This document is just the first of the new series of “Linux blueprints” (step-by-step guides for accomplishing specific tasks with Linux) which will be published on the IBM Systems Information Center (Info Center).

Enjoy!

[1] http://www.press.redhat.com/2008/05/21/red-hat-enterprise-linux-52/
[2] http://ecryptfs.sourceforge.net/
[3] http://trousers.sourceforge.net/

James Morris notes related work in his blog posting from this morning and offers to help the community preserve interoperability with SELinux.

Personally, I would be delighted to see widespread adoption of the FLASK architecture lead to usability improvements and complexity reduction across the board.

[1] http://www.opensolaris.org/os/project/fmac/
[2] http://www.opensolaris.org/jive/thread.jspa?messageID=204568𱼘
[3] http://www.osnews.com/thread?303491
[4] http://james-morris.livejournal.com/2008/03/05/

Now there is an excellent new article on developerWorks by Robb Romans Improving Security with polyinstantiation which describes in simple and detailed terms how administrators can polyinstantiate /tmp (and other world writable directories) to help prevent attacks through /tmp. This technique usable whether or not SELinux is enabled. This article helps answer calls for the complete elimination of world writable directories so as to defeat resource exhaustion attacks (quotas were described as “non-optimal”). One can instead use the method described in this paper to polyinstantiate world writable directories to completely different devices to effectively eliminate the attack. (Yes, they grok TMPDIR. And, yes, unfortunately there are customers who won’t use SELinux.)

So if you were wondering how you can get your feet wet with polyinstantiation, give the steps described in Robb’s article a try.

[1] http://download.boulder.ibm.com/ibmdl/pub/software/dw/linux/lspp-rbac.pdf
[2] http://www.coker.com.au/selinux/talks/sage-2006/PolyInstantiatedDirectories.html
[3] http://www.ibm.com/developerworks/linux
[4] http://www.ibm.com/developerworks/linux/library/l-polyinstantiation/

One of the most common requests I hear is for automation of security hardening, so it was pretty cool when TCS announced their Security Blanket product last fall. Earlier this month they announced that it is now compliant with DISA’s STIG. This is cool and all, but didn’t anyone tell their marketing branch that a security blanket just makes you feel better but doesn’t offer any real security? Not exactly the message that you want your hardening tool to confer.

I have a weakness for stories like Hacks, Phreaks, Worms, Tigers
and Bears–Oh My “The top eight events that changed the course of computer security history (and two that didn’t)” Nothing earth shattering, but a fun quick read.

And, of course, IBM to collaborate on NSA program is just amazingly awesome good news.

Links in this edition:
[1] http://citp.princeton.edu/memory/
[2] http://www.freedom-to-tinker.com/?p=1257
[3] http://www.infoworld.nl/idgns/002570DE00740E18002573F6007D544C/disk-encryption-easily-cracked–researchers-find.html
[4] http://www.techworld.com/security/news/index.cfm?newsID=11371
[5] http://halcrow.us/cgi-bin/blosxom
[6] http://www.nydailynews.com/money/2008/01/28/2008-01-28_sensitive_info_lives_on_in_old_computers.html
[7] http://www.gcn.com/online/vol1_no1/45781-1.html
[8] http://www.washingtontechnology.com/online/1_1/32222-1.html

Thanks to LinuxSecurity.com for linking to my blog and adding my blog to the “Featured Bloggers” section of the page. Most appreciated!

The most fun security news story has been covered everywhere but I’m going to include it here anyway precisely because it is so much fun. Joe Barr interviewed Linus Torvalds, Andrew Morton, Ted T’so, and Fyodor and wrote up an article called “Celebrity Advice on keeping your desktop secure”. It includes some excellent tips, like be wary of macro viruses which can also impact OpenOffice (from Ted) and update often, preferably nightly (from Fyodor). Fyodor made the point that the desktop is not the only critical factor for internet security because it can’t save people from themselves - falling for 419 scams, etc. In the end, perhaps the most fun part of the article is the voyeuristic thrill from knowing that Linus is so paranoid about the security of his systems.

With LCA’08 ongoing, there are some interesting news stories appearing on the LCA Planet and it is all too easy to lose far too much time there. I highly recommend the Jim Gettys’ post about the OLPC which reiterates all of the reasons why the OLPC is a critical project for our industry, our children, and our world.

Bruce Schneier’s keynote sounds like it was a good one hitting the high notes on psychology and information: “As security designers we need to address both the feeling and the reality of security” and “‘The way to get people to notice that reality and feeling haven’t converged is information. Information is the best weapon we have.’ In the IT industry, this information is a scarce resource, he said.” It will be interesting to see what he does next to get the industry to produce and publish the data.

