Josh's Blog

Samba
Last week saw the release of a new version of Samba, with two security fixes:
http://samba.org/samba/security/CVE-2007-4572.html
http://samba.org/samba/security/CVE-2007-5398.html

Both of these issues sound pretty bad, but only CVE-2007-5398 is truly scary. CVE-2007-4572 initially looked rather bad, but after a thorough analysis it was determined that under normal use the flaw shouldn't even crash the Samba server. A detailed analysis of this flaw can be found here:
https://bugzilla.redhat.com/show_bug.cgi?id=294631#c3

AppArmor's Security Goals
I'm no fan of AppArmor, but aside from that there is a most interesting read regarding it on Kernel Trap. Those of you interested in such a thing might find it useful:
http://kerneltrap.org/Linux/AppArmors_Security_Goals

Hushmail not so hush
It seems that Hushmail is willing to share the PGP keys of its clients with law enforcement:
http://www.itnews.com.au/News/65213,hushmail-turns-out-to-be-anything-but.aspx
While this probably isn't terribly surprising (most companies are willing to work with law enforcement). It is an opportunity to point out that unless you have complete control over your encryption key, you should assume that someone else has it. This includes things like storing keys on NFS home directories or using public computers with your private key. Keeping a private key protected properly is very difficult, and everyone has to compromise perfect security for reality at some point. It should be completely obvious though, that trusting someone else, especially a corporation, with your private key is most unwise.


I don't plan to write a column next week due to the holiday weekend. I shall see everyone the week of the 25th, which I'm certain will be eventful.

Fedora 8 released
Last week saw the release of Fedora 8. This is important for countless reasons, one of them being a new firewall configuration tool. This is important since it should hopefully keep more people using the firewall. In previous Fedora releases it was often easiest to just turn off the firewall when something didn't work. This is obviously an unwise move as it can leave your machine open to various other issues. One of the most difficult things for security to achieve is keeping users safe while staying out of the way.

pcre
Some rather foul pcre flaws were made public last week. In reality these flaws aren't a big deal for most users, but it was found that pcre is used by Konqueror. It seems that the Konqueror web browser uses the pcre library for its JavaScript regular expression support. Web browsers are easily one of the most dangerous applications on a computer, as they process an incredible amount of arbitrary third party content.

This week has been very slow. This isn't a bad thing, but when you have to write a weekly blurb about what happened, it's a bit of a challenge.

IBM Plans Major Security Initiative
http://ap.google.com/article/ALeqM5iSFxylj-4ojpf44zNT6k01yBY5RgD8SKHH781
IBM announced last week that they plan to spend 1.5 billion (with a big B) dollars on security research in 2008. Information Security is becoming a very serious business. I suspect the biggest issue now is going to be finding employees to fill these positions.