Archive

Category Archives for "Security"

National interest is exploitation, not disclosure

Most of us agree that more accountability/transparency is needed in how the government/NSA/FBI exploits 0days. However, the EFF's positions on the topic are often absurd, which prevent our voices from being heard.

One of the EFF's long time planks is that the government should be disclosing/fixing 0days rather than exploiting them (through the NSA or FBI). As they phrase it in a recent blog post:
as described by White House Cybersecurity Coordinator, Michael Daniel: “[I]n the majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest.” Other knowledgeable insiders—from former National Security Council Cybersecurity Directors Ari Schwartz and Rob Knake to President Obama’s hand-picked Review Group on Intelligence and Communications Technologies—have also endorsed clear, public rules favoring disclosure.
The EFF isn't even paying attention to what the government said. The majority of vulnerabilities are useless to the NSA/FBI. Even powerful bugs like Heartbleed or Shellshock are useless, because they can't easily be weaponized. They can't easily be put into a point-and-shoot tool and given to cyberwarriors.

Thus, it's a tautology saying "majority of cases vulns should be disclosed". It has no bearing on the minority of bugs the NSA is interested in -- Continue reading

Auto Renew Let’s Encrypt Certificates

I’m a big fan of Let’s Encrypt (free, widely trusted SSL certificates) but not a big fan of most of the client software available for requesting and renewing certificates. Unlike a typical certificate authority, Let’s Encrypt doesn’t have a webui for requesting/renewing certs; everything is driven via an automated process that is run between a Let’s Encrypt software client and the Let’s Encrypt web service.

Since the protocols that Let’s Encrypt uses are standards-based, there are many open source clients available. Being security conscious, I have a few concerns with most of the clients:

  • Complication. Many of the clients are hundreds of lines long and unnecessarily complicated. This makes the code really hard to audit and since this code is playing with my crypto key material, I do want to audit it.
  • Elevated privilege. At least one of the clients I saw required root permission. That’s a non starter.

I can’t remember how, but I discovered a very clean, very simple client called acme-tiny at github.com/diafygi/acme-tiny. This script was obviously written by someone who shares the same concerns as I do and I highly recommend it to others.

I used acme-tiny to request my initial certificates — and it Continue reading

Technology Short Take #70

Welcome to Technology Short Take #70! In this post you’ll find a collection of links to articles discussing the major data center technologies—networking, hardware, security, cloud computing, applications, virtualization…you name it! (If there’s a topic you think I’m missing, I’d love to hear from you.)

Networking

  • MTU in OpenStack Neutron has been, as this article by Sam Yaple points out, a bit of a touchy subject. Fortunately, it looks like progress has been made on that front, so check out Sam’s post for more details.
  • Jason Edelman has an article from back in January that describes the use of Big Switch’s Big Cloud Fabric (BCF) and Big Monitoring Fabric (BMF) in conjunction with Ansible (via some Ansible modules that Jason himself developed).
  • Dwayne Sinclair covers the basics of SpoofGuard in NSX, and how to interact with SpoofGuard via API, in this article.
  • This article is a bit more OpenStack-focused, but given that it focuses pretty heavily on Neutron I thought it’d fit better here in the “Networking” section. The article talks about how to use the --allowed_address_pairs extension to build a highly-available proxy server instead of using LBaaS.
  • Numan Siddique describes the native DHCP support available in OVN (Open Continue reading

I gamergate Meredith Mciver

One of the basic skills of hackers is "doxxing". It's actually not a skill. All you need to do is a quick search of public records databases through sites like Spokeo, Intelius, and Ancestry.com and you can quickly dox anybody.

During the Republican convention, Trump's wife plagiarized Obama's wife in a speech. A person in the Trump organization named "Meredith Mciver" took the blame for it. Trump haters immediately leapt to the conclusion that this person was fake, pointing out her Twitter and Facebook accounts were created after the controversy started.

So I'm going to go all gamergate on her and see what I can find.

According to New York public records, somebody named "Meredith Mciver" has been working for a company called the "The Trump Organization" as "Staff Writer" for many years. Her parents are Phyllis and James Mciver. Her older sister is Karen Mciver. She has an apartment at  588 W End Avenue in Manhattan (though I won't tell you which apartment -- find out for yourself). Through Ancestry.com, you can track down more information, such as her yearbook photo from 1962.

Now, all these public records could be fake, of course, but that would require Continue reading

The People Versus Security

PinkLock

It all comes back to people. People are the users of the system. They are the source of great imagination and great innovation. They are also the reason why security professionals pull their hair out day in and day out. Because computer systems don’t have the capability to bypass, invalidated, and otherwise screw up security quite like a living, breathing human being.

Climb Every Mountain

Security is designed to make us feel safe. Door locks keep out casual prowlers. Alarm systems alert us when our home or business is violated. That warm fuzzy feeling we get when we know the locks are engaged and we are truly secure is one of bliss.

But when security gets in our way, it’s annoying. Think of all the things in your life that would be easier if people just stopped trying to make you secure. Airport security is the first that comes to mind. Or the annoying habit of needing to show your ID when you make a credit card purchase. How about systems that scan your email for data loss prevention (DLP) purposes and kick back emails with sensitive data that you absolutely need to share?

Security only benefits us when it’s Continue reading

1 146 147 148 149 150 185