Open Source Security

Steve Hanna has written an excellent cloud security overview article A Security Analysis of Cloud Computing which talks about how trusted computing can help solve some of the cloud security problems.

Privacy concerns for the ages, is anonymity sufficient? Facebook and Google: Contrasts in Privacy Is privacy an illusion or a social contract? Blakley’s blog post Gartner gets privacy dead wrong debates the issue. Will Facebook users go along with Facebook’s new policies and the sense that their privacy was an illusion, or will they revolt, pile on EFF’s FTC complaint and leave Facebook in droves?

This article covers a lot of ground on the impact to security of virtualization and cloud adoption. I like it right up to the abrupt ending. Virtualization Adoption Slips.

Three just for fun: has a 2009 retrospective of Linux activity: A look at Linux in the recession. Somehow I missed the news about Hannah Montana Linux.

An octopus and its travel trailer: Tool Use Found in Octopuses.

There is a new specialty of female bodyguards in Egypt.

Here are seven links that are worth the time that it takes to read them if you are interested in systems security.

The Evil Maid attacks again:

Two Trusted Computing articles:

An introduction to Tin Hat Linux which is a Linux distribution based on hardened Gentoo which “was conceived as a challenge to the old mantra that physical access to a system means full access to the data”.

Everybody is talking about the botnet on AWS: Zeus botnet finds hold in Amazon cloud. From now on, I fully expect that stories about botnets controlled from within a cloud will become a footnote rather than noteworthy, and that they will be served with standard takedown notices.

By Bryan Jacobson, Linux Technology Center.

Tyler Hicks (from our team) recently attended the 5/25-29 Ubuntu Developers Summit for Karmic Koala in Barcelona, Spain.

Some of Tyler’s observations on Security topics:

  • There are quite a few eCryptfs users out there and they are generally happy with the version shipped in Jaunty. Most were using the encrypted home feature, but some wanted more flexibility and had custom setups.
  • eCryptfs encrypted swap is on the roadmap for Karmic.
  • Michael Rooney has been working on graphical applications to complement some of the eCryptfs userspace tools that are currently bound to the command line.
  • Tyler held an eCryptfs roadmap talk about future eCryptfs features: eCryptfs on top of popular network filesystems, improved key management, and asking for someone interested in completing the eCryptfs GPG key module.

Some general observations from Tyler:

  • Ubuntu would like to be the premier guest available in Amazon EC2.
  • Ubuntu users will soon have a daily build of the virtualization stack available, which is a big win for both the upstream developers and the users.
  • Dustin Kirkland gave a talk on leveraging the cloud for data center power savings.
  • The Ubuntu kernel team committed to removing non-upstream kernel code that no one is using anymore.

See the whole story on Tyler’s blog at:

Red Hat Enterprise Linux 5.2 was released today. That is significant news in and of itself, but I am especially excited because it contains Technology Previews of eCryptfs, TrouSerS, and tpm-tools! As Technology Previews, they are not yet supported for production use, but this is the first step to allow for experimentation and time for ripening. I’m happy to see Red Hat’s continued dedication to security. If you try these packages out in RHEL, I’d love to hear of any successes or problems that you encounter.


It’s been a little time since I have written in the blog. I’m still experimenting with how often to post to balance out the drivel with the interesting and the original. I have to say that I was a little surprised at how well received the “Best Security News Stories” line has been, so I will keep that up. If a story makes me want to run down the halls and tell my co-workers, I’ll post it here instead.

Thanks to for linking to my blog and adding my blog to the “Featured Bloggers” section of the page. Most appreciated!

The most fun security news story has been covered everywhere, but I’m going to include it here anyway precisely because it is so much fun. Joe Barr interviewed Linus Torvalds, Andrew Morton, Ted Ts’o, and Fyodor and wrote up an article called “Celebrity Advice on keeping your desktop secure”. It includes some excellent tips, like be wary of macro viruses, which can also impact OpenOffice (from Ted), and update often, preferably nightly (from Fyodor). Fyodor made the point that the desktop is not the only critical factor for internet security because it can’t save people from themselves – falling for 419 scams, etc. In the end, perhaps the most fun part of the article is the voyeuristic thrill from knowing that Linus is so paranoid about the security of his systems.

With LCA’08 ongoing, there are some interesting news stories appearing on the LCA Planet, and it is all too easy to lose far too much time there. I highly recommend Jim Gettys’ post about the OLPC, which reiterates all of the reasons why the OLPC is a critical project for our industry, our children, and our world.

Bruce Schneier’s keynote sounds like it was a good one hitting the high notes on psychology and information: “As security designers we need to address both the feeling and the reality of security” and “‘The way to get people to notice that reality and feeling haven’t converged is information. Information is the best weapon we have.’ In the IT industry, this information is a scarce resource, he said.” It will be interesting to see what he does next to get the industry to produce and publish the data.

