Open Source Security
Welcome at » 2008 » January

It’s been a little time since I have written in the blog. I’m still experimenting with how often to post to balance out the drivel with the interesting and the original. I have to say that I’m was a little surprised at how well received the “Best Security News Stories” line has been so I will keep that up. If a story makes me want to run down the halls and tell my co-workers, I’ll post it here instead.

Thanks to LinuxSecurity.com for linking to my blog and adding my blog to the “Featured Bloggers” section of the page. Most appreciated!

The most fun security news story has been covered everywhere but I’m going to include it here anyway precisely because it is so much fun. Joe Barr interviewed Linus Torvalds, Andrew Morton, Ted T’so, and Fyodor and wrote up an article called “Celebrity Advice on keeping your desktop secure”. It includes some excellent tips, like be wary of macro viruses which can also impact OpenOffice (from Ted) and update often, preferably nightly (from Fyodor). Fyodor made the point that the desktop is not the only critical factor for internet security because it can’t save people from themselves – falling for 419 scams, etc. In the end, perhaps the most fun part of the article is the voyeuristic thrill from knowing that Linus is so paranoid about the security of his systems.

With LCA’08 ongoing, there are some interesting news stories appearing on the LCA Planet and it is all too easy to lose far too much time there. I highly recommend the Jim Gettys’ post about the OLPC which reiterates all of the reasons why the OLPC is a critical project for our industry, our children, and our world.

Bruce Schneier’s keynote sounds like it was a good one hitting the high notes on psychology and information: “As security designers we need to address both the feeling and the reality of security” and “‘The way to get people to notice that reality and feeling haven’t converged is information. Information is the best weapon we have.’ In the IT industry, this information is a scarce resource, he said.” It will be interesting to see what he does next to get the industry to produce and publish the data.

On the convergence of security and productivity, zenhabits, a well-known productivity blog, has a guest post on How Productivity Habits Reduced the Impact of Theft … Twice in which Lodewijk’s habit of storing no files on his laptop which he started to improve his productivity has the nice effect of preventing data loss when two company laptops were stolen from him.

And finally, if you don’t already read Bob Blakley’s blog, I highly recommend it. He posts infrequently, but thinks deeply and writes beautifully. Plus he often adds gorgeous photographs. His most recent post is about why he bet his buddy a bottle of Scotch that DRM will be non-existent in the film industry within 4 years. His premise is that in the manner of Robert Rodriguez of old, new artists will make movies on the cheap and release them without DRM. Of course, Robert Rodriguez now makes $100M movies and YouTube is full of movies made on the cheap. That snarky remark aside, I wouldn’t bet against Bob’s vision but I might bet against the timeline. Despite the risk to the existing movie studios, I don’t see them changing their business model until faced with extinction because the New Studio’s massive growth. I would also expect them to pull whatever business tricks are necessary to keep the New Studio down as long as possible.

Russell Coker is running a security blogging contest in conjunction with LCA 2008. Only people who have never been employed to work on security, have their own blogs, and who write positive blog entries on a security topic are eligible. He’s looking for commercial sponsors and offering cash prizes. This looks like a very cool contest that will hopefully have the nice side effect of garnering complete coverage of all of the security topics at the conference for those of us who are not there. Thanks, Russell!

The January State of Spam Report says that in December spam accounted for 75% of all email. Just a reminder of the cost that we pay daily for failing to build any type of security into the protocol.

Here’s another interesting look of the daily human cost of some security technologies – Study: IT Monitoring Stresses Workers Out. Key quote: “The main consequence of IT surveillance has been a sharp increase in work strain, involving feelings of exhaustion, anxiety and worry related to work…” and unbelievably, “More than half of British workers are now under some sort of IT scrutiny…” Is the value of the data they are protecting through these measures really greater than the individual and societal cost of the measures?

