Josh's Blog

Last week wasn't very exciting as far as security issues go. I have nothing of interest to note. Next week should be quite busy though.

Black Hat and DEFCON are going on in Las Vegas. Things are expected to be very busy.

Security Circus
By far the most entertaining story from last week was Linus giving a few choice quotes.

He does get some things right, but there's still the very real fact that security flaws let people do things they shouldn't be able to do. This adds a certain amount of danger and does require more attention than some other flaws. A nice comparison is automotive recalls. If there are two problems, one is a broken cup holder, the second makes the car explode, which do you think they'll do a recall for?


principle of least privilege
Steve Grubb has a nice interview up on SearchEnterpriseLinux.com.

It offers some hints into some of the intresting things that have happened and can be expected in the SELinux space.

There has been a lot of squabbling about disclosing security issues, specifically in the Linux Kernel as of late.

This is probably getting a lot more attention than it should. There are two ways this can be dealt with.

1) Insist the bikeshed be painted your favorite color. Complain to no end that it's not fair that you have to look through the source code to find your own fixed security issues. This is open source, everything is full disclosure. The guys who take care of the Linux Kernel do a top notch job, and they cover the security bits quite well. I've yet to see anyone who isn't an annoying troll say something negative about the job they do.

2) Deal with it. Dig around in the mud, find the problems, talk about them, fix them, write exploits for them. This is what myself and a team of very bright people do for Red Hat. It's not always pleasant (usually not), but we deal with it. Sometimes things are embargoed, sometimes they're not. We don't complain about it, we do our jobs.

The goal here is to keep the end users safe. Not to become famous, not to get a t-shirt made with our catchy slogan on it. Safe users. That's it.

DNS flaw
A serious flaw in the way most DNS requests are made was announced last week. It is expected that the details of this issue will be known later this month when Dan Kaminsky presents at Black Hat. In the meantime, if you run a DNS server, be sure to get an update from your vendor.

On a side note about this issue, newer Linux kernels have a feature where the source port of UDP requests is randomized. That means that as long as the requesting application has random transaction IDs, it doesn't need additional logic to ensure random UDP source ports.

Package Manager Flaw?
A report came out last week titled: Attacks on Package Managers. The actual details of this are quite a bit less interesting that the reporter makes it sound. It's basically the same problem as using an out dated mirror.

This week saw the release of a new Firefox. This means that I was horribly busy last week and most of this one. So this week, here are a few stories I found interesting, without my usual commentary to wreck any hope you had of enjoying the content

Ten tips for securing Linux desktops
Mozilla Security Metrics Project
Firefox users most likely to run latest version of the browser

I apologize for this and I hope the weekly entry will be back to normal next week.