Older blog entries for mjcox (starting at number 130)

Today a "Role Comparison Report" from Security Innovation was published which has a headline that Red Hat fixes security issues less than half as fast as Microsoft.

Red Hat was not given an opportunity to examine the "Role Comparison Report" or its data in advance of publication and I believe there to be inaccuracies in the published "days of risk" metrics. These metrics are significantly different from our own findings based on data sets made publicly available by our Security Response Team. I work with these stats on a daily basis and frequently publish reports based on them. I've put some sample reports, including ones for the distribution and timeline examined in the report, on my Red Hat page along with the perl script we use to do the analysis so you can judge for yourself.

Despite the report's claim to incorporate a qualitative assessment of vendor reactions to serious vulnerabilities, the headline metric treats all vulnerabilities as equal, regardless of their risk to users. The Red Hat Security Response Team publish complete data sets allowing calculations to be made taking into account the severity of each flaw. Red Hat prioritise all vulnerabilities and fix first those that matter the most.

For example, out of the dataset examined by the report there were only 8 flaws in Red Hat Enterprise Linux 3 that would be classed as "critical" by either the Microsoft or Red Hat severity scales. Of those, three quarters were fixed within a day, and the average was 8 days. A critical vulnerability is one that could be exploited to allow remote compromise of a machine without interaction, for example by a worm.

But let's put these metrics into context - with the current threat landscape it is no longer sufficient for operating system vendors to just respond to security issues. We've had a firewall enabled by default in our products since 1999. We've digitally signed all software updates from Red Hat since 1996. As part of our overall security strategy Red Hat is continually innovating to create new technologies that proactively help reduce the risk of unpatched or as yet undiscovered vulnerabilities. That's why you see things like Exec-Shield, which proved its ability in Fedora Core to reduce the risk of some exploits, accelerated into the Enterprise product, and why you see us work on integrating technologies such as SELinux configured and enabled by default.
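As an added illustration of the severity-aware analysis this entry argues for (example code written here, not Red Hat's perl script or its published dataset; the advisory ids, dates and severities are constructed, and "fixed within a day" is taken to mean at most one day between the public date and the fix date):

```python
from datetime import date
from statistics import mean

# Constructed sample records: not Red Hat's data, and not real advisory ids.
SAMPLE_CSV = """\
advisory,public,fixed,severity
EXAMPLE-01,2004-01-05,2004-01-05,critical
EXAMPLE-02,2004-01-20,2004-01-20,critical
EXAMPLE-03,2004-02-10,2004-02-11,critical
EXAMPLE-04,2004-03-02,2004-03-02,critical
EXAMPLE-05,2004-04-14,2004-04-15,critical
EXAMPLE-06,2004-05-06,2004-05-06,critical
EXAMPLE-07,2004-06-01,2004-07-01,critical
EXAMPLE-08,2004-07-10,2004-08-11,critical
EXAMPLE-09,2004-02-01,2004-04-01,low
EXAMPLE-10,2004-03-01,2004-05-30,low
EXAMPLE-11,2004-05-01,2004-08-29,low
EXAMPLE-12,2004-09-01,2004-10-21,low
"""

def parse_advisories(text):
    """Parse the CSV (header line first) into dicts holding real date objects."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        advisory, public, fixed, severity = line.split(",")
        rows.append({"advisory": advisory, "severity": severity,
                     "public": date.fromisoformat(public),
                     "fixed": date.fromisoformat(fixed)})
    return rows

def days_of_risk(row):
    """Days the flaw was public before a fix shipped (0 = fixed the same day)."""
    return (row["fixed"] - row["public"]).days

def summarize(rows, severity=None):
    """Count, mean days of risk and share fixed within a day for one severity (or all)."""
    days = [days_of_risk(r) for r in rows
            if severity is None or r["severity"] == severity]
    if not days:
        return {"count": 0, "mean_days": 0.0, "within_a_day": 0.0}
    return {"count": len(days), "mean_days": mean(days),
            "within_a_day": sum(d <= 1 for d in days) / len(days)}

def report(text=SAMPLE_CSV):
    """The headline 'all flaws equal' figure next to the per-severity breakdown."""
    rows = parse_advisories(text)
    out = {"all": summarize(rows)}
    for sev in sorted({r["severity"] for r in rows}):
        out[sev] = summarize(rows, sev)
    return out
```

On the constructed data `report()` gives a mean of 32 days across all flaws but 8 days for the critical ones, three quarters of which were fixed within a day; the gap is what a single headline average hides.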

Roy Fielding sent out a message reminding us all that the Apache web server just celebrated its tenth birthday.

In January 1995 I found a security flaw affecting the NCSA web server and I'd forwarded my patch on to Brian Behlendorf. The flaw affected the Wired.com site he was the administrator of. He told me about the Apache project and I was invited to join the group and share the numerous patches I'd made to NCSA httpd, so my first post was back in April 1995. I can't believe that was ten years ago!

Anyway in my official Red Hat blog I've been posting stuff about the recent comparisons of security issues in Microsoft and Red Hat, and we've published a ton of useful data. See Counting Teapots and Real Data.

My girlfriend's computer (made up of lots of bits of my old computers) has been acting weird for some time in a way that defied logic. Swapping around the memory would cause it to crash randomly, but the memory was okay. Sometimes the machine would fail to turn itself off. Sometimes the machine wouldn't turn itself on. Sometimes it hung for no reason at all. After swapping various hardware, changing BIOS settings, and playing around for months on and off with no effect I finally gave in and bought her a new PC from DELL. We plugged it in last night and it showed almost identical symptoms, wacky. Upstairs it worked fine. In her office it didn't. Is the power downstairs (on a separate circuit) dodgy? Was it the mains leads? No. It turned out to be the fairly old CRT monitor. Use a different CRT and the machines act normally. Plug in the old CRT and they start behaving erratically. The monitor was the last thing I thought of that would have been causing these problems.

What happens if you combine an old 32Mb USB key with a Geocaching travel bug dogtag and 50g of epoxy? A USBUG emerges. I thought that rather than the usual selection of TY toys or computer parts attached to travelbug tags I'd actually build a memory travel bug, fill it with mp3s, and see if it gets any interest. (Yes, legal mp3s)

Having spare potting compound is very dangerous however. When all you have is potting compound, everything looks like it needs to be covered in epoxy ;) Anyway let's see if Tesco can still read my clubcard.

20 minutes to comply

Back in the UK, and last night in the Red Hat earnings call Matthew Szulik mentioned some statistics on the survivability of Red Hat Enterprise Linux 3. In August 2004, SANS Internet Storm Center published statistics on the survival time of Windows by looking at the average time between probes/worms that could affect an unpatched system. The findings showed that it would take only 20 minutes on average for a machine to be compromised remotely, less than the time it would take to download all the updates to protect against those flaws. We tried to do the same comparison with RHEL3 but found you can't because there were no worms or exploits that a full install with default configuration could have taken advantage of without user interaction.

I'm standing in the middle of Target when my phone vibrates to tell me there is an incoming SMS message. The message is from my home automation system and tells me that the alarm has been triggered. Then a second text to show it's a confirmed alarm. There's really not much I can do about it being a few thousand miles from home apart from try calling my partner or the neighbours. If I were in the UK I'd be able to bring up a little picture from the house cameras to see what was going on, but GPRS wasn't enabled for whatever roaming partner we have in New Hampshire. Anyway it turns out my partner had triggered it without noticing and she had left the house. The mobile conversation went along the lines of "oops - how do you cancel this thing?" "Sorry, can't hear you, all the sirens in the background" "What?" "Hello?" "helloooo?" Anyway I'd forgotten that even after turning it off you had to reset the alarm to clear the events, and until then the HA system continued to shriek, wail, and flash the lights, probably to the delight of everyone in the chocolate aisle of Target.

Mapopolis is working really well once you get used to it, it's managed to get me out of a number of sticky situations and it doesn't endlessly complain like TomTom if I decide to take an alternative route, it just makes a happy "ching" sound and gets on with rerouting you.

Out in the USA for a week and I'm making myself at home. I'm watching "America's Funniest Home Videos" (which kind of makes me wonder how you could possibly find less funny videos). I'm drinking $1.25 bottled tap water. Really, this stuff actually says on it that it's taken from the public water supply. But I went and bought loads of Halloween Candy from Target, and the hotel has free wireless internet access, so it's not all that bad ;)

USB Power

I recently picked up a USB "charge anywhere" kit for the iPAQ; it's got a mains adapter with multiple plugs for UK/US/etc with a single little USB socket, and a USB charger lead. It also came with a car lighter adapter which gives a nice regulated 5v to a USB socket. I've already got a USB charger lead for my phone, and I just built one for my bluetooth GPS and it really cuts down on the number of chargers and leads to lug around when travelling. I wonder how long it will be before cars come with little USB sockets to charge and power goodies instead of lighter sockets? Of course all these gadgets violate the USB spec which says that you should only get 100mA unless you've negotiated with the hub for more (500mA). I guess adding the components to regulate and switch power to USB sockets isn't worth the expense or space to most designers, so all those USB lights and fans will probably keep working.

TomTom Navigator vs Mapopolis

I've been using TomTom Navigator 3 with a bluetooth GPS receiver around Scotland and it's been doing a pretty impressive job. Except it once wanted to take me off a motorway by using the private service exits for a service station. And today it sent us the wrong way up a one-way street. I'm travelling to the US next week but couldn't get the TomTom add-on maps in the UK, so I ended up buying Mapopolis for about $99 that I could download online, and as well as the US maps downloaded Scotland too for comparison. Mapopolis isn't as polished a product as TomTom by far but it's technically more superior - it knows the names of the roads and attempts to speak them:

TomTom: After 300 yards turn right
Mapopolis: In 300 yards turn right into Cathedral Street. Cathedral Street is next on your right

If you want to drive and not look down, Mapopolis wins as it tells you exit numbers, road names, and so on. But for clarity TomTom wins as they supply really high quality audio for the small selection of possible words; Mapopolis has a primitive speech engine. Anyway I'm going to be driving in Boston with Mapopolis so it'll be interesting to see how it deals with all the buildings and new road layouts. I suspect I'll get used to it telling me to "turn around when possible".

Bling Blong

I'm fed up with always missing the postman when he rings the doorbell and we don't hear it as we're in the kitchen or have the music on. It's one of those HA things I've never got around to - in my first student house 10 years ago the first thing we did was to hook the doorbell up to our shared-house Novell server (called Malawi since it lived inside a wood box with that label) so that it popped up on everyone's computer when someone was at the door (and being students we'd all just sit there and ignore it, perhaps sending popup messages to each other to find someone who would go answer it).

I use one of these RF doorbells (Friedland Libra) and picked up an identical spare unit from eBay for 8 pounds. I made sure to get a battery one, not one that plugs directly into the mains, as they don't bother using a transformer to step down the voltage, so interfacing to it is more risky. Inside is a RF circuit and a PIC microprocessor and, fortunately, one of the output pins acts as a mute for the sound circuit. So one pin is high around 3v and is pulled low for a couple of seconds as the doorbell rings. I hooked this to a 3-pin DS2406, a one-wire device from Maxim that can monitor a single IO pin (a high is 2.2v or greater) and report on the status (and if there have been any transitions since you last spoke to it). These things are mad, a tiny package the size of a transistor with internal processor, 1Kb of EEPROM and a unique id. Pretty reliable too, one has been monitoring the heating system for the last couple of years. So one device, four wires, and now a Jabber bot announces within about a second when there is someone at the door. All for about 10 pounds of parts and an hour's work.

Looking in all the wrong places

I went Geocaching again this weekend. One of the things I love about Geocaching is that it takes us to places we never knew existed, but are well worth exploring. An amazing short walk up past some waterfalls near Ayr took us to a rock, behind which, stuffed into a crevice, was the usual black bag containing the plastic box of swaps. The place wasn't deserted (near the cache were several discarded beer cans), yet this box has sat in the hole for over a year without being disturbed by any of the thousands of visitors. No one has found it because no one was looking for it. Knowing there is a hidden box within a 10 or 20 metre radius, it's then quite easy to find. You have an idea what you're looking for, and you have the knowledge that something is there to find.

As I thought about this on the walk back to the car, I was reminded of a conversation I had with a security researcher on Friday. We were discussing an upcoming serious vulnerability that he found this week in a common library. This issue is under embargo, to give the vendors and upstream authors a few days to prepare updates. Not only is the actual flaw confidential, but the fact that there is a flaw in this library is also confidential. Just like the cache which is hidden under your nose, if you know that there is a security flaw in some named library, even if you don't really know what it is or where it is, you know that if you search hard enough it has to be there somewhere.