1. http://etbe.coker.com.au/2008/01/20/lca-2008-security-blogging-contest
2. http://www.networkworld.com/nlvirusbug117216
3. http://www.darkreading.com/document.asp?doc_id=142821&f_src=drweekly

LinuxSecurity.com is running a fascinating retrospective on the Top 10 SELinux stories of 2007. It makes for fascinating reading and shows some of the issues around SELinux (complexity – #1 and #8), some of the progress that was made in 2007 (secure networking – #4, setools – #6), and some of the critical benefits of using SELinux (SELinux protection of Samba – #2 and #10). The top stories were chosen based on the number of hits they generated. I think that it is too bad that a story about a wiki (#3) beat out any story on the first Common Criteria certification of SELinux (not present on the list at all). The importance of the Common Criteria certification of SELinux in RHEL 5 is that it makes it more easily adoptable by the U.S. government which in turn makes Linux in general more easily adoptable by the government.

http://www.linuxsecurity.com/
http://www.linuxsecurity.com/content/view/133305/169/

A longstanding limitation of doing remote attestation between “strangers” has been eased through some experimental work that Hal Finney recently announced on the TrouSerS user’s list. Hal has announced that he has created a Privacy CA at PrivacyCA.com. Question 2.1 of the TrouSerS FAQ contains a graphic showing the prerequisite pieces for doing remote attestation. Hal has filled in the Privacy CA and notes that Infineon does supply the Endorsement Credential. He also provides a “test and debug mode” so that users of other TPMs can still experiment with the service without the guarantee that they are using real TPMs. Up to now, attestation keys had to be exchanged via sneaker net (manual exchange and verification before attestation was possible) to enable machines to do remote attestation. Hal’s announcement represents a great leap forward in the usefulness of TPMs.

1. http://sourceforge.net/mailarchive/forum.php?
thread_name=da7b3ce30801131643j74be4064l52daa8c0e90efa83%40mail.gmail.com&forum_name=trousers-users

2. PrivacyCA.com
2. http://trousers.sourceforge.net/faq.html#2.1

1. The Fedora Weekly News Issue 114 (dated Dec. 31, 2007) describes three “SELinux Rants” along with the response from the Fedora community. Choice quote: “…suggested that rather than blame SELinux for complexity it was better to realize that it was describing the complex interactions between different pieces of software.” Personally, I disagree with this sentiment. I think that our tools should abstract away some of the complexity rather than reflecting the complexity up to the user. I understand that details get lost during abstraction which can be detrimental to security, but if there cannot be some level of secure abstraction, then the tool is not going to be usable by the average user/administrator. Thanks to Oisin Feeley for this excellent synopsis of the threads.

2. The guru speaks to the Linux community: Interview with Bruce Schneier called Bruce Almighty: Schneier preaches security to Linux faithful (dated Dec. 27, 2007). Choice quotes: “Do you think that technologists sometimes forget about the human element generally when designing, developing, testing, implementing and/or maintaining systems? Sometimes? I think they forget almost all the time.” and “What will be the biggest security issues in the future? Crime. Crime, crime, crime. Everything else pales in comparison.”

3. 11 open-source projects certified as secure: You can see my previous blog posting about quibbles with the way that the story is written, but ultimately this is great news for open source and well worth mentioning again. Here’s a good story about the same announcement (best story on the topic that I have seen in this round): Weeding Out Flaws in Open-Source Apps

4. Data center robbery leads to new thinking on security is an interesting look at the data center break-in that occurred last October. Key quote: “‘The second someone crosses the line to armed robbery – [risking] a 25- to 50-year prison sentence -to steal some servers, we’re in different realm of security now,’ he said.”

5. Top 10 security headlines from 2007. I would have thought that the British data loss on most families with children under the age of 16 would have made this list but it is not here.

6. Yahoo tests support for OpenID. Key quote: “‘I expect Yahoo’s implementation to be a major influence in encouraging OpenID 2 adoption,’ wrote Simon Willison”.

In other news:

1. KernelTrap’s story on Decoding Oops and the referenced emails from Linus Torvalds and Al Viro are worth studying closely.

