OpenBSD in the Enterprise

A thread on the OpenBSD PF mailing list about running OpenBSD PF as an enterprise firewall brings up an interesting challenge that most enterprises face in exploring the feasibility of deploying open source software. The technical people suggest using some solution like PF as a firewall over some commercial solution like Checkpoint, and take that to the suits. The suits come back with the argument that they don’t want to use that open source PF stuff because there is no real tangible entity that they can point the finger at if something goes wrong and possibly bring a lawsuit against. Well, if something goes wrong, yes, you do have a support contract with Checkpoint or Netscreen or whoever, but from my experience the timeframe from reporting a bug to resolution of that bug is going to be *much* longer with a commercial company than it will be working through a similar bug on the PF mailing list. The second argument, mounting a successful lawsuit against a company like Checkpoint, is just plain silly; it will never happen.

The best ipod accessory: a Beemer

This NPR talk examines the integration of digital music into cars. The audio choice on NPR’s site that I used to listen to the audio file was RealAudio (tough to use Windows Media on a Linux box). I had not set up RealPlayer yet on my FC2 machine but found it to be quite simple. I downloaded the RealPlayer 10 RPM for Linux, installed it, and voilà, it showed right up in ‘about:plugins’.

Bigstring.com email

I just heard on the radio an advertisement for an email service called Bigstring.com which offered the ability to erase, recall, and edit any sent email. After thinking about how this service works, I came up with the only way it would be feasible – by sending an HTML email with an IMG link to a “picture” of the email that resides on Bigstring’s servers. The recipient’s MUA simply renders the email from Bigstring’s server, at the same time allowing the sender to easily delete the email (remove the IMG) or edit the email (edit the IMG) from their Bigstring email account. Novel? Not really. Works with Mutt/Pine/etc.? No. Appealing to Joe Sixpack? Likely. Breakable? Right-click, Save image as…
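The mechanism speculated above, as an added example that is not part of the original post and is not Bigstring’s actual implementation: a message whose HTML body is nothing but a remote IMG reference, plus the receiving-side check a mail client performs when deciding what to block under a “do not load remote content” setting. The sender, recipient, image URL and hostname are all constructed placeholders.

```python
import email
from email.message import EmailMessage
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed URL standing in for the hosted "picture" of the message (hypothetical host).
REMOTE_IMG = "https://img.example.invalid/msg/ab12cd34.png"
# HTML body as the speculated service would send it: the whole message is one remote image.
RECALLABLE_HTML = f'<html><body><img src="{REMOTE_IMG}" alt=""></body></html>'


def build_html_mail(sender, recipient, html_body):
    """Build a multipart/alternative message with a text fallback and the given HTML part."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Hello"
    msg.set_content("This message requires an HTML-capable mail client.")
    msg.add_alternative(html_body, subtype="html")
    return msg.as_bytes()


class _ImgSrcCollector(HTMLParser):
    """Collect the src attribute of every <img> tag seen while parsing."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def remote_image_refs(raw_bytes):
    """Return http/https image URLs referenced by the HTML parts of a raw message.

    Inline images (cid:) and data: URIs are not remote and are left out: they do not
    let the sender observe or alter what the recipient sees after delivery.
    """
    msg = email.message_from_bytes(raw_bytes, policy=default)
    refs = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _ImgSrcCollector()
        collector.feed(part.get_content())
        refs.extend(s for s in collector.srcs if urlparse(s).scheme in ("http", "https"))
    return refs


def remote_hosts(raw_bytes):
    """Distinct hosts the recipient's client would contact if remote images were loaded."""
    return sorted({urlparse(u).hostname for u in remote_image_refs(raw_bytes)})
```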

Bruce Schneier weblog

The Schneier on Security weblog offers the same commentaries on security as the once-a-month Crypto-Gram in a more frequently updated form. I’m going to unsubscribe from the email-based Crypto-Gram and move to the RSS feed.

XP SP2 failures

This rant entitled “Writing Trojans that bypass Windows XP Service Pack 2 Firewall” on the Full Disclosure mailing list is well worth a read.

Marcus Ranum rants on patching and COTS software

On Marcus Ranum’s website (Marcus being Senior Scientist at TruSecure Corporation) he has posted a piece he wrote entitled What Sun Tzu Would Say which is a “silly, whimsical, angry piece” about patching systems. He states that to fundamentally get away from the patch treadmill, you need to do two things: run software that does not suck and limit internet-facing services. I think that both of these are common sense in the security community but I foresee an issue with running software that does not suck. If competent security professionals had the option of picking all the software that a company ran, it would be feasible. However, at large corporations there are often many, many applications implemented and various commercial software vendors that have their tentacles all too ingrained in the corporation. Now, I think the best bet would be in all future software implementations to have the security team have a say in what gets implemented (like Apache (or even thttpd) over IIS, for example). Ranum also mentions a couple of examples of why buying “off the shelf software” does not in any way provide benefits over writing custom software in-house. One of the examples he provides:

“A client of mine works for a fairly large bank, which bought an E-banking app from a 3rd party. The E-banking app required months and months of HTML development, consulting, and customization before they could put it into test. When they were well into their testing, they hired me to come look at it and I was horrified to discover that the app (which cost $400,000) ran on an old version of NT, and required use of an old version of Microsoft IIS. When I got onto some con-calls with the provider they explained that my client could protect the NT server “with a firewall” and that they were focused on providing connectivity, not security: that was left as an exercise for their customer. It went live, of course, but only after tons more money was spent on remediation for what was fundamentally a poor choice of tools. What was the ROI on this project? I don’t want to think about it. Somehow, Prince Ciao has convinced himself that “Off The Shelf Software” is good while “Custom” software is bad. What Prince Ciao doesn’t understand is that that thing consultants do is called “customization” and by the time you’ve configured it with a lot of firewalls, patches, and 10,000 other fixes and hot-swaps it’s not exactly “off the shelf” software anymore.”

SGUIL Win32 Installer

Michael Boman created a SGUIL Client 0.5.2 Win32 Installer using NullSoft’s Installer System, which, for instance, Snort for Win32 uses. Michael was looking for feedback so I downloaded the installer, checked the md5sum (I use md5sum.exe on Windows), and started the install. Less than a minute later, I had Sguil installed. The install places a “SGUIL Client” icon on the desktop and menu items Start->Programs->SGUIL Client->{SGUIL Client, uninstall, website}. In order to make changes to the sguil.conf file you have to navigate to the C:\Program Files\SGUIL Client\ directory. I made two suggestions to Michael: adding the TLS OpenSSL extension to the Tcl library, and having the sguil.conf file editable under Start->Programs->SGUIL Client->(wordpad.exe+sguil.conf) or something similar rather than making the user navigate to C:\Program Files\SGUIL Client in order to make a configuration change.

Useful Firefox extensions and RSS feeds

I found the Firefox extension Bookmarks Synchronizer to be really useful for having my bookmarks available to me at both work and home. I installed the extension on my main home and work machines and it uploads/downloads via FTP (HTTP/S also available) the Firefox bookmark file, xbel.xml, from a publicly available server. The 0.9.6 version of Bookmarks Synchronizer does not work with Firefox 1.0PR but I found the author’s website had a version called bookmarksftp.xpi here compatible with 1.0PR. In other Firefox news, I really enjoy using the extension Sage, the RSS/Atom feed aggregator. Firefox 1.0PR introduced live bookmarks, which is an RSS reader, but I still prefer Sage as it’s a bit more mature. A couple of recent additions to my feeds include the one provided by mp3blogs.org, which I find useful for discovering new music; Netflix finally offers RSS feeds so I can follow new releases; and watchcow.net offers a feed builder to track Amazon products or wishlists.