xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xx

where xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xx is the hex representation of the wep key you choose.

What a PITA! Guys, let's add a check box or something!


UPDATE: "Ah, this is obviously some strange use of the word "safe" that I wasn't previously aware of.”

Noam Eppel posts an update to his original article on Security Absurdity that includes community comments and feedback:

Community Comments & Feedback to Security Absurdity Article


HOWTO: Implementing a Smart Card Authentication Pattern with ASP.NET

UPDATE: I've completely overhauled my approach. See this article instead (or as well as).

Part 1

Typically when developing ASP.NET authentication architectures, developers can usually rely on a straightforward implementation of one of the following authentication scenarios:

  • Active Directory Authentication
  • Using integrated or basic authentication, (Kerberos, NTLM, Digest, Basic)
  • Forms authentication
  • Lookup users and authenticate against a custom data repository (SQL Server, LDAP).
  • Passport authentication
  • Use a third party (Microsoft live/passport logon) to authenticate users for you.
  • Smart Card Authentication with AD Domain Integration

While working on a particular ASP.NET project I came across an odd combination of requirements for user authentication.

The AAA requirements for this project are as follows:

  • Authentication (Who you are): All users must authenticate using Smart Cards
  • Use existing enterprise Public Key Infrastructure (PKI).
  • Use client certificates (from the smart card) to create secure channel (SSL) with client certificates using asymmetric encryption
  • Users of the system are not necessarily in Active Directory.
  • Only users with Smart Cards signed by our specific internal trusted Certificate Authorities (CA’s) can gain access
  • Revocation of certificate remove right to access the site
  • Authorization (What you are allowed and not allowed to do): Use nondiscretionary access controls or Role Based Access Controls (RBAC) for handling authorization to different resources within the site.
  • Accounting (keeping track of what you do): Ability to log/audit who does what within the system – Once we handle the authentication and authorization, the accounting is straightforward. I will implement a Global Application Logging Singleton that will track important security events within the system.

The particular AAA requirements stated above do not fit the common scenarios that IIS and .NET support out of the box.

Hopefully, you find yourself requiring a more straight-forward AAA Smart Card scenario, like one of the following:

  • All users of the system are users in Active Directory: Map client certificates to user accounts.
  • IIS will automatically associate the client certificate with the proper domain account if you have a PKI enabled Domain.
  • Using this methodology, when the user accesses the web site, they will provide their credentials (smartcard + pin) and IIS will then map the client certificate to the active directory user.
  • Then in ASP.NET, we can derive the users’ roles from the WindowsPrincipal stored in the HttpContext.User of the users mapped from the Client Certification from IIS.
  • Allow all users into the site who have a Smart Card signed by the internal CA (this will only work if we are NOT concerned about mapping users to roles with-in the system):
  • Configure IIS to work with the enterprise PKI solution – IIS alone will handle authentication.
  • Additionally we can add a “Many-to-1” rule in the IIS client certificate mapping – create a rule will check the issuer field of the client certificate and makes sure it matches our trusted CA and we can map all client certificates to one users or several users in different groups.
  • More simply, enable the Certificate Trust List at the site level in IIS and add the certificates to trust there.

Since Smart Cards are not that widely deployed and I have found that using Smart Cards for Authentication and Authorization in ASP.NET is not a broadly covered topic. The documentation on configuring IIS to work with Smart Cards (a type of Client Certificate) is adequate and not too complicated. However, marrying the IIS Smart Card architecture and ASP.NET is not discussed much at all. When IIS authenticates a user with a smart card that is not configured to map back to a domain account, ASP.NET does not map the Smart Card user to an IPrincipal object and store it in the HttpConext.User object as it does when using Integrated Authentication. This is because there is no such thing as a X509 Identity in .NET, only Windows Identity or Generic Identity. Windows Identities map to Machine or Domain Accounts (and can be derived from the Smart Card in a PKI enabled domain). Generic Identities map to a generic user of a web application (i.e. perhaps for Forms Authentication).

