a good security design for an office

day 32 of the beard

One issue that is rarely considered is how to deal with office break-ins for the purpose of espionage. I believe that this issue has been solved reasonably well for military systems, but many of the military solutions do not apply well to civilian systems – particularly the use of scary dudes with guns. Also most office environments don’t have the budget for any serious security, so we want to improve things a bit without extra cost. Finally the police aren’t interested in crimes where an office is burgled for small amounts of cash and items of minor value, it gets lost in the noise of junky burglaries, so prevention is the only option.

Having heard more information about such break-ins than I can report, I’ll note a few things that can be done to improve the situation – some of which I’ve implemented in production.

The most obvious threat model is theft of hard drives. The solution to this is to encrypt all data on the drives. The first level of this is to simply encrypt the partitions used for data; support for this is available in Fedora Core 6 and has been in Debian for some time. The more difficult feature is encrypting the root filesystem, which means that important system files such as /etc/shadow are encrypted. Also if the root filesystem is encrypted then an attacker can’t trivially subvert the system by replacing binaries. An unencrypted root filesystem on a machine that is left turned off overnight (or for which an unexpected reboot won’t be treated seriously) allows an attacker to remove the drive, replace important system files and then re-install it. If the machine is booted from removable media (e.g. a USB key) which contains the kernel and the key for decrypting the root filesystem then such attacks are not possible. Debian/unstable supports an encrypted root filesystem, but last time I tried the installer there did not appear to be any good support for booting from USB (but given the flexibility of the installer I think it’s within the range of the available configuration options). I have run Fedora systems with an encrypted root filesystem for a few years, but I had to do some gross hacks that were not of a quality that would be accepted. With the recent addition of support for encrypted filesystems in Fedora it seems likely that some such patches could be accepted; I would be happy to share my work with anyone who wants to do the extra work to make it acceptable for Fedora.

Once the data is encrypted on disk the next thing you want to do is to make the machines as secure as possible. This means keeping up to date with security patches even on internal networks. I think that a viable attack method is to install a small VIA based system in the switch cabinet (no-one looks for new equipment appearing without explanation) that sniffs an internal (and therefore trusted) network and proxies it to a public network. This isn’t just an issue of securing applications, it also means avoiding insecure protocols such as NFS and AoE for data that is important for your secrecy or system integrity.

An option for using NFS is to encrypt it with IPSEC or similar technology. AoE can be encrypted with cryptsetup in the same way as you encrypt hard drive partitions, it doesn’t use IP so IPSEC won’t work but it is a regular block device so anything that encrypts block devices will work. I have been wondering about how well replay attacks might work on an encrypted AoE or iSCSI device.

Security technologies such as SE Linux are good to have as well. An attacker who knows that a server has encrypted hard drives might try cracking it instead. A thief who has stolen a laptop and knows that it has an encrypted drive can keep it running until future vulnerabilities are discovered in any daemons that accept data from the network (of course if you have enough technology you could sniff the necessary data from the system bus and from RAM while it’s running – but most attackers won’t have such resources). I have considered running a program on my laptop that would shut it down if for a period of 48 hours I didn’t log in or un-blank the screen; that would mean that if it was stolen then the thief would have 48 hours to try and crack it.

Prevent access to some hardware that you don’t need. If you allow the system to load all USB drivers then maybe a bug in such a driver could be exploited to crack it. Remember that in a default configuration USB drivers will be loaded when a device is inserted (which is under control of an attacker) and the driver will use data from the attacker’s hardware (data of low integrity being accessed by code that has ultimate privilege). Turning off all USB access is an option that I have implemented in the past. I have not figured out a convenient way of disabling all USB modules other than the few that I need; I have considered writing a shell script to delete the unwanted modules that I can run after upgrading my kernel package.
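As an added example (not a script from the original post), here is one way of doing the "disable everything except the few USB modules I need" step without deleting files from the kernel package: generate modprobe configuration that neutralises every module under the USB driver tree except an allowlist. It assumes the standard /lib/modules/VERSION/kernel/drivers/usb layout, that modprobe honours install lines, and that the output is saved under /etc/modprobe.d/; the default allowlist (usbcore usbhid) is my assumption, not the author's.

```shell
#!/bin/sh
# Added example, not the author's script. Generates modprobe configuration that
# stops every USB module in a kernel's module tree from loading, except those
# on an allowlist, so a newly inserted device cannot pull in an unreviewed
# driver. Re-run after each kernel upgrade and save the output under
# /etc/modprobe.d/ (assumed, but standard, location).
#
# Assumptions: modules live under $MODDIR/kernel/drivers/usb (the usual layout)
# and modprobe honours "install <module> /bin/true", which makes an explicit
# modprobe of that module a no-op as well as blocking autoload on insertion.

# List USB module names (no path, no .ko/.ko.gz suffix), with '-' folded to
# '_' because modprobe treats the two spellings as the same module name.
usb_modules() {
    find "$1/kernel/drivers/usb" \( -name '*.ko' -o -name '*.ko.gz' \) 2>/dev/null \
        | sed -e 's#.*/##' -e 's/\.ko.*$//' | tr '-' '_' | sort
}

# Emit one "install <mod> /bin/true" line per USB module not in the allowlist.
# $1 = module directory, $2 = space separated allowlist of module names.
gen_usb_blacklist() {
    moddir=$1
    allow=$(printf ' %s ' "$2" | tr '-' '_')
    usb_modules "$moddir" | while read -r mod; do
        case "$allow" in
            *" $mod "*) ;;                                   # allowed: keep loadable
            *) printf 'install %s /bin/true\n' "$mod" ;;     # everything else: blocked
        esac
    done
}

# When run directly: first argument is the module directory (defaults to the
# running kernel's), second is the allowlist (default is an assumption: USB
# core plus the HID driver for keyboards and mice).
if [ $# -gt 0 ] || [ -d "/lib/modules/$(uname -r)" ]; then
    gen_usb_blacklist "${1:-/lib/modules/$(uname -r)}" "${2:-usbcore usbhid}"
fi
```

Review the generated file before installing it; a module the allowlist misses (a USB network card on a server, for instance) will silently stop working at the next boot.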

Once these things have been done the next issue is securing hardware. Devices to monitor keyboard presses have been used to steal passwords. The only solution I can imagine for this is to use laptops on people’s desks and then store them in a safe overnight, unfortunately laptops are still quite a bit more expensive than desktop machines and consequently they are mostly used as status symbols in offices. Please let me know if you have a better idea for solving the key-logging problem.

For servers there is also a problem with keyboard sniffing. Maybe storing the server’s keyboard in a safe would be a good idea.

Security monitoring systems are a good idea, unfortunately they can be extremely expensive. There has already been at least one recorded case of a webcam being used to catch a burglar. I believe that this has a lot of potential. Get a webcam server set up with some USB hubs and cameras and you can monitor a small office from all angles. When the office is empty you can have it GPG encrypt pictures and send them off-site for review in the case of burglary. You could also brick the server into a wall (or make it extremely physically secure in other ways) so that the full photo record would be available in the case of damaged phone lines, and to give more pictures than the upload bandwidth of an ADSL link would allow (512Kb/s doesn’t allow uploading many pictures – nowhere near the capacity of a few high-resolution web-cams).

This is just a few random thoughts, some things I’ve done, some things I plan to do, and some that just sound like fun. I expect comments telling me that I have missed some things. I may end up writing a series of articles on this topic.

PS I’ve uploaded day 32 of the beard (which was taken yesterday). Last night at a LUV meeting I was asked to stand in front of the audience to show them my beard. I had imagined that they might have seen it enough through my blog, but apparently not.

review of Australian car web sites

It seems that Toyota isn’t alone in having non-functional web sites. In fact it’s better than some, the basic information on the cars is available and it is possible to get contact information for car dealers, also they have a feed-back form on their web site (to which I submitted my previous blog post). Incidentally the Lexus site had much the same problem as the Toyota site (hardly surprising as Lexus is the luxury marque from Toyota). But I expect that if I phoned Lexus to ask about their vehicles I would get a better call-center experience which would make me less inclined to blog about them.

Daihatsu vehicles are sold by Toyota. Their web site doesn’t use Flash, but it has so little content that it doesn’t count.

I decided to quickly review the web sites of car manufacturers that sell in Australia for a fair comparison. I found three sites worse than Toyota, two sites that were equal (counting Lexus), and six that were better than it.

Holden has the worst site, they don’t display any information if you don’t have flash, they don’t even display a phone number! I wonder how much Adobe pays web programmers to pull this sort of stunt. I can’t imagine Holden management saying “if a customer comes to our web site and doesn’t have Flash then don’t display our phone number or any other contact information, they can use Flash or buy a Ford instead”. Obviously some web monkey has run amok and done their own thing without following directions. Probably some people need to be sacked in the Holden web development group.

Volvo Cars has a very bad site. Most of the content is involved with Flash in some way and refuses to load. There is a mailto reference that is broken, and the overview page for the S60 seems to have a JavaScript loop (I aborted the load after it loaded 245 pictures and was still going). The Volvo page for their other business is quite functional although minimal.

Hyundai has a bad site. The front page works OK, but some of the sub-sites to display information on vehicles redirect to sites such as evolveddriving.com.au which are “optimised for 1024×768” and require Flash and Quicktime while others do strange things like changing the size of the browser window. Overall it’s a very bad site, but at least I could find the contact details for my nearest dealer, and it has a feedback form.

Subaru has an OK site. The only thing I couldn’t access without Flash is information on their AWD (All Wheel Drive) technology. Unfortunately they provide no email address and no form for sending feedback.

The main Ford web page claims that Flash is required, but their site just works without it. In a quick test I was unable to find any functionality on the Ford site that is missing because of not having Flash. Ford have a well designed site.

The Volkswagen site makes no mention of the fact that I don’t use Flash, it does however have some strange unused spaces in the middle of the screen. I guess that it recognised that I don’t have Flash and made a semi-successful attempt to work around it. I could get all information I wanted including dealer contact details.

The main Mazda web page displays a message about Flash not being installed and offers a link to a non-Flash version of the site. The Flash section is at the center and the buttons at the sides work if you don’t have Flash. This seems to be a well implemented site.

Citroen has an OK site, no flash that I noticed (although there were large blank areas on the screen at times indicating that something was missing), the information was all available and browsing was reasonably easy. One thing that annoyed me was that there were movies available but only through some sort of JavaScript that tried to play them in my browser. I have never bothered setting up my web browsing machine for playing movies (among other things it has no speakers) so this is a problem for me.

Peugeot has a good site. No apparent flash and it’s reasonably easy to use. It has more pictures than Kia but the JavaScript navigation stuff is fancy. One nice feature is a single page with pricing summaries for all models. If you have $X to spend on a Peugeot you will easily discover which ones you can afford.

Kia has the best site I saw! Not only is there no flash, but it’s well designed, easy to navigate and it loads quite quickly. Please review the Kia site as an example of how to do it properly!

Let me know if I’ve missed any makes and I’ll post an update.

SAK, ctrl-alt-del, and Linux keyboard mapping

A common problem with Linux systems is when Windows users press CTRL-ALT-DEL at the login prompt and reboot the machine.

To fix this some people change the line starting with ca (the ctrlaltdel action) in /etc/inittab to just disable the reboot function. However this is not desirable because sometimes you want to reboot a machine with a simple keypress.

Another problem that has not been widely considered is the use of fake login prompts by attackers. This can be implemented in either text mode or graphics mode. All the fake login prompt has to do is display something that looks like a real login prompt, accept a user-name and password, verify the password (a localhost ssh connection is a good way of doing this) and then abort. In the case of a text-mode login the user will think that they entered the wrong password, in the case of a GUI login via an XDM program the user will think that the login program just crashed. Then the attacker has access to their account.

The solution to the fake-login problem is the use of the Secure Attention Key (SAK) feature. When invoked, this feature makes the kernel kill all processes that are on the virtual console in question. If you make CTRL-ALT-DEL the SAK combination then pressing those keys will cause the kernel to kill any processes that are attached to the current virtual console, which prevents hostile programs from forging a login prompt (the same as its purpose in Windows).

The next thing to do is to make another combination used for system boot. A reasonable combination seems to be CTRL-ALT-BREAK as those keys are widely separated and the combination is not used for anything else.

If you put the following in a file named sak.map (or whatever you want to call it) then the command loadkeys sak.map will apply the change. Note that when creating a keyboard map you should do it on a machine for which you don’t mind being forced to perform a hardware reboot; it’s easy to make a mistake and give yourself a keyboard mapping