2. The Linux Foundation’s new podcast series Open Voices is off to a great start.

3. Linux guru offers sneak peak at Kernel Report – Computerworld interviews Jonathan Corbet. Key quote: “I am confident that, five years from now, we will say that we were able to accept unprecedented amounts of new code at a sustained rate for years while improving the quality of the final product.”

4. LWN.net: a ten-year timeline (part 1) LWN’s 10 year anniversary retrospective. (Subscriber only for 5 more days.) Interesting quote: “When Intel put money into Red Hat, it became clear to all that both Linux and Red Hat were headed toward success. This was, in some real sense, the point where Linux entered the dotcom bubble, though the real action was still a year away.”

Oh boy, I thought I had quibbles with the news story on the Coverity announcement yesterday and today someone points out the worst piece of yellow journalism that I have seen in quite some time: Open Source Code Contains Security Holes. First the title is atrocious and this quote “the popular open source backup and recovery software running on half a million servers, were all found to have dozens or hundreds of security exposures and quality defects” may (have) be(en) accurate, but without context sounds worse than it really is. The truth, as George Wilson said, is that this is an article along the lines “And in other news, fire is hot and water is wet.” I personally consider this irresponsible journalism. They had to willfully ignore older stories based on information from Coverity and Carnegie Mellon such as Open Scrutiny of Open Source Code which contains the nugget “The average defect rate of the open source applications was 0.434 bugs per 1000 lines of code. This compares with an average defect rate of 20 to 30 bugs per 1000 lines of code for commercial software, according to Carnegie Mellon University’s CyLab Sustainable Computing Consortium.” This is simply yellow journalism whose primary intention is to drive traffic and raise the ire of open source fans! Harrumph! Outrageous!

Note to Charles Babcock: software has bugs, even security bugs. If you want to drive down the number of bugs in the software that you are using, use open source.

This type of crappy response comes up almost every time Coverity announces a significant improvement. See this similar news story from ZDNet back in October 2006: Most open source is better.

Coverity has announced “Rung 2” and that 11 open source projects have achieved “Rung 2”. This means that they have resolved all Rung 1 defects found by the latest release of Coverity Prevent. There is news coverage at news.com: 11 open-source projects certified as secure which claims that the projects “have been certified as free of security defects”. The 11 projects with bragging rights are Amanda, NTP, OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Python, Samba, and TCL. The Coverity announcement itself says “resolved all of the defects identified at Rung 1”. Looking at the Rung 2 page, it appears to me that there are uninspected defects remaining at Rung 2 which may or may not represent actual defects (and/or actual security flaws), so I’m not sure that the news article’s claim is justified. I also would quibble with the use of the word “certified” which is at risk of becoming overused and rendered meaningless when applied in this context. Despite my quibbles with the news story, Coverity has done us all a major service by exercising their excellent source scanning tools on hundreds of open source projects and reporting the results in a controlled fashion. The 11 projects: Amanda, NTP, OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Python, Samba, and TCL, have done themselves proud by grinding through the reports and fixing defects found. Thanks to Homeland Security for sponsoring this effort, I appreciate this use of taxpayer money. Congratulations and a hearty Thanks! to Coverity and Amanda, NTP, OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Python, Samba, and TCL!

http://scan.coverity.com/
http://www.news.com/8301-10784_3-9843682-7.html?tag=nefd.top
http://scan.coverity.com/rung2.html

TruTV (was CourtTV) has created a new show on security testing called Tiger Team. You can view the first episode online at the TruTV video website. Their “Share” feature yielded this link but these links don’t tend to stay fresh long, so to find it click on New, then look down through the listings for Tiger Team (on page two as of Jan. 2). This show has widely been reported as an IT show, but the first episode is about pen testing a car dealership. Only one person on the team specializes in computer security, another person specialized in social engineering. It shows them dumpster diving, social engineering, breaking in after dark (“daring late night break in”), casing the dealership, etc. Choice quote: “If there is any other team in the world who does what we do, hands down we are the best”. Don’t expect to learn anything from it, but it is highly amusing in the reality show breathless kind of way and vividly demonstrates the security mindset.

Here’s a great blog post by Matt Hines that describes the episode in amusing detail.