Security Blogging Contest

It seems that my blogging contest idea is a failure. Could the interested people please meet me near the LCA registration desk at the start of the lunch break today for a post-mortem.

Any last-minute entries can be submitted by telling me the URL then.

Free Textbooks

I am going to make some suggestions to a company that might possibly sponsor development of free electronic text books for schools (suitable for running on an OLPC machine).

I would appreciate any suggestions for things I should include. I will make my suggestions as a blog post summarising all input I receive and send the URL to the company in question.

Suse and LCA

I previously wrote about how I gave a talk about SE Linux at a conference spot when a talk about AppArmor was scheduled. It turned out that the Suse people had notified the LCA people some time in advance about the fact that John would not be attending the conference. The LCA people had removed the entries from their databases and when the conference schedule was printed it had no reference to such a talk.

The problem occurred when another tutorial (which had occupied the slot that was previously assigned to John) was moved to a different part of the schedule. For some reason the CMS that they use did not leave the slot in question empty but instead restored earlier contents (which was the Suse tutorial). No-one at LCA noticed this error and from that time on the web page generated by the CMS was used as the authoritative source of information about the issue by delegates and most of the LCA team.

My LCA Talk

Last year at LCA Crispin Cowan suggested to me that I make a joint offer of a combined tutorial on SE Linux and AppArmor as a way of publicly comparing the two technologies. I ended up not accepting the challenge; among other things, I had a long-term project going into production in early December that needed some ongoing support.

Crispin’s plan B was to just give a lecture about AppArmor. Recently Crispin joined Microsoft [1] and John Johansen of Suse was going to give the talk in his place. The LCA people made a minor mistake by having the conference web site give the description of the tutorial option [2] (which I don’t believe was ever going to happen as I had not accepted the offer), but it’s easy to understand the webmaster copying the wrong description when the one person makes two offers (which I believe is not a common practice).

So this morning I and about 150 other people were waiting in the main lecture theatre and no-one from Suse turned up.

Being fairly audacious, when the announcement was made that the event was officially cancelled I stood up and asked if anyone would like an impromptu talk about SE Linux instead. The audience received that idea quite well.

My talk wasn’t as good as I had hoped; not having had a proper breakfast or any caffeinated drinks reduced my mental stack space. So I could talk well on one topic, but when questions diverted me to a side topic I found it difficult to remember the previous point I was making. Fortunately, when giving an impromptu talk with no notes or presentation materials the audience expectations for a consistent plan of the talk seem reasonably low. ;)

I started by talking about my SE Linux Play Machines. Some of that material had been covered in previous talks at other conferences (such as at a previous SE Linux Symposium), but some things (such as my use of Xen) I had not previously covered, and none of it had been mentioned in a talk in Australia for a while. Having given an hour-long talk about SE Linux yesterday to an audience with many of the same members, I wanted to start by talking about something that they hadn’t heard before, and I was also wearing a Play Machine T-shirt (with the root password printed on it) [4]. After I finished talking about my Play Machines and started covering some of the same material as yesterday about a quarter of the audience left (which was fair enough).

I then spoke about general SE Linux issues, largely in response to questions. I covered the differences between the policies (including the history of policy development), the JFFS2 XATTR development (and how SE Linux couldn’t be used on an iPaQ without it), issues of disk space usage for XATTRs for SE Linux labelling on various filesystems and how it drives the use of context mount options, poly-instantiated directories (including some discussion on how the actual storage location for such directories can be on a different filesystem and how this could be convenient when using encrypted filesystems), how Apache/PHP work in a SE Linux environment, and a lot more.

I couldn’t resist mentioning to the audience the irony that I had declined a challenge for a joint presentation and then got a sole presenter spot (and a large audience) due to the Suse guy not showing up.

For future situations I plan to load lecture notes from all my common talks on my iPaQ. Then next time I have such a speaking opportunity I can give a better prepared talk.

Update: It turned out that the LCA people had been informed that the Suse talk was cancelled and had made a mistake, see this link for details.

Talking Fast

My previous post about my LCA mini-conf talk received an interesting comment from Christopher Neugebauer.

He said that he had some trouble understanding me because I speak quickly. He wasn’t the first person to make that complaint (it’s the most common complaint I receive). If a talk goes well then I have a lot to say and little time to say it, and I end up speaking quickly if I don’t concentrate enough on speaking slowly. If a talk doesn’t go well then I get nervous and speak quickly.

When a speaker talks too quickly it is appropriate to call out a request for them to speak more slowly. I know I’m not the only person who has difficulty in speaking slowly enough and I expect that others also wouldn’t mind such requests from the audience.

Chris suggested giving a talk with a small number of words used on the projector. It’s an interesting idea and may be worth a try. However, I have recently watched Lawrence Lessig’s talk published on TED.com [1], which used that technique, and I was disappointed in the result. His talk appeared to be very well received by the audience; I’m not sure whether that is because the audience was less familiar with his ideas than I am or whether it’s a technique that works better for an audience than for a video.

I would appreciate further suggestions in this regard.

Update: It’s interesting to note that Bruce Schneier’s keynote for LCA had no presentation material, he spoke from written notes.

Change of Rules for the Blogging Contest

Due to the lack of entries so far I am amending the rules. It is no longer required that an entry be on the blog of the person who submitted it. Being on any blog that is aggregated by the conference Planet will do.

This is known as a “guest post”. All it requires is that you email the post content to a blogger who you trust and they post it crediting you as the author. Guest posts are fairly common among serious bloggers; a Google search will surely give more information.

LCA 2008 Security Miniconf

Today I gave a talk about Debian security at the security mini-conf of LCA.

Before I started the talk I asked for suggestions as to how to get more entries in my security blogging contest [0]. During the talk I asked for suggestions as to how to get more people involved in security development. One suggestion was to offer incentives. I’m experimenting with that with my blogging contest and may do future variations of the same thing.

I started with describing some of the history of security in Debian (primarily things that involved me in some way):

In 2003 I suggested that exec-shield be a standard feature in Debian kernel images [1]. I created a kernel-patch-exec-shield package in 2003 and Marcus Better took it over in 2004. We are hoping to get it included in Lenny. AMD64 architecture doesn’t need exec-shield as the CPU has separate write and execute bits in the page table, but it would be nice to get exec-shield included before the last P4 machine gets decommissioned.

A presentation at the security miniconf at LCA 2005 on the topic of stack smashing is interesting [2]. At the time Adamantix was a distribution based on Debian which used PaX (similar to exec-shield). Adamantix has gone away. Hardened Gentoo has been available with PaX for all this time (but is not widely used). RHEL and Fedora have been available for all this time with exec-shield…

In mid 2002 I demonstrated the first SE Linux Play Machine at a conference in Germany. It was fully operational with root as the guest user. At that time SE Linux support in Debian was essentially complete. Since that time the scope of the SE Linux project has increased slightly (EG controlling DBUS access) so the amount of work required for full support is greater. Most of that support is in Debian and Etch is basically working with SE Linux (although not quite as well as it was in 2002 due to lack of support for the strict policy). The aim is to have Lenny SE Linux become as functional as SE Linux in Fedora Core 5. While FC5 has more SE Linux features than the SE Linux project supported in 2002 it’s still a great disappointment that it’s taken so long.

FC5 had pam_namespace to polyinstantiate directories such as /tmp. Lenny will hopefully have it.

I described the current status:

The hardening-wrapper package in unstable allows environment variables starting with DEB_BUILD_HARDENING_ to be used to control execution of GCC. Documented on the Debian Hardening Wikipedia page [3]. It’s still a little experimental and may change in the near future, but it works.

Lucas Nussbaum is working on automatically building Debian packages with warnings for security related issues. The aim is to build all packages and maintain a central location for the logs to allow DDs to find and fix the problems in their packages.

The Alioth Hardening project [4] will hopefully get some action soon (the people involved are busy doing work but not updating the project). The current plan is to base the Debian Hardening work around it.

SE Linux in Debian is something that I want to get working correctly. There are still some significant issues that make strict policy unusable (such as correct labelling of /etc/passwd) as of last time I tested it.

Finally I described the future plans. There were many questions about usability features for SE Linux, I mentioned in concept the features that Red Hat and Tresys people are developing (which I often don’t use as I prefer vi for policy editing).

There were some questions about how SE Linux works. More than half the audience indicated that they had used it, so I assumed some basic knowledge of SE Linux when describing how SE Linux works in regard to minimum privilege and the benefits of MAC in terms of limiting the scope of attack. I noted that every program has bugs, and every program which performs security related tasks (which includes serving data to the net without being owned) should be assumed to inevitably have security related bugs (see The Inevitability of Failure paper []).

Based on the Twilight of the Books [5] article I decided to give this talk with no slides as an experiment. I talked from notes that I wrote and advised the delegates to read my blog for the details. Not presenting any slides meant that the room lights were all left on, which made things much easier when answering the many questions (I prefer an interactive format to my talks and have more questions than most speakers). It will be interesting to get some feedback from delegates about how they regarded this.

Write Intent Bitmaps

When previously writing about how I partition disks [1] I mentioned that I use smaller RAID partitions than the maximum size to reduce reconstruction time in the event of a crash.

Linux software RAID has a feature known as write intent bitmaps which means that every time some data is about to be written the region of the RAID array is marked as dirty. Then after a power failure all that needs to be done to ensure that all disks in the array have matching data is to check the regions that are listed as dirty not the entire disk. So instead of spending an hour or more checking the data there would only be a few seconds of work required.

To enable this feature you use the mdadm option -binternal (for an internal bitmap – most people would never want an external bitmap). This can be done at array creation time or at any other time via the grow option. For example if you want to enable this feature on /dev/md0 then you would use the command mdadm -G /dev/md0 -binternal.

Here is an example of /proc/mdstat when it’s not enabled:

Personalities : [raid1]
md1 : active raid1 hda2[0] hdb2[1]
      38981632 blocks [2/2] [UU]

md0 : active raid1 hda1[0] hdb1[1]
      96256 blocks [2/2] [UU]

Here is the same system with the feature enabled:

Personalities : [raid1]
md1 : active raid1 hda2[0] hdb2[1]
      38981632 blocks [2/2] [UU]
      bitmap: 3/149 pages [12KB], 128KB chunk

md0 : active raid1 hda1[0] hdb1[1]
      96256 blocks [2/2] [UU]
      bitmap: 0/12 pages [0KB], 4KB chunk

The down-side to this feature is that it will slightly reduce performance. But when comparing the possibility of a few percent performance loss all the time and the possibility of a massive performance loss for an hour or two after a crash it seems that losing a few percent all the time is almost always the desired option.
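As an added example (not part of the original post), here is a small POSIX shell script that audits a /proc/mdstat listing for arrays that have no "bitmap:" line, and prints the mdadm -G command from the post for each one so an administrator can review and apply it. The mdstat text embedded in the script is a constructed sample modelled on the listings above (md1 without a bitmap, md0 with one); on a real system you would pass "$(cat /proc/mdstat)" instead. The function names are my own, and the script only prints the commands rather than running them.

```shell
#!/bin/sh
# Added example: find md arrays without a write-intent bitmap and suggest
# the "mdadm -G /dev/mdN -binternal" command from the post for each.

# Constructed sample /proc/mdstat text: md1 lacks a bitmap, md0 has one.
SAMPLE_MDSTAT='Personalities : [raid1]
md1 : active raid1 hda2[0] hdb2[1]
      38981632 blocks [2/2] [UU]

md0 : active raid1 hda1[0] hdb1[1]
      96256 blocks [2/2] [UU]
      bitmap: 0/12 pages [0KB], 4KB chunk

unused devices: <none>'

# Print, one per line, the names of arrays whose stanza has no "bitmap:" line.
# The mdstat text is taken from the first argument.
arrays_without_bitmap() {
    printf '%s\n' "$1" | awk '
        # A line such as "md1 : active raid1 ..." starts a new array stanza;
        # report the previous array if it never showed a bitmap line.
        /^md[0-9]+ : / {
            if (name != "" && !has_bitmap) print name
            name = $1; has_bitmap = 0
            next
        }
        /^[[:space:]]*bitmap:/ { has_bitmap = 1 }
        END { if (name != "" && !has_bitmap) print name }
    '
}

# For each array without a bitmap, print the command (as given in the post)
# that would enable an internal bitmap. Only printed, never executed here.
suggest_bitmap_commands() {
    arrays_without_bitmap "$1" | while read -r md; do
        printf 'mdadm -G /dev/%s -binternal\n' "$md"
    done
}

# Demonstration on the constructed sample; expected output:
# mdadm -G /dev/md1 -binternal
suggest_bitmap_commands "$SAMPLE_MDSTAT"
```

Replacing the sample with "$(cat /proc/mdstat)" turns this into a quick post-install check that no array was left without a bitmap, which is the situation that causes the hour-long resync after a crash that the post describes.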

Other Planet LCA 2008

The Planet installation for Linux.Conf.Au (the main Linux conference in Australia and one of the biggest and best Linux conferences in the world) is designed to only syndicate posts about the conference. I think that this is a bad idea: people who attend the conference actually see things and don’t have a great need to read blog posts about the conference. I believe that the benefit in having a Planet installation related to a conference is to allow delegates to easily read the blogs of other delegates. Then they can track down the bloggers if they want to discuss the blogs, or add them to their favourite feed reader so they can continue reading after the conference.

So I created my own Planet for it [1]. I started the installation with a feed from the official Planet LCA 2008 [2], then added the full feeds for people who appear to only have a partial feed aggregated on the official Planet. I also added Bruce Schneier’s Cryptogram [3] blog (Bruce is the opening keynote speaker for the conference).

If you have a partial feed of your blog syndicated on Planet LCA 2008 then please let me know so I can syndicate your blog’s full feed.

Update:
Atom feed of my Planet [4].
RSS 2.0 feed of my Planet [5].

Organic Food in Melbourne

Yesterday when walking down Flinders St I noticed that a new store has opened up selling organic food. It’s Flinders Organics and the address is 260 Flinders St Melbourne VIC 3000 (just across the road from Flinders St Station, not far from the Swanston St intersection). I bought some fruit, some Green and Black organic hot-chocolate powder (recently I’ve been making hot chocolate with Green and Black dark chocolate – the milk needs to be heated a lot and some stirring is needed – it is easier with powder) and some fruit juice. The fruit juice was good, one litre for about $4.50 which is significantly cheaper than any of the juice-bars which offer freshly squeezed juice (but not organic). Being sold in a bottle that can be re-sealed meant that I could carry it around the city and drink some whenever I was thirsty.

People who are attending LCA might want to keep this in mind, both for food that they want to prepare themselves (EG making sandwiches in their hotel room) and for take-away stuff such as bottled juice. The location is almost within walking distance of the conference.