Open Source Security » Products

Red Hat Enterprise Linux 5.2 contains two security Technology Previews

Emily Ratliff — Wed, 21 May 2008 21:47:29 +0000

Red Hat Enterprise Linux 5.2 was released today. That is significant news in and of itself, but I am especially excited because it contains Technology Previews of eCryptfs, TrouSerS, and tpm-tools! As Technology Previews, they are not yet supported for production use, but this is the first step to allow for experimentation and time for ripening. I’m happy to see Red Hat’s continued dedication to security. If you try these packages out in RHEL, I’d love to hear of any successes or problems that you encounter.

[1] http://www.press.redhat.com/2008/05/21/red-hat-enterprise-linux-52/
[2] http://ecryptfs.sourceforge.net/
[3] http://trousers.sourceforge.net/

Not with a bang, but a whimper

Emily Ratliff — Fri, 15 Feb 2008 04:04:38 +0000

Roy Fielding[1] finally quit the OpenSolaris community today, see his resignation letter[2]. The kettle finally boiled over and the realization come to many (but not all) that Sun is publishing their Solaris code for marketing purposes, rather than creating an independent, community-led, open source project with the ability to make real decisions.

It seemed so promising at first: “[T]hey made promises about it being an open development project. … Sun gave up its right to make arbitrary decisions regarding the phrase ‘OpenSolaris’ as part of its public agreement with the community in the form of the Charter. That was a self-imposed restriction in exchange for the benefits of community-driven development, freely made, and cannot be changed except in accordance with the charter itself (for example, by amending or dissolving the charter).” (excerpt from Roy Fielding’s resignation letter) But it was a sham: “The charter has therefore been violated. … Sun agreed that ‘OpenSolaris’ would be governed by the community and yet has refused, in every step along the way, to cede any real control over the software produced or the way it is produced, and continues to make private decisions every day that are later promoted as decisions for this thing we call OpenSolaris.” (excerpt from Roy Fielding’s resignation letter)

To be fair, most developers recognized the community as a sham right away merely based on the copyright and patent assignments required by the contributors agreement[3]. To date, Sun has received 578 patches[4], which represents a rate of 0.6 patches a day (first patch dated 6/17/05, there were some earlier undated contributions). Linus gets more patches while he is brushing his teeth than OpenSolaris gets in a week. Despite Roy’s efforts to build a real community, contributing to OpenSolaris always has been and seemingly always will be, corporate welfare.

For me, the realization that Sun just doesn’t get it, and never will, was crystallized the day I was turned away from an OpenSolaris Users’ Group meeting for refusing to sign an NDA.

It is a credit to the Solaris engineers that a few hearty souls want to soldier on amidst the wreckage: “Nonetheless I believe the time has come for a reboot and I am looking for other like-minded people to stand and form a full Board for positive change.”[5] And others who are even contemplating forking: “We will need to build out our infrastructure so that we can host development, mailing-lists and etc.. Once that is done, we will need to make the case to start moving development to the new organization/infrstructure. This will mean that even Sun employees will have to chose to move their development work to a community ‘controlled’ development infrastructure.”[6] It is to them, that I dedicate the title.

[1] http://en.wikipedia.org/wiki/Roy_Fielding
[2] http://mail.opensolaris.org/pipermail/ogb-discuss/2008-February/004488.html
[3] http://www.opensolaris.org/os/about/sun_contributor_agreement/
[4]http://www.opensolaris.org/os/bug_reports/request_sponsor/
[5] http://mail.opensolaris.org/pipermail/ogb-discuss/2008-February/004487.html (Yes, the author of this email is a Sun employee.)
[6] http://mail.opensolaris.org/pipermail/ogb-discuss/2008-February/004477.html

New book on Trusted Computing

Emily Ratliff — Wed, 19 Dec 2007 21:59:18 +0000

Current and former co-workers, Kent Yoder, Dave Challener, Ryan Catherman, Dave Safford, and Leedert van Doorn have written a book called A Practical Guide to Trusted Computing. It’s now available for pre-order on Amazon and will available on Jan. 7, 2008. The authors have been instrumental in the creation of the TCG specs and key open source software, for example, Dave led the TSS Working Group for years and Leendert was on the Board of Directors. I reviewed an early copy of the book almost exactly a year ago. My favorite parts of the version that I read were the chapters on TSS along with the sample code for how to use the TSS API and the chapter on use cases for Trusted Computing (for the sheer fun of it). I think that it definitely lives up to its billing as a practical guide and it provides a complete grounding in the concepts of trust, attestation, measurement, etc. that are foundational to Trusted Computing. It is very readable and is a faster read and shorter than it seems because of the reference information included. I haven’t yet seen the ultimate version of the book, but I’m eagerly awaiting my copy from Amazon. Congratulations to the authors for sticking through the long haul and providing such a useful book!

