Archives

Categories

Blog Posts Should Stand Alone

I believe that apart from some exceptions (such as “links” posts) each post should stand alone. A reader should be able to read a single blog post and understand the author’s point without needing to visit any external sites.

A common mistake is to write a post that can not be understood without following the links. This means that if one of the links gets taken down then the post can not be interpreted. Also if a reader has Internet access problems that deny access to the other site (which is not uncommon) they will be unable to find the original source and thus miss the point.

It’s quite common for people to download copies of blog content before going out of net access (I routinely load a Planet feed of the blogs I read before travelling). Some people read blog content via email, for such people reading blogs without net access will be even more common. If a blog post can’t be immediately understood then a significant number of readers will just skip it. If too many posts from one RSS feed (where “too many” is a subjective value that varies from reader to reader) have this problem then they may just unsubscribe from the feed.

Also even people who do have good net access will sometimes skip posts which require them to visit an external site. It takes more time and if they aren’t sure that the content will be of interest then they skip it.

Finally writing an explanation of your point tends to result in more clear communication. At the shallow end of the blog pool it’s quite common to see posts which link to web pages and express disagreement with them. If the web page which is referenced makes several points (it’s very rare to find pages which strictly make a single point with no sub-points and no chain of logic to support the point) then it can be difficult or impossible to determine what the blogger specifically disagreed with. A post which summarises a page and gives specific reasons for agreeing or disagreeing with it gives little potential for confusion or miscommunication.

Related posts:

  1. Citing References in Blog Posts A significant problem with the old-fashioned media is that as...
  2. Lazyweb Posts A common practice in the blog space is to write...
  3. lemonup and blog license I have just updated my previous post about licenses and...
  4. Categories for Best and Most Popular Posts I have just added two new categories to my blog,...
  5. Plans for Future Posts I have created a new blog page for suggestions for...
April 6th, 2008 | Tags: | Category: Blogging | 4 comments - (Comments are closed)

Trust and My SE Linux Play Machine

Currently my SE Linux Play Machine [1] is running as a Xen DomU. So if someone cracks it they would also have to crack Xen to get access to directly change things on the hardware (EG modifying the boot process). As documented in my last post [2] a user of my Play Machine recently managed to change my password. Of course this was just two days after the vmsplice() kernel security flaw had been discovered [3]. Of course any machine that offers shell access to remote users (or the ability to run CGI-BIN scripts or other programs that users can upload) is immediately vulnerable to such exploits and while SE Linux has blocked local kernel exploits in the past [4] there will always be the possibility of kernel exploits that SE Linux can’t block or which can be re-written to work in a way that is not stopped by the SE Linux policy. So it’s best to assume that SE Linux systems are vulnerable to kernel exploits.

At the time that the vmsplice() exploit was announced there was a claim that it could be used to de-stabilise a Xen Dom0 when run within a DomU. It’s best to assume that any attack which can make some software perform in an unexpected manner can also be used to successfully attack it. So at the time I was working on the assumption that the Dom0 could have been exploited.

Therefore I reinstalled the entire machine, I firstly installed a new Dom0 (on which I decided to run Debian/Unstable) and then I made a fresh install of Etch for the Play Machine. There is a possibility that an attacker could compromise the hardware (changing the BIOS or other similar attacks), but this seems unlikely – I doubt that someone would go to such effort to attach hardware that I use for demonstrating SE Linux and for SE Linux development (it has no data which is secret).

If someone attacks my Play Machine they would have to first get root on the DomU in question and then crack Xen to get access to the hardware. Then the machine is on a separate Ethernet segment which has less access to my internal network than the general Internet does (so they would not gain any real benefit).

One thing an attacker can do is launch a DOS attack on my machine. One summer a Play Machine overheated and died, I suspect that the extra heat produced by a DOS attack contributed to that problem. But losing a low-end machine I bought second-hand is not a big deal.

When discussing the machine there are two common comments I get. One is a suggestion that I am putting myself at risk, I think that the risk of visiting random web sites is significantly greater. Another is a challenge to put the machine on my internal network if I really trust SE Linux, as noted I have made mistakes in the past and there have been Linux kernel bugs – but apart from that it’s always best to have multiple layers of protection.

