Yesterday I gave a presentation at OSDC in Melbourne about my Postal mail server benchmark suite. The paper was about my new benchmark program BHM for testing the performance of mail relay systems and some of the things I learned by running it. I will put the paper on my Postal site in the near […]

biometrics and passwords

In a comment on my post more about securing an office someone suggested using biometrics. The positive aspect of biometrics is that they can’t be lost, no-one is accidentally going to leave a finger or an eye in their car while they go to a party while other authentication devices are regularly lost in such […]

more about securing an office

My post about securing an office received many comments, so many that I had to write another blog entry to respond to them and also add some other things I didn’t think of before.

One suggestion was to use pam_usb to store passwords on a USB device. It sounds like it’s worth considering, but really […]

a good security design for an office

One issue that is rarely considered is how to deal with office break-ins for the purpose of espionage. I believe that this issue has been solved reasonably well for military systems, but many of the military solutions do not apply well to civilian systems – particularly the use of scary dudes with guns. Also […]

The benefits of SE Linux

Today I discovered a bug in one of my programs, it called system() and didn’t correctly escape shell eta-characters. Fortunately I had written custom SE Linux policy for it which did domain_auto_trans(foo_t, shell_exec_t, very_restricted_t) so there was no possibility of damage.

The log files (which were not writable by the daemon by both SE Linux […]

Ruxcon and SLUG

This weekend I was in Sydney for Ruxcon. Ruxcon is a computer security conference with a focus on penetration testing and related skills.

The presentation on Unusual Bugs by Ilya van Sprudel was particularly interesting. He spoke about a number of issues that could do with some improvement in Linux, I will file some bug […]

SAK, ctrl-alt-del, and Linux keyboard mapping

A common problem with Linux systems is when Windows users press CTRL-ALT-DEL at the login prompt and reboot the machine.

To fix this some people change the ^ca line in /etc/inittab to just disable the reboot function. However this is not desirable because sometimes you want to reboot a machine with a simple keypress.

Another […]

tcpdump and ps

Today I was doing some network tracing and figured out how to track the start and end of TCP connections. The following tcpdump command will get all SYN, FIN, and RST packets on port 80 and all ICMP packets:

tcpdump -i bond0 -n “port 80 and tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) != 0 or icmp”

Also recently […]

sendmail – the MTA for insecure systems

Sendmail is the most prevalent Unix MTA. It is the oldest MTA and is still one of the most powerful ones that are available. However it has never been known for being secure.

Most of it’s bad reputation comes from regularly having serious security holes. The above URL has the most recent one. Neither […]

SE Linux is like a moat filled with sharks with laser attached head gear

Here’s an interesting blog entry comparing SE Linux and AppArmor. It has some amusing comments, one of which I used for the title of this entry.

There are two things I don’t like about AppArmor. One is that it doesn’t label Inodes but instead bases it’s access control on file names. This means that renaming […]