Archive for the 'internet security' Category

OpenBSD Gets WPA/2!

April 16, 2008

I was playing around with conky, setting up some RSS feeds and trying to decide if I wanted that junk forked into my background. Then I saw the news. Excellent!

OpenBSD is getting WPA/WPA2 support. It includes several chipsets including malo, bwi (new Broadcom 43xx support in OpenBSD 4.3 and DragonFlyBSD), ral, zyd, and others. More on the way. I wrote on my BSD blog that I would give the new bwi driver a shot but I haven’t gotten around to it yet. I definitely will now.

BTW, I decided one instance of conky is enough so the RSS one goes.

CanSecWest: pwn2own Wrap Up (Adobe Flash Causes Vista Laptop Pwnage)

March 29, 2008

Apple’s Leopard lasts ‘30 seconds’ in hack contest:

“It might have taken eight minutes to sit down and open the computer but, when the competition started, 30 seconds later, it was over,” said Miller….Competitors in the hacking race were allowed to choose either a Sony laptop running Ubuntu 7.10, a Fujitsu laptop running Vista Ultimate SP1 or a MacBook Air running OS X 10.5.2.

“We could have chosen any of those three but had to make a judgement call on which would be the easiest and decided it would be Leopard,” Miller said.

Miller further elaborated, “I use a MacBook all the time and that’s what I used in the contest to attack the MacBook Air. I like Macs. That’s the reason I went for it; it’s in my best interest for them to be as secure as possible.”

Meanwhile, the Fujitsu with Vista (and Vista’s SP1) remained unscathed until late in the day yesterday when Adobe Flash was installed. Shane Macaulay, who with the collaboration of Dino Dai Zovi pwned the Mac in last year’s pwn2own, used a new Flash 0day exploit to claim the Fujitsu and $5000.

Readers of my blog know I’m a proponent of flashblock and other extensions for Firefox (and Seamonkey) that help users whitelist trusted sites. Flash has proven susceptible to malevolence too many times to be allowed to run promiscuously, if at all. FWIW, I only use flash temporarily — install it, use it, remove it; so I use it only as needed — for dealing with youtube content.

Mozilla Patches Part Two: Huh

March 26, 2008

Mozilla fixes 10 Firefox flaws, half seen as ‘critical’:

Mozilla also patched potential identity leaks, spoofing bugs and cross-site scripting vulnerabilities in 2.0.0.13. But the fix that caught Storms’ eye was detailed by 2008-18, a fix for LiveConnect, a feature that harks back to Firefox’s predecessor, Netscape Navigator. LiveConnect lets Java applets call a Web page’s embedded JavaScript, or JavaScript access the Java runtime libraries, and it is used by both Firefox and Apple Inc.’s Safari 3 browser.

“Sun has updated the Java Runtime Environment with a fix for this problem. Mozilla has also added a fix to LiveConnect to protect users who don’t have the latest version of Java,” Mozilla said in the advisory.

“Here we have Firefox putting out a mitigation step for a bug in Java,” said Storms. “It’s a welcome addition when one vendor can help out another.”

All 10 vulnerabilities were also patched by the SeaMonkey Project, a separate open-source initiative that develops a multifunction browser suite.

The Thunderbird e-mail client, meanwhile, is affected by the five critical flaws listed in 2008-14 and 2008-15. “Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail,” read the first of the two bulletins. “This is not the default setting, and we strongly discourage users from running JavaScript in mail.”

A release date for Thunderbird 2.0.0.13 to fix the flaws has not been set. According to David Ascher, the head of Mozilla Messaging, the e-mailer’s update will follow Firefox’s by “several weeks.” In a post to his blog last week, Ascher cited several reasons why a simultaneous release of Thunderbird and Firefox updates was impossible. “Some of those resource contentions are due to not enough automation for the Thunderbird release process, and some of it is the consequence of not enough people with the right training,” he said.

Ascher defended the lag by noting that while JavaScript is turned on by default in Firefox, it is not in Thunderbird. “We could delay releasing Firefox until Thunderbird was ready, in the interest of mitigating the risk of someone using knowledge from the Firefox release to try and attack Thunderbird users,” said Ascher. “But that would mean leaving over 150 million users vulnerable. So, applying the correct math, we release Firefox security updates as soon as possible, and Thunderbird security updates as soon as possible.”

Nice that the Firefox people can help cover Sun’s asses but not Thunderbird’s.

Firefox, Thunderbird, Seamonkey Critical Update Released

March 26, 2008

Firefox update fixes critical security vulnerabilities:

A security vulnerability allows attackers to fake a borderless popup from a background tab using crafted web pages and place it in front of the user’s active tab. This could be used to spoof form elements and phish for data such as login data. Attackers can also circumvent the method used by some websites to protect against cross-site request forgery (CSRF) if server-side protection is based solely on referrer checking, as it is possible to fake the HTTP referrer (MFSA-2008-16). The Mozilla browser may reveal personal data if a user possesses a personal certificate which the browser presents automatically during SSL client authentication. According to security advisory MFSA-2008-17, following the update the browser asks the user before presenting the client certificate when it is requested by a website.

Most of the security vulnerabilities also affect the Thunderbird mail client and the Seamonkey browser suite. The security advisories refer to Thunderbird version 2.0.0.13 and Seamonkey 1.1.9, in which these bugs should be fixed. These versions are not yet, however, being distributed automatically. Firefox users should install the update without delay, as the vulnerabilities can be exploited using crafted web pages to inject trojans.

I was surprised by this when I fired up Windows today and was informed 2.0.0.13 was ready to install. User beware…

CanSecWest 2008 pwn2own: Triple Play!

March 25, 2008

nice toys for bad girls and boys
CanSecWest Applied Security Conference: Vancouver, British Columbia, Canada:

Three targets, all patched. All in typical client configurations with typical user configurations. You hack it, you get to keep it.

Each has a file on them and it contains the instructions and how to claim the prize. Targets (typical road-warrior clients):

  • VAIO VGN-TZ37CN running Ubuntu 7.10
  • Fujitsu U810 running Vista Ultimate SP1
  • MacBook Air running OSX 10.5.2

My bet is that the MacBook Err is first to go. Not just because it’s a nifty, thin lightweight machine many people crave but because Apple’s security blows. I won’t be surprised if the Fujitsu is last to go unless someone uses an identical exploit in the Apple, much like last year’s vulnerability was cross-platform. Since the Fujitsu will include iTunes, Safari, and QuickTime, I expect whoever pwns the Mac will immediately share the same exploit on the Fujitsu (or vice versa if it’s related to Apple’s insecure software). The rules stipulate one laptop per contestant.

FWIW, my heart would be set on the Fujitsu (on which I’d probably install FreeBSD) even though I’m a diehard ThinkPad fan. I’d take an x300 with its twice-better battery life (not to mention easy battery accessibility) and more USB ports and better connectivity and everything else over the single-battery (you have to disassemble the thing to replace it, which will reportedly take 48 hours at an Apple Store — no carrying spares) MacBook Err and the Vaio and the Fujitsu. Oh yeah, and then there’s the best part of all — the x300 doesn’t come loaded with Mac OSX.

If anyone at Lenovo wants me to review the x300 in a Linux/BSD environment, please contact me. I’d love to see what it can do.

How I Roll: sshfs

March 24, 2008

I’m not exactly a road warrior, but most of what I do is in the field. I’ve written in various forums that there are a few applications and utilities essential to me and “how I roll.” One of them is GNU screen. Another is SSH. These two allow me to work from the same session anywhere without ever stopping.

I’m also a huge fan of sshfs. This is a FUSE filesystem that allows a user to mount a directory on a remote host (by default the remote home directory) over SSH as though it were local. It talks to the server’s SFTP subsystem, so nothing beyond a normal SSH server is needed on the remote side.

Here’s a little tip if you’re working on a laptop in a situation where you have limited space on its hard drive, or if you’re in an area where there’s significant risk of losing your data through computer theft or some kind of disaster. It’s also cheaper than buying a new laptop hard drive.

Let me give an example. Let’s say you’re on your laptop at the university. There’s significant risk of theft of laptops and everything else. You need to work on your project but you want to insure you don’t lose all your effort in case your laptop “disappears,” if it gets dropped, whatever. You can lose an entire semester’s (or longer) work if something bad like that happens.

With sshfs, you can keep your work on your desktop (or server) computer at home. It doesn’t end up on your laptop’s hard drive, but you still have the easy and fast access as though it were there, because it uses the Unix idea of “everything as a file” in joining remote to local.

You would only need to run an SSH server (sshd, with its sftp subsystem enabled, which the stock OpenSSH configuration already does) on the computer at home so that you can access it remotely (and as securely or insecurely as you desire). On the laptop, you would load the fuse kernel module, create the mount point directory, and then enter the command:
% sshfs username@path.to.desktop.or.server: laptop.mountpoint/

So if your account name at home is “lucky” and you want to set a mount point (directory) on the laptop for “remote” it would look something like this:
% sshfs lucky@my.home.network: remote/

You’re asked to enter the password for user lucky (unless you’ve set up key-based authentication, in which case there is no prompt) and then the entire /home/lucky directory on the other computer is mounted at ~/remote on the laptop. The trailing colon with nothing after it means “the remote home directory”; put a path after the colon to mount something else. The mount point must already exist as a directory, and it should be empty, since anything already in it is hidden while the mount is active. Once you do that, you can transfer files back and forth as though it were all local — the same as any other files or filesystems mounted on your computer.

If you have a similar/compatible set of applications on both computers, you can also just get with it and use your remotely stored data files with your local applications. If you’re using Open Office’s calc or Gnumeric for your spreadsheets, you would just open whichever files from the remote computer on the local one. Then when you save, you’re saving remotely.

This minimizes the need to sync files between laptop, desktop, and/or server or to keep up with multiple versions of the same data, because you can use the same version universally. You can get by with less space on your laptop hard drive if you have large files to work on. Just use your larger (cheaper) hard drive on your desktop/server for all your storage.

When you’re finished and want to unmount the remote filesystem (which also closes the SSH connection), you enter:
% fusermount -u ~/remote/
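The whole procedure, wrapped into a small script, as an added example that is not part of the original post. It assumes (these are my assumptions, not the author’s setup) that the home box is reachable as home.example.org, that the account there is lucky, and that an SSH key is already installed so no password prompt appears. Besides mounting and unmounting it does the checks I’d want before trusting a mount: the mount point exists and is empty, and nothing is already mounted there. The sshfs options are passed through to ssh as usual: reconnect re-establishes the session after a dropped connection, ServerAliveInterval/ServerAliveCountMax detect a dead link instead of hanging, and idmap=user maps your remote uid onto your local one so ownership looks right.

```shell
#!/bin/sh
# sshfs helper for the "keep the data at home, work from the laptop" setup.
# Assumed values (not from the original post); override them in the environment.
REMOTE_USER="${REMOTE_USER:-lucky}"
REMOTE_HOST="${REMOTE_HOST:-home.example.org}"
REMOTE_DIR="${REMOTE_DIR:-}"            # empty -> the remote home directory
MOUNTPOINT="${MOUNTPOINT:-$HOME/remote}"

# Build the sshfs command line as a string. Kept separate from execution so it
# can be printed (DRY_RUN=1) or inspected without a live SSH server.
build_sshfs_cmd() {
    user="$1"; host="$2"; dir="$3"; mp="$4"
    printf 'sshfs -o reconnect -o ServerAliveInterval=15 -o ServerAliveCountMax=3 -o idmap=user %s@%s:%s %s' \
        "$user" "$host" "$dir" "$mp"
}

# A usable mount point is an existing, empty directory: sshfs hides whatever
# is already inside it, which is an easy way to lose track of files.
mountpoint_ok() {
    mp="$1"
    [ -d "$mp" ] || return 1
    [ -z "$(ls -A "$mp")" ] || return 1
    return 0
}

# True if something is mounted at the given path. Linux exposes the mount
# table in /proc/mounts; fall back to mount(8) output elsewhere.
is_mounted() {
    mp="$1"
    if [ -r /proc/mounts ]; then
        awk -v mp="$mp" '$2 == mp { found = 1 } END { exit !found }' /proc/mounts
    else
        mount | grep -q " on $mp "
    fi
}

mount_remote() {
    if is_mounted "$MOUNTPOINT"; then
        echo "already mounted at $MOUNTPOINT" >&2
        return 0
    fi
    mkdir -p "$MOUNTPOINT"
    mountpoint_ok "$MOUNTPOINT" || { echo "$MOUNTPOINT is not an empty directory" >&2; return 1; }
    cmd=$(build_sshfs_cmd "$REMOTE_USER" "$REMOTE_HOST" "$REMOTE_DIR" "$MOUNTPOINT")
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$cmd"          # show what would run
    else
        eval "$cmd"
    fi
}

# fusermount -u tears down the FUSE mount, which also ends the SSH session.
unmount_remote() {
    if is_mounted "$MOUNTPOINT"; then
        fusermount -u "$MOUNTPOINT"
    else
        echo "nothing mounted at $MOUNTPOINT" >&2
    fi
}

case "${1:-}" in
    mount)  mount_remote ;;
    umount) unmount_remote ;;
    *)      ;;   # no argument (or sourced): just define the functions
esac
```

Run it as `./remote.sh mount` before sitting down to work and `./remote.sh umount` before closing the lid; `DRY_RUN=1 ./remote.sh mount` prints the exact sshfs invocation for checking.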

Since it uses SSH, it’s more secure than a lot of other options including keeping data on tiny USB devices that can disappear even easier than laptops. One caveat: if you use a key without a passphrase so the mount comes up silently, a stolen laptop carries the key to your home data with it, so keep a passphrase on the key (or use ssh-agent) and revoke the key from the home machine’s authorized_keys the moment the laptop goes missing. And while there can be risk of theft of your desktop computer while you’re away, that risk is much lower if you use a bulky old (cheap) computer for such purposes. The more stuff you put in it to weigh it down (six combined floppy and optical drive slots don’t have to be filled with working — or even connected — drives), the less likely a thief will be interested in carrying it. Instead of adding another working computer (or broken floppy and Zip drives) to your local landfill, why not put it to good use?

It doesn’t need to be bleeding edge, you just need to be able to shell into it to access your safe data and have enough storage to make it worthwhile. It also doesn’t have to be big and heavy as described above — you could carry a “craptop” on campus and leave your good laptop in the safety of your home. Whatever you use can serve other duties as well if you put your mind to it.

And you can get by without ever touching your laptop hard drive (or needing one). Some Linux live CDs, including Damn Small Linux, come with FUSE and sshfs. Since DSL contains extensions like Open Office, Abiword, Gnumeric, etc., it would be quite easy to work remotely like this.

Both FUSE and sshfs are available with nearly all Linux distributions or should easily be added if not, as well as for FreeBSD and NetBSD (possibly other smaller ones, but not to my knowledge in OpenBSD). More FUSE fun soon.

Firefox 3 Initial Impressions - VectorLinux Site Hacked

March 21, 2008

I read an article that the Mozilla folks are so proud of Firefox 3 beta 4 that they’re encouraging it for average users. So I decided I would give it a spin.

I downloaded the tarball and set it up in /opt. From a console, I opened it up. I got the first box asking if I wanted to import my bookmarks and settings from Seamonkey (which was installed by default in Vector, and which I manually upgraded rather than using their package because I didn’t want to slow my computer down with all the slick Vector imagery — an issue which I’ll address soon). I did. It then announced my settings were brought over and asked if I wanted the Mozilla search page or my existing home page. I selected my home page.

Then the fun began. Some Arabic writing appeared on the window title bar. And in the tab. My first concern was that I had downloaded an Arabic version instead of the American English one. Looked at it. Umm, nope. Got the right one.

Vector apparently opens to their website when browsers are fired up the first time. That’s another peeve of mine — when someone insists on including configurations that direct me to their sites (you think six links to different parts of the site aren’t enough? am I really important enough to count me when I run seamonkey and firefox the first time?). In the process I found out their site’s been hacked.

This is a later shot when I realized what was going on (and I left open a tab when checking on this to make sure the file I downloaded didn’t have any known issues). But you get the point.

When I realized what was going on, I decided to open the site in dillo and that’s when I found out the criminal did a bit more. Dillo displayed it, Firefox resulted in a 404.

Anyway, hitting a hacked site because the distro I’m using includes a hit to that page in the default install even if I don’t use their packaging has given me a more negative impression of Vector than Firefox. I’m sure others who are using Vector for the first time this evening have the same impression — maybe worse.

I haven’t had time to weigh how much better Firefox 3 behaves with respect to memory, nor have I had time to delve into any new features. So far I see a familiar interface that handles things identically to earlier versions. I’ll have more time this weekend to try it out.

Microsoft New Patches for Office Vulnerabilities — Got Root?

March 12, 2008

This rant is targeted at those who run Windows as root (administrative users in NT, ME, XP, and Vista) exclusively. It also applies to those who run as root in Linux, BSD, and OSX as well. Or any other OS that runs as an all-powerful single user.

It really does make a difference how users run their computers when it comes to vulnerability levels. This is especially true with Windows because of the number of criminals focusing on the most popular platform. Many users either fail to read the documentation to understand how to maximize the security levels afforded by having different accounts or they choose the convenience of running as administrator all the time. So if and when they get some kind of malware in their admin account, it affects the entire computer.

That’s dumb. There’s no need to run entirely as root regardless of which operating system you choose to use.

Microsoft released a critical patch set yesterday for remote exploits that affect Office packages including Excel and Office Outlook. Mac versions of Office 2004 and Office 2008 are also affected by one of the vulnerabilities fixed in this set (that exploit involves a “maliciously crafted” Excel file granting remote control of a system).

Microsoft Patch Tuesday Fixes A Dozen Office Flaws:

Andrew Storms, director of security operations at nCircle, said this month’s patch cycle represented a “shining example” of mitigating Microsoft Office vulnerabilities. He noted that Office users without administrative privileges won’t be affected by these flaws as much as users running with full privileges.

Storms also said that Microsoft’s newer Office apps appear to be less vulnerable than its older ones. “When the support line for Office 2000 and Office 2003 drop off the board, we’re probably going to see a pretty significant reduction in Office vulnerability,” he said.

I think Microsoft has an unfair rap when it comes to security. How can they be blamed for (a) user choice when it comes to running with root privileges and/or without firewalls and other sensible measures or (b) their market share which makes them big targets for cybercriminals? If things were reversed and Apple had dominant marketshare, we’d hear a lot more about how vulnerable their operating system and applications are because that’s where the criminals’ attention would be focused.

I also don’t think open source is always the answer when it comes to these kinds of security issues. I remember some of the exploits discovered in Open Office, including the infamous French military analysis: “A number of the problems described in the report have to do with the basic design of the software. For example, OpenOffice.org does not perform adequate security checks on the software it runs, the researcher said. And because of the extreme flexibility of the free office suite, there are many ways for writers to create malicious macros, the researchers found.”

Yes, much of that changed in subsequent releases. No, the threat is not over. The Open Office website has its own security section, just like Microsoft’s site does. The Open Office site admits that their project “is a complex piece of software developed by various teams” and accordingly “it can contain security relevant bugs.”

Similarly, there are many Linux users who run as root — the thirteenth most popular distro in Distrowatch’s list (as I write this) runs exclusively as root and I can think of a few more live CD-based distros that do as well. I don’t buy the safety of a read-only OS that restores when the system is rebooted: data on any hard drive or mountable partition is vulnerable both locally and remotely. I also can’t tell you how many times I’ve seen Macs run in single-user mode as root — seems to be the norm rather than the exception. And they’re using insecure public hotspots!

As long as there’s money to be made from spambots and identity theft or pleasure to be gained from pwning someone else’s system, there will be threats regardless of which operating system and software packages are most popular. The solution isn’t a one-size-fits-all adoption of open source or falling prey to stupid ad campaigns that anthropomorphize computers. The solution is in educated users who are on top of their systems regardless of what they choose to run.

Operation Bot Roast: FBI Contacting PC Owners

March 4, 2008

FBI tries to fight zombie hordes:

The FBI is contacting more than one million PC owners who have had their computers hijacked by cyber criminals.

The initiative is part of an ongoing project to thwart the use of hijacked home computers, or zombies, as launch platforms for hi-tech crimes.

Maybe the FBI should contact the ISPs the known affected computers are connected to instead and free up the agents for more important tasks than recommending anti-malware suites.

Using Proprietary Software: Pragmatism Versus Principle

January 25, 2008

I responded in the DSL Forums to a question about AV software. The other person made a point about preferring an open source product, and my answer was that I have different criteria for security software than for other things. After all, this isn’t like the difference between text editors or image editing programs.

Nothing can be more important when it comes to anti-virus and anti-malware software than if it works well. What good is it to make a “principled” stand for open source software if it’s not one of the best possible options?

I’m sure ClamAV does quite well in many circumstances. As I noted, I can recommend the PortableApps version of ClamWin for those who need a quick and dirty AV tool on a known-clean partition (in this case, USB stick).

But in nearly every test I’ve seen it compared to closed-source offerings from Kaspersky, BitDefender, AVG, Avast, McAfee, and others, it has come in far short of what the others do. (The lone exception was a test run by someone pushing ClamAV — not an independent test, but a conflict of interest.)

I posted a link to this article at PC Mag that showed results from an independent test. ClamAV had a detection rate of 63.81%. The median of the 29 AV products tested was 90.97%. ClamAV came in 27th.

When it comes to the security of my computers or those of people I know and love, 27th of 29 isn’t good enough. It’s not about open versus closed source, it’s not about blindly adhering to principles. It’s about being practical. It’s about being safe.

During my search for other tests, I found this site which runs weekly tests. My link to it is sorted by rank. ClamAV in this past week’s test wasn’t the worst by far, but it detected 17% of viruses. Compare that to other AV programs that beat it in the other test I linked. BitDefender detected 51% — triple the rate of ClamAV.

As good as a lot of open source software is, it isn’t a panacea. Sourceforge and other sites are filled with half-fulfilled open source ambitions that are fully realized in the world of proprietary software. You’re not just buying someone else’s code with proprietary software, you’re also buying measures of accountability and assurances that the company producing it intends to continue improving their product so that it works as it’s supposed to. Companies that keep their code closed aren’t limited to small staffs of volunteer programmers who work on things as they have time, this is their real job.

Sometimes you really do get what you pay for. Or would have to pay for if the free personal versions of the better proprietary applications weren’t readily available. ClamAV may be free as in freedom and free as in beer, but that’s pointless if you’re not going to audit their code and make changes. Much better free-as-in-beer AV software is available. Same price. Works better.

You can have your own principles. So can I. One of mine is being open-minded and practical enough to use the best available tool for the job.