HP’s Laughable Claims About Range of HW Certified

Emily Ratliff — Mon, 05 Nov 2007 21:04:16 +0000

According to HP Backs Red Hat in Government Biz Bid [1], “Lillestolen said, however, that HP has gone further than Big Blue by certifying a wider range of hardware.” Hopefully, this is just a mistake in the reporting and HP isn’t actually making such outrageous claims. As you can see in the Validation Report [2], HP tested on

Intel Xeon (HP DL360)
Intel Xeon/Pentium (HP Compaq dc7600)
Intel Xeon EM64T (HP DL360) - dualcore
Intel Xeon EM64T (HP DL360) - singlecore
AMD Opteron (HP DL 385) â€“ singlecore
AMD Opteron (HP DL 385) - dualcore
AMD Opteron (HP DL 145) - singlecore
Intel Itanium 2 (rx 3600) â€“ dualcore
Intel Itanium 2 (rx 2620) â€“ singlecore

According to IBM’s Validation Report [3], the following platforms were tested:

System z Hardware: z900/z9 Host Operating system running: z/VM 5.1 or z/VM 5.3 within a PR/SM logical partition
Opteron Hardware: model 3455, Bladecenter LS-21
System p Hardware: p5 720 (9124), Bladecenter JS-21 Host system running: LPAR partition
System x 3550, HS-20 Bladecenter, HS-21 Bladecenter Hardware: Intel Xeon with Hyperthreading and EM64T

In both cases, 8 different machines were tested. However, IBM tested radically different architectures, whereas HP tested minor variations of a few themes. For those of you not familiar with IBM terminology, the IBM evaluation tested a mainframe, a POWER system, a POWER blade, a rack-mounted Opteron system and Opteron blade, two Intel Xeon blades, and a rack mounted, dual-core Intel Xeon server. For those unfamiliar with HP’s line of hardware as I am, their website shows that HP tested one desktop and 3 rack-mountable Intel Xeon systems, three rack-mountable Opteron systems, and two rack-mountable Itanium systems. None of the systems listed in their Validation Report is a laptop contrary to Lillestolen’s claim.

I am glad to see that RHEL5 has received so much testing in the MLS configuration. Perhaps widespread knowledge that many systems were tested in many configurations will help speed the adoption of the MLS configuration in the defense industry. But I hope that reporters won’t let HP get away with making such wild statements that are easily refutable via on-line documents.

[1] http://www.internetnews.com/ent-news/article.php/3708611
[2] http://www.commoncriteriaportal.org/public/files/epfiles/st_vid10165-vr.pdf
[3] http://www.commoncriteriaportal.org/public/files/epfiles/st_vid10125-vr.pdf

Security is our Brand!

Emily Ratliff — Fri, 02 Nov 2007 16:35:45 +0000

As a security practitioner, you’ve got to love it when your company comes out with a line like “Security is our brand” [1] and the press eats it up. Of course, security has always been our brand and, on the Open Source side, we have done some significant things to prove it. I’m speaking here of our multi-million dollar investment over the course of many years to Common Criteria certify Red Hat and Novell SUSE. We started out at EAL2 with the security functionality defined in our Security Target against the pre-existing security functionality in SLES 8. We got that evaluation done within 6 months when everybody was saying that it couldn’t be done - ‘Common Criteria certification takes years’, ‘open source can’t be certified’ they said. From that ground work, we marched up the value chain to LSPP/RBACPP/CAPP at EAL4+ with RHEL5 when still (after 6 successful evaluations at progressive levels) people were saying that it couldn’t be done (although much more subtly now) - “The lack of this protection might prevent another evaluation target from passing this evaluation.” [2]

Our LSPP evaluation included more hardware platforms in one evaluation (7) than all previous completed LSPP certifications combined. The beauty of the range of platforms certified is that it allows government agencies who need LSPP to also take advantage of the scale-up and scale-out capabilities inherent in Linux. As a tax payer, I love this because it allows government agencies to benefit from the lower TCO that Linux and open source software provide.

The LSPP evaluation, in my eyes, constitutes a revalidation of the open source development methodology because the project included competing and cooperating companies, along with government, distro, and individual contributors who were contributing as a labor of love and because they believe in the necessity of adding this level of security to Linux.

When we completed the LSPP evaluation, I went back and looked at all of the people who had contributed to the Common Criteria certification effort over the years. Just within IBM, the number went into the high double digits. Of course, none of this would have been possible without the dedication and passion for security shown by Novell and Red Hat. And our evaluator was invaluable - the insight, integrity and sheer brilliance of the people working for atsec is without measure or compare.

Security is Our Brand!

[1] http://www.internetnews.com/security/article.php/3708446
[2] http://www.sun.com/bigadmin/features/hub_articles/mls_trusted_exts.jsp

IBM to spend $1.5B on security development in 2008

Emily Ratliff — Thu, 01 Nov 2007 21:03:04 +0000

This press item has been picked up all over the place - IBM announces an initiative to invest $1.5B in security development and marketing for 2008. This is seriously cool.

Very interesting quotes from IBM executive Val Rahmani:
“‘We believe there’s a crisis in the marketplace right now,’ said Val Rahmani, who heads IBM’s infrastructure management services.” from NYTimes at http://www.nytimes.com/aponline/technology/AP-IBM-Security.html?_r=1&oref=slogin

“‘Security is broken,” Val Rahmani, general manager of IBM’s infrastructure management services, said in a telephone interview. ‘There has been a perfect storm of threats.”’ from http://www.bloomberg.com/apps/news?pid=20601204&sid=a6ohOhxgElJ0&refer=technology

Overloaded Terms and Acronyms - TCP and Trusted Computing

Emily Ratliff — Fri, 14 Sep 2007 19:44:49 +0000

The Register has a story Root-locked Linux for the Masses[1] that I’m finding almost unreadable because in the first sentence, the project originator has overloaded by the acronym TCP and the term Trusted Computing. I find it supremely amusing that someone would start a new project called the Trusted Computing Project, which has absolutely nothing to do with Trusted Computing - talk about starting from a deficit.

[1] http://www.theregister.co.uk/2007/09/14/linux_box/