So I'm heading in the general direction of Chicago in a few hours, as the Red Hat Summit starts tomorrow. I'm giving a talk about Red Hat Security Advisories on Thursday at 11:20. As it's right before lunch, I expect most to be daydreaming about tasty treats.
I do always enjoy the summit, it's nice to get some face time with various co-workers, and speak with customers about our security updates. I'm always happy to hear from folks what we're doing well and what we could stand to improve.
If you're going to be at the summit, feel free to find me and pester me about anything security related. I look forward to it.
The rate at which physical devices are managing our virtual worlds is always becoming more apparent. The question becomes, what happens when you lose one of these devices. Many of these contain quite a lot of personal information about ourselves, but also the people we know. If you have a phone that contains a web browser, it likely will contain lots of passwords and site history, phone numbers, text messages, instant messaging transcripts, and who knows what else. It's a scary thought.
It's still not a problem most people worry about (yet), but it makes losing one's wallet seem trivial in comparison.
Apart from the obvious issues here, there is something far more troubling in the article.
A Senate source familiar with the bill compared the president's power to take control of portions of the Internet to what President Bush did when grounding all aircraft on Sept. 11, 2001.
This isn't really a comparison at all. In the US, every single aircraft in the sky is regulated by an organization called the Federal Aviation Administration. The FAA has the ability to tell a plane it can't take off. The Internet was specifically built in a manner that it can't be "shut down". I'd be surprised if any of the large backbone providers could even shut down their networks in less than a week. The Internet is basically an unregulated mess. It's what makes it so cool. This bill is most likely another example of an out-of-touch lawmaker trying to apply tangible ideas to an intangible thing.
There isn't even a possible analogy here, as there really isn't anything that exists comparable to the Internet. Nowhere else do you have a huge collection of computers, scattered all over the world that are mostly able to communicate freely.
So the important bit from this story is this paragraph:
The amount of catalogued malware by Panda was 18 million in the 20 years from the firm's foundation until the end of 2008. This figure increased 60 per cent in just seven months to reach 30 million by 31 July 2009.
This sounds utterly amazing, but the really scary part is thinking about the future. Let's say that this trend continues, even at, say, a 60 percent increase per year (the example given covers only 7 months).
If there are currently 30 million cataloged pieces of malware, next year there will be 48 million, then 76 million, then 122 million. It's a bit obvious that the trend probably won't grow exponentially, simply because the number of virus writers would probably have to outpace the population of the planet at some point.
Let's assume it grows at a linear rate instead, 10 million new viruses per year. As it happened last year, it's likely it'll happen again. That means in 5 years, you're looking at 80 million pieces of malware. One has to wonder if Moore's law can keep up with this.
Right now malware is handled in a reactive manner. It is going to have to move to a proactive approach, as the reactive race can't be won (as the above numbers show). The scary part about a proactive response is that it's a thin line between protecting users and forcing them to only use their hardware device for a specific purpose.
A new version of Pidgin came out last week. It fixes a potential issue where a remote MSN user could send a message that could execute arbitrary code on a victim's computer. This could be mitigated by only allowing people on your contact list to contact you. This is wise behavior regardless of flaws like this one. If you allow any random person to contact you, it can be quite annoying.
The world of security has been somewhat unexciting as of late. That's probably a good thing.
Linux Kernel privilege escalation
The most interesting security story last week was probably a new kernel privilege escalation flaw. If you simply run something like a single user desktop machine, flaws such as this aren't all that serious, as it's unlikely there are any untrusted users on your system.
Servers pose a much greater risk, since it's likely you have untrusted users able to execute arbitrary code on the machine in question. A flaw such as this would allow such a user to run commands as root. If this is your setup, there is a possible mitigation.