Related posts:

  1. SE Linux Play Machine and Passwords My SE Linux Play Machine has been online again since...
  2. New SE Linux Play Machine Online After over a year I have finally got a SE...
  3. How SE Linux Prevents Local Root Exploits In a comment on my previous post about SE Linux...
  4. Linux Resource Controls Using the “ulimit” controls over process resource use it is...
  5. An Ideal Linux Install Process for Xen I believe that an ideal installation process for Linux would...
April 3rd, 2008 | Tags: , | Category: Security | Comments are closed

SE Linux Play Machine and Passwords

My SE Linux Play Machine [1] has been online again since the 18th of March.

On Monday the 11th of Feb I took it offline after a user managed to change the password for my own account (their comment was “ohls -lsa! i can change passwordls -lsals -lsa HACKED!“). Part of the problem was the way /bin/passwd determines whether it should change a password.

The previous algorithm (and the one that is currently used in Debian/Etch) is that if the UID of the account that is having it’s password changed doesn’t match the UID of the process that ran /bin/passwd then an additional SE Linux check is performed (to see if it has permission to change other user’s passwords). The problem here is that my Play machine has root (UID==0) as the guest account, and that according to the /bin/passwd program there is no difference between the root account (for unprivileged users) and the bofh account (which I use and which also has UID==0). This means of course that users of the root account could change the password of my account. My solution to this was to run chcon on the /bin/passwd program to give it a context that denied it the ability to change a password. The problem was that I accidentally ran the SE Linux program restorecon (which restores file contexts to their default values) which allowed /bin/passwd to change passwords, and therefore allowed a user to change the password of my account.

The semanage tool that allows changing the default value of a file context does not permit changing the default for a file specification that matches one from the system policy (so the sys-admin can’t override compiled in values).

I have now fixed the problem (the fix is in my Etch SE Linux repository [2] and has been accepted for Debian/Unstable and something based on it will go into the upstream branch of Shadow. See the Debian bug report #472575 [3] for more information.

The summary of the new code is that in any case where a password is not required to change the user’s password then SE Linux access checks will be performed. The long version is below:

The new algorithm (mostly taken from the Red Hat code base which was written by Dan Walsh) is that you can only change a password if you are running as non-root (which means that the pam_unix.so code will have verified the current password) or if you are running as root and the previous SE Linux security context of the process is permitted access to perform the passwd operation in the passwd class (which means it is permitted to change other user’s passwords).

The previous context (the context before one of the exec family of system calls was called) is used for such access checks because we want to determine if the user’s shell (or other program used to launch /bin/passwd) was permitted to change other user’s passwords – executing a privileged program such as /bin/passwd causes a domain transition and the context is different) than the program that was used to execute it. It’s much like a SETUID program calling getuid(2) to get the UID of the process which launched it.

To get the desired functionality for my Play Machine I don’t want a user to change their own password as the account is shared. So I appended password requisite pam_deny.so to the file /etc/pam.d/passwd (as well as the chfn and chsh commands) so that hostile users can’t break things. The new code in /bin/passwd will prevent users from taking over the machine if my PAM configuration ever gets broken, having multiple layers of protection is always a good thing.

The end result is that the Debian package and the upstream code base are improved, and my Debian Etch repository has the code in question.

Related posts:

  1. New SE Linux Play Machine Online After over a year I have finally got a SE...
  2. Can SE Linux Stop a Linux Storm Bruce Schneier has just written about the Storm Worm [1]...
  3. MySQL security in Debian Currently there is a problem with the MySQL default install...
  4. Linux Resource Controls Using the “ulimit” controls over process resource use it is...
  5. How SE Linux Prevents Local Root Exploits In a comment on my previous post about SE Linux...
April 2nd, 2008 | Tags: , , | Category: Security | 3 comments - (Comments are closed)

SE Linux Etch Repository for AMD64

My Etch back-port repository of SE Linux related packages (which I documented in a previous post [1]) now has a complete set of packages for AMD64. From now on I aim to make AMD64 and i386 be my main supported platforms for SE Linux development.

There is a guy who may be able to give me a stack of well configured PowerMacs (2gigs of RAM), if he comes through with that then I may add PPC-32 to the list of architectures I support. If that happens then probably the machines will have their hard drives smashed for security reasons, so I’ll want to swap some G3 PowerMacs for hard drives.