On the convergence of security and productivity, zenhabits, a well-known productivity blog, has a guest post on How Productivity Habits Reduced the Impact of Theft … Twice in which Lodewijk’s habit of storing no files on his laptop which he started to improve his productivity has the nice effect of preventing data loss when two company laptops were stolen from him.

And finally, if you don’t already read Bob Blakley’s blog, I highly recommend it. He posts infrequently, but thinks deeply and writes beautifully. Plus he often adds gorgeous photographs. His most recent post is about why he bet his buddy a bottle of Scotch that DRM will be non-existent in the film industry within 4 years. His premise is that in the manner of Robert Rodriguez of old, new artists will make movies on the cheap and release them without DRM. Of course, Robert Rodriguez now makes $100M movies and YouTube is full of movies made on the cheap. That snarky remark aside, I wouldn’t bet against Bob’s vision but I might bet against the timeline. Despite the risk to the existing movie studios, I don’t see them changing their business model until faced with extinction because the New Studio’s massive growth. I would also expect them to pull whatever business tricks are necessary to keep the New Studio down as long as possible.

The January State of Spam Report says that in December spam accounted for 75% of all email. Just a reminder of the cost that we pay daily for failing to build any type of security into the protocol.

Here’s another interesting look of the daily human cost of some security technologies - Study: IT Monitoring Stresses Workers Out. Key quote: “The main consequence of IT surveillance has been a sharp increase in work strain, involving feelings of exhaustion, anxiety and worry related to work…” and unbelievably, “More than half of British workers are now under some sort of IT scrutiny…” Is the value of the data they are protecting through these measures really greater than the individual and societal cost of the measures?

1. http://etbe.coker.com.au/2008/01/20/lca-2008-security-blogging-contest
2. http://www.networkworld.com/nlvirusbug117216
3. http://www.darkreading.com/document.asp?doc_id=142821&f_src=drweekly

http://www.linuxsecurity.com/
http://www.linuxsecurity.com/content/view/133305/169/

1. http://sourceforge.net/mailarchive/forum.php?
thread_name=da7b3ce30801131643j74be4064l52daa8c0e90efa83%40mail.gmail.com&forum_name=trousers-users
2. PrivacyCA.com
2. http://trousers.sourceforge.net/faq.html#2.1

2. The guru speaks to the Linux community: Interview with Bruce Schneier called Bruce Almighty: Schneier preaches security to Linux faithful (dated Dec. 27, 2007). Choice quotes: “Do you think that technologists sometimes forget about the human element generally when designing, developing, testing, implementing and/or maintaining systems? Sometimes? I think they forget almost all the time.” and “What will be the biggest security issues in the future? Crime. Crime, crime, crime. Everything else pales in comparison.”

3. 11 open-source projects certified as secure: You can see my previous blog posting about quibbles with the way that the story is written, but ultimately this is great news for open source and well worth mentioning again. Here’s a good story about the same announcement (best story on the topic that I have seen in this round): Weeding Out Flaws in Open-Source Apps

4. Data center robbery leads to new thinking on security is an interesting look at the data center break-in that occurred last October. Key quote: “‘The second someone crosses the line to armed robbery – [risking] a 25- to 50-year prison sentence – to steal some servers, we’re in different realm of security now,’ he said.”

5. Top 10 security headlines from 2007. I would have thought that the British data loss on most families with children under the age of 16 would have made this list but it is not here.

6. Yahoo tests support for OpenID. Key quote: “‘I expect Yahoo’s implementation to be a major influence in encouraging OpenID 2 adoption,’ wrote Simon Willison”.

In other news:

1. KernelTrap’s story on Decoding Oops and the referenced emails from Linus Torvalds and Al Viro are worth studying closely.

2. The Linux Foundation’s new podcast series Open Voices is off to a great start.

3. Linux guru offers sneak peak at Kernel Report - Computerworld interviews Jonathan Corbet. Key quote: “I am confident that, five years from now, we will say that we were able to accept unprecedented amounts of new code at a sustained rate for years while improving the quality of the final product.”

4. LWN.net: a ten-year timeline (part 1) LWN’s 10 year anniversary retrospective. (Subscriber only for 5 more days.) Interesting quote: “When Intel put money into Red Hat, it became clear to all that both Linux and Red Hat were headed toward success. This was, in some real sense, the point where Linux entered the dotcom bubble, though the real action was still a year away.”