Josh's Blog - Linux

Linux Will Never Not Always Maybe Get Viruses ... or something

nospam@example.com (Josh Bressers) — Fri, 07 Sep 2012 06:30:20 -0400

I ran across this article the other day Why Linux Will Never Suffer From Viruses Like Windows.

The article makes some pretty bold claims about Linux getting a virus. I admit, I'm quite skeptical of the conclusions the author makes. I do security work on Linux and I keep telling everyone "our day is coming". I won't complain if I'm wrong, but I suspect I'm not.

Here are my thoughts on the issue.

The reason Linux doesn't have viruses is because Linux doesn't have viruses
This basically means nobody is really writing them. Why not of course is up for debate, but even if they didn't propogate well, we'd at least see something out there. So far there's not much.

Your phone is bigger than the Linux Desktop
I expect every year for the next 50 or so to be "The Year of the Linux Desktop". What a lot of people don't get is the desktop is becoming less relevant than ever before, but Linux is more important than ever before. Watch out for viruses on your phone, that's the next place the bad guys are going to go. Except this time it's not going to be about telling all your friends you love them, it's going to be about stealing all your information and money, THEN telling all your friends how much you love them.

People are the problem
Fundamentally speaking, until we remove people from the equation (which is pretty hard to do and still turn a profit), we will have attacks. While some platforms do make attacking them easier than others, I'm fairly certain in at least 80% of instances it was a person making a bad decision that caused their computer to become infected. Technology moves faster than people can learn, what was safe today won't be safe tomorrow. We can't even imagine what the next attack will look like.

Will Linux have viruses? Maybe. Will Linux become a bigger target? Certainly. Can we do anything about it? Even if not, we're going to try. Buckle up, I suspect the next few years are going to be a wild ride.

Expanding Red Hat's Product Security Efforts

nospam@example.com (Josh Bressers) — Mon, 21 Nov 2011 07:17:00 -0500

I'm rather excited to announce an expansion of Red Hat's product security efforts. I've been tasked with creating a team inside Red Hat to formalize our product security work. There is already a lot of really good work happening inside Red Hat in the security space. Technologies such as SELinux, ExecShield, secure development principals, and hardening in the toolchain have come a long way. However as happens with all decent sized companies, the left hand doesn't always know what the right hand is doing. Rather than letting good work go unnoticed, we're going to start formalizing some of these efforts to leverage what's being done, expand existing efforts into other product areas, and develop new programs.

Some additional efforts I would like to further are areas such as secure design principals, developer security training initiatives, secure coding practices, and security testing.

If you're interested in being a part of this effort, I have a number of open positions scattered around the world, feel free to apply directly or contact me if you have any questions. I'm quite happy to discuss location, so don't let that scare you off.

Please note these positions are no longer open. If you want to view open positions, please visit
http://careers.redhat.com

Software Engineer - Security Best Practices Development
Software Engineer - Tool Development
Software Engineer - New Security Technologies Development
Software Engineer - Code Audit Development
Developer Training

I don't expect any of this to be easy, but nothing worth doing is ever easy. I expect many challenges and rewards to come from this. Red Hat is in a unique and great position to take on such a task. Stay tuned for more updates.

Virtualization liveCD Fedora spin?

nospam@example.com (Josh Bressers) — Thu, 21 Jan 2010 17:35:00 -0500

Dear Internets,

Is there a Fedora virtualization liveCD of sorts in existance? I can't find one. Here's what I'm thinking.

Right now I have a virt machine under my desk, I would love to have it just boot off a usb stick or CD and fire up all the virtual machines that live on it. This would make my life quite a bit easier, as instead of having to worry about keeping the Host OS in order, all I have to do is power down, swap USB drives, power on and I'm running the latest and greatest virtualization goodness.

USB Thunbdrive Awesomeness

nospam@example.com (Josh Bressers) — Mon, 07 Dec 2009 07:45:00 -0500

I bought a 16 Gig USB drive for $20 yesterday at Frys. This itself is pretty cool, but I figured I'd try to install Fedora 12 onto it. I don't mean a USB livecd-iso-to-disk sort of install, but a real install, where anaconda treats it like a regular disk. I was amazed to see that it installed fine, but also boots perfectly.

I've tried this in the past, probably around Fedora 10, and it didn't work for me, so this is a pleasant surprise.

F11, pain, suffering, and it's pretty cool too

nospam@example.com (Josh Bressers) — Wed, 10 Jun 2009 07:13:08 -0400

So yesterday my primary machine which ran F10 decided to go and corrupt its filesystem. This was no doubt the universe telling me to "upgrade" to F11.

So after a rather annoying night of restoring files and installing things, I'm mostly functional. I must admit, it's amazing how much stuff "just works" these days. I recall the good old days when it took a week to get a mostly functional system, now it's basically there out of the box. There's also something about Fedora 11, it just feels better than Fedora 10. I can't explain it, but something in my caveman like brain thinks this is nicer than the previous one.

