Dangerous Gems ·
Maybe I’m just being paranoid here, but I’m starting to get a little worried that RubyGems could be a nasty attack vector, given certain combinations of malice and stupidity ...
Tab Sweep ·
As usual, there isn’t a unifying theme. In this issue: lumpiness, stuff, microformats, eye candy, metaprogramming, beards, and psychology ... [1 comment]
Telnet SNAFU from the Inside ·
Well, yes, there was that embarrassing mile-wide hole in telnet (I haven’t used telnet in years except to debug Web protocols, but I guess someone must; seems to me anyone who leaves telnetd facing the Internet is exhibiting, uh, questionable judgment; but still.) Nasty security gotchas are nothing new in this world, but here’s something that is new: a first-hand report from the guy who got the call you don’t want to get, and then got the patch into the system. Actually, I don’t understand quite a bit of the jargon: “patch gate”, “RTI logging”, and so on; but it’s still a compelling story. [2 comments]
PHP Security ·
Perhaps someone who knows this subject can explain. Given some of the comments here (yeah, there are lots of morons, but some savvy-sounding hands-on PHPfolk too), and stories like this, I have a question: why isn’t this part of this? [10 comments]
Web Application Security ·
A pretty fierce debate has broken out on how to do security for Web-applications (REST, WS-*, whatever). I’m gratified that it seems to have started in the comments to S for Simple. The proponents are Gunnar Peterson and Pete Lacey, and what they have to say is interesting. I think Gunnar didn’t do a good enough job of filling in one of the bases of his position, although in private email he sent me a link to a PDF from eBankingSecurity.com which is worth a look. The point is that a significant proportion of Windows PCs are compromised with trojans and keystroke-loggers and other flavors of bad-ware; significant enough that the pretty-decent transport-level security provided by TLS is immaterial. Those of us who are technically-competent and don’t use Windows can feel individually secure, but that doesn’t mean Gunnar doesn’t have a point. [5 comments]
Security Hell ·
Tap, tap, tap, pause... “hmph”. Tap, tap, tap, pause... “grmph”. [Ten minutes pass.] Tap, tap, tap, pause... “Hellfire.” Tap, tap, tap, pause... “Crap.” [Ten more minutes.] Tap, tap, tap, pause... “<multiple expletives deleted>.” Tap, tap, tap, pause... loud splat sound as the yellow-stickies pad impacts the far office wall. The cats, sensing trouble, have left the room. Is this the sound of: Trying to book a flight to somewhere attractive using points? Multi-threaded software being debugged? An attempt to write WSDL by hand? Solving a really nasty Myst-series puzzle? None of the above. Those sounds would be me trying to pick a new Sun LDAP password that meets the incredibly-stiff requirements of our new (SarbOx-driven, they say) security policy. The dictionary they check includes variant spellings of the names of little towns in the Lebanese mountains! I asked Lauren: “How am I going to remember this?” She said: “Go pick up that yellow-stickies pad you threw across the room, write it down on one, and put it somewhere safe. Bruce Schneier says that’s OK.” While I generally approve of forcing people to avoid easily-stolen passwords, I do worry a little that these hard-to-guess things can also be hard to type, and perhaps thus vulnerable to prying eyes. But anyhow, if you were thinking of writing a program to guess anyone’s password here at Sun, well forget about it. [Update: I got a bunch of suggestions on how to deal with this, some of them good.] ...
Dangerous HTML ·
Via Rob Sayre (who’s co-editing the Atom Internet-Drafts), the disturbing realization that there doesn’t seem to be anywhere you can go read about all the things that can (and will) go wrong if you embed an HTML processor in your software. This is bad, because such embedding is getting very easy and common.
Regulate ISPs Now ·
I keep thinking about our experience at Christmas, when we set up my Mom for broadband, and the local ISP thought it was just fine to send her home with a DSL modem to plug into her Win98 box; no warnings, no education, no firewalls. This is just not OK. We have all sorts of regulation in place to ensure that drivers are equipped with reasonably safe gear and have some basic education on how to proceed safely. Similarly, we regulate residential construction and investment dealers and employers and manufacturers, and this is a good thing. So I think we need some legislation in place that says if someone’s computer gets hacked through no fault of their own and inflicts damage on some Internet user somewhere, the ISP is liable for that damage unless they can show they took some minimal effort to explain to their customers that the Internet is a dangerous place, but that you can be safe if you follow a few simple precautions.
Security Blanket ·
Today I turned on the FileVault thingie on my Mac, so every atom of my data is 128-bit encrypted (Pleasingly, there doesn’t seem to be any perceptible slowdown). On top of which, we’re running another 128 bits of encryption on the WiFi around the house, plus the link to the ongoing web host is via ssh which is RSA, uh I forget how many bits in my key. So these humble letters have been through a whole lotta bit-bangin’ along their route from my fingertips to your retina. Getting all this set up takes more work than it really ought to, but it’s getting easier, and once the arrangements are there, it totally doesn’t get in the way. Which is a good thing, because the Internet is a rough neighborhood, and in a rough neighborhood you don’t send your kids walking off to school alone. No more should you send your vulnerable little words out on its mean streets without some cryptographic Block Parents lending a hand.
Insecurity by Obscurity ·
There’s this big company out there whose name everyone knows. I’ll just call them “Example Corp” because this is a good example of how things can go wrong. What happened was, this morning I glanced at my server logs and saw hits from http://legal.example.com/blog; puzzled, I checked it out and was challenged for my email before it would let me in. They were fine with my ordinary address, and I found myself in their legal department’s internal blog, full of discussions of people suing them, reports to management, real juicy stuff. Nice Movable Type group-blog setup; and they’d pointed to my recent bulleted-list rant, leaving a trail of crumbs back to their unprotected unmentionables. I saw that a few of the posts were by a jbloggs and Google, via a search for jbloggs@example.com, revealed that this particular Joe was their Senior Vice President and General Counsel. So I sent him an email saying “Er, your legal department blog is open to the public.” and a couple of hours later got friendly email from someone @example.com saying “I think we closed it, could you check?” and they had. A couple of details in the narrative have been changed to protect the guilty, but if I told you what went between legal. and .com you’d gasp. Anyhow, we already knew these things, but on the evidence it can’t hurt to say them again: First, security by obscurity just doesn’t work, and second, never assume something on a Web server isn’t Internet-visible until you’ve had somebody try from outside and prove it.
I work at Sun Microsystems. The opinions expressed here are my own, and neither Sun nor any other party necessarily agrees with them.