Related posts:

  1. My SE Linux Etch Repository deb http://www.coker.com.au etch selinux The above sources.list line has all...
  2. installing Debian Etch A few days ago I installed Debian/Etch on my Thinkpad....
  3. SE Linux in other Distributions Recently a user has been asking about SE Linux support...
  4. Debian SE Linux Status At the moment I’ve got more time to work on...
  5. installing Xen domU on Debian Etch I have just been installing a Xen domU on Debian...
April 2nd, 2008 | Tags: , | Category: Security | Comments are closed

Debian SE Linux Status

At the moment I’ve got more time to work on these things than I have had for a while.

I’ve got Etch support going quite well (see my post about my Etch repository [1]), the next step is to back-port some packages for AMD64 to get it working as well as i386.

I’ve got an i386 Xen server for SE Linux development (which is also used for my Play Machine’s [2] DomU – so it’s definitely not for anything secret). I can give accounts and/or DomU’s to people who have a good use for them (the machine has 512M of RAM so could have 4-5 DomU’s).

Currently it seems that the 2.6.24 kernel in Debian doesn’t work for Xen (at least on with an i686 CPU). I have filed bug report #472584 about it not working as a DomU [3]. This combined with the fact that according to bug report #466492 it doesn’t work as a Dom0 (which I have verified in my own tests) [4] makes the package linux-image-2.6.24-1-xen-686 unusable.

Due to the inability to use 2.6.24 Xen I can’t do SE Linux development for Lenny in a DomU (Lenny tools build policy version 21 and the Etch kernel I’m using only supports policy version 20). So I have repurposed one of my servers for Lenny (unstable) development. I can give user accounts on that machine to anyone who has a good reason (and there are some people who I would give root access to if they need it).

The current policy packages in Unstable are built without MCS support. This is a problem as converting between a policy which has MCS or MLS and one which doesn’t is rather painful (purge policy, reinstall policy, and reboot are all required steps). I have filed bug report #473048 with a patch for this – my patch may not actually be much good (I don’t understand some aspects of Manoj’s code) but it does achieve the desired result [5]. I won’t be making Apt repositories for such things as I expect that the changes will get into Debian fast enough.

The next thing I am starting to work on is MLS support for Debian (currently it only supports the Strict and Targeted policies). See the Multilevel Security Wikipedia page for some background information on the technology [6].

I don’t expect that many people will use MLS on Debian in production environments, and it wouldn’t surprise me if no-one used it on a production server (although of course it would be impossible to prove this). But I still believe that it’s worth having for educational purposes. I am sure that there are packages in Debian of a similar size that will get less use so it’s not a waste of disk space on mirror servers!

The only real down-side to adding MLS support is that it will increase the build time for the Debian SE Linux policy packages, currently they take 13 minutes to build on a 1.1GHz Celeron system (the Xen server I mentioned previously) and I expect that the machine in question will have build times greater than 20 minutes with MLS included. I will probably need to set up an Unstable DomU on a dual-core 64bit machine for the sole purpose of building policy packages. I will also have to investigate use of the “-j” option to make when building the policy to take advantage of the dual cores. I often do small tweaks to policy and it’s annoying to have to wait for any length of time for a result.

The version of Coreutils that is currently in Unstable will have ls display a “+” character for every file when running SE Linux (I have filed bug report #472590) about this [7]. It is being actively discussed and at this stage it seems most likely that the functionality from Etch in this regard will be restored (which is using “+” to represent ACLs only not SE Linux contexts). It seems likely to me that I will find a few other issues of a similar nature now that I have started seriously working on Unstable.

For the benefit of Debian and upstream developers who get involved in such discussions, please do not be put off if you join a discussion that is CC’d to the NSA SE Linux mailing list and have your message rejected by the list server. The code of conduct is much the same on most mailing lists, and the SE Linux list is not much different to others. The difference is that before your get your email address white-listed for posting you have to agree to the terms of service for the list. The people who run the list server appear to work more than 40 hours a week so there should not be a great delay. If anyone wants to get a message about Debian SE Linux development sent to the list without delay on a weekend then they can send it to me for forwarding.