It's also possible I'm just really tired.

I'm pretty happy I'm running Fedora 11 now, I'm not pretty happy how I came to this decision

nmh 1.3-RC1 is out

nospam@example.com (Josh Bressers) — Tue, 29 Apr 2008 23:32:42 -0400

So while I know there aren't many nmh users around, I figure I'll make some noise about it anyway. nmh-1.3-RC1 is out. I've updated the packages in Fedora 8 and 9, they should go live with the next package update.

I dare say the biggest change from nmh 1.2 (which was in 2005) is the inclusion of proper unicode character support. Now you can read all that unicode spam the way it was meant to be seen! There were also of course numerous bugs fixed as well.

New colo machine

nospam@example.com (Josh Bressers) — Mon, 29 Jan 2007 20:00:00 -0500

So I got a new colo machine today. I was previously using a service called unixshell#, which was based on xen. In general I've had mostly good experiences with unixshell#, but I noticed that they were directing people to their new offering running on virtuozzo, TekTonic, with a price that's hard to pass up. For $15 a month I get

256MB Dedicated RAM
10GB Disk Space
Dual Processors
1.0 Mbit Unmetered (equiv. 320GB)
1 IP Address

So far I'm pretty happy. I've already noticed that the virtuozzo setup caps the disk IO. Normally this would be a bad thing as my performance on IO heavy tasks isn't great, but it also means that other users on the same hardware can't destroy my performance by running find. The best part of the whole thing was my unixshell# machine was magically migrated to the virtuozzo host, which took zero time on my part for this migration to happen.

I figured I'd give TekTonic my praises and let anyone looking for a decent inexpensive shared hosting colo a place to look.

Using Xen to Segment Applications

nospam@example.com (Josh Bressers) — Thu, 06 Apr 2006 22:05:00 -0400

I've been toying with the idea of using a xen virtual machine to segment various at risk applications I run. Once I have some of the kinks worked out I may create a howto. The idea is to create a xen virtual machine that needs as little memory as possible, then run a single application within it. I've done my testing with firefox as the browser tends to be a glutton for punishment. I'm aware that is a bit paranoid, but anytime security is involved, being a little paranoid is good. Beyond the paranoia, if a security feature adds value without being a hinderance, it's a very good thing.

I've found that after installing FC5 and stripping out all services other than sshd, I can run firefox with little trouble in a xen domain allocated 64 MB of memory. It's not as snappy as it would be if I was running it on this desktop instance, but it's very usable. I imagine things would work better if I wasn't tunneling my X connection over ssh.

There are still a few issues I'm trying to work out.

- Sound. Right now I get no sound from things like flash. This is really only an issue when I'm wondering what Strong Bad is up to.

- Plugins and helper applications. I don't have any movie players configured (see my sound comment above). I also have the problems of viewing various documents. If I open a PDF viewer, my memory needs go up. Something like OpenOffice.org will raise them dramatically. With the price of memory, I can probably handle giving my xen instance 128 MB or 256 MB, but my goal is to be a memory miser.

- Downloads. If I download a file, it lives on my xen instance. This should be fairly easy to solve by enabling NFS.

I've also experimented with the idea of setting my / partition to read only via the xen configuration file. This would ensure that even if someone could become root and get past SELinux, they could only modify /home and /tmp. The other nifty thing with a read only / is that I can share that partition between two concurrent xen sessions without any ill effects (at least none I can see).

That leads into my plans to run firefox and gaim from their very own xen instances, but with a single shared /. That would mean I only have to run a yum update once, and update all my running instances, but there is much testing I still need to do regarding that.

Encrypted filesystems

nospam@example.com (Josh Bressers) — Sat, 25 Mar 2006 21:13:56 -0500

There is currently a thread on the fedora-maintainers mailing list about using encrypted filesystems. This thread has been ongoing for a few days, and I found it odd that nobody pointed out a really nice and easy to use fuse filesystem called EncFS

Some things it can do is encrypt a directory (and the things that live below it), along with letting me backup the encrypted data without having to jump through hoops.

I highly suggest taking a look. It's available in Fedora Extras as the fuse-encfs package.

National Free Tech Support Week

nospam@example.com (Josh Bressers) — Tue, 27 Dec 2005 01:54:27 -0500

I've spent a fair amount of time this week working on computer problems for my family. I often wonder how much free tech support happens during the holiday season. Sometimes I want to install a Linux distribution for my family members, but then I have nightmares about trying to explain why the $2 CD of 74,000 photo editing programs they bought won't work.

Hopefully as Windows becomes more obtuse, I become more unable to actually help as I don't own anything that runs Windows