Weblog of Paul Stepowski

Tuesday Sep 04, 2007

Is Altruism and Wanting a Better World the Key to Open Source?

NOTE: This post was inspired by this link in response to Simon Phipps and Jack Newsom's thoughts.

My own world view values altruism on my own part and on the part of others. I think open source ties in nicely with this perspective. The real value of open source to humanity is that each project is a contribution to a universal body of knowledge.

I'll use the analogy of building a bridge. A bridge to where? A bridge to Utopia, enlightenment, Zen, Terabithia, the end of the evolution bell curve...wherever! Wherever we want to go, open source can take us there. Each open source project is a brick. Each brick fits perfectly with all the other bricks. We can put these bricks together to build a bridge. Each brick depends on those below it and assists those above it. Each brick is important in its own right but much more important in the context of the bridge.

You have to see the bridge to understand the value of open source. Closed source software companies are also in the brick business. The problem is that they only see the bricks and the short term profit made from selling bricks. They see only the bricks and not the bridge. The bricks produced by closed source companies are the wrong shape, type or colour to fit into the open source bridge.

Sometimes these odd bricks are used to start building other bridges, but those bridges never get built beyond the level of the riverbed. In a short time, builders desert them and they are forgotten. Sometimes brick layers who have deserted closed source come to work on the open source bridge, find they like the work, and stay. Work on the open source bridge never falters.

The longer we build, the more bricks we lay, the further away we get from wherever it is we're ultimately trying to get to. Paradoxically, this is a positive thing. Put another way: the demand for bricks will *never* wane. The opposite is true. The more we build the bridge, the more bricks we need to extend the bridge even further, to get to the next exit on the highway to...wherever we want to go.

There will *always* be a demand for open source bricks. And, because we've been building the bridge for years now, the structure of the bridge has become complex. We need skilled engineers and construction workers to keep building the bridge. Society will pay good money for people with these skills.

I'm sure some people will read this and shake their heads. They don't get it. That's OK. The open source community knows it's a pretty good millennium to be an open source brick layer.


Thursday May 24, 2007

AusCERT 2007 - Day 3

This was the last day of AusCERT 2007 for me. I wasn't able to get into any tutorials this year due to budget constraints, which was a bit of a shame. Day three had a number of excellent presentations including:

  • White is the new Black - User-Friendly Whitelisting of Web Sites by Greg Castle. Greg presented some software he developed that allows users to dynamically whitelist sites they wish to visit. The idea is that malware doesn't have the smarts to jump the extra hurdle of adding a web site to a whitelist, which effectively stops malware from downloading evil payloads. This is an extension of one of AusCERT's themes this year that "blacklisting is dumb".

  • Lessons in Open Source Security: The tale of a Zero-Day Incident by Andrea Barisani. Andrea works with the Gentoo Linux project. During his presentation he analysed in detail a zero-day exploit that was used to successfully compromise a web server used by the Gentoo Linux project. I found this a fascinating post mortem. The points that bear repeating are: log everything you can (including full packet dumps of IDS alerts) and log it remotely, and always keep your patches up to date (even if it didn't directly help in this case). It was inspirational to see the teamwork between various open source community members that led to the quick isolation and fix of this vulnerability.

  • Making Source Code Analysis Part of the Security Review Process by Roger Thorton of Fortinet. I've heard some really good reports about Fortinet's source code analysis software and it was demonstrated for us in this presentation. Unfortunately, the presentation wasn't long enough to get into the nitty gritty of what the software could really do and how it works, but I was reasonably impressed. It was good to see Fortinet focus on the development process as well as the shiny new toys. If only I could get my hands on a free copy.

  • Network Awareness and Network Security by John McHugh. I read a number of papers by John McHugh as part of my honours research. He's been in the IT security game for decades now and it was great to hear him speak. He outlined a project he is working on which is based on data mining network flow information to do long term analysis of anomalous network traffic. I was quite impressed by the results of the work. The 3D graphs of network activity give you amazing insight into the odd things that are going on around the network. I'd like to see QUT's Information Security Institute get something like this going.
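Greg Castle's whitelisting tool itself is not reproduced here. What follows is an added Python sketch, not code from the talk or from the original post, of the per-request decision a filtering proxy makes once a user has explicitly approved a site: the user's approval is the "extra hurdle", and the proxy only consults the resulting list. The hostnames and request URLs are constructed for illustration; the point it adds beyond the summary above is that host matching has to be done on the parsed hostname, not on the raw URL string, or lookalike hosts and userinfo tricks slip past the list.

```python
from urllib.parse import urlsplit


class SiteAllowlist:
    """User-maintained allowlist of web sites, consulted per request.

    Only the user adds entries (allow()); the request path (permits())
    never modifies the list, which is what keeps a payload download
    from approving its own source.
    """

    def __init__(self):
        self.hosts = set()      # hostnames the user has approved
        self.blocked = []       # hostnames of refused requests, for prompting/audit

    @staticmethod
    def _norm(host):
        # lower-case and drop a trailing root dot so "Good.Example." == "good.example"
        return host.strip().rstrip(".").lower()

    def allow(self, host):
        """Explicit user action: approve a site (and its subdomains)."""
        self.hosts.add(self._norm(host))

    def permits(self, url):
        """Decide one request. Returns True only for approved http(s) hosts."""
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            return False
        # .hostname strips userinfo ("good.example@evil.example"), the port and
        # IPv6 brackets; matching the raw URL string would not.
        host = parts.hostname
        if not host:
            return False
        host = self._norm(host)
        for approved in self.hosts:
            # exact host, or a label-boundary subdomain; a plain endswith()
            # on the string would also accept "notgood.example"
            if host == approved or host.endswith("." + approved):
                return True
        self.blocked.append(host)
        return False


def filter_requests(allowlist, urls):
    """Evaluate a batch of request URLs; returns {url: allowed?}."""
    return {u: allowlist.permits(u) for u in urls}


if __name__ == "__main__":
    wl = SiteAllowlist()
    wl.allow("good.example")                      # the user's deliberate choice
    # constructed sample requests, as a proxy might see them
    sample = [
        "https://good.example/index.html",
        "http://WWW.good.example:8080/app",
        "http://good.example.evil.example/",      # lookalike: approved host as prefix
        "http://good.example@evil.example/",      # approved host hidden in userinfo
        "http://notgood.example/",                # shares a suffix, not a subdomain
        "ftp://good.example/",                    # wrong scheme
    ]
    for url, ok in filter_requests(wl, sample).items():
        print(("ALLOW " if ok else "BLOCK "), url)
    print("blocked hosts:", wl.blocked)
```

The list is keyed on hostnames rather than full URLs so that a single user decision covers a site's pages and subdomains, while every unapproved host is recorded so the tool can prompt the user (the "user-friendly" part) instead of failing silently.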

Well that's all from me for AusCERT 2007. The last three days went by so fast. I'm looking forward to next year's AusCERT, which promises to be the biggest and best yet. If you're attending, come and say G'day.


Tuesday May 22, 2007

AusCERT 2007 - Day 2

Day two kicked off with a keynote presented by Mark Grantz of the FBI and a US Secret Service employee. While I cannot comment on the specifics of the presentation, it was fascinating to hear their perspectives on fighting cyber crime, particularly computer fraud. The impression I got from the presentation was that law enforcement generally feel they are fighting a losing battle against cyber criminals. It seemed there was a feeling of helpless desperation about the situation. Successful prosecutions are few and far between. Changes need to be made on multiple fronts including legislation, security technology and education to achieve any significant improvement in this area.

I caught Nelson Murilo de Oliveira Rufino's presentation on Chkrootkit. He spoke in Portuguese, which made it hard for the audience to ask questions without significant details being lost in translation. Nevertheless, it was a solid presentation. The one major gripe I have about rootkit scanners is they are based on blacklisting, which, as I mentioned in yesterday's post, is a dumb idea.

Wade Alcorn's presentation on Advanced Browser Attacks was excellent. He described some of the latest attacks that can be launched from web browsers (including IE and Firefox). The scary thing is how sophisticated these attacks are becoming. One example showed how an attacker could launch a TCP port scan from inside a browser using simple JavaScript. Members of an organisation typically have greater access to an organisation's resources than an outsider. Attackers can effectively elevate their privileges by running attacks from a trusted user's browser. With Web 2.0 gaining wide acceptance, these types of attacks are going to become a lot more common. The browser is the new platform, with many browsers having powerful features comparable to operating systems.

After lunch I caught up with some friends from Queensland University of Technology from my honours days. Another session I attended that is worth mentioning was Aaron Hackworth's presentation on Advanced Features of Botnets. Botnets have become increasingly advanced over the last few years. It is scary to see how streamlined the process is becoming and how large some botnets are growing. This just reinforces the fact that, even if you think you have nothing worth hacking on your computer, you are still a target.

Stay tuned for the next update for AusCERT 2007.


Monday May 21, 2007

AusCERT 2007 - Day 1

Day one is over and I was not disappointed. The opening keynote from Ivan Krstic of One Laptop per Child was excellent. For a presentation that essentially said, "what we have been doing in security for the last ten years is wrong", I thought the audience was quite receptive judging by the number of nodding heads and the thunderous applause he received at the end. He raised some very valid points, including:

  • The accepted "the program is the user" permissions model, which can be traced back to Kernighan and Ritchie's work on UNIX, is showing its age in today's networked PC environment. The operating environment needs better protection from the application, which should run in its own virtual machine (container) rather than inherit the full permissions of the user, e.g. Minesweeper should never need to open network sockets. This would solve many of the security problems we are seeing. I think most people agree we are fighting a losing battle with patching.

  • Blacklists are a dumb idea. This idea has been raised before, but it bears repeating. Anti-* solutions are just an extension of this dumb idea. See here for a really good article on dumb security ideas.

  • It's all about the user. You can't rely on the average end user to make security decisions. They will just click the "OK" button, which they translate as, "OK, let me get my work done!". Security professionals need to be prepared to make decisions for the end user instead of handing over responsibility. This model is not always applicable, but it generally holds true for desktop user environments. Server side applications would require a slightly different approach. In any case, I think most people agree that web browser SSL alerts regarding certificates are terrible.

  • Web browsers are the new operating environment with many browsers having powerful abilities comparable to some operating systems. This raises many security concerns and we, as security professionals, should all be very scared. The direction of Web 3.0 suggests it's going to get a lot worse before it gets better.

I think the best idea presented was that vendors have to be prepared to break backwards compatibility for us to really solve our current security problems. When this issue was raised at the Ask Microsoft session later in the day, all the Microsoft heavyweights balked at the idea. I think there's a long way to go before vendors will go down this path, but the seeds have been planted. Maybe some of them will take root and grow.

Stay tuned for the next AusCERT 2007 update.


Saturday May 19, 2007

AusCERT 2007

Tomorrow I'm off to AusCERT again on the sunny Gold Coast. This is the biggest IT security conference of the year in Australia. It will be good to see what's new and catch up with some people I haven't seen for a while. I'm sure I'll manage to squeeze in a visit to Conrad Jupiter's at some stage also. ;-)

This year promises to be as good as ever. There are plenty of interesting speakers to keep both blackhats and whitehats amused for hours. The program includes speakers such as David Litchfield (NGSSoftware), Nelson Murilo (author of chkrootkit), Anthony Nadalin (IBM and Higgins project), Paul Ducklin (Sophos), Howard A. Schmidt, John McHugh, David Thomason (Sourcefire), Johannes Ullrich (SANS), Aaron Hackworth (CERT) as well as researchers from Queensland University of Technology.

Stay tuned for updates on what should be an excellent three days.