I am aware of some discussions about SE Linux and the Debian installer. I have not responded to them yet because I wanted to get some serious coding done first as an approach of “I haven’t done much coding recently but trust me I’ll fix the problems for you” might not be accepted well. I will start investigating these issues as soon as I have my Debian/Unstable server working well in enforcing mode.

Update: I’ve just filed bug report #473067 with a patch to enable MLS policy builds [8].

Related posts:

  1. My SE Linux Etch Repository deb http://www.coker.com.au etch selinux The above sources.list line has all...
  2. SE Linux in other Distributions Recently a user has been asking about SE Linux support...
  3. Lintian and Executable Stacks Debian has a program called Lintian that is used to...
  4. MySQL security in Debian Currently there is a problem with the MySQL default install...
  5. Debian SE Linux Yesterday Erich Schubert blogged about reducing Debian SE Linux work...
March 28th, 2008 | Tags: | Category: Security | One comment - (Comments are closed)

The Inevitability of Victory

I just read an interesting blog post about Montenegro [1]. Apparently a key to the process of becoming a country was acting like it was inevitable.

It seems that this method can be applied to many areas, one of which is the contest between Linux and some proprietary OSs.

For many years monopolists have convinced people that it was inevitable that they would monopolise all areas of software development. Why use any other software (even if it is more reliable, faster, has more features, and is cheaper) if a monopolist is about to dominate the market? The monopolist changes sometimes, the monopolist from ~1990 to now is different from the monopolist of the 1970’s, but the tactics of a computer monopolist remain the same.

The way to beat this is largely to just ignore them. There is an ongoing debate in some circles about when Linux will be “ready for the desktop“. I’ve been running Linux as my primary desktop environment since about July 1998, it’s almost 10 years of having Linux as my primary desktop environment. It seems inevitable that the Linux will take over the desktop – it’s far better for desktop use than it was 10 years ago when I switched.

Some people claim that Linux lacks driver support. Every piece of hardware that I’ve wanted to use over the last 10 years has had adequate support. Often second-hand hardware works best with Linux, hardware vendors have no reason to continue to support their old products on newer operating systems (they make more money if you buy new hardware to run the new OS). Not only is hardware support for Linux adequate, but long-term support is far superior (and I often get to use cheap second-hand hardware). Now that an increasing number of hardware vendors are supporting Linux for their new hardware (Intel, AMD, and most laptop vendors are doing some good work in this regard). It seems that everyone who has tried both says that writing drivers for Linux is easier than writing drivers for proprietary OSs, so it seems inevitable that Linux will end up with better driver support by all metrics.

Linux is designed for users. DRM (Digital Restrictions Management) is not something that interests Linux developers. Run Linux and your computer will obey you and give full quality audio and video. It seems inevitable that Linux will dominate the AV section of the market (it already dominates the computer work involved with creating movies).

Free software (of which Linux is merely the most famous and popular example) is based on the principles of open design and open standards. When you use a free software program to save a file then you can be reasonably sure that you will be able to read it back again in a few decades. Most free software uses file formats that are well documented and standardised. Sometimes there are bugs in programs and new versions will use files in a different way, this is sometimes a case when you rely on a bug in an old version. Using the older version of the software is sometimes required to properly access old data. Fortunately when you have the source to the older programs they can be compiled on new systems (so different types of CPU won’t matter). Also the lack of DRM means that an OS image can be virtualised. One thing that is on my todo list is to create a set of virtual machine images of some of the most commonly used distributions of Linux so I can easily compare distributions of 10 years ago with modern distributions – it’s not technically challenging and there is no particular technical or legal obstacle to doing this. This would also mean that if someone gave me a file in some strange format from 10 years ago I would have a better chance of reading it. It seems inevitable that as the value of data increases the desire to avoid OSs that prevent people from accessing their own data will also increase, and that will eventually squeeze out most closed software from the market. This doesn’t mean the end of proprietary software, merely the end of software that holds user’s data hostage.

The majority of the world’s population does not use computers. The computers that they end up using will be cheap because they can’t afford to waste so much money on new hardware. To make cheap machines means that there will be limited resources in terms of RAM, mass storage, and CPU power which require more efficient software. Also to properly take advantage of machines with small screens and other limitations changes to the design of the software will be required. It seems inevitable that the most open software will be adapted to such environments more readily than proprietary software.

