Author Archives: Tim

The following information can be obtained with Wireshark;

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
 [truncated]Authorization: Negotiate YIG...NER
    GSS-API Generic Security Service Application Program Interface
        OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
        Simple Protected Negotiation
            negTokenInit
                mechTypes: 4 items
                    MechType: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)
                    MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                    MechType: 1.3.6.1.4.1.311.2.2.30 (NEGOEX - SPNEGO Extended Negotiation Security Mechanism)
                    MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)
                mechToken: 6092a864886...
                krb5_blob: 6092a864886...
                    KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                    krb5_tok_id: KRB5_AP_REQ (0x0001)
                    Kerberos
                        ap-req
                            pvno: 5
                            msg-type: krb-ap-req (14)
                            Padding: 0
                            ap-options: 20000000 (mutual-required)
                                0... .... = reserved: False
                                .0.. .... = use-session-key: False
                                ..1. .... = mutual-required: True
                            ticket
                                tkt-vno: 5
                                realm: INTRA.NET
                                sname
                                    name-type: kRB5-NT-SRV-INST (2)
                                    sname-string: 2 items
                                        SNameString: HTTP
                                        SNameString: intra.net
                                enc-part
                                    etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
                                    kvno: 2
                                    cipher: 678ed5435c9ec4d6...
                            authenticator
                                etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
                                cipher: 62a133014138848d900d436...

The following information can be obtained with Wireshark or with Noodle DEBUG;

1
https://intranet.onelogin.com/trust/saml2/http-post/sso/699546?SAMLRequest=fVLLbtsw...%2FkD&RelayState=https%3A%2F%2Fintra.net%2FSAML.po

Should be sent to the IdP which before it is deflated and base 64 encoded looks like

1
2
3
4
5
6
7
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="-5abe3a1a-1671d27aa18--8000" Version="2.0" IssueInstant="2018-11-16T15:33:17Z" ProviderName="Noodle" Destination="https://intranet.onelogin.com/trust/saml2/http-post/sso/699546" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://intra.net/SAML.po">
    <saml:Issuer>Noodle</saml:Issuer>
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted" AllowCreate="true" />
    <samlp:RequestedAuthnContext Comparison="false">
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

The IdP should reply with "Content-Type: application/x-www-form-urlencoded" containing "SAMLResponse: PHN...fCg==" which when base 64 decoded looks like

