Archive for the ‘security’ Category

Your security and data retention

Monday, December 27th, 2010

It has been a while since I last took a taxi, I think, and that may be why I was very surprised when I got into a taxi the other day and discovered that it is under video surveillance! The change must have happened practically overnight here in Oslo, and now you can hardly find an unmonitored car, even though the video surveillance scheme is voluntary for the drivers. Well, I say, it isn't really voluntary: it is the car owner who chooses to monitor the car; the driver does not choose whether it is monitored, and the passenger least of all. Video surveillance is good, the driver replies; those who do nothing wrong have nothing to fear.

big brother is watching you
I think it is precisely those who have done nothing wrong who have the most to fear. Taxi drivers already live in a world where their entire working day is monitored. How would you feel about your own workplace being put under video surveillance? At the office, the hospital, in the shop? What about in your car, at school or in the kindergarten? (Incidentally, this is already happening.) When will we "voluntarily" put cameras in our homes and connect them to video centres where men are paid to sit all day and all night staring at screens?

Where is all the documentation saying that all these cameras make us safer? Is it only studies sponsored by security companies that profit handsomely from the increased distrust, or have any independent security experts spoken out?

The answer, of course, is that security experts have spoken out: experts with military backgrounds as well as police authorities and prosecutors, and so have lawyers and investigators of violence and paedophilia cases, and it turns out the experts agree that increased surveillance will not lead to more solved cases, and that on the contrary it will lead to those of us who are monitored giving up our privacy; hence our personal security is wiped out at a stroke by everything we do being logged and tracked.

Criminals do not need to care about privacy, about surveillance or about what is right and wrong: they can steal identities, hide behind false addresses, account numbers and proxy servers. Criminals can steal mobile phones and throw them away after use, or they can, like everyone else, use encrypted connections and anonymisation services. It takes a little extra competence, but criminals have extra incentive. That is why the data retention directive will not catch criminals: not only is the directive technically off target, but the underlying idea that increased surveillance reduces crime and improves the clearance rate is wrong!

I should mention that I have followed the development of the Data Retention Directive case with great interest since I heard about the proposal a couple of years ago. That is why I went to Rosenkrantzgate when there was a DLD seminar in November. Here I freely draw parallels to video surveillance even though it is about much more: it is about geographic tracking of you and me via the position sensor in the mobile phone, and it is about mapping every person you have ever been in contact with over email, telephone, SMS and social media.

It has been especially interesting to hear about the implementation of the corresponding EU directive in various European countries, and how providers of communication services relate to the directive here at home. At the seminar the head of security at Tele2 stood up and said that as of today they retain some information for 3 to 5 months for billing purposes, and that the question has always been how quickly they can delete the information to limit resource usage. Data retention will lead to a regime change, he says, where they must establish and operate a separate data retention database in case the authorities should need the information.

There have already been cases where authorities without a mandate for such information have tried to obtain telephone logs and invoices, and succeeded in several cases because the people responsible for the information are unsure how to handle the requests.

Do you think NAV should have access to your invoices when processing an application from you? What about a complete map of where you have been for the last 5 years? If yes, who else should have access when you yourself have no right of inspection?

The press will protect sources even when pressured to hand them over. Human rights courts require trust in source protection. The tool (data retention) is quickly abused, and limits must be set, otherwise it will be abused! It may be a matter of unintentionally revealing the identity of sources.

A prosecutor who worked on narcotics cases attended the DLD seminar and explained that she has used retained data in investigations. Her conclusion was that we must tolerate some crime, otherwise we live in a police state! It is politically difficult to say no because of the EU/EEA, but this is a paradigm shift that turns the burden of proof upside down. Save a child from Helga Pedersen! The problem is when we have no suspects. Are we going to sit and search for suspects?

When we step into Orwell's ugliest fantasy, are we then going to give individual access to the data? Will we allow some anonymous conversations to exist, for example sources for journalists or helplines for rape victims? How should we sort and analyse the data, and for how long? As soon as we start retaining data it becomes hard to get rid of it, and hard to keep track of legal changes and access rights; those who manage the data, namely the telephone and data providers, do not have the capacity or competence to store it responsibly.

The EU directive says that each member state can withdraw from data retention if it can justify why, and Romania and Germany have said no because it conflicts with their constitutions!

If you happen to be 100 metres from the Storting while a violent demonstration is taking place, and this information is retained, how long do you think you will have to explain yourself to avoid being implicated in the violence? The Norwegian police have already used position data to summon 100 people who were near a criminal incident for questioning. Excellent police work, I'd say!

If a known criminal calls a well-known and well-liked politician like Storberget and hangs up just as the other picks up, and the call is logged, will Storberget then be associated with criminals and summoned for questioning on suspicion? If the story of the summons leaks, the politician's career is over regardless of whether he was guilty of anything or not.

I was told a sweet but true story from the USA, where the authorities in a small rural state won a large cash prize that they were to spend on improving security in the state. They spent the money on securing the dams in the state, and when security people came to visit and asked why the state office was open and unsecured, the state senator explained that if anyone wanted him dead, they could just come and shoot him any time. He was more concerned with the security of his people, and that was best served by protecting against floods and other natural disasters.

It turns out, incidentally, with the help of the very helpful cablegates, that at least one country's data retention legislation was put on the political agenda with strong guidance from an external superpower. Who needs to talk about conspiracy theories and paranoia when we have real conspiracies?

Since one of my tasks is precisely security and network monitoring, I thought it worthwhile to share with you my experiences with data retention and how your privacy will be directly affected by a bill that is constructed to give the big boys more toys and nothing else. This on top of existing legislation that already permits surveillance of criminals.

... and you know what? The taxi driver didn't know where the camera was in the car either. 1984 called and wants its big brother who is always watching you back! Maybe the government should get on Facebook and "friend" everyone so they can keep up with what's going on?

caching wikileaks with varnish

Friday, December 3rd, 2010

In times like these I like to remind everyone that truth is a virtue and that the best resistance to corruption is decentralization.

With that in mind I quickly threw together a cache for wikileaks at wikileaks.uplink.li. This is not a full mirror obviously but it will stay up even though the main sites go down.

The host in question isn’t really specced for high loads but that is beside the point. The point is that you can do this in your own varnish instance. Here is how you do the same, in VCL:

# help wikileaks stay online by providing caching
# helps more if you have persistent storage.
#
# comotion@krutt.org 2010-12-03
# http://kacper.blog.linpro.no

# each backend is health-probed so the director only hands requests to live ones
backend wikileaks2 {
   .host = "213.251.145.96";
   .probe = {
      .url = "/img/favicon.ico";
      .interval = 60s;
   }
}
backend wikileaks3 {
   .host = "wikileaks.ch";
   .probe = {
      .url = "/img/favicon.ico";
      .interval = 60s;
   }
}

# won't work while the DNS name is taken out
#backend wikileaks1 {
#   .host = "wikileaks.org";
#   .probe = {
#      .url = "/img/favicon.ico";
#   }
#}
director wikileaks round-robin {
   #{ .backend = wikileaks1; }
   { .backend = wikileaks2; }
   { .backend = wikileaks3; }
   # add more mirrors here; every backend listed must be defined above,
   # otherwise the VCL will not compile
}

sub vcl_recv {
   # route on Host header, URL prefix or Referer; the "?" lets the prefix
   # match both /leaks and /wikileaks, the same pattern vcl_miss strips
   if (req.http.host ~ "^(wiki)?leaks" ||
       req.url ~ "^/(wiki)?leaks" ||
       req.http.referer ~ "leaks"){
      set req.backend = wikileaks;
      # serve stale objects for a week normally, for a year if every mirror is down
      if(req.backend.healthy){
         set req.grace = 7d;
      }else{
         set req.grace = 365d;
      }
   }
}

sub vcl_miss {
   # strip the local prefix (and its slash) so /wikileaks/foo is fetched as /foo
   if(req.url ~ "^/(wiki)?leaks"){
      set bereq.url = regsub(req.url,"^/(wiki)?leaks/?","/");
   }
}
sub vcl_fetch {
   # keep fetched objects long past their TTL so grace mode has something to serve
   if(req.url ~ "^/(wiki)?leaks"){
      set beresp.grace = 365d;
   }
}


You can save that to /etc/varnish/default.vcl and reload varnish.
Or, if your Varnish instance has other sites on it, you could save it to /etc/varnish/wikileaks.vcl and add the following near the top of your default.vcl:

include "/etc/varnish/wikileaks.vcl";

Isn’t it beautiful?
You may not be able to set up a full mirror, but now you can go set up your varnish to cache Wikileaks!

PS.
The opinions expressed here are not necessarily those of my employer nor anyone else associated with me, Varnish or anything really.

OSSEC to the rescue

Wednesday, October 20th, 2010

I’m not going to brag about being online for 16 years without being hacked. It simply wouldn’t be truthful and, more to the point, even if I convinced myself there is little you or I can do to verify the claim. Rather, I’d like to think that by being a little paranoid I’ve managed to avoid some badness. Actually, even if you like to think so, it’s rather optimistic to believe in one’s own infallibility. The infallibility of computer systems? Don’t even get me started.

Computer security is about turning that trend around, about saying OK, where and how did the bad guy get in, let’s kick him out and make sure it doesn’t happen again. It’s about fixing the problems before they become really bad. Security is also about not putting all your balls in one basket, not trusting your single point of failure, and being very picky about the things you trust. Because automated systems fail automatically, security is about putting yourself in the loop too.

If you haven’t read this year’s Verizon data breach report [1], the gist is basically that 2/3 of hacks are from 3rd parties, that leakage usually occurs 3 minutes into the breach and that most attacks are still discovered by a third party. What’s more, almost all attacks were made on servers, most of the attacks aren’t even that difficult to do, they leave traces in the log files and the security holes are even easier to fix!

Now if you’ve been paying attention to the Stuxnet infestation [2], the Microsoft hack [3] or the recent Depnet failure [4], there is no guarantee that your skilled and educated IT staff is on top of that stuff… because they’re too busy delivering the features you demand.

The problem here is one of control. If you are an admin, you may know what you’ve done on any particular server and you might be on top of what your team has been doing, but the second someone gets in and starts changing things they shouldn’t have, the bets are off. Files get changed: logs get nuked, commands get replaced, databases get UPDATE’d.

Let me tell it to you straight: a virus, worm, piece of malware is basically a really cool software update.

What you need is an eventuality: something that leaves a central, verifiable audit log, checks a number of different sources, stores who logged in where and how, and monitors system integrity. You need something flexible, with 90% of the job already done for you, something that can deal with a bunch of computers on a bunch of different platforms at the same time, and while leaving you in the loop does this in a manageable way, so you don’t get overwhelmed by a zillion messages.

You need something that can respond to its environment, something that sits on every host, something that can take action on its own.

OSSEC[5] has this three-pronged approach that fits the bill: rootkit checks, file integrity and logfile watching.

It does these things according to a configurable ruleset. The rules can run on all your computers (yup, Windows boxes too) and report to a central OSSEC server securely. OSSEC is also able to respond to alerts, for example by blocking an attacker that is trying to guess the password repeatedly (an everyday occurrence).
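To make the three-pronged approach concrete, here is an added example (my own Python, not OSSEC's code) of two of the checks described above done by hand: a file-integrity baseline that is rescanned and diffed, and a log watcher that applies a frequency-within-timeframe rule to sshd failures and names the sources an active response would block. The file tree, the hypothetical host name and the sshd log lines are constructed for the example; the threshold and window are assumptions, not OSSEC's defaults.

```python
"""Added example (not OSSEC's code): file-integrity diff and a failed-login
watcher with a block decision. All inputs below are constructed."""
import hashlib
import os
import re
import tempfile
from collections import defaultdict
from datetime import datetime, timedelta


# ---- file integrity: hash a baseline, rescan later, report what moved -----
def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Relative path -> sha256 for every regular file below root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = hash_file(full)
    return out


def integrity_diff(old, new):
    """(changed, added, removed) paths between two baselines."""
    changed = sorted(p for p in old if p in new and old[p] != new[p])
    added = sorted(p for p in new if p not in old)
    removed = sorted(p for p in old if p not in new)
    return changed, added, removed


def demo_integrity():
    """Build a throwaway tree, baseline it, tamper with it, return the diff."""
    with tempfile.TemporaryDirectory() as root:
        files = {  # constructed stand-ins for a command, a config and a log
            "bin/ls": b"#!/bin/sh\necho original\n",
            "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
            "var/log/auth.log": b"Oct 20 09:59:59 host sshd[1]: Server listening\n",
        }
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        before = baseline(root)
        # the three things the post lists: commands replaced, files dropped, logs nuked
        with open(os.path.join(root, "bin/ls"), "wb") as f:
            f.write(b"#!/bin/sh\necho trojan\n")
        os.makedirs(os.path.join(root, "tmp"))
        with open(os.path.join(root, "tmp/.x"), "wb") as f:
            f.write(b"dropper\n")
        os.remove(os.path.join(root, "var/log/auth.log"))
        return integrity_diff(before, baseline(root))


# ---- log watching: N failures from one source inside a window -> block ----
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")


def failed_logins(lines, year=2010):
    """Yield (timestamp, user, ip) per sshd 'Failed password' line.
    syslog lines carry no year, so the caller supplies it."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def sources_to_block(lines, threshold=6, window=timedelta(minutes=2)):
    """IPs with at least `threshold` failures inside a sliding `window`:
    the frequency/timeframe rule that would trigger an active response."""
    recent = defaultdict(list)
    block = set()
    for ts, _, ip in failed_logins(lines):
        hits = recent[ip]
        hits.append(ts)
        while hits and ts - hits[0] > window:   # expire hits outside the window
            hits.pop(0)
        if len(hits) >= threshold:
            block.add(ip)
    return block


# Constructed sample: one source hammering away, one legitimate typo.
SAMPLE_AUTH_LOG = [
    "Oct 20 10:00:01 host sshd[4021]: Failed password for root from 203.0.113.7 port 51000 ssh2",
    "Oct 20 10:00:03 host sshd[4021]: Failed password for root from 203.0.113.7 port 51000 ssh2",
    "Oct 20 10:00:05 host sshd[4023]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2",
    "Oct 20 10:00:08 host sshd[4023]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2",
    "Oct 20 10:00:12 host sshd[4025]: Failed password for invalid user oracle from 203.0.113.7 port 51004 ssh2",
    "Oct 20 10:00:15 host sshd[4027]: Failed password for kacper from 198.51.100.9 port 40210 ssh2",
    "Oct 20 10:00:19 host sshd[4027]: Accepted password for kacper from 198.51.100.9 port 40210 ssh2",
    "Oct 20 10:00:21 host sshd[4029]: Failed password for invalid user test from 203.0.113.7 port 51006 ssh2",
    "Oct 20 10:00:24 host sshd[4029]: Failed password for invalid user test from 203.0.113.7 port 51006 ssh2",
]

if __name__ == "__main__":
    print("integrity:", demo_integrity())
    print("block:", sources_to_block(SAMPLE_AUTH_LOG))
```

The sliding window is what keeps the single mistyped password from 198.51.100.9 out of the block list while the seven guesses from 203.0.113.7 cross the threshold; the integrity diff reports the replaced `bin/ls`, the dropped `tmp/.x` and the deleted log in one pass, which is the kind of report the post wants in a central, verifiable place rather than on the compromised host alone.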

What’s more, GPL open source makes it possible to audit and patch the code of OSSEC, and gracefully sidesteps the problem of vendor lock-in.

Now that I’ve played with it and tuned it for sufficiently long, it’s started to complement my IDS nicely and beats old approaches like tripwire, fail2ban [6]/sshguard [7] and logwatch [8]. Don’t get me wrong, OSSEC is not the silver bullet [9], then again nothing is and thus we must stay vigilant.

So, with the advent of Week of OSSEC year 2 I took the opportunity to tell you about this fine piece of software, and to show you the real nugget: my debian install and update script for ossec which you can use standalone, or together with my budding and passably simple configuration system gone, which I will introduce another day in another post.

0K out.

References in all their undistractingly subscripted glory:
[1] Verizon data breach report
[2] Talk on stuxnet the SCADA worm by kwy
[3] Microsoft confirms Russian pill-pusher attack on its network
[4] Regjeringen utsatt for dataspionasje (the Norwegian government hit by computer espionage)
[5] OSSEC
[6] Fail2ban
[7] SSHguard
[8] Logwatch
[9] Abusing OSSEC

backtrack to install a backtrack

Thursday, September 9th, 2010

BackTrack is your daddy.
BackTrack accepts no compromises, yet it is all compromising.
Because really, when is the last time you *didn’t* need those auditing tools? That penetration suite? Total privacy to break other people’s privacy? All that and a packet of crisps wrapped with razor sharp menus – it’s the kind of stuff you can only dream of on core. And I hear Fedora Core is the shitzitz now, adopting new [1] and exciting[2] features. Oh hey debian doesn’t have binary deltas for packages *yet* [3], but we’ve been talking about it way longer than those dudes have.

Anecdotally, I spilled a glass of water on my laptop the other day. Naturally, the glass went half empty in an instant: my poor lovely x41, I screamed. As it turns out the laptop casing made sure all the water was rather cleverly funneled into the x41's only 1.8″ harddrive, which proceeded to go completely bananas (due presumably to rust, because clean water doesn’t conduct, right?). The data? I believe trusty old dd_rescue did rescue at least part of it, but I then misplaced the image file somewhere.

The system?
It was a thrifty, untrusted yet trusty Windows XP install that I’d been keeping on there on the mercy of actually booting every time since I bought the machine despite having been licked by more than its fair share of virii, malignant updates and accidental hard resets. Most of the programs I ran were portable[4] versions so all I lost were some documents and lots of music[5].

The hardware?
I disassembled and meticulously dried every little component, and in the end only the disk drive was bust. The 1.8″ IDE drive that is impossibly ridiculously expensive to replace (5$ per GB? What the foo? Shut up!). Still, I needed the laptop so I exploded booting from USB. Despite (misguided?) efforts I haven’t bloody well been able to boot windows off USB, so I bootstrapped BackTrack 3 instead and bob is your uncle.

I mean really, I think I had that thing running like that for three months before I started missing stuff like apt. Didn’t really mind starting fresh every boot, I even invented a whole little spiel for getting online as fast as possible, none of that Network Manager madness.
Persistent settings are all right in BT3 but booting into RAM is a lot more fun. After the first 3 seconds of boot you can pull the USB plug, everything goes zippety fast and your footprint is nada. Only thing that can get your ass is a cold boot attack.

BT3 is real cool and still a good recommend if you want to wardrive and do proper wifi phreaking due to the embedded injection drivers, but in the end I wanted new libs, a decent compiler and window dressing, and so I rolled BackTrack 4.

Granted, kde sucks, but if I cared enough I’d switch to openbox or something awesome in like 4 minutes. These days all I need is a shell and a browser.

For those of you fortunate enough to have a harddrive, BT4 ships with an install script to turn your system into a permanent BackTrack fixture. It’s based off Ubiquity, but dd’ing off the USB and onto your disk drive might be better if you’re interested in being able to boot your system into RAM, well I dunno because you want to do some advanced powersaving[6], or want to kill your system without worrying about unclean shutdowns, or want to maximise the life span of your solid-state device by nearly never writing to it.

For my own part there was a happy ending on DealExtreme, as they ship IDE44 to CompactFlash interfaces that fit in the x41 1.8″ bay… which leads to a whole slew of unexplored possibilities thaaat (drum rolls) I will explore in the next installment of how to break your machine.

BackTrack 4 R1 has been released :-) [7]. Anyone know where I can score the BlackHat Edition?

[1] http://fedoraproject.org/wiki/Releases/FeaturePresto
[2] http://fedoraproject.org/wiki/Features/systemd
[3] http://samba.anu.edu.au/rsync/rsync-and-debian/rsync-and-debian.html
[4] http://portableapps.com/
[5] http://drownedinsound.com/community/boards/music/4179554
[6] http://kacper.blog.linpro.no/archives/13
[7] http://www.backtrack-linux.org/

CPM: Reliable multiuser password management

Monday, August 2nd, 2010

Sup all,
summer is drawing to a close and vacation is definitely over, but I for one welcome the chance to think and act again. Some time ago our managed services department started complaining about various shoddy password management solutions. Truth be told we already had a good solution, CPM (“Console Password Management”) but the software had fallen into disrepair due to seldom and untidy updates from its author. A new maintainer was desired and a project to fix the software was decreed and the result fell into my lap so to speak.

What sets CPM apart from other password management solutions is that it supports multiple users and goes to great lengths to keep your passwords secure while at the same time being very simple in its design: CPM locks its XML-formatted hierarchical password database in non-swappable private memory (so your passwords don’t get written in cleartext to disk while swapping), and encrypts the database with an arbitrary amount of GnuPG public keys.

All this makes CPM quite nice for storing and sharing secrets in a nice curses-based searchable console interface.

For the longest time I’ve been keeping the hundred-odd passwords I can’t remember on notepads and in random text files, thinking that surely I should start employing some sort of password management before I go crazy or my passwords leak. My wishes happened to coincide with the scope of this project, so I picked up CPM and gave it a little love, and the result can be found at

GitHub CPM with CPM packages for debian in the downloads section.

CPM crash course

Requirements: Gnu Privacy Guard, and a GPG keypair.

First, install CPM:

dpkg -i cpm_0.25~beta-2debian2_amd64.deb

Then, create a password database, adding your key to the recipient list when prompted.

create-cpmdb

Then, use CPM from the console:

cpm

CPM should now ask you for your GPG key password and display an empty database.

CPM is controlled with the arrow keys, Enter and some control keys.
Hitting Control-H will bring you to the Help screen which explains the control keys.

By default CPM organises your passwords in a structure of hosts that have several services which may have one or more users. Hosts, services, users and passwords are nodes in the tree and a node is added by hitting Control-A and given an appropriate name.

For instance, if I were to add a password ch1ckens0up to user lolarun on the wiki service of host fragglepop.info, I would create the following node structure:

  host:fragglepop.info
      \-->service:wiki
              \-->user:lolarun
                      \-->password:ch1ckens0up

Of course there is no need to follow this anal layout, and you may even change the node structure by editing the template names in CPM by hitting Control-N or modifying the /etc/cpmrc config file.

To have CPM generate a random password for you, hit Control-P.
Your changes are not saved unless you hit Control-W or quit the program by hitting ESC enough times. Quitting through Control-C will not save the database.

Future work includes pushing the package into Debian.

What you don’t get (yet) is a GTK-based GUI, or a wrapper to pull the password database out of GIT and commit it again after modification nor integration with gpg-agent, probably (?) due to a bug in gpgme.

Enjoy this lovely piece of software and leave a comment after testing it!

PRADS 0.2.0 hits release

Monday, June 21st, 2010

PRADS – the Passive Realtime Asset Detection System has reached release with codename: “our two cents”.

It’s been far too long since last release and many things have happened that we thought we would share with you.
First off, PRADS has been rebuilt from scratch to handle high throughput and should work nicely on those fat pipes out there. This means it operates a little differently on the command line.
Our tool is now quite easy to use and has support for many more signature methods.

Changelog for prads 0.2.0-1
* PRADS release 0.2.0
* SYN,SYNACK,ACK,FIN,RST, IPv6, service, client, UDP, ICMP, ARP support
* added and fixed many signatures
* log to prads-asset.log
* eat pcaps (-r file.pcap)
* dump statistics on exit
* wirefuzz script
* prads2snort and other fun tools
* better IPv6 support
* better OS guessing
* awesome memory usage and stability
* l337 optimizations for high thruput
* code refactoring, cleanups & bugfixes and more

Quick start:
root@machine# prads -D
[*] Running prads 0.2.0
[*] Using libpcap version 1.1.1
[*] Using PCRE version 7.8 2008-09-05
[*] OS checks enabled: SYN SYNACK RST FIN ACK
[*] Service checks enabled: TCP-SERVER TCP-CLIENT UDP-SERVICES ARP
[*] Device: eth0
[*] Daemonizing...

To see the raw asset log file:

root@machine# tail -f /var/log/prads-asset.log
asset,vlan,port,proto,service,[service-info],distance,discovered
84.24.154.213,0,1268,6,ACK,[65392:118:1:0:.:A:Windows:XP],10,1277044697
109.87.38.106,0,56393,6,ACK,[16425:114:1:0:.:A:Windows:XP],14,1277044697
192.168.2.43,0,38359,6,SYN,[S4:64:1:60:M1460,S,T,N,W7:.:Linux:2.6 (newer, 7):link:ethernet/modem:uptime:2630hrs],0,1277044698
192.168.2.43,0,48065,6,ACK,[54:64:1:0:N,N,T:ZAT:Linux:2.6:uptime:2630hrs],0,1277044697
76.99.73.67,0,55834,6,ACK,[33069:48:1:0:N,N,T:AT:Linux:2.4(newer)/2.6:uptime:307hrs],16,1277044697
65.191.159.39,0,48747,6,ACK,[259:114:1:0:N,N,T:AT:unknown:unknown:uptime:20hrs],14,1277044697

Remember that ACK mode is and always will be rather unreliable.
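Because the bracketed service-info field can itself contain commas (see the SYN line above), a naive split on "," shreds these records. Here is an added example, my own Python rather than anything shipped with PRADS, that parses the asset log lines shown above, groups them per asset and picks the best OS guess while ranking ACK-mode evidence lowest, as the warning above suggests. The column order comes from the header line PRADS prints; the position of the OS name and version inside the colon-separated service-info, and the mode ranking, are assumptions inferred from the sample lines.

```python
"""Added example, not PRADS code: parse prads-asset.log lines and summarise
per asset. The sample lines are the ones printed in the post."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# service-info sits in [...] and may contain commas, so anchor on the
# brackets instead of splitting the whole line on ","
LINE_RE = re.compile(
    r"^(?P<asset>[^,]+),(?P<vlan>\d+),(?P<port>\d+),(?P<proto>\d+),"
    r"(?P<service>[^,]+),\[(?P<info>.*)\],(?P<distance>\d+),(?P<discovered>\d+)$")

OS_MODES = {"SYN", "SYNACK", "ACK", "FIN", "RST"}
# assumption: ACK fingerprints are the least reliable, SYN the most
MODE_RANK = {"SYN": 3, "SYNACK": 2, "FIN": 1, "RST": 1, "ACK": 0}


@dataclass
class Asset:
    ip: str
    vlan: int
    port: int
    proto: int
    service: str
    info: str
    distance: int
    discovered: datetime

    def os_guess(self):
        """(name, version) for a TCP fingerprint record, else None.
        Assumption: they are fields 7 and 8 of the colon-separated info."""
        if self.service not in OS_MODES:
            return None
        fields = self.info.split(":")
        if len(fields) < 8:
            return None
        return fields[6], fields[7]


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # the header line, or a line we do not understand
    d = m.groupdict()
    return Asset(
        ip=d["asset"], vlan=int(d["vlan"]), port=int(d["port"]),
        proto=int(d["proto"]), service=d["service"], info=d["info"],
        distance=int(d["distance"]),
        discovered=datetime.fromtimestamp(int(d["discovered"]), tz=timezone.utc))


def parse_asset_log(lines):
    return [a for a in (parse_line(l) for l in lines) if a is not None]


def summarize(assets):
    """Per IP: the best-ranked OS guess, the mode it came from, min distance."""
    by_ip = defaultdict(list)
    for a in assets:
        by_ip[a.ip].append(a)
    out = {}
    for ip, recs in by_ip.items():
        guesses = [a for a in recs if a.os_guess()]
        best = max(guesses, key=lambda a: MODE_RANK.get(a.service, -1)) if guesses else None
        out[ip] = {
            "os": best.os_guess() if best else None,
            "mode": best.service if best else None,
            "distance": min(a.distance for a in recs),
            "records": len(recs),
        }
    return out


def ack_only_assets(assets):
    """IPs whose only OS evidence is ACK mode, i.e. low-confidence guesses."""
    modes = defaultdict(set)
    for a in assets:
        if a.service in OS_MODES:
            modes[a.ip].add(a.service)
    return sorted(ip for ip, m in modes.items() if m == {"ACK"})


# the header and six records from the post, verbatim
SAMPLE_ASSET_LOG = [
    "asset,vlan,port,proto,service,[service-info],distance,discovered",
    "84.24.154.213,0,1268,6,ACK,[65392:118:1:0:.:A:Windows:XP],10,1277044697",
    "109.87.38.106,0,56393,6,ACK,[16425:114:1:0:.:A:Windows:XP],14,1277044697",
    "192.168.2.43,0,38359,6,SYN,[S4:64:1:60:M1460,S,T,N,W7:.:Linux:2.6 (newer, 7):link:ethernet/modem:uptime:2630hrs],0,1277044698",
    "192.168.2.43,0,48065,6,ACK,[54:64:1:0:N,N,T:ZAT:Linux:2.6:uptime:2630hrs],0,1277044697",
    "76.99.73.67,0,55834,6,ACK,[33069:48:1:0:N,N,T:AT:Linux:2.4(newer)/2.6:uptime:307hrs],16,1277044697",
    "65.191.159.39,0,48747,6,ACK,[259:114:1:0:N,N,T:AT:unknown:unknown:uptime:20hrs],14,1277044697",
]

if __name__ == "__main__":
    recs = parse_asset_log(SAMPLE_ASSET_LOG)
    for ip, s in summarize(recs).items():
        print(ip, s)
    print("ACK-only:", ack_only_assets(recs))
```

For the local host the SYN record wins over the ACK record, so the summary reports "Linux 2.6 (newer, 7)" from a SYN fingerprint; the four remote hosts are flagged as ACK-only, which is exactly the set whose OS guesses should be read with the caveat above. Timestamps are converted to UTC, so the local-time stamps in the prads-asset-report output will be offset by your timezone.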

To get a better view of the detected systems, run the following command:

prads-asset-report | less
13 ------------------------------------------------------
IP: 109.87.38.106
OS: Windows Server 2008 (R2 Standard 64-bit) (60%) 1
[..crop..]
104 -----------------------------------------------------
IP: 192.168.2.43
OS: Linux 2.6 (newer, 7) (100%) 3
MAC(s): 00:DE:AD:BE:EF:2F (2010/06/20 16:39:00)

Port Service TCP-Application
80 CLIENT Mozilla/5.0 (X11; U; Linux x86_64; en (US) AppleWebKit/533.4 (K
HTML, like Gecko) Chrome/5.0.375.70
80 CLIENT @www
80 CLIENT Mozilla/5.0 (X11; U; Linux x86_64; en (US) AppleWebKit/533.4 (K
HTML, like Gecko) Chrome/5.0.375.70
443 CLIENT TLS 1.0 Client Hello
443 CLIENT TLS 1.0 Client Hello
3218 CLIENT rtorrent/0.8.6/0.12.6
6667 CLIENT @irc
6667 CLIENT @irc
6667 CLIENT SSL 2.0 Client Hello
50005 SERVER Bittorrent
50005 SERVER Bittorrent

Port Service UDP-Application
53 CLIENT @domain
53 CLIENT @domain
123 CLIENT @ntp

105 ------------------------------------------------------

[..snip..]

Packages are available for debian and ubuntu, for everyone else there is source.
Get PRADS now!

Report issues and feature requests to: http://github.com/gamelinux/prads/issues

For suggestions, help, contributions and general banter go to the PRADS mailing list.

never ask for root again

Monday, August 17th, 2009

just a short note to all of you:

linux is not secure. Passwordless root is here :-*

Yes, it has been published elsewhere, but I’ll do mine to push this meme to you: there can be no “untrusted local users” nor do I believe that your services aren’t exploitable.

Two seconds later I have root on your box.

Despite LSM. Despite SELinux. Despite jails and virtualization. Despite all your assumptions.

You will need some very fine security gents and a little of your own smarts to secure your nets. Call us :-)

The best link on this issue so far has been:

cr0: bypassing linux with null pointer

Do you want security? Go run carpal-tunnel-inducing OpenBSD, swell swell if only it smelled well FreeBSD, or, *drum rolls*

drop-in up-to-date secure and invulnerable grsec kernel for ubuntu and debian

Only disadvantage I can see is that they don’t provide amd64 and desktop builds.

Diligence and perseverance is the path to victory,
and although paranoia may not be the path to safety
no one should leave their front door open.

In other news, and probably a little lame for those of you coming thru the planet feed, security.vcl is here – properly used, understood and abused it could save you some worries, making sure no “untrusted user” went “local” in the first place.

Also, tell your friends: there is a Facebook virus about. It sends links to you from your friends accounts. If you click on the link, you too will be sending your friends links.

Yeah, I know, that sounds like what I do on facebook all day. Except the difference is you don’t know you’re sending links.

So watch out.

And tell your less savvy friends.

the police are struggling

Tuesday, March 17th, 2009

The police are struggling with their computer systems. A colleague has already mentioned the matter. It is frightening but not at all surprising. It will take more than two weeks before they get the virus under control, if you ask me.

I wonder whether we at Redpill-Linpro couldn't have helped them a bit.
Good suggestions are flying around the office:

We could have firewalled them so the virus doesn't spread. We could have set them up with thin clients and MultiFrame. We could have sorted out their writable shares with a little samba magic. We could have moved their applications over to wine, or virtualised them. We could have stunt-migrated them with the help of a few USB keys and/or a little PXE-foo, and then, no more viruses.

One thing is for sure: it is going to take them weeks just to get control if they continue with the current system... and they expose themselves to something similar happening again and again and again.

The bonus is that our solutions are open source, of course!