Now this doesn’t mean that we can take a break from development. In the free software community there are usually many different programs to perform a particular task with competition between the developers of the various projects. The fact that a monopolist is inevitably going to lose it’s position is of little relevance to the competition between the various free alternatives.

Related posts:

  1. The Inevitability of Failure The below document was reproduced from the NSA web site...
  2. Open Hardware – What Would Change I have just read an interesting post speculating about the...
  3. SE Linux in other Distributions Recently a user has been asking about SE Linux support...
  4. Linux support by politicians In two days time we are having a state election...
  5. Linux on the Desktop I started using Linux in 1993. I initially used it...
March 19th, 2008 | Category: Liberty | 9 comments - (Comments are closed)

Barack Obama wants a National CTO

I am just watching US Senator Barack Obama speaking at Google about his bid to become the next US president [1]. He has announced plans for allowing greater citizen oversight of the government including having all government data in open file formats (a great idea – the Australian Bureau of Statistics has a large amount of data online in Excel format). But his most significant item so far is to have a National CTO (Chief Technology Officer). It’s an idea that seems totally obvious now that I’ve heard it and leaves me wondering why I never thought of it before!

Barack understand technology, wants a functioning democracy, and gets a +5 Insightful from me for the CTO idea!

He also announced a plan to double federal funding for basic scientific research as part of a measure to make the US more competitive with other countries. He mentioned the US standing in the world as a problem (it’s the first mention of this that I’ve heard from anyone in the US government) and notes this as an issue which limits the ability of the US to save lives in regions such as the Darfur. He also claims that there is no clash of civilisations and cites his experience living in a Muslim country as helping to build bridges.

When discussing his reasons for running he said that he believes that he can bring his country together to solve problems better than other candidates. That’s the type of thing you often hear and ignore in political campaigns. It is often difficult to believe that someone wants to be famous and powerful for anything other than the most selfish reasons. But Barack gives me the strong impression that he is genuine.

He stated a plan to shut down Guantanamo bay (presumably just the prison and torture aspect – I’m guessing that he is not intending to close the military base) and to stop “rendition” (sending prisoners to other countries to be tortured).

His plans for education are innovative, as part of educating young children (0-3 years old) he stated an aim to teach parents to read so that they can read to their children! It’s sensible and obvious once you have heard it, but no-one seems to have publicised that idea before. He announced that he will increase teachers’ salaries.

He describes the US as having an “empathy deficit“, it’s obvious to almost everyone outside the US but not something that many people in the US realise.

He wants decisions to be based on facts and is determined to use facts when dealing with health insurance companies.

I just wish that we had some politicians like him in Australia. In terms of policy the Greens politicians would agree with him, but the combination of great policies, insight, and excellent delivery seems a lot better than any of the options in Australia.

Update: Changed the post (including the permalink) to have the correct spelling of Barack. Mental note – double check the spelling of everything in the permalink.

Related posts:

  1. Ron Paul A politician named Ron Paul is running for the Republican...
  2. The Squirrel and the Grasshopper There’s a story going around the neo-con blogs titled “The...
March 18th, 2008 | Category: Politics | 7 comments - (Comments are closed)

Unusual Ways of Helping the Environment

Unusual Things to Help the Environment

Have a party! Keeping a house at a comfortable temperature on days of extreme temperature takes a moderate amount of energy. If instead of having three houses that each contained two people you had one house with six people and two houses with the heater or air-conditioner turned off then the energy use would be reduced.

In winter a house with a large party may not need any heating. Each adult dissipates an average of 100W of heat [1]. 30 adults will dissipate about 3KW – equivalent to an electric heater used for heating a room, in my experience it’s not uncommon to open windows during a winter party to cool the house down.

In summer it’s often impossible to use an air-conditioner for a medium size party. A medium size air-conditioner can remove 3KW of heat so if there are 20 people plus some cooking or 30 people without any cooking then the house will be cooler if the windows are left open.

The most energy efficient parties would be family events, as they generally involve moving all the people from several houses into a single house.

I have previously written about the benefits of using water evaporation to assist a car air-conditioner (which reduces a/c use as well as making the car cooler) and of using ice to cool a room to avoid buying a larger a/c [2].