On the convergence of security and productivity, zenhabits, a well-known productivity blog, has a guest post on How Productivity Habits Reduced the Impact of Theft … Twice in which Lodewijk’s habit of storing no files on his laptop which he started to improve his productivity has the nice effect of preventing data loss when two company laptops were stolen from him.

And finally, if you don’t already read Bob Blakley’s blog, I highly recommend it. He posts infrequently, but thinks deeply and writes beautifully. Plus he often adds gorgeous photographs. His most recent post is about why he bet his buddy a bottle of Scotch that DRM will be non-existent in the film industry within 4 years. His premise is that in the manner of Robert Rodriguez of old, new artists will make movies on the cheap and release them without DRM. Of course, Robert Rodriguez now makes $100M movies and YouTube is full of movies made on the cheap. That snarky remark aside, I wouldn’t bet against Bob’s vision, but I might bet against the timeline. Despite the risk to the existing movie studios, I don’t see them changing their business model until faced with extinction because of the New Studio’s massive growth. I would also expect them to pull whatever business tricks are necessary to keep the New Studio down as long as possible.

Russell Coker is running a security blogging contest in conjunction with LCA 2008. Only people who have never been employed to work on security, have their own blogs, and who write positive blog entries on a security topic are eligible. He’s looking for commercial sponsors and offering cash prizes. This looks like a very cool contest that will hopefully have the nice side effect of garnering complete coverage of all of the security topics at the conference for those of us who are not there. Thanks, Russell!

The January State of Spam Report says that in December spam accounted for 75% of all email. Just a reminder of the cost that we pay daily for failing to build any type of security into the protocol.

Here’s another interesting look at the daily human cost of some security technologies – Study: IT Monitoring Stresses Workers Out. Key quote: “The main consequence of IT surveillance has been a sharp increase in work strain, involving feelings of exhaustion, anxiety and worry related to work…” and, unbelievably, “More than half of British workers are now under some sort of IT scrutiny…” Is the value of the data they are protecting through these measures really greater than the individual and societal cost of the measures?


1. The Fedora Weekly News Issue 114 (dated Dec. 31, 2007) describes three “SELinux Rants” along with the response from the Fedora community. Choice quote: “…suggested that rather than blame SELinux for complexity it was better to realize that it was describing the complex interactions between different pieces of software.” Personally, I disagree with this sentiment. I think that our tools should abstract away some of the complexity rather than reflecting the complexity up to the user. I understand that details get lost during abstraction which can be detrimental to security, but if there cannot be some level of secure abstraction, then the tool is not going to be usable by the average user/administrator. Thanks to Oisin Feeley for this excellent synopsis of the threads.

2. The guru speaks to the Linux community: Interview with Bruce Schneier called Bruce Almighty: Schneier preaches security to Linux faithful (dated Dec. 27, 2007). Choice quotes: “Do you think that technologists sometimes forget about the human element generally when designing, developing, testing, implementing and/or maintaining systems? Sometimes? I think they forget almost all the time.” and “What will be the biggest security issues in the future? Crime. Crime, crime, crime. Everything else pales in comparison.”

3. 11 open-source projects certified as secure: You can see my previous blog posting about quibbles with the way that the story is written, but ultimately this is great news for open source and well worth mentioning again. Here’s a good story about the same announcement (best story on the topic that I have seen in this round): Weeding Out Flaws in Open-Source Apps

4. Data center robbery leads to new thinking on security is an interesting look at the data center break-in that occurred last October. Key quote: “‘The second someone crosses the line to armed robbery – [risking] a 25- to 50-year prison sentence – to steal some servers, we’re in a different realm of security now,’ he said.”

5. Top 10 security headlines from 2007. I would have thought that the British data loss on most families with children under the age of 16 would have made this list but it is not here.

6. Yahoo tests support for OpenID. Key quote: “‘I expect Yahoo’s implementation to be a major influence in encouraging OpenID 2 adoption,’ wrote Simon Willison”.

In other news:

1. KernelTrap’s story on Decoding Oops and the referenced emails from Linus Torvalds and Al Viro are worth studying closely.

2. The Linux Foundation’s new podcast series Open Voices is off to a great start.

3. Linux guru offers sneak peek at Kernel Report – Computerworld interviews Jonathan Corbet. Key quote: “I am confident that, five years from now, we will say that we were able to accept unprecedented amounts of new code at a sustained rate for years while improving the quality of the final product.”

4. A ten-year timeline (part 1): LWN’s 10-year anniversary retrospective. (Subscriber only for 5 more days.) Interesting quote: “When Intel put money into Red Hat, it became clear to all that both Linux and Red Hat were headed toward success. This was, in some real sense, the point where Linux entered the dotcom bubble, though the real action was still a year away.”