I will extend Forms Authentication in ASP.NET add X509 certificate support to allow both authentication and authorization in ASP.NET. I’ve accomplish this by creating a new IPrincipal object that handles more of the common tasks of Smart Card authentication, while combining it with Principal Permissions. My current implementation targets .NET 1.1.

The Solution
For us to implement a solution we need IIS to authenticate the Smart Card User and then hand off the X509 certificate to ASP.NET so we can map the users’ client certificate to a row in the users table in the database.

Once the user is authenticated, we will create an IPrincipal object based on this user so we can use Principal Permission Demands (imperative or declarative) and Explicit Role Checks available in the .NET framework.

To accomplish this I decided to modify one of the current patterns and implement a custom authentication model building upon similar principals. Since Forms Authentication provides the most flexibility, it is probably the best way to roll our own authentication while still building on the underlying Forms Authentication architecture that Microsoft has already provided. One of my goals here is not to re-invent anything, but build upon existing .NET architecture and technology. Forms Authentication allows the flexibility we need to customize the authorization mechanism (as stated above).

ASP.NET does have an object that stores the Client Certificate from the Smart Card. The Page class exposes the Request.ClientCertificate property, but oddly, it is not of type System.Security.Cryptography.X509Certificates.X509Certificate, but instead it is a System.Web.HttpClientCertificate. One would wonder why we need two classes in the framework that are very similar; one more limited then the other? I suspect it is because there were two different development teams working on different parts of the .NET Framework.

Setup IIS for SSL and to Require Client Certificate Authentication
In IIS, open the Site (or Application) - click on Properties – choose Directory Security

  • Install a SSL Certificate
  • Allow only Anonymous authentication (disable Integrated and Basic auth)
  • Under Secure Communications – Click Edit
  • Require Secure Channel (SSL)
  • Require 128-bit encryption
  • Choose "Require Client Certificates"
  • Check Enable Certificate Trust Lists and configure appropriate certificate.

Implementing Smart Card Authentication using ASP.NET
Once IIS is setup and configured properly, the next step is to implement Forms Authentication. I start with the Patterns/Practices book from Microsoft called Building Secure Microsoft ASP.NET Applications – Microsoft has an online version of this book here. It has several HOWTO articles in the Appendix. I would recommend reading “How To: Use Forms Authentication with SQL Server 2000”, “How To: Create GenericPrincipal Objects with Forms Authentication”, and “How To: Implement IPrincipal.”

Implementing Authorization in ASP.NET
There are several ways to implement authorization using Code Access Security (CAS) for authorization within ASP.NET code once we have the IPrincipal setup properly:

<PrincipalPermission(SecurityAction.Demand, Role:=”Administrators”)> _
Public Function DeleteUser( _
ByVal userId As Integer _
) As Boolean
' ...
End Function

Dim permCheck As New PrincipalPermission(Nothing, "Administrators")

Or we can check if the IPrincipal is in the role we require (which is exactly what the PrincipalPermission class does by using the IPrincipal stored in the Thread.CurrentPrincipal):
If MyPrincipal.IsInRole(“Administrators”) Then
nd If

Specify access permissions to files and/or folders in the web.config.


<?xml version="1.0" encoding="utf-8"?>
<authentication mode="Forms">
<!-- loginUrl="Authenticate.aspx": Authenticate.aspx provides Smart Card login and role assignments -->
<!-- requireSSL="true": require cookie to pass over SSL connection only -->
<!-- protection="All": Perform encryption and validation of session cookie -->
<forms name="SmartCardCookie" loginurl="Authenticate.aspx" timeout="60" path="/" requiressl="true" protection="All">
<!-- Deny all anonymous users unless specifically granted below -->
<deny users="?">
<!-- Users who have a Smart Card are automatically put into the User Role -->
<!-- All who are in the Users, Sales, and Administrator group can view Default.aspx -->
<location path="Default.aspx">
<allow roles="Administrator">
<allow roles="Sales">
<allow roles="Users">
<deny users="*">
<!-- Only the Administrators and Sales roles should be allowed in the Sales folder -->
<location path="Sales">
<allow roles="Administrator">
<allow roles="Sales">
<deny users="*">

In part one I have discussed the concepts behind the solution for implementing a Smart Card authentication pattern with ASP.NET. In part two, I will provide a sample implementation of the Forms Authentication code with custom IPrincipal object that maps the smart card client certificate to roles and then applies role-based access controls to provide authorization to different parts of the web site.