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="R6229535893ec8f41746de8cd0bb42fe1008d88a7" Version="2.0" IssueInstant="2018-11-16T15:33:18Z" Destination="{recipient}" InResponseTo="-5abe3a1a-1671d27aa18--8000">
    <saml:Issuer>https://app.onelogin.com/saml/metadata/699546</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Version="2.0" ID="pfx95004805-783d-f0ee-f32d-17d50ca7ef90" IssueInstant="2018-11-16T15:33:18Z">
        <saml:Issuer>https://app.onelogin.com/saml/metadata/699546</saml:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                <ds:Reference URI="#pfx95004805-783d-f0ee-f32d-17d50ca7ef90">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <ds:DigestValue>uCsDHp/wXNnMIz7nkq2D7OF81zY=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>QbDsbkTMULdxYmiV8lu64jUE4BNj7ETQvUhjlgHrbaUKMaUdnluJma8T9jh8WOUEQw+Of/MGP4hMJE18f2XOJJK3X3VQnlggE5z98xjHrP0SugRH+elgQpOVkB9ht685UXtzRF6SVAIwstOGphOgqgGRwrG9fPQpN6DAKr00IOc6ItM7cbhVnA+EA8iHP8WP0n+VZXkdub9Sb/tgVkimih3/7DZPIWi6FpmlsTN88mlxBXJKnslr1Iw0ZLqLjR5dJSFz7SHrkBijirFf/kOydoQeOQrRS+6XzOmXayWCP2hHWXVvr5Ye1GbDZyjKTxMpObc+Lv6nj7llC1Mal2M0cw==</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>MIIEFzCCAv+gAwIBAgIUUVsi+5GzFHp5EeCzav01iiNyreEwDQYJKoZIhvcNAQEFBQAwWDELMAkGA1UEBhMCVVMxEDAOBgNVBAoMB1ZpYWxlY3QxFTATBgNVBAsMDE9uZUxvZ2luIElkUDEgMB4GA1UEAwwXT25lTG9naW4gQWNjb3VudCAxMDkzNzAwHhcNMTcwNjI1MTYzMjM5WhcNMjIwNjI2MTYzMjM5WjBYMQswCQYDVQQGEwJVUzEQMA4GA1UECgwHVmlhbGVjdDEVMBMGA1UECwwMT25lTG9naW4gSWRQMSAwHgYDVQQDDBdPbmVMb2dpbiBBY2NvdW50IDEwOTM3MDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMFTuHcxpp8/hhD8BepAo8EI9AT7dACYFfISZo9IEcBMI1af3p/mm+lV9Iz1ZvoFTddIxHQMVe686segtdkg+p/LA+bWETyRv59yDfH8B3avZkbZkXR7lYq+noMMpQwoA3JYDcJGp9Hoh7FHuhCEZZQCGMuUbGaHMTMaMipzPB7AI9Bg6nZpTmDRqzPEd6SzKJHs18W2dZxJA+lDfze2tfyBaAuC2VFqJ3R2NZhZtpUE7IqCG67zv3ItLNk0sDqPEU3/LSIGyT0+fYcVEraBpIMkLp4MQDcihyTWZSVfhdxaOr0Fn4fUV9aTS/a1a5gybK/zat0cs6pJDgBSfoh9xRUCAwEAAaOB2DCB1TAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQFLDFhCLxjqc6f+cwpm7YnNZH2PTCBlQYDVR0jBIGNMIGKgBQFLDFhCLxjqc6f+cwpm7YnNZH2PaFcpFowWDELMAkGA1UEBhMCVVMxEDAOBgNVBAoMB1ZpYWxlY3QxFTATBgNVBAsMDE9uZUxvZ2luIElkUDEgMB4GA1UEAwwXT25lTG9naW4gQWNjb3VudCAxMDkzNzCCFFFbIvuRsxR6eRHgs2r9NYojcq3hMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQUFAAOCAQEAG/YWVdBSvyUjpO8s97Z7KPo843putSf0jgiDHtD8FGddNmdRbAwPbzWBnFupZGyPPgogoEoTRqgRalPvV0xP4PmBMJuAYssI+vwqsj9cqr4pXzpqcsGzJct8SeWSvBqbzBbu+OMbSJ5hm3RvbzSjY6nNAHY7gMe0+7V5Cd+0vzGvmSeXFnKgW7HGlP/98gmDf7KpJYmQmFDITMFc0IS0BQb13SWd7FHVchIXukqqUFFpczWx2cwUmNq1TqcGZESA3XEGbtiJ0HoEmSIQA2RLGSgEPSUgMV+UM8MhYf/bQx6VAInizM/10IokZaAQn2fzz0m5uIbf2qSMXBBoYWWWng==</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">tim@intra.net</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData NotOnOrAfter="2018-11-16T15:36:18Z" Recipient="{recipient}" InResponseTo="-5abe3a1a-1671d27aa18--8000" />
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2018-11-16T15:30:18Z" NotOnOrAfter="2018-11-16T15:36:18Z">
            <saml:AudienceRestriction>
                <saml:Audience>{audience}</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2018-11-16T15:33:17Z" SessionNotOnOrAfter="2018-11-17T15:33:18Z" SessionIndex="_c9a77760-cbdb-0136-fc65-0233ce1b6e10">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
    </saml:Assertion>
</samlp:Response>

 

 

GDPR checklist;

Local

  • We hold payment information optionally provided by clients, and share it with no one. we use it to charge for our software service.
  • We hold at least one pice of contact information to update payment information.
  • Data is stored on our accounting computer
  • This is our publicly accessible policy
  • We have a DPO
  • Our staff and management is aware of this document
  • We use modern and up to date security.
  • We appoint clients as there own representatives in the EU
  • If ever we become aware of a personal data breach our customers and local authorities will be made aware.
  • customers can verify and update information by simply asking.
  • We review this policy annually or as required.
  • We understand when DPIA is required

Hosted

  • Data is stored-in / removed-from a location of the clients request.

