Josh's Blog

I ran across a rather clever security information site. I'd suggest just visiting it to see for yourself:
http://www.ibm.com/developerworks/spaces/linuxsecurity?ca=dgr-lnxw02aLinuxSecuritySpaces

How safe are Wi-Fi hot spots?
I grew up in Green Bay Wisconsin, so I tend to pay attention to local news from that area. A friend sent me this story
http://www.postcrescent.com/apps/pbcs.dll/article?AID=/20070925/APC0101/709250595/1004

The story contains this morsel:

How safe are Wi-Fi hot spots?

"The Internet is not a real secure place in general, but it's also not something to be overly worried about if you're working with sites (and) businesses that you've worked with before," said Scott Liske, the city of Appleton's director of technology services. "When you know you're at a legitimate site, then there are very few issues."

I can understand how normal people are utterly confused by all the threats on the Internet when a supposed expert doesn't even get it. If your browser isn't encrypting the connection to the remote server, there is no way you can verify that the data you are seeing hasn't been altered between the host and your computer.

Is a chroot secure?
Kerneltrap has a nice summary of why a chroot is not a security feature. This is an issue that comes up every couple of years. It is likely this will continue to happen since there is quite a lot of information available on the Internet that claims a chroot is a fine way to keep something secure. The best advice if you wish to keep a process in a cage would be to use SELinux.
http://kerneltrap.org/Linux/Abusing_chroot

Is SELinux really too complex?
Speaking of SELinux, this article takes a rather insightful look at the technology.
http://enterpriselinuxlog.blogs.techtarget.com/2007/09/26/selinux-is-it-really-too-complex/

The article does point out that the OpenBSD mailing list is obviously a rahter biased place to find SELinux commentary, but many of the points made about SELinux are good for someone who hasn't been keeping an eye on the discussions.

Thanks to Andrew Tobias I found this video. It's rather amazing to think about what this will mean for the future.

Last week was fairly slow as far as all things security are concerned. There wasn't anything terribly exciting to happen, which always scares me a bit as I see it as the calm before the storm.

Internal Abuse Overtakes Viruses as Security Threat
I suspect these two threats go hand in hand to a certain degree, but this is terribly interesting. It begs the question why have the virus numbers gone down faster than the "Internal Abuse" numbers?

It's quite possible that the operating systems have become more robust, the users are better educated, antivirus software is starting to work better. Perhaps more companies are now running antivirus software. It's also very possible that the respondents to the report are starting to ignore the virus problem and just consider it a cost of doing business.

Internal attacks have always been a far larger issue than outside threats in an organization. A lot of people like to ignore this fact and focus on attacks coming in from the outside. It's easy to sensationalize some hackers trying to steal your bank account numbers. Catching Bob from accounting looking at executive pay isn't very exciting. I can understand why so many groups focus on the external. There is also the issue of keeping your employees happy and not making them feel like they work in a bad rendition of 1984.

Sometimes it works to compare a computer security idea to the tangible world. Nobody thinks twice about locking the server room door. Why should anyone take offense to not having access to an area of the network they don't need? A bit like the old saying that locks are really only there to keep the honest people honest.

This has a fairly crazy (but also dull) week as far as security things go. Here's a quick recap on the things I found the most interesting.

Who gets to define what malware is?
http://www.net-security.org/virus_news.php?id=857
Kaspersky Lab classified a program by a company named Zango as malware. Zango doesn't think their application is malware and sued Kaspersky. Kaspersky won the lawsuit, which is a great victory for the world of antivirus. This creates an rather unique question though. What is malware? Who gets to define it? No doubt to most people the answer to this question is rather obvious, but there are quite a number of companies who have questionable behavior.

Hack in the box
Two stories stood out this week:
NSA@home (DIY shared FPGA cracker)
Student, prof build budget supercomputer

These two stories lend themselves to an issue that quite a large number of people either like to ignore, or don't think about. Secrets today, are easily broken tomorrow. SHA-1 is a fairly new hashing algorithm and was though to be somewhat robust. This puts it in the same doghouse MD5 now lives in. It's only a matter of time before today's super computer will be available in a $5 calculator you can purchase in the checkout line. This means that while a 2048 bit key is great today, the neighbor kids will be able to crack our PGP mails in under an hour eventually. Sadly there isn't really a good answer to this problem other than ensuring that whatever you try to keep secret will be worthless information in 20 years.