Please try and think of the most unusual ways of helping the environment and let me know by comments or by a post on your own blog. Overall it’s most effective to use more fuel efficient cars, set your home thermostat to a temperature which is closer to the outside temperature, and to recycle as much as possible and reduce needless consumption. But if you are interested in science then it’s more fun to discover unusual ways of doing things even if they don’t do as much good overall.

Having twice-yearly “Environment Parties” on the hottest day of summer and the coldest day of winter would also be a good way of spreading the idea that we need to do something about environmental problems.

Related posts:

  1. cooling Recently there has been some really hot weather in Melbourne...
  2. Hot Water A response to a post I wrote about things to...
  3. things to do for the environment I got the idea for this from Ben Hutchings. A....
  4. Fluorescent vs Incandescent lights Glen Turner writes about silly people who think that fluorescent...
  5. War is Bad for the Environment I just read a nutty post claiming that Neo-Conservatism is...
March 17th, 2008 | Tags: | Category: Uncategorized | 9 comments - (Comments are closed)

Not Visiting the US

I won’t be visiting the US in the forseeable future.

For some time I have been concerned about the malfunctioning legal process and other related issues that arose from the so-called “War On Terror“. But the most recent news is that the TSA may just copy all the contents of your laptop or even steal it [1].

Law enforcement agents can search property if they see evidence of a crime in progress or if they have a search warrant. They can seize property as evidence in a trial, but if the property in question is not illegal then it will be returned afterwards.

The TSA take property from travellers without any reason for doing so and do not return it. This is not law enforcement, it is banditry.

It’s bad enough catching a late train while carrying a laptop and risking a junkie trying to steal it. When bandits have police protection (as the TSA do) then it becomes an unacceptable risk.

The TSA have recently apologised for making people remove iPods and other devices from their luggage [2]. Strangely this has been interpreted by some people to mean that the TSA won’t be stealing data and hardware from travellers. I’m sure that if the TSA was going to stop searching laptop hard drives and confiscating laptops then they would have announced it.

From now on I will avoid entering US territory (even for connecting flights), except in the unlikely event that someone pays me an unreasonably large amount of money such that I am prepared to travel without electronic gear.

I know that some people in the US won’t like this (some people flip out when anything resembling a Boycott is mentioned). I am not Boycotting the US, merely avoiding bandits. If the fear of bandits hurts your business then you need to get a law enforcement system that can deal with the problem.

On a related note, check out the TSA Gangstaz [3] video, funny.

Related posts:

  1. laptop security on planes There has been a lot of discussion recently about how...
March 13th, 2008 | Tags: | Category: Terrorism | 18 comments - (Comments are closed)

Links March 2008

Dan Bernstein wrote an interesting paper about the security of Qmail [1]. Of particular interest to me are the sections about things that might do differently if he was to do it again and the mentions of language features for security. Bruce Schneier has some interesting comments about this [2].

Interesting paper by Jessica Walpaw Reyes about the link between lead in petrol and crime [3]. The research indicates that “the reduction in childhood lead exposure in the late 1970s and early 1980s is responsible for significant declines in violent crime in the 1990s, and may cause further declines into the future“. It makes me wonder about what other health measures could be used to reduce crime.

Paul Wayper writes about a wax that is used in both floor and car polish as well as food [4].

The Australia Institute [5] has some interesting papers. Here’s a PDF about over-consumption in Australia [6]. It states that 46% of people who have household incomes greater than $70,000 say that they can’t buy everything that they really need. It uses the term affluenza to describe the tendency of middle-class people to try and emulate the life-styles of the rich. I wonder whether Gear Acquisition Syndrome [7] is related to this.

The site Unbelief.org – exposing the religious “right” in Australia [8] has some interesting information. I didn’t realise that the problem was so bad here.

Related posts:

  1. Links November 2007 The web site www.CheatNeutral.com offers cheaters the possibility of paying...
  2. Gear Acquisition Syndrome I have just read an interesting post about Gear Acquisition...
  3. Porn vs Rape Chris Samuel blogs about a plan to censor porn from...
  4. LCA 2008 Security Miniconf Today I gave a talk about Debian security at the...
  5. Other Planet LCA 2008 The Planet installation for the Linux.Conf.Au (the main Linux conference...
March 4th, 2008 | Category: Links | 5 comments - (Comments are closed)
« Newer Entries  
  Older Entries »