Why are so many browser flaws rated as critical?
To many people in the outside world, it's sometimes not obvious why such a big deal is made about the web browser. The story below highlights that an ad server was broken into and used to distribute malware.
People usually think that if they're at a trusted site, such as their bank, a news site, or even some search engines, they are safe and they can let their guard down. The network of web servers has become very pervasive, and the line between sites continues to blur. As various sites start opening up public APIs, this line will eventually vanish completely. The web seems to be evolving into one giant squishy ball of putty, rather than lots of little ones. This in turn is creating an environment more dangerous for its users, with no clear fix in sight.
Virtualization is less secure
I ran across this posting to an OpenBSD mailing list the other day:
Talk of security virtualization reminds me of the old saying about debugging by Brian Kernighan:
Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it.
This is a hard problem. I doubt the solution lies in writing golden code. It's more likely that technologies like SELinux are going to be far more effective than expecting everyone to write bug-free software.
Firefox Security Update
This week was mostly consumed with the Firefox security update. A security update of Firefox will result in the release of Firefox, SeaMonkey, and Thunderbird. This is of course a great deal of work for all the involved parties. Those programs are rather complex and much can go wrong along the way. On the plus side though, we have gotten rather good at dealing with these updates in RHEL and Fedora. All the interesting bits can be found here:
I expected my Saturday to be a rather relaxing day, where I would mow the lawn and install the new water heater I bought. I don't usually post random personal things to my blog, but I just need to complain about this one in public where it can make me feel better.
I never got around to mowing, and installing the water heater went something like this:
1. Go to hardware store, buy what I think I need
2. Drain old water heater
3. Remove old water heater
3. Find out parts bought in step 1 don't fit in my basement, back to the hardware store
4. Start building the connectors to go from the pipe to the heater, notice one of the fittings bought in step 3 was wrong
5. Go back to the hardware store to buy proper fitting
6. Finally get the water heater hooked up, start filling it with water.
7. Notice the primary water shutoff valve is leaking, badly (it was 30 years old)
8. Go to hardware store, buy new shutoff valve
9. Drain and move new water heater
10. Cut pipes to remove shutoff valve
11. Notice I cut one of the wrong pipes
12. Go back to hardware store to get what I need to fix the wrong pipe I cut (at this point, I bought lots of extra things "just in case")
13. Install new shutoff valve
14. Put new water heater back in place, fill it up
15. Rejoice as nothing leaks and the house has water again (at this point, it is 11:30pm, I started this project at about noon)
At this point I'm claiming that the reason I didn't hire someone to do this is that when the primary shutoff valve broke, it would have likely ended up costing me a fortune in plumbing fees.
So this week this entry isn't syndicated in Fedora Weekly News. I was very busy this weekend working on my yard and missed the deadline. If any of you ever think that planting ivy on the side of your house is a good idea, don't do it. It's horrible to remove.
OpenSSL Security Advisory
A very scary OpenSSL flaw went public last week: http://www.openssl.org/news/secadv_20071012.txt
On the surface this looks like a horrible flaw, which it is. The redeeming factor is that very little uses DTLS in OpenSSL. After an audit of Red Hat Enterprise Linux, we determined that nothing is shipped that actually uses DTLS.
Air Force to get ‘cyber sidearms’ http://www.fcw.com/online/news/150483-1.html
This is a rather odd idea the US Air Force seems to be planning to use. It seems the idea is that if a user thinks their computer has been compromised, they can somehow alert someone who can verify this. I'm going to guess this isn't going to work. It's probably fair to say that most of the 50 million computers that are part of the Storm Botnet do not have users who know they're part of the network. No doubt some portion of Air Force personnel will be able to tell if their computer is hacked, but most probably can't.
I'm a rather big fan of carving pumpkins. I'm not entirely sure why this is, maybe it's because I get to roast the seeds afterwards. A few years ago I tried to find a Tux pumpkin stencil and came up dry, so I made my own. This year after many many hours of Gimping around (har har har), I have a THREE color stencil. Orange, lit up candle color, and sort of transparent orange. I created my artist's rendition below. As you can see, I'm not a very good artist. The idea here is that the parts that look sort of like a cross between yellow and orange are where one would just carve away some of the pumpkin, rather than cut it out completely. You end up with something a bit like this picture of a Gollum pumpkin I found (note it is a three color carving).
My original stencil, along with the new one can both be found here:
When I finally get around to carving this in a pumpkin I shall post a picture of the finished product. I figured since I finished with my stencil early (I planned ahead due to how little art skill I have), there's no sense in not sharing this.
VM-Based Rootkits Proved Easily Detectable
Some time ago a number of researchers claimed that it would be possible for a virtual machine based rootkit to evade security software. It seems that's not quite the case.
"you security people are insane."
Linus makes some interesting points about various security systems in the Linux kernel. While his colorful comments are humorous, this makes a rather powerful statement. Linus says:
Schedulers can be objectively tested. There's this thing called
"performance", that can generally be quantified on a load basis.
Yes, you can have crazy ideas in both schedulers and security. Yes, you
can simplify both for a particular load. Yes, you can make mistakes in
both. But the discussion on security seems to never get down to real
So the difference between them is simple: one is "hard science". The other
one is "people wanking around with their opinions".
This is a big problem. Security is hard to understand, so you end up with two different types of people causing trouble. There are people who don't really understand what they're doing. These are the people that say incorrect things and just make up what they don't know. There are also the people who will blatantly lie to further their own agenda. The hope is that the right solution will eventually win out, but that's not always the case.