  1. Create a drive key and secret
  2. Put them in "System Tools > Settings > General > Google Drive OAuth"
    1. Note that OAuth requires your Noodle server to be accessed via a public domain
  3. Enable in the "Administration > Properties" of the folder you want to connect.
  4. View the folder and follow the prompts.

Vialect Bug Bounty;

  1. Contact us and let us know you are interested
  2. We will send you an installer or an IP address
  3. Qualification
    • Confine aggressive/damaging testing to the installer/IP we provide
    • Keep your findings confidential until we fix the bug (same day we hope)
    • We pay whenever we make a change as a result of your bug report.
  4. Send us a report with enough information for us to reproduce the bug
  5. We will reward you (You will not be prosecuted)
    • Public credit and thanks
    • Payment (varies by severity of the bug from $1 to $1000 per bug)

postgresql.conf ships with quite modest defaults so be sure to august it for anything more than light use. We recommend for ~4k users;

  • Available Memory = System Memory - OS (1GB for Windows) - Java (100 to 512)
  • effective_cache_size = Available Memory / 2
  • shared_buffers  = effective_cache_size / 4
  • max_locks_per_transaction = 512
  • max_connections =  60
  • checkpoint_segments 30
  • log_min_duration_statement = 10000
  • log_line_prefix =  ''%m: ''

There is a convenient config creator here.

When something unexpected happens Noodle will ask you what you were doing and email a stack trace to Vialect. Bug reports may also be sent to techsupport@vialect.com. Please use saleshelp@vialect.com for any other inquiries.

Please provide the following to help us reproduce and correct issues faster:

  • Minimal steps to reproduce the issue from scratch. Possibly relevant details:
    • The URL
    • The version of Noodle
    • The version of Web Browser
    • The version of Operating System
    • A username and password
    • An ordered list of buttons/links clicked
    • Sample file/data
  • Expected behavior, possible details:
    • 720p mockup of desired appearance with min and max sample data.
  • Actual behavior, possible details:
    • A full resolution screen shot including address and scroll bars
    • Web Browser console output
    • The source of any warning pages (wrong format, missing parameter)
    • The source of any email
    • A zip of the Noodle/log folder
  • Observe email educate
    • A short descriptive email subject
    • Reply to the email thread only for the the same issue
    • Don't make new threads for the same issue.
    • Avoid requesting thread history review.
    • Do not place legal or print notes in signatures or otherwise bloat them.
    • Use test in favor of images
    • Use attachments not overlays/embeds of images or text
    • Be concise.

Leaving out information leads to Vialect spending less time creating solutions and more time attempting to reproduce issues and linking to this page.

 

The first encrypted request after starting Noodle can be 3 orders of magnitude slower than normal due to random entropy pool depletion. If your server suffers from this issue (most EC2 servers) you can verify by checking the pool size:

cd /proc/sys/kernel/random/ && cat poolsize entropy_avail

There are at least 3 solutions to a depleted pool:


1 Hardware

Some hardware includes random generators (like the rdrand CPU flag):

cat /proc/cpuinfo | grep -i rdrand | wc -l

You can enable its use with:

Debian/Ubuntu

apt install rng-tools
systemctl start rng-tools.service
systemctl enable rng-tools.service

Fedora/RedHat

yum install rng-tools
systemctl start rngd.service
systemctl enable rngd.service

2 urandom

If you don't have a hardware generator or you don't trust it you can edit /opt/Noodle/multiserver to use:

-Djava.security.egd=file:///dev/urandom

Or edit java.security in $JRE8/lib/security or $JRE9/conf/security to use:

securerandom.source=file:/dev/urandom

3 haveged

For higher throughput and lower CPU usage than urandom haveged can be used but it can still block:

Debian/Ubuntu

apt install haveged
systemctl start haveged.service
systemctl enable haveged.service

Fedora/RedHat

yum install haveged
systemctl start haveged.service
systemctl enable haveged.service