If you find this article helpful:
kick it on


Reporting on Smart Card Logon in Active Directory

Yesterday, the higher-ups needed a report of all users in Active Directory whose accounts required Smart Cards to log into the Domain (and those that did not). Most things I have needed to retrieve out of Active Directory have been quick to find and usually obvious, but this particular information was a bit more elusive. Any AD guru would certainly know exactly where to look, but alas, I did not. As I looked around Google and on all the properties on the User object in AD, nothing obvious came up – then I stumbled across this KB article: kb305144.

The Smart Card Required for Interactive Logon check box located in the property pane for a User in Active Directory Users and Computers mmc snap-in is stored as a bit field in the UserAccountControl property of the User object in Active Directory. Once I saw it was a bit field and I had all the possible values, the rest is simple.

Here the quick and dirty code I wrote to run the report:

using System.DirectoryServices;

namespace AdSmartCardReport
public class AdUtility
// This retrieves the root entry point for AD for
// current DOMAIN
internal static string ADsDomainName
DirectoryEntry rootEntry
new DirectoryEntry("LDAP://RootDSE");
return "LDAP://" +

public void RunReport()
DirectoryEntry _entry
new DirectoryEntry(AdUtility.ADsDomainName);


DirectorySearcher searcher
new DirectorySearcher(_entry);

= SearchScope.Subtree;
= "(&(objectCategory=person)" +
"(objectClass=user)(!" +

SearchResultCollection results
int counter = 0;

foreach (SearchResult result in results)
ResultPropertyCollection collection

string displayName =
string email = (string)collection["mail"][0];
string samAccountName =

UserAccountControl userAccountControl

if ((userAccountControl &
== UserAccountControl.SMARTCARD_REQUIRED)

// Write out to console in csv format

"There are " + counter +
"users required to use a Smart Card to logon " +
"in the domain.")
if (_entry != null)

// See: for more
// info on UserAccountControl flag in Active Directory
public enum UserAccountControl
= 0x1,
= 0x2,
= 0x8,
= 0x10,
= 0x20,
= 0x40,
= 0x80,
= 0x100,
= 0x200,
= 0x800,
= 0x1000,
= 0x2000,
= 0x10000,
= 0x20000,
= 0x40000,
= 0x80000,
= 0x100000,
= 0x200000
= 0x400000,
= 0x800000,
= 0x1000000

I hope others may find this helpful.

UPDATE: You can also filter the search results using the same UserAccountControl enum.

Let's inspect the following expression:


decodes to:

Filter on AD Records where (objectCategory = Person) && (objectClass=user) && (UserAccountControl & 0x40000)

The number sequence 1.2.840.113556.1.4.803 tells AD to to a bitwise AND operation on the value in useraccountcontrol and 262144 (0x40000 hex). See kb269181 on how to query Active Directory by using a bitwise filter.

Using a bitwise AND (&) on UserAccountControl and 0x40000 will return true (bit 1) if that bit field is set.

If you found this article helpful: kick it on


Coffee Roaster Mod for Home Roasting

The past month and a half I've been a bit distracted by coffee... I discovered that I can roast coffee at home in a regular old pop-corn popper. And not a brand new $30+ pop-corn popper, but I found out it was preferable that the pop-corn popper be really old. This is why God created e-bay - for around $10 (that included shipping) my wife bought me an old used crappy West Bend Poppery II pop-corn popper. And this is the PREFERABLE one to buy for this type of roasting. What's even more amazing is I discovered it tastes better than 99% of the coffee you can buy in the store or at your local coffee shop.

Don't believe me? Go check Google.

Anyway, combine the West Bend Poppery II, Sweet Maria's wholesale green coffee beans supplier and about an hour of free time and you've got yourself about a half-pound of the freshest coffee you can imagine.

