Josh's Blog

In Greek mythology, Sisyphus was being punished in Hades by rolling a large
stone up a hill, only to have it roll back to the bottom when he neared the
top. I was thinking the other day how similar this is to how security
updates are handled. This applies to everybody doing security updates; a
constant process where as soon as it seems you're in the clear, something
new arrives that needs to be dealt with.

There will never be any source code which is free of bugs. It's estimated
that for every ten lines of source, there is one bug. I'm not sure if
there is an estimate regarding how many of those could be classified as
security issues, but I think it's safe to say there are plenty of them.
I've found that fixing the security bugs is a task a lot like Sisyphus',
no matter how many times you roll the patches up the hill, they just keeps
rolling back down.

The real future in keeping a computer secure does not lie in patching the
various issues, it lies in preventative technologies. I'm not suggesting that
nobody ever applies a security patch, just that the current immediate need for
them should be reduced. Even with preventative technologies, it's possible
that an evildoer could leverage multiple issues to compromise a machine.
There will also always be certain attacks that are going to be nearly
impossible to stop with a preventative technology (cross-site-scripting
attacks come to mind as one).

There are some interesting things happening in the Linux universe right now
that can help address a large number of security issues. SELinux,
Exec-Shield, gcc FORTIFY_SOURCE, and user specific /tmp are some of the
current big ones, but I'm sure there is more to come (and even more I don't
know of yet).

For the sake of keeping this entry short, I'm going to stop here, but there is
much much more to be covered regarding this topic.

I spent my evening discovering the lack of documentatoin the python rpm bindings have. I read the article The Six Dumbest Ideas in Computer Security and started thinking about a point made in #2

Examine a typical antivirus package and you'll see it knows about 75,000+ viruses that might infect your machine. Compare that to the legitimate 30 or so apps that I've installed on my machine, and you can see it's rather dumb to try to track 75,000 pieces of Badness when even a simpleton could track 30 pieces of Goodness.

RPM already knows about all the "Goodness" on my system, so the idea is that anything not in places like /home, /tmp, /var or /usr/local wasn't put there by me.

I have no idea where I will go with this, or even if I'll do anything, but it struck me as useful if I could easily constuct a list of things that the RPM database doesn't know about, or things that don't have the permissions or content RPM thinks they should have. I'm aware of the "rpm -V" command, but that's not very extendable, and it doesn't tell me of files that aren't in the RPM database.

On the topic of the python rpm bindings ...
I had a terrible time figuring them out. Luckily I found enough from reading yum source and trial and error, I think I know what I need to know now.

So I've finally setup a blog. I've not wanted to do this for a very long time as I find many blogs to be terribly silly things. I have however come to understand that they can be useful in certain situations. Putting various bits of my personal life on such a thing poses little interest to me, and probably even less to the masses as I'm just not an exciting person. There is however potential due to things like blog aggergators. It's a nice easy way to publish little tidbits of informatin related to Red Hat and Fedora that the users would be interested in.

The reason I'm doing this is because of the recent Firefox/Mozilla updates Red Hat published. The updates were a nearly flawless production of each team pulling things together in a crunch to release an update (on a Friday night), and nobody really knew anything about it until Mark posted something in his blog the next day.

So this is the place I plan on putting various tidbits about the happenings in the security universe for all to see.