Embracing Chaos

A couple weeks ago, Dan Kaminsky found a flaw in DNS. Without getting into details, this flaw enables a malicious attacker to fool your web browser into connecting to the wrong computer to get your web pages. So when you type www.facebook.com into your browser, you might actually go to Joe Hacker’s site, even though your browser says http://www.facebook.com/ in its address bar just like it should. Dan, being a “good guy”, tried to keep the details of this hack quiet for long enough for network operators to patch their systems and close the loophole. He wanted everybody running a…

...full article

It was pretty late at night at my friend Miller’s birthday party last week. She had asked everybody to do something good for the world in lieu of birthday presents. The awake were discussing options as I was dozing off. I overheard somebody say “If you’ve got an old linux box that you’re using as a firewall drawing 400 watts continuously, consider spending $30 on a dedicated router.” I thought about the headless Pentium 3 box in my office closet which is running the IP Cop Linux firewall distro. I thought about the four matching ethernet cards I’d put in…

...full article

Every time we sign up for a new service on the net, we have to make a new account and pick a password to go with this account. We’re going to be stuck like this until something like OpenID becomes dominant which is going to take years. Until then we’re stuck remembering which password goes with which site, which is an age-old problem. I think very few of us actually use a unique password for every account we have. For sanity’s sake, we re-use passwords, or at least password themes. Personally, a couple of times I’ve had throw-away passwords get…

...full article

Why it’s good to break the MVC pattern Bruce Perens hit on a really good thing when he wrote a package for Ruby on Rails called Model Security. It’s too bad the project is gathering dust. But even if you don’t use the whole thing (I haven’t been able to) there are some really valuable ideas and chunks of code in there. The idea behind Model Security is to centralize security rules in the model classes. Certain objects can only be accessed by certain users. Perens talks about multi-layered security. But in my mind the real benefit is that you…

...full article

I’ve often heard that “security through obscurity is no security.” I don’t agree with this one bit. After all a password is only useful in that its value is obscure. DRM schemes rely on obscurity — they are only effective because the public doesn’t know where or how the secure media’s decryption keys are stored. Similarly, it actually does help to use a non-standard port number for exposing a service to the public net that you really don’t want outsiders using — it significantly reduces the number of people who will notice that the service is exposed and even think…

...full article

Here’s the best reason I’ve heard to upgrade your browser in a long time. Apparently a number of people are finding their gmail accounts wiped clean. This is potentially linked to a known security flaw in Firefox 2.0 which was fixed in 2.0.0.1 related to cross-site scripting (XSS). So upgrade your firefox, yo. I’ve heard from security experts that FF has way more problems than IE does, but it just doesn’t get attacked as much. I hate to say it, but we’re probably already living in a world where all software not only has bugs but has security bugs too….

...full article

Here’s a little food for thought about hacking into a development system. If you wanted to gain control of somebody’s network how would you do it? Well, you’d probably try to figure out a way to get one of the computers on the inside of their firewall to run some code for you. If you could get it to run an arbitrary block of code that you wrote, then you’re probably pretty close to 0wning it. Now think about the continuous integration server in your development farm. What does it do? Whenever anybody checks in new code, it runs all…

...full article