Archive for the ‘internet security’ Category

Update 20110723 – CentOS 6, Sabayon, Slackware, NetBSD, Etc.

July 23, 2011

Long time no see, haters. Since my last update earlier this year, I’ve been pretty busy. Usual stuff: family, work, and sports injuries.

I have a shiny new Lenovo laptop. One of the reasons I chose this one is because I was able to get a list of the hardware and checked it against lists of supported devices. It’s all supported very well under Linux and the BSDs (Net, Open) I looked at.

First thing I did was reduce the very large NTFS partition someone formatted it with (I never have booted this into Windows 7) so that it’s actually quite small. Then I installed a release candidate for Scientific Linux 6 on it, as that was the first available RHEL6 clone. I’ve since changed that over to CentOS 6 using a net install. And since I have no interest in booting the pre-installed OS, I changed my grub menu.lst to no wait, no options, just load that one in a freaking hurry.

As usual, I found some nits to pick about how certain other things were configured and I had to make some changes to get simple things to work. This goes for software as well as hardware.

First the hardware side of it. I thought the inkjet printer I keep in my room was supported out of the box despite noticing the printer would “eat” up paper upon finishing the job — not fully ejecting it before pulling it back into the printer. It was only the past few days, though, I realized there was more wrong than met the eye. I needed to make some quick scans and xsane reported back I had no scanner. Hmmm. I checked it via scanimage and it was detected. I also double-checked the drivers and saw that the sane backends for hp and usb were there. I decided to see if the hplip site had a newer RPM than is available in any of the repositories I’ve enabled. I entered the relevant information and downloaded an up-to-date RPM with new drivers. Installing it required removing old RPMs. Then I had to set some permissions so I could use the scanner without escalating my privileges to root. The new hplip RPM also resulted in better printing and no more “eating” paper.

There was a variety of software I installed from the normal as well as third-party repositories. Most of it has been without any trouble — only a couple things from a more bleeding edge repository (EPEL) have conflicted with packages from others. Some of the configuration issues have been simple and straightforward. I’m coming around to accepting pulseaudio, especially as it makes some things easier. My Bluetooth headphones work fine and are able to remotely control playlists in totem. Haven’t tried yet in rhythmbox but mplayer (from rpmforge) needs remuco to work.

Even though I’d be exaggerating to call RHEL6 or its clones bleeding edge, it’s still new enough that repositories lack certain packages that I wanted to install. One solution (other than “wait”):

sudo yum groupinstall 'Development Tools'

I’ve recompiled things that bugged me as well as things that were either unavailable or that I wanted to update. I wanted liferea so I had to compile it myself. Dittos sylpheed (NOT claws) and mew (emacs e-mail client). I also wanted an update of org-mode for emacs, but I’ve also played around with compiling other emacsen. This morning, I decided to try sxemacs.

I wasn’t impressed with the clunky xaw widgetry, let alone the faces available on my laptop (trust me, terminus looked only a little better), and I decided against installing GTK1 headers just to see if that would look any better. Not even some minor color changes helped. I usually run emacs from console anyway because it’s easier to run it in screen and then shell in and out, locally or remotely, as needed. The faces (fonts) bother me a lot more than the widgets — it’s not about the aesthetics as much as if I can clearly see what the hell I’m doing.

I’m going to try this for a while and see how much work it’ll take to get it working the way I use GNU emacs. Just remembered I forgot to change EDITOR=emacsclient to EDITOR=gnuclient. Also, this (last line!) has to go in the init.el to keep from opening a new sxemacs GUI instance:

(require 'gnuserv)
(gnuserv-start)
(setq gnuserv-frame (selected-frame))

Sheesh! Recompiled --without-x. Much better, too, after removing background color (transparent terminal over black wallpaper).

Now the fun of getting my other emacs stuff to work correctly with this.

I also converted my previous laptop over to CentOS 6. I did a minimal net installation, installed xfce from EPEL, and then added some of my own packages (including dwm and jwm because I decided I don’t care for xfce). My ridiculous Acer Aspire One is still running SL6 and still having issues with the fucking Atheros wireless card. When it starts to flake out on me, I pop in a zyd-based USB wireless adapter. Voila. I should blacklist the module for the Atheros card but, honestly, the AA1 has been such a pain in the ass that I seldom use it. I recently updated XP (30-something packages!) after not even booting it for like half a year and suffered some USB-related issues as a result. The good news is under the RHEL6 clones, all the other AA1’s hardware — including both internal card readers — work properly, without having to boot one side with a card inserted.

Okay. The headline mentions other distros and NetBSD. I’m considering some changes on the other laptop because a lot of stuff I’ve compiled for it would be just as easy from scratch instead of using source RPMs or new source. I tried to get a measure of how many packages are installed by default on a minimal install of various distros. I figure RHEL clones will have the most, followed by Debian, and on the other side of the scale will be Slackware and Gentoo (I haven’t used Sabayon before but I like the option of using a binary or portage depending on my tastes — this is why I’m also considering a BSD and pkgsrc).

There are certain distros I’ve taken off my radar list despite having a fondness for them. As I now use laptops, netbooks, and other portable devices — including portable USB storage — about 90% of the time, encryption is very important to me; one of my parents’ was a victim of identity theft in the past couple years and I was already a bit paranoid about what kind of information could be found in plaintext on my computers. On all my computers, I like the option of installing to, or easily setting up, one encrypted LVM which includes at the very least my /home, /var, /etc, and swap. I used to think it was adequate to encrypt just /home and swap but I’ve changed my mind after auditing “identifying” information available elsewhere on an unencrypted system. For example, plaintext wifi passwords in /etc/wpa_supplicant/wpa_supplicant.conf (or elsewhere on a “non-standard” system) or stuff stored in /tmp. I also think it’s not enough that the “core” of the operating system be protected from threats, such as over the Internet; the biggest vulnerabilities usually stem from applications and user choices, and you can’t reboot those problems away — they’ll still be there if (or because) /home and /usr/local are RW, not read-only. When storage is measured in GB and TB and speedy multi-core processors, it’s harder for me to choose to run my OS in some “embedded” style.

Still on my TODO list is my post about what I use instead of OpenOffice.org. Also, I’ll try to write a post about the minimal install I did with more specifics (need to edit my gnote version of it — wish I could import that into this without reformatting) in the near future. As usual, no promises on time lines.


Disabling Flash and Other Addons in IE8

March 19, 2010

Flash is ubiquitous, and that means it’s going to be one of the targets used by the criminal class to attack users. Most users allow it to run full stop regardless of whether they trust sites or not. This is probably not a good idea given the frequency of Adobe’s need to patch Flash. Flash should only be allowed to run from trusted sites, and probably only as needed.

I wanted to see if I could find something that would allow me to control when and where Flash works while using IE8 on my Aspire One. Turns out you don’t need an add-on to control your other add-ons — Microsoft enables such granularity within IE8.

Go to Tools > Manage Add-ons. Find Flash (you may have to select the “show all” option to find it). When you open the settings, you can “remove all sites” (the * wildcard is probably listed). Once you do that, you’ll be able to set new rules for which sites can run Flash on your computer.

When you hit a site with Flash content, you’ll get a notice on the top part of the browser area asking if you want to enable it. Select yes and you’ll allow Flash from that particular site. Don’t do anything and you’ll only be prompted again in the future.

You can (should) periodically review which sites you allow and remove ones you don’t want to permanently run Flash without interaction. This gives you, the user, ultimate control over which sites do what with your browser. And it’s not limited to Flash — you can set up and control all your add-ons the same way.

Google Buzz: No Privacy By Default

February 12, 2010

I was incredulous when I first read that Google was opting gmail users into their new Buzz social networking service. I was even more incredulous when I found out that contacts are included by default as “followers” and, thus, are made public. By default.

WTF…

I don’t want to do “social networking.” I sure as fuck don’t want my contacts made public so that anyone — stalkers, employers, family, etc. — can see who’s in my address book.

Fucking assholes. This is why I always thought Google was a bigger problem than Microsoft — Google has a lot more control over data and accessing it, and they seem to have enough amoral fucktards working for them who don’t understand that most people don’t want their entire private lives to be open books for the world to read.

Google, please do the right thing and make this stupid service opt-in and, at the very least, stop the practice of automatically adding contacts to anything visible by the public. What’s next — showing my Google search history alongside my contacts? If I wanted to do any social networking and share my life with the whole fucking world like that, I want to do it on my own terms — not yours.

Goddamn, I’m mad now.

Update 20100209 – Debian Lenny, TinyCore, emacs, ratpoison, oroborus, and security of small distros

February 9, 2010

AA1
I’ve intended to sell this thing but haven’t yet. I updated my AA1 page last week to reflect the fact that I really don’t run Linux on it anymore. I still have {Tiny,Micro}Core set up on it, but I’ve booted that maybe three times in the past few months including once this morning to get my emacs-related files. I don’t know if the issues with wireless were related to the network stack, the ath5k driver itself, wpa-supplicant, or a combination of factors. For the last time, it’s NOT a hardware issue because the problem never happened (meaning started) under Windows; it only happened (started) under Linux and persisted after rebooting. I occasionally boot TinyCore from a USB stick on my other computers (see below).

New Desktop/Workstation
It came with Windows XP Pro installed. I first installed Scientific Linux 5.4 via the live CD, which provides a Gnome desktop. I’ve already posted about adding an old hard drive that had OpenBSD 4.3 on it, on which I installed NetBSD 5.0.1 after backing up $HOME. I’ve been too busy to even update SL54 (which I know has updates because I was also running it on my new-old laptop for a while), let alone configure NetBSD beyond the basics (e.g., setting up my network card even though it’s not yet networked, SSH, etc.). I’d hoped to set it up further this past weekend but I’ve been eye-deep in a stack of reports to edit and charts to generate.

New-Old Laptop
I’m still using Debian Lenny, which I installed using net install. I let it go ahead and install the default Gnome desktop even though I initially thought about just doing a minimal installation and adding what I wanted. One of the reasons I did that is because life has been so hectic the past 18-24 months that I care a lot less about bloat than I do about the convenience factor and having everything ready to roll. Otherwise I’d already have the other computer set up and ready to roll, no?

I have switched some apps around, though. I was using xemacs but decided instead to revert to GNU emacs 21.4 from backports so I’ll have more of the modes I’ve come to take for granted and which require either finding via apt or from their developers. I’m posting this now via weblogger.el (which I’ll have to clean up later) from within emacs. I’ve also installed oroborus and am using it instead of metacity within Gnome (edit ~/.gnomerc to include a line “export WINDOW_MANAGER=oroborus”); this is RAM-sparing to some degree but not nearly enough. I already have ratpoison installed as well, and will more likely than not start paring down on the Gnome bloat as I find time. I’ve been running ratpoison mostly under another user account.

Other Computers
My ancient ThinkPad got a minimal install of Debian Lenny several months ago but hasn’t been booted in at least a month. I may use it for TinyCore. Or as I’d intended with Lenny just to be a temporary HTML/blog server for home use. I may just use MicroCore if I do that.

Nothing to report on my old MMX box. I haven’t booted it in so long I don’t even remember what it has on it.

Unfinished Business
Speaking of {Tiny,Micro}Core, I started on a screencast/presentation back before Christmas that I alluded to at least once here. I’ve been too busy to finish it. It’s in response to a question that was asked at the TCL forums about using TCL as an enterprise Linux replacement. I wanted to demonstrate beyond the more obvious answers why I thought it was unsuitable and worked out a quick and dirty concept to show how vulnerable such a distro — based basically on one file — could be. This kind of goes beyond the security of the image being read-only and, accordingly, being able to reboot into its original state; instead, I wanted to see how difficult it would be to take advantage of the fact that the image is on a read-write partition which can be mounted by user tc locally or remotely and then replaced. My little POC requires user interaction at this stage (which was in maybe 20 minutes’ work) to basically get a corrupt image to replace the original so that each subsequent booting of it isn’t actually the “pristine” original tinycore.gz image but instead the corrupted one (which could have any variety of “reconfigurations” in it, but mine basically pings another computer when it has an IP and has a message stored in a file stating what changes have been made to the original image).

I haven’t decided if I’ll go through and see if I can get it to work remotely without user interaction. Even if I do that, I won’t post it here. Sorry, kiddies.

Since these small image-based distros typically lack logging facilities, it would be trivial to pull this off and possibly leverage vulnerabilities in various packages to further make a mess of it. The smaller the distro’s base image, I think the less noticeable it would be. With my download speed, I can download the TinyCore image in just a few seconds.

Also, I tested this on USB. It’s trivial to test if something has been booted from sd{a,b} and contains a directory named boot containing a file called tinycore.gz. The same applies to other small distros which similarly use one file to store the operating system, allow full sudo (or, in the case of some like Puppy, root only), etc. Even though something is running from RAM, it’s still found on a storage device attached to the computer and can be mounted (unless it’s quickly removed). So I don’t think this is inherently more secure than anything else (or inherently secure at all), and the smaller size could be a disadvantage since it would take less time to download and be less likely to be detected by most users.

As improbable as it is that such things can be accomplished without some kind of user interaction or physical contact with a USB stick to install a corrupted image, it’s still possible. Add in potential vulnerabilities from various packages — including browsers, improperly set up servers, etc. — and the possibilities increase both locally and remotely.

No, the sky is not falling, but there is a potential for risk even though the image itself is read-only. The image may be, but its partition isn’t. The risk may be acceptable for most uses. It isn’t acceptable for enterprise use — not without some kinds of safeguards that enterprise distros have to help keep problems like this from occurring.
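The image-swap risk described above, with a defender’s counter-check as an added example that is not from the post or from TinyCore: a SHA-256 manifest over the boot files, kept off the writable partition, and verified before the image is trusted. The boot/ layout and file contents are constructed for the demo; the file names are the ones the post mentions.

```shell
#!/bin/sh
# Added example, not part of the original post or of TinyCore itself:
# a minimal integrity manifest for the files a one-image distro boots from.
# The post's point is that tinycore.gz sits on a read-write partition, so a
# hash manifest kept *on that same partition* proves nothing; keep the
# manifest (or a signature over it) on read-only media or on another host.
# The directory layout and sample contents below are constructed for the demo.

# record_manifest BOOTDIR MANIFEST
#   Writes "sha256  ./relative/path" lines for every regular file under BOOTDIR.
record_manifest() {
    ( cd "$1" && find . -type f | sort | while read -r f; do
          sha256sum "$f"
      done ) > "$2"
}

# verify_manifest BOOTDIR MANIFEST
#   Prints one line per problem ("CHANGED path" or "MISSING path") and
#   returns 1 if anything differs, 0 if every recorded file is intact.
verify_manifest() {
    dir=$1; manifest=$2; status=0
    while read -r want path; do
        if [ ! -f "$dir/$path" ]; then
            echo "MISSING $path"; status=1; continue
        fi
        have=$(sha256sum "$dir/$path" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "CHANGED $path"; status=1
        fi
    done < "$manifest"
    return $status
}

# demo: build a constructed boot directory, record it, then replace the image
# in place (same name, same location, different contents) the way the post
# describes, and show the check catching it. Prints "<before> <after> <report>".
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/boot"
    printf 'constructed stand-in for the kernel\n' > "$tmp/boot/bzImage"
    printf 'constructed stand-in for the pristine tinycore.gz\n' > "$tmp/boot/tinycore.gz"
    record_manifest "$tmp" "$tmp.manifest"      # manifest lives outside $tmp

    if verify_manifest "$tmp" "$tmp.manifest" >/dev/null; then
        first=intact
    else
        first=tampered
    fi

    printf 'constructed stand-in for a modified tinycore.gz\n' > "$tmp/boot/tinycore.gz"
    if report=$(verify_manifest "$tmp" "$tmp.manifest"); then
        second=intact
    else
        second=tampered
    fi

    rm -rf "$tmp" "$tmp.manifest"
    echo "$first $second $report"
}

demo
```

Run the verify step from whatever does the booting (or from the host you copy the image from), not from the image itself, since a replaced image can simply skip its own check.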

I’m not knocking these small distros. I think they have a special niche, but too many people think they can be one-size-fits-all. Enterprise-grade distros — including RHEL and its clones, SLED, etc. — have a variety of safeguards that would be “bloat” in something designed to be small and minimal. Adding those things to a minimalist distro would seem to be counter to their very purposes. That includes everything from security enhancements to logging facilities (you really do want to know who logged into which computer at what time on what day, and having every user named “tc” can’t be of much use if you need a chain of custody for various computer records, file records, changes, etc.). Moreover, the packages or extensions these small distros offer typically don’t undergo the same level of testing as in enterprise distros, are more often than not bleeding edge rather than tested and stable versions, and aren’t signed. Even signed/trusted repositories aren’t free from trouble as the RedHat/Fedora people found out a couple years ago when their mirrors were compromised.

I’ll see if I can finish the presentation and get it posted soon. Then again, I thought I would’ve had that done a month ago. Stay tuned.

From Search Engine Referrals: What is Zero Day and Use TinyCore Instead of DSL

August 9, 2009

I’ve written before how sometimes I see things in my stats that interest me for some reason. Sometimes it appears to be a sign of frustration (search engine terms including profanity) or a subject which I either haven’t addressed or haven’t explained in some detail.


This caught my eye this afternoon. A “zero-day” exploit means a vulnerability is already available (and usually being exploited) in the wild without any kind of warning or notice to the developer of a certain piece of software. It’s most unfortunate because such things are discovered reactively. In contrast, many security experts will disclose vulnerabilities to developers and give them adequate time to patch before going public with details. The disclosure of the DNS cache poisoning vulnerability affecting all operating systems last year is an example of the latter — Dan Kaminsky worked behind the scenes with a team of developers from different operating systems to find a solution before announcing to the world what he’d found. So “zero-day” means there’s no heads-up about a problem, and more often than not someone is already actively (ab)using it.

Also, to anyone who’s interested in Damn Small Linux on a netbook like the Aspire One, forget about it. For starters, it’s no longer under active development. Then there’s the whole problem with various drivers for new devices not in Linux 2.4 at all. So you’re looking at big dead ends right there. Finally, given the number of people who demand aesthetically-pleasing interfaces, you’re going to have the tiny X server in DSL compressing 1024×768 into 1024×600; the result is a squished-looking screen. There’s at least one full X server extension in MyDSL.

A better solution if you want a similar concept as DSL but more modular is to use TinyCore (if you can live with the aforementioned squishy screen) or MicroCore with one of the X extensions (if you want graphics). TinyCore is developed by a team with strong DSL ties (at one time it was called DSLCore). Your AA1 or other netbook will be much better supported with TinyCore. It’s not as easy to configure but it’s not too difficult if you read the documentation.

US CERT Security Advisory – Firefox 3.5

July 15, 2009

US Computer Emergency Readiness Team (US-CERT) has issued an advisory about a zero-day exploit involving the JIT compiler for the JavaScript engine in Firefox 3.5. CERT recommends disabling JavaScript until Mozilla can patch; disabling the JIT compiler will reduce JS performance.

Secunia rates this vulnerability as highly critical.

CanSecWest 2009 Pwn2Own and Misc Security Thoughts

March 20, 2009

This year’s pwn2own at CanSecWest hasn’t been targeted at operating systems but at browsers and mobile platforms. This has drawn some heat because it didn’t include Opera, which is increasingly popular on mobile devices. Rather, it was only IE, Firefox, and Safari on Windows and OSX as well as phones.

While I approve of targeting specific applications, especially given the role browsers now play in most users’ lives, there are significant enough differences between operating systems and how they’re used by most users that I wish contests like these would continue to include OS-specific targets.

Let me also say that to a certain degree, the change in this year’s format does better illustrate the bigger problem of software security which isn’t at the OS level but in the wider area of applications. As software is increasingly cross-platform, the problems are often not limited to one platform: a vulnerability in Firefox may or may not affect more than Windows, but it’s more likely than not going to affect Windows users for two reasons: Windows is the biggest target by nature of its widespread adoption and Windows has a more standardized set of libraries than other operating systems. Everyone wants to dish out on Microsoft (and I want to dish out on Apple, whose software I believe is tremendously less secure than Windows) but the magnitude of “problems” with it is due to the issue of critical mass — more people use Windows so it’s always going to be a bigger target for crackers.

Security through obscurity isn’t security, it’s just obscurity. This is one reason why Linux wasn’t a target at pwn2own this year. It’s not that Linux is invulnerable to cracking or to malware like rootkits, it’s that hardly anyone in the aggregate uses it on desktops. Not security, obscurity.

If you want more security that way, use an even more obscure OS. Something nobody else is using, like BeOS or Haiku.

Change the topic from desktop to server and then look at the market share Linux has in that category and it’s a different story: where Windows desktop machines are great for botnets, they’re often herded from cracked Linux servers. Where Linux has less obscurity, it’s a bigger target.

The number of compromised Linux servers — which can only be estimated from the number of botnets shut down or observed to be operating (another part of security through obscurity that is dangerous is the feeling of invulnerability and the lack of tools to detect system compromise) — attests to the real problem with security: it’s not OS-specific, but rather a problem of buggy software and poor implementations and procedures. Just as it’s bad practice to use unpatched software on a Windows desktop, it’s bad practice to use unpatched software on a Linux server. And vice versa — buggy Linux desktops are just as bad as buggy Windows servers. Just as it’s poor procedure to run everything as administrator in Windows, it’s equally poor procedure to implement shoddy permissions in Linux (and some Linux CD-based distros run only as root). The problem really isn’t the OS, per se, but what’s being run on it and how it’s being run. The problem is really the user, the weakest link in the chain of security.

Desktop Linux users also tend to fit a less than lucrative target profile. While many people do choose Linux and BSDs for more than the free-as-in-beer reason, Linux users tend to fall in a very small demographic and it’s not a financially lucrative one. Whom would you target if you wanted money, someone who can afford to purchase a license or someone who brags about how Linux can run on cheaper, older hardware and doesn’t cost more than the cost of the installation media? People who try to rob cheapskates usually starve. In comparison, Bernie Madoff’s client list wasn’t filled with kids living in Mom’s basement but with celebrities and high society types and groups with considerable assets. Willie Sutton famously said he robbed banks because that’s where the money is; cybercrime targets Windows users because that’s where the money is — both in the aggregate (over 90% of desktops) and in the user demographics (above median income).

One more thing about this as it relates specifically to Linux. Tipping Point gives away computers and a few thousand dollars. These exploits have significant market value, more than a few thousand and an inexpensive laptop. There may be some prestige among colleagues in the security field for being able to crack something. But it pales to what others are willing to pay for exploits on the open market, whether from government agencies or from criminals. It’s folly — a non sequitur — to suggest that the lack of Linux-specific or even -targeted exploits at events like this indicates there are none or even few.

Back to pwn2own news… 

Day One was exciting with four zero day exploits against the targets. The first victim, and as usual the easiest and fastest one, was OSX via Safari. Charlie Miller won the MacBook for the second consecutive year. Then IE8 fell to “Nils,” whose three exploits netted him a Vaio (for being first to crack IE8 this year) and $15k (at a rate of $5k per demonstrated zero day exploit).

Day Two, with relaxed rules, proved less eventful. At last report, there were no more zero days demonstrated and few, if any, attempts to pwn phones.

CanSecWest closes today.

Red Hat, Fedora Hacked

August 22, 2008

This Secunia notice answers some of the questions raised last weekend about why Fedora issued a warning for users to not update their systems until further notice. The source for Secunia is Red Hat, not a third party this time. It reads:

Last week Red Hat detected an intrusion on certain of its computer systems and took immediate action. While the investigation into the intrusion is on-going, our initial focus was to review and test the distribution channel we use with our customers, Red Hat Network (RHN) and its associated security measures. Based on these efforts, we remain highly confident that our systems and processes prevented the intrusion from compromising RHN or the content distributed via RHN and accordingly believe that customers who keep their systems updated using Red Hat Network are not at risk. We are issuing this alert primarily for those who may obtain Red Hat binary packages via channels other than those of official Red Hat subscribers.

In connection with the incident, the intruder was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only)…

More updates sure to follow. Does anyone else remember the quick dismissals about the small study that said this was possible? This appears to be limited but how many mirrors are ever checked and how frequently?

More Thoughts on Linux Security

August 20, 2008

One of the reasons I took strong exception to Linus Torvalds’ recent comments about security is because there’s no longer a separate kernel line for development, as there were in earlier versions with an odd numbered line (e.g., 2.3 and 2.5) for development and even for stable. For all intents and purposes, the 2.6 mainline is serving dual function for development and stable (though “stable” here is very much open to debate).

While this may be practical for many things, security isn’t one of them.

I added an image in the right side panel on this blog to keep track of security issues arising in the 2.6 kernel. These aren’t the “less important” issues like wonky drivers crashing, these are issues that lead to system compromise via local and/or remote vulnerability.

Don’t get me wrong — I do agree with Linus that all bugs are serious and merit consideration. Where he’s wrong is in his suggestion that OpenBSD’s coding paradigms ignore “less important” issues in the interest of security, as though those are separate issues. In OpenBSD, the primary focus is on doing things clearly and cleanly. If you do it right, you’re a lot less likely to need to revisit it because it opens holes to remote or local exploit or because it crashes (if it even works again).

This was evident recently with the effort by Reyk Floeter when (re)writing drivers to include newer hardware and assuring they don’t break backwards compatibility. The call went out to test his diffs on older hardware before sticking it into a release. That’s not primarily security-oriented, but it does demonstrate the differences between Linux’ and OpenBSD’s focuses. In Linux, such a driver would be thrown into a minor version and repeatedly patched for fuck-ups in subsequent versions; in OpenBSD, there’s a concerted effort to get it right the first time. Maybe Torvalds and the Linux 2.6 developers could learn a thing or two about not breaking stuff when adding new features or new drivers, masturbating monkeys or not.

While BSD development does have its ups and downs, those things are generally done distinctly from -release/-stable trees. The idea is for stability and security — not separately because each is in some measure a function of the other. So you don’t often see new drivers thrown in capriciously the way you see done in Linux. And that’s become even more startling with the move to simultaneous development/release in one kernel line.

For example, it’s increasingly common to get security advisories affecting kernel versions going back 8-10 releases like this one I got in my NVD feed:

CVE-2008-3276 (Kernel)
Integer overflow in the dccp_setsockopt_change function in net/dccp/proto.c in the Datagram Congestion Control Protocol (DCCP) subsystem in the Linux kernel 2.6.17-rc1 through 2.6.26.2 allows remote attackers to cause a denial of service (panic) via a crafted integer value, related to Change L and Change R options without at least one byte in the dccpsf_val field.

So that affects (some) Linux users way back to 2006 to current. Linus deems it as trivial as any other bug. Maybe that’s why it’s a couple years old and present in so many kernel versions.

I think Linus can’t have it both ways. You can’t merge or run -development and -release in the same tree and expect it to be secure. When you add the mix of bits and pieces without much consistency between the myriad distros — except the crazy race to release versions of everything with the highest release number — you have a general climate of insecurity. The pace of Linux development and the tendency to use latest release versions is such that this is probably the tip of the iceberg with Linux insecurity.

I wrote on another blog the other day in a thread about Red Hat and their primary markets that a distro like Ubuntu doesn’t stand a chance in enterprise use because it’s too bleeding edge and too unstable for most businesses to take it seriously. I don’t think Ubuntu is alone in this regard (more about the consequences in a moment). One of the reasons Ubuntu and its offspring have stormed ahead of Debian is because a certain class of user, having a very different set of demands than enterprise users do, has further driven the momentum towards unstable app, insecure kernel, and buggy toolchain releases. This fills a niche that Debian-stable has left unfulfilled (and rightly so!) and spawned parallels among other Linux distros (i.e., bleeding edge sub-distros) but it’s also ensuring that most Linux distros are unviable options for enterprise desktop use.

I think it’s a vicious cycle. Kernel development no longer has a -development tree but is all-in-one. The most popular distros increasingly are those with the latest releases — which is sometimes a good thing when an older version has security issues but not good if the latest (and untested) version has even more. There’s less and less sanity between releases as developers race to add features, which correlates (sometimes, it seems, exponentially) with new vulnerabilities. My security feeds have mushroomed as a result, so that each day I have a mix of updates for various things.

Guess which distros have the most reports and updates. The ones that tend to focus on the bleeding edge. Including the Linux kernel. Yet these are the ones touted as “Windows killers” or somehow being appropriate for desktop adoption in enterprise. They clearly aren’t.

I’ve written several times why I still prefer to use the 2.4 kernel over 2.6. Not only is it smaller and lighter on resources (simplicity is a beautiful thing!), it’s been much more stable and secure. That’s in some degree because it benefited from having separate -dev trees (2.3, 2.5) and backports from 2.6. Yet there’s little active development in 2.4 anymore and most distros have totally abandoned it.

As long as Linus insists on running -development and -stable in the same tree, he should expect — and receive! (which is where the whole discussion about masturbating monkeys originated) — flak about security. As long as advisories are released on as frequent a basis as they are, and often without much disclosure when patches are released to signify their gravity, he should expect and receive complaints.

And as long as Linux (in the broader sense of distributions) is peddled with bleeding edge applications and utilities — and yes, also kernel versions — users shouldn’t wonder why companies are loath to run it on their desktops. You may not care if you’re pwned at home or if your kernel breaks support for some device that worked before you updated your kernel, but others who rely on computers to run their businesses do.

Security and other issues do matter, and they go hand in hand. Rather than suggesting others don’t get that, maybe Linus should practice what he preaches. Then he might applaud and even try to emulate OpenBSD development rather than attack it.

Charges Filed in Massive TJX Breach

August 6, 2008

Alleged TJX hackers charged:

The Department of Justice indictment alleges that, after the gang collected the information from the different chains, members concealed the data in encrypted computer servers in Eastern Europe and the U.S. They allegedly sold some of the credit and debit card numbers via the Internet to other criminals in the U.S. and Eastern Europe. The stolen numbers were “cashed out” by encoding card numbers on the magnetic strips of blank cards; the defendants then used these cards to withdraw tens of thousands of dollars at a time from bank machines, according to the Department of Justice.

The alleged criminals are:
Albert “Segvec” Gonzalez, Christopher Scott, and Damon Patrick Toey, all from Miami, Florida.
Maksym “Maksik” Yastremskiy, of Kharkov, Ukraine.
Aleksandr “Jonny Hell” Suvorov, of Sillamae, Estonia.
Sergey Pavolvich, of Belarus.
Dzmitry Burak and Sergey Storchak, both of the Ukraine.
Hung-Ming Chiu and Zhi Zhi Wang, both of China.
A John Doe known only by the online nickname “Delpiero.”

Gonzalez, Yastremskiy, and Suvorov are the only ones in custody. This isn’t Gonzalez’ first brush with the law. He’s acted as an informant in the past for similar crimes involving access device fraud. He now faces life in prison.

According to reports, the brazen criminals left encrypted messages to each other on TJX’s networks.

Note to those of you still using WEP to secure your wireless networking: so was TJX. WEP is easily crackable. Use a stronger encryption scheme, such as WPA.
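To make that last note actionable on a Linux client, here is an added example (mine, not from the original post) that scans a `wpa_supplicant.conf` for network blocks still configured for WEP or for no encryption at all. The sample configuration is constructed. It goes one step beyond the text by also flagging blocks that only allow the original WPA (`proto=WPA`) or TKIP pairing, since WPA2 (`proto=RSN`) with CCMP is the stronger of the WPA options; the default values assumed for missing `key_mgmt`, `proto` and `pairwise` keys follow wpa_supplicant’s documented defaults.

```python
"""Audit a wpa_supplicant.conf for WEP, open and WPA1-only networks.

Added example, not part of the original post.  SAMPLE_CONF is a
constructed configuration, not a real one.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_CONF = """\
# constructed sample wpa_supplicant.conf
ctrl_interface=/var/run/wpa_supplicant

network={
    ssid="store-pos"
    key_mgmt=NONE
    wep_key0=0123456789
    wep_tx_keyidx=0
}

network={
    ssid="guest"
    key_mgmt=NONE
}

network={
    ssid="office-legacy"
    key_mgmt=WPA-PSK
    proto=WPA
    pairwise=TKIP
    psk="correct horse battery staple"
}

network={
    ssid="office"
    key_mgmt=WPA-PSK
    proto=RSN
    pairwise=CCMP
    psk="correct horse battery staple"
}
"""

# one network={ ... } block; DOTALL so the body may span lines
_BLOCK_RE = re.compile(r"network\s*=\s*\{(.*?)\}", re.S)


def parse_networks(conf: str) -> List[Dict[str, str]]:
    """Return one key->value dict per network block, comments skipped."""
    nets = []
    for body in _BLOCK_RE.findall(conf):
        entry: Dict[str, str] = {}
        for raw in body.splitlines():
            line = raw.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip().strip('"')
        nets.append(entry)
    return nets


def classify(net: Dict[str, str]) -> Tuple[str, str]:
    """Label one block as (scheme, severity) from a defender's view."""
    # Defaults below mirror wpa_supplicant's documented defaults (assumption).
    key_mgmt = net.get("key_mgmt", "WPA-PSK WPA-EAP").split()
    if "NONE" in key_mgmt:
        # key_mgmt=NONE plus a wep_key* entry is static WEP; without one it is open
        if any(k.startswith("wep_key") for k in net):
            return ("WEP", "high")
        return ("open", "high")
    proto = net.get("proto", "WPA RSN").split()
    pairwise = net.get("pairwise", "CCMP TKIP").split()
    if "RSN" not in proto or pairwise == ["TKIP"]:
        return ("WPA1/TKIP", "medium")
    return ("WPA2/CCMP", "ok")


def audit(conf: str) -> List[Tuple[str, str, str]]:
    """Return [(ssid, scheme, severity)] for every network in the config."""
    return [(n.get("ssid", "?"),) + classify(n) for n in parse_networks(conf)]


if __name__ == "__main__":
    for ssid, scheme, severity in audit(SAMPLE_CONF):
        print(f"{ssid:16s} {scheme:10s} {severity}")
```

Run against a real file with `audit(open("/etc/wpa_supplicant/wpa_supplicant.conf").read())`; anything reported as `WEP` or `open` is the configuration the note above is warning about, and `WPA1/TKIP` entries are worth migrating to `proto=RSN` with `pairwise=CCMP` where the access point supports it.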