After doing this for a couple of weeks I realized I needed to upgrade my coffee rooster. The Poppery II only allowed me to roast 1/4 cup of coffee at a time and that just isn't enough. I needed some real power with out the $400+ price tag for a fancy home roaster.

This is another reason why the Internet is great: SC/TO

That's right - I'm talking about the Stir Crazy / Turbo Oven home modded coffee roasting machine for around $90. Never heard of it? Neither had I until I looked to the coffee roasting forums of CG and Sweet Marias. The amazing combined coffee knowledge at these places will really make someone who thought they knew some things about coffee really feel inadequate. Yet I loved every minute of it.

Right - back to the SC/TO. West Bend does it again with their Stir Crazy Popcorn Popper. While it's quite proficient at popping corn, it's incredibly inadequate at roasting coffee - the temperature in the Stir Crazy only reaches around 320 degrees Fahrenheit. For coffee even to think about roasting, you need temperatures starting at 400 degrees up to 500 degrees F. Now careful, if you actually get the internal bean temp to 500 degrees you'll have charcoal. Anyway - back to my point that the Stir Crazy just doesn't cut it: What it DOES have is little spinning arms that have excellent stirring action for agitating the coffee beans.

This is where the Turbo Oven is important. What, you ask, is a Turbo Oven? It's a lid fashioned with a convection slapped on top. Its' temperature range goes just over 500F - perfect.

Some fairly small modifications and the Stir Crazy / Turbo oven is born. Now I can roast 1/2 lb to a full 1lb of coffee at a time, in a half-hour.

Here are some pictures I took while putting it all together:
Creation of the SC/TO
Roasting Sumatra Class Mandlehing in the SC/TO

What's great about this type of setup is that the coffee beans cost aprox. half as much as if you bought them at the store, but YOU get to determine the level of roast you like for a particular coffee. And you get the freshest coffee around.


The .NET Hydrus DataSet ToolKit

Hydrus Software has just released a very cool toolkit for working with DataSets, Data Adapters, etc. in .NET 1.1 and 2.0.

It's very impressive and a great time-saver. After using it for a while, you WILL wonder how you ever lived with out it.

Here's a little article on how it works:

They have a 30 day trial for download.


"Ah, this is obviously some strange use of the word "safe" that I wasn't previously aware of.”

9:32 AM j. montgomery 0 Comments

Interesting perspective on the current state of security:

Page is long gone: Security Absurdity: The Complete, Unquestionable, and Total Failure of Information Security

Found a copy of it here:


HexToBin and BinToHex

While dealing with storing parts of an X509 certificate, I’ve found the need for a couple of utility methods that allow converting the string representations of the Public Key to a byte array (or vice versa). That’s what the HexToBin() method does. Included also is BinToHex() for going the other direction.

Private Shared Function BinToHex(ByVal data As Byte()) As String
If Not data Is Nothing Then
Dim sb As New System.Text.StringBuilder
For i As Integer
= 0 To data.Length - 1

Return sb.ToString()
Return Nothing
End If
End Function

Public Shared Function HexToBin(ByVal s As String) As Byte()
Dim arraySize As Integer
= CInt(s.Length / 2)
Dim bytes(arraySize
- 1) As Byte
Dim counter As Integer

For i As Integer
= 0 To s.Length - 1 Step 2
Dim hexValue As String
= s.Substring(i, 2)

' Tell convert to interpret the string as a 16 bit hex value
Dim intValue As Integer = Convert.ToInt32(hexValue, 16)
' Convert the integer to a byte and store it in the array
bytes(counter) = Convert.ToByte(intValue)
+= 1

Return bytes
End Function

If you found this article helpful:


New BETA2 of Microsoft Threat Analysis & Modeling v2.0

BETA2 of Microsoft Threat Analysis & Modeling v2.0 (formerly codenamed “ACE Torpedo”) is now available for download here.

This tool is really starting to shape up!


HOWTO: Use the aspnet_setreg utility to encrypt other values in the Web.Config

Here’s a slight hack I came up with to store encrypted connection strings in the registry that mimic the aspnet_setreg utility that comes with the .NET framework:

First you’ll run the aspnet_setreg command:

c:\> aspnet_setreg -k:Software\ASP.NET\MyKey -c:"data source=server;userid=user;password=password"

Please edit your configuration to contain the following:

sqlConnectionString = "registry:HKLM\Software\ASP.NET\MyKey\ASPNET_SETREG,sqlConnectionString"

The DACL on the registry key grants Full Control to System, Administrators, and Creator Owner.

If you have encrypted credentials for the <identity> configuration section, or a connection string for the <sessionstate> configuration section, ensure that the process identity hasRead access to the registry key. Furthermore, if you have configured IIS to access content on a UNC share, the account used to access the share will need Read access to the registry key. Regedt32.exe may be used to view/modify registry key permissions.

You may rename the registry subkey and registry value in order to prevent discovery.This command will create a Key in the registry here:


Within that key it will create a Binary Value called “sqlConnectionString” set to the encrypted value of your connection string.

From here, I like to make one more modification:

Since I may not be storing a SQL Connection string, I’ll rename "sqlConnectionString" to something else more meaningful. For this example I’ll rename it to "customConnectionString"Next, I’ll add the following to my ‘web.config’

<add key="ConnectionString" value="registry:HKLM\Software\ASP.NET\MyKey\ASPNET_SETREG,customConnectionString" />

Next, I have written the following class which takes advantage of the NCrypto library to easily decrypt the connection string in the registry.
Imports Microsoft.Win32
Imports NCrypto.Security.Cryptography
Imports System.Text

Public Enum RegistryHive
End Enum

Public Class RegistryCryptoUtility
Private Const COLON_DELIMITER As String
= ":"
Private Const COMMA_DELIMITER As String
= ","
= chr(92)
Private Const REGISTRY_PREFIX As String
= "registry:"

' Receives a string in the format:
' registry:HKLM\Software\ASP.NET\MyKey\ASPNET_SETREG,sqlConnectionString
' and pulls the value from the correct registry hive, and extracts and
' decrypts the connection string information
Public Shared Function DecryptRegistryConnectionString( _
ByVal configConnectionSetting As String _
) As String
Dim regKey As RegistryKey
Dim registryBytes As Byte()

If configConnectionSetting.StartsWith(REGISTRY_PREFIX) Then
Dim regKeyPathAndKey As String
= _

Dim regKeyPath As String
= _

Dim keyName As String
= _

Dim regkeyHive As RegistryKey

' Open the proper Registry Hive
If regKeyPath.StartsWith( _
System.Enum.GetName(GetType(RegistryHive), RegistryHive.HKLM) _
) Then
= Registry.LocalMachine
ElseIf regKeyPath.StartsWith( _
System.Enum.GetName(GetType(RegistryHive), RegistryHive.HKCR) _
) Then
= Registry.ClassesRoot
ElseIf regKeyPath.StartsWith( _
System.Enum.GetName(GetType(RegistryHive), RegistryHive.HKCU) _
) Then
= Registry.CurrentUser
ElseIf regKeyPath.StartsWith( _
System.Enum.GetName(GetType(RegistryHive), RegistryHive.HKU) _
) Then
= Registry.Users
ElseIf regKeyPath.StartsWith( _
System.Enum.GetName(GetType(RegistryHive), RegistryHive.HKCC) _
) Then
= Registry.Users
Throw New ApplicationException(
"Unknown Key reference: " & _
End If

Dim seperatorPosition As Integer
= _
0) + 1
= regKeyPath.Substring( _
seperatorPosition, regKeyPath.Length
- seperatorPosition)
= regkeyHive.OpenSubKey(regKeyPath)
= CType(regKey.GetValue(keyName), Byte())

Return Encoding.Unicode.GetString( _
' return the Config string, registry not specified
Return configConnectionSetting
End If
End Function
End Class

Finally, all that is left is to use the code above to extract the encrypted value from the connection string whenever you need it:

Dim connectionString As String = _

That's all there is to it.
References: How to use the ASP.NET utility to encrypt credentials and session state connection strings (Microsoft KB329290)

If you find this article helpful: kick it on


How NOT to do Web Security

12:13 PM j. montgomery 2 Comments

This is a great post on how NOT to do client authentication:


Modify WinXP CMD Prompt to Match ABC's Lost Computer Prompt

I’ve been watching ABC’s TV show Lost religiously lately and while using cmd.exe this week at work, a silly idea came to me. I was reminded of the old DOS days and playing with the look and feel of the command prompt and I realized how trivial it would be to change it to match the prompt from the Lost TV Series….

It’s as simple as this:
1. Open the Control Panel
2. Choose “System”
3. Click on the “Advanced” Tab.
4. Click the “Environment Variables” button at the bottom.
5. Choose the “New” button on either the User or System sections to modify the command prompt for just the current logged in your or the entire system.
6. In “Variable name:” put PROMPT
7. In “Variable value:” put ‘$g: ‘ (leave out the quotes, but leave a trailing space).

The $g maps to the ‘>’ character. See: Microsoft Windows XP - Prompt for customizing the prompt for cmd.exe

8. Click “OK”
Now Start -> Run and type: cmd and you should see your change. I also adjusted the colors to green and command prompt size to large to further make it similar. Hitting ATL-ENTER blows up the cmd window full screen giving it the most likeness...

Creating this effect for your account on a un*x system would be trivial as well by using 'set prompt = ">: " command. I don't have one handy or I'd try it out.


.NET Kicks

If you’re familiar with and you’re a .NET software developer, you might find the .NET Kicks web site an interesting social network to find a good repository for code snippets, articles, HOWTO’s and coding practices. I have tried posting .NET specific articles to Digg, but it's not really the right community of people to care about those sorts of topics.


Terrible Journalism: Linux/Unix Vulnerabilities Outnumber Microsoft Windows' 3 To 1

Information week wrote an article yesterday that hardly qualifies as good journalism:
Linux/Unix Vulnerabilities Outnumber Microsoft Windows' 3 To 1

The summary of the article:“Linux and Unix, including the Mac, had 2,328 vulnerabilities last year, compared with 812 vulnerabilities for Microsoft Windows, according to the U.S. government's computer security group.”

I was going to explain why this was a terrible article, but someone on /. already did a good job so the following comment posted by
molnarcs (675885) sums up my thoughts exactly:

And I quote:
“There are at least 12 distinct operating systems in their list - Solaris, Cisco, SCO Unixware, OpenBSD, FreeBSD, NetBSD, HP-UX, AIX, HP Tru64, MacOS X, Linux variants like SuSE, Debian, Gentoo, RedHat (I counted Linux as one, even though most of the vulns. are found in their specific configuration/management tools). Add an arbitrary number of applications: KDE and GNOME, that in itself has more apps that are counted for Windows, every free SQL database server, mail server, (LotusDomino for Christ's sake!), imap client, ftp client, ftp server, etc...

Now we have a comparison of a single operating system (Windows) + apps running on it with at least 12 distinct operating systems + 10x the number of apps that was counted for windows. The result is rather surprising: there are JUST 4x more bugs in 12 operating systems + 10x more apps than in windows + windows apps alone! This result is much more unfavorable for Microsoft than to any Unix/Linux OS!

Of course, the fallacy of the comparison is that it suggests that Linux or Unix is an Operating System. For someone who does not look at the details, it might seem that installing a specific Linux or Unix operating system is more risky - hey, there are more bugs found in Linux/Unix, that's what the article says! In fact, the opposite is true, if you look at the details.

Not that the comparison is useful in any way - why are Safari bugs counted at all? Safari runs on OS X only, so you can't just dump safari bugs into linux/unix bugs category (how retarded is that?). Why are bugs found in SuSE YAST counted as Linux bugs? They have nothing to do with linux or unix - they are specific to one operating system: SuSE linux (the same applies for all the bugs counted in Debian, RedHat, Gentoo, etc.) Not to mention the duplications: Eric Raymonds "Fetchmail POP3 Client Buffer Overflow" is counted 5 times for linux and BSDs. There are duplications for windows as well though. In other words, this list or comparison is pretty much unusable.”