Open Source Security

It has been a little while since I last wrote in the blog. I am still experimenting with how often to post, to balance out the drivel with the interesting and the original. I have to say that I was a little surprised at how well received the “Best Security News Stories” line has been, so I will keep that up. If a story makes me want to run down the halls and tell my co-workers, I’ll post it here instead.

Thanks to LinuxSecurity.com for linking to my blog and adding my blog to the “Featured Bloggers” section of the page. Most appreciated!

The most fun security news story has been covered everywhere, but I’m going to include it here anyway precisely because it is so much fun. Joe Barr interviewed Linus Torvalds, Andrew Morton, Ted Ts’o, and Fyodor and wrote up an article called “Celebrity Advice on keeping your desktop secure”. It includes some excellent tips, like being wary of macro viruses, which can also affect OpenOffice (from Ted), and updating often, preferably nightly (from Fyodor). Fyodor made the point that the desktop is not the only critical factor for internet security, because it can’t save people from themselves (falling for 419 scams, etc.). In the end, perhaps the most fun part of the article is the voyeuristic thrill of learning just how paranoid Linus is about the security of his own systems.

With LCA’08 ongoing, there are some interesting news stories appearing on the LCA Planet, and it is all too easy to lose far too much time there. I highly recommend Jim Gettys’ post about the OLPC, which reiterates all of the reasons why the OLPC is a critical project for our industry, our children, and our world.

Bruce Schneier’s keynote sounds like it was a good one, hitting the high notes on psychology and information: “As security designers we need to address both the feeling and the reality of security.” And: “The way to get people to notice that reality and feeling haven’t converged is information. Information is the best weapon we have.” In the IT industry, he said, this information is a scarce resource. It will be interesting to see what he does next to get the industry to produce and publish the data.

On the convergence of security and productivity, zenhabits, a well-known productivity blog, has a guest post titled How Productivity Habits Reduced the Impact of Theft … Twice, in which Lodewijk’s habit of storing no files on his laptop, which he started in order to improve his productivity, had the nice side effect of preventing data loss when two company laptops were stolen from him.

And finally, if you don’t already read Bob Blakley’s blog, I highly recommend it. He posts infrequently, but thinks deeply and writes beautifully. Plus he often adds gorgeous photographs. His most recent post is about why he bet his buddy a bottle of Scotch that DRM will be non-existent in the film industry within four years. His premise is that, in the manner of the early Robert Rodriguez, new artists will make movies on the cheap and release them without DRM. Of course, Robert Rodriguez now makes $100M movies, and YouTube is already full of movies made on the cheap. That snarky remark aside, I wouldn’t bet against Bob’s vision, but I might bet against the timeline. Despite the risk to the existing movie studios, I don’t see them changing their business model until they are faced with extinction because of the New Studio’s massive growth. I would also expect them to pull whatever business tricks are necessary to keep the New Studio down for as long as possible.

Russell Coker is running a security blogging contest in conjunction with LCA 2008. Only people who have never been employed to work on security, who have their own blogs, and who write positive blog entries on a security topic are eligible. He’s looking for commercial sponsors and offering cash prizes. This looks like a very cool contest that will hopefully have the nice side effect of garnering complete coverage of all of the security topics at the conference for those of us who are not there. Thanks, Russell!

The January State of Spam Report says that in December spam accounted for 75% of all email. Just a reminder of the cost we pay daily for failing to build any kind of sender authentication or other security into the mail protocol itself.

Here’s another interesting look at the daily human cost of some security technologies: Study: IT Monitoring Stresses Workers Out. Key quote: “The main consequence of IT surveillance has been a sharp increase in work strain, involving feelings of exhaustion, anxiety and worry related to work…” and, unbelievably, “More than half of British workers are now under some sort of IT scrutiny…” Is the value of the data being protected by these measures really greater than the individual and societal cost of the measures themselves?

1. http://etbe.coker.com.au/2008/01/20/lca-2008-security-blogging-contest
2. http://www.networkworld.com/nlvirusbug117216
3. http://www.darkreading.com/document.asp?doc_id=142821&f_src=drweekly

1. The Fedora Weekly News Issue 114 (dated Dec. 31, 2007) describes three “SELinux Rants” along with the response from the Fedora community. Choice quote: “…suggested that rather than blame SELinux for complexity it was better to realize that it was describing the complex interactions between different pieces of software.” Personally, I disagree with this sentiment. I think that our tools should abstract away some of the complexity rather than reflecting it back up to the user. I understand that details get lost during abstraction, which can be detrimental to security, but if there cannot be some level of secure abstraction, then the tool is not going to be usable by the average user or administrator. Thanks to Oisin Feeley for this excellent synopsis of the threads.

2. The guru speaks to the Linux community: an interview with Bruce Schneier called Bruce Almighty: Schneier preaches security to Linux faithful (dated Dec. 27, 2007). Choice quotes: “Do you think that technologists sometimes forget about the human element generally when designing, developing, testing, implementing and/or maintaining systems? Sometimes? I think they forget almost all the time.” and “What will be the biggest security issues in the future? Crime. Crime, crime, crime. Everything else pales in comparison.”

3. 11 open-source projects certified as secure: see my previous blog posting for my quibbles with the way the story is written, but ultimately this is great news for open source and well worth mentioning again. Here’s a good story about the same announcement (the best on the topic that I have seen in this round): Weeding Out Flaws in Open-Source Apps.

4. Data center robbery leads to new thinking on security is an interesting look at the data center break-in that occurred last October. Key quote: “‘The second someone crosses the line to armed robbery – [risking] a 25- to 50-year prison sentence – to steal some servers, we’re in a different realm of security now,’ he said.”

5. Top 10 security headlines from 2007. I would have thought that the British government’s loss of data on most families with children under the age of 16 would have made this list, but it is not here.

6. Yahoo tests support for OpenID. Key quote: “‘I expect Yahoo’s implementation to be a major influence in encouraging OpenID 2 adoption,’ wrote Simon Willison”.

In other news:

1. KernelTrap’s story on Decoding Oops and the referenced emails from Linus Torvalds and Al Viro are worth studying closely.

2. The Linux Foundation’s new podcast series Open Voices is off to a great start.

3. Linux guru offers sneak peek at Kernel Report: Computerworld interviews Jonathan Corbet. Key quote: “I am confident that, five years from now, we will say that we were able to accept unprecedented amounts of new code at a sustained rate for years while improving the quality of the final product.”

4. LWN.net: a ten-year timeline (part 1) is LWN’s 10-year anniversary retrospective. (Subscriber-only for 5 more days.) Interesting quote: “When Intel put money into Red Hat, it became clear to all that both Linux and Red Hat were headed toward success. This was, in some real sense, the point where Linux entered the dotcom bubble, though the real action was still a year away.”