Monday, December 7. 2009
I bought a 16 Gig USB drive for $20 yesterday at Frys. This itself is pretty cool, but I figured I'd try to install Fedora 12 onto it. I don't mean a USB livecd-iso-to-disk sort of install, but a real install, where anaconda treats it like a regular disk. I was amazed to see that it installed fine, but also boots perfectly.
I've tried this in the past, probably around Fedora 10, and it didn't work for me, so this is a pleasant surprise.
Friday, December 4. 2009
I was happy to find an article talking a bit about Hypervisor Security Concerns. It's not overly in-depth, but does point out the very real issue that virtualization poses some serious security concerns.
I think sometimes it's easy to get caught up in all the hype and forget about all the other issues a technology could create for us. I really like the title in the article
A New Definition of “Privilege Escalation”
Since it sounds cool, we should start calling it Hyper Escalation when a guest breaks into the hypervisor. It both sounds cool and is fun to say. (I have bolded, underlined, and italicized it to stress its coolness)
In all seriousness though, this is a good discussion point, and an issue that will likely continue to come up for many years to come. Virtualization, like many things that came before it, wasn't built with security in mind, so it's going to take many, many years to hammer out all the dents.
Monday, November 23. 2009
It's not often you read a security story that blames people for the problem. I found this one to be quite interesting.
Federal IT Face Cyber Attacks Daily
The best quote from the article is this:
Federal employees are still the main cause for security flaws because of their careless online activity along with failure to comply with organization policy, finds the research. It also finds that across civilian and defense organizations, 66% of those surveyed caught employees conducting irrelevant Web-surfing during 2008, while 44% found their workforce noted passwords on office stick-notes that could become public.
The hard part here is: how do you get people to care? It's not much different in the real world, where people are rather careless about keeping belongings and personal information safe. It's even harder to convince someone to keep intangible things safe.
The Internet of today is comparable to Fagin and his band of little pickpockets. The difference now is that the modern-day Fagin doesn't use orphans, but zombie computers, and millions of them. Imagine trying to walk through a marketplace so full of thieving children that you can't move. That's pretty much today's Internet.
Thursday, November 12. 2009
I watched Johnny Mnemonic (there's also a short story the movie is based on, go read it) last night for the first time in a long time. The movie takes place in 2021, only 11 more years!
I think the most striking thing was that he was to carry around 320 Gigabytes of data in his head. The first time I saw that movie in 1995 or so, I remember thinking that 320GB was an insane amount of data. Today I type this on a computer with almost double that much storage capacity. I love how movies that involve computers age terribly. I suppose that's part of what makes them so fun to watch.
Except Tron, that one is still pure awesome.
Monday, November 2. 2009
It's been a while since I've posted anything, I've been annoyingly busy. Someday it'll slow down ... right?
So the first story that caught my eye today was this:
Security Report Finds Enterprise Infections Up 100 Percent
It's the normal story about how enterprises are full of viruses and worms and all sorts of other bad things. I suspect the real story here is that enterprises are looking for and finding malware rather than ignoring it (or not finding it).
The really interesting story of the day is this one though:
Tech Futurist Sees Rosy Prospects for Net Security
It's a story about how in the future all the ISPs and sites we visit will be stomping on malware for the good of all humanity. This probably will never happen unless there are drastic changes to our telecommunications laws. Right now data carriers are generally not liable for the data that travels over their network. This basically means that the ISP isn't responsible for what the two parties using it for transport do. If ISPs decide they need to start stopping malware, there are two potential problems: who defines what malware is, and what happens when they miss some.
I'll explain this a little better. The first problem is the definition of malware.
Let's say I write a new operating system called door, and it's all the rage. My competitor decides they REALLY need to get rid of me, so they convince a bunch of ISPs (where convince is a giant bag of money) that I'm malware. Unless you have a huge army of lawyers on your side, there's probably little that can be done to resolve this situation.
The other possibility is what happens when the ISP doesn't block something new.
Perhaps I go to a legitimate web site and suddenly this new worm has infected my corporate network, causing a loss of millions in downtime. Right now, you could maybe go after the site hosting the malware, but probably not the ISP. If your ISP is claiming they can stop malware and they don't, they could potentially be sued by customers. Obviously they don't want this.
It's a slippery slope, but also a problem where they're hoping to fix the network rather than the endpoints. I'm not sure which would be easier.
Wednesday, October 21. 2009
An article caught my eye today entitled:
How to Defeat Full-Disk Encryption in One Minute
When you read this, it's a clever idea. Someone basically wrote a boot sector virus that sniffs hard disk encryption passwords and saves the password for later retrieval. This attack certainly isn't anything new; I'm not sure if anyone has written an easily consumable utility for it before now, though.
If you're worried about keeping the data on your laptop secure (who isn't?), it's not just about encrypting your hard drive. It's probably a good idea to use a BIOS boot password and keep your laptop physically secure. If you're traveling, don't leave it lying on a desk in plain sight. When you're not using it, put it away in a bag. Make sure you lock your doors. When the machine is powered on, don't walk away even for a minute without locking the screen.
If someone wants to target you specifically, they'll likely get what they want eventually (unless you catch them at some point). The trick to sane security measures isn't to stop people like that, the goal is to make sure that a random attacker is going to pass you up in favor of someone who is more lax about security. This is comparable to locking the door to your house. If someone wants to get in, they can, but the lock can help persuade the bad guys to go look for an unlocked door.
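One defensive check that complements the BIOS password and physical controls above is to fingerprint the boot sector and compare it against a baseline recorded when the machine was known to be good, so that a rewritten bootstrap area is noticed rather than silently trusted. The following is an added example, not code from the original post or from the utility the article describes; it uses the standard layout of a classic 512-byte MBR (440 bytes of bootstrap code, a 4-byte disk signature, 2 reserved bytes, a 64-byte partition table, and the 0x55AA signature), and the `read_mbr` helper and all sample disk images are constructed for the demonstration.

```python
import hashlib

# Classic (DOS partition table) MBR layout: bytes 0-439 are bootstrap code,
# 440-443 the disk signature, 444-445 reserved, 446-509 the four partition
# entries, and 510-511 the 0x55AA boot signature.
MBR_SIZE = 512
BOOTSTRAP_LEN = 440
BOOT_SIGNATURE = b"\x55\xaa"


def bootstrap_code(mbr: bytes) -> bytes:
    """Return the bootstrap code region of a 512-byte MBR image.

    Raises ValueError for anything that is not a well-formed MBR, so a
    truncated read or a sector without a boot signature is reported as
    such instead of being fingerprinted as if it were clean.
    """
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    return mbr[:BOOTSTRAP_LEN]


def fingerprint(mbr: bytes) -> str:
    """SHA-256 of the bootstrap code only.

    The disk signature and partition table are deliberately excluded: a
    repartition legitimately changes them, while the bootstrap code should
    stay identical unless a bootloader update (or a boot sector virus)
    rewrote it.
    """
    return hashlib.sha256(bootstrap_code(mbr)).hexdigest()


def check_mbr(mbr: bytes, baseline: str) -> str:
    """Compare a freshly read MBR against a recorded baseline fingerprint.

    Returns "ok", "modified", or "invalid".
    """
    try:
        current = fingerprint(mbr)
    except ValueError:
        return "invalid"
    return "ok" if current == baseline else "modified"


def read_mbr(device_path: str) -> bytes:
    """Read the first sector of a block device or image file.

    Hypothetical helper for real use; reading a raw disk needs root.
    """
    with open(device_path, "rb") as fh:
        return fh.read(MBR_SIZE)


def make_sample_mbr(bootstrap: bytes) -> bytes:
    """Build a constructed 512-byte MBR image for offline demonstration."""
    code = bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")
    disk_sig = b"\x12\x34\x56\x78"  # constructed disk signature
    reserved = b"\x00\x00"
    partition_table = b"\x00" * 64  # empty partition entries
    return code + disk_sig + reserved + partition_table + BOOT_SIGNATURE


# Constructed sample data, not taken from any real disk.
KNOWN_GOOD = make_sample_mbr(b"\xfa\x31\xc0\x8e\xd8original-loader")
BASELINE = fingerprint(KNOWN_GOOD)

# Same disk after a repartition: partition table differs, bootstrap identical.
REPARTITIONED = (
    KNOWN_GOOD[:446] + b"\x80\x01\x01\x00\x83" + b"\x00" * 59 + BOOT_SIGNATURE
)

# Same disk after something rewrote the bootstrap code.
REWRITTEN = make_sample_mbr(b"\xfa\x31\xc0\x8e\xd8hooked-loader")


if __name__ == "__main__":
    print("baseline:     ", BASELINE)
    print("repartitioned:", check_mbr(REPARTITIONED, BASELINE))
    print("rewritten:    ", check_mbr(REWRITTEN, BASELINE))
    print("truncated:    ", check_mbr(KNOWN_GOOD[:200], BASELINE))
```

Record the baseline while the machine is in a known-good state, keep it somewhere the laptop's own disk cannot alter, and run the comparison from a trusted boot medium rather than from the installed operating system, since code that owns the boot sector can also lie to the OS it loads. The layout offsets apply to classic MBR disks; a GPT/UEFI system keeps its boot code elsewhere and needs a different check.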
Wednesday, October 14. 2009
So this weekend, my home server machine, that does all sorts of stuff for me, decided to crash. I rebooted, and noticed that one of my virtual machines running inside vmware didn't start. Upon spending some time with it, it became obvious that the disk was corrupt, well beyond what an fsck could fix. So I reinstalled, luckily I had backups. Later that day, same thing. At this point I fsck the real disk (fsck on 1TB takes a long time), which fails miserably. So I rebuild that drive, then rebuild my virtual machines, then the next day the server crashes again.
This sad game went on for a while longer before I finally ran memtest86. It lit up like a Christmas tree (note to self, do this first next time).
So the real point of this post, though, is to comment on how painless the Corsair RMA process is (they made the RAM in question). Everything was via a web site, and in a few hours I had my RMA sheet and was off to the post office. It's always nice when, just as I'm ready to throw the computer in a lake, something goes right.
The extra cool thing is that since I bought this memory as a two-stick deal, they offered to replace both sticks. Sadly I need this computer to be running, so that didn't happen, but I still dig the idea behind it.
In a strange way, this also makes me happy, as CentOS 5.4 is just days away, so I figure I'll wait and use KVM instead of vmware, which will give me a whole new world of headaches.
Wednesday, October 7. 2009
The ClamAV folks have announced that they're going to EOL the 0.94 branch of ClamAV in favor of the 0.95 branch. They're doing this due to certain features in 0.95 which will allow them to distribute more complex signatures in an efficient manner.
I'm normally a rabid supporter of backporting fixes to older versions and keeping them alive forever, but in this instance, I think the ClamAV folks are doing the right thing. They're giving everyone plenty of notice, they're not being dishonest about why they're doing this, and it's certainly for a net gain.
The malware detection world is like an arms race, where the good guys are always a step behind. The real value ClamAV provides isn't in the detection software, it's in the malware signatures that the software processes. Anything that can give us better signatures and detect more malware is a good thing, even if it causes some temporary pain.
Friday, October 2. 2009
So while visiting my bank today, I noticed a shiny metal box on the side of the building clearly marked as "Burglar Alarm". I hope for the sake of sanity, that's not REALLY the burglar alarm, but rather just a shiny box to trick stupid thieves and make us customers feel safer.
Tuesday, September 29. 2009
So today Microsoft released something called Microsoft Security Essentials. It's basically a free anti-virus program from Microsoft.
Two things come to mind.
1) Why did this take so long?
2) Why do we still need this?
Sunday, September 27. 2009
So as I've noted in the past, Coverity has been using their tool to scan Open Source software as what I presume is a rather clever marketing campaign. This is the third year they've been doing this, and they claim that there is a 16 percent reduction in flaws found. They are of course claiming that the software has become 16 percent better, not that their tool is 16 percent worse.
A story like this is probably misleading and can be really hard to understand. The real story is that Open Source software has gotten better at fixing the sort of things that Coverity scans for. It's another debate, of course, whether this is the result of Coverity scanning the source or of better upstream practices. I would be most interested in seeing how many of the bugs Coverity found were fixed, and whether that 16 percent lines up with their previously found bugs.
Understanding statistics is really hard to do, and it's even harder to properly analyze them. A story such as this is often misleading, and the organization writing it will make sure it's in their favor. This is best explained with an example. Imagine you have a group of people at risk for heart attacks. It's also quite likely that these people have poor diets that put them in this position. Now suppose you conduct a study where they eat oatmeal for breakfast. It turns out the folks who ate the oatmeal had fewer heart attacks. So obviously oatmeal is a magic food that prevents heart attacks! ... right? There are a few ways to look at this. The most likely is that these folks were eating terrible things for breakfast, so eating pretty much anything other than what they were would reduce their risk of heart attacks.
I'm not saying that Coverity ISN'T responsible for better Open Source code, they might be, but I'm also saying that we can't really know they are without more information.
Saturday, September 5. 2009
So it would seem those clever virus writer types are now also leveraging the synergisticismly awesomeness of THE CLOUD.
It's no real surprise to anyone: if you're running a vulnerable web app, it's quite likely your server is going to be compromised. I'd even be surprised if this is the first web-app based worm, but it will likely get more press than others. The fundamental issue boils down to folks not keeping their systems updated. This is where leveraging things like distribution packages is a big plus, as when the distribution updates something, all you have to do is install their updates.
Friday, September 4. 2009
So I'm back from the Red Hat Summit now. It was a good show. It's always nice to get some face time with customer folks and co-workers.
My talk went quite well, all things considered. The room, while small, was full, which is always nice. My voice was a bit rough. The party the night before I spoke was very loud, which meant in order to talk, you had to yell. This left me with a rather weak voice. Good thing I had a microphone.
The most unexpected outcome from my talk, I think, was listening to customers talk about how annoying all the false positives they get from various security scanners are. This is due to us backporting fixes. I plan to investigate this more in the near future, stay tuned.
Dan Walsh showed off some spiffy stuff. I expect he'll have some blog posts soon about his sandbox project.
There was a party at the Museum of Science and Industry on Thursday night. That place is always a pleasure to visit.
Monday, August 31. 2009
So while I like to wave around my geezer cane, I think it's time to use twitter for the upcoming Red Hat Summit. While I could just write a blog entry every hour, that is annoying to write, and annoying to read. Twitter offers me a special sort of stream-of-consciousness nonsense.
So feel free to play along at home:
http://twitter.com/joshbressers
So I'm heading in the general direction of Chicago in a few hours, as the Red Hat Summit starts tomorrow. I'm giving a talk about Red Hat Security Advisories on Thursday at 11:20. As it's right before lunch, I expect most to be daydreaming about tasty treats.
I do always enjoy the summit, it's nice to get some face time with various co-workers, and speak with customers about our security updates. I'm always happy to hear from folks what we're doing well and what we could stand to improve.
If you're going to be at the summit, feel free to find me and pester me about anything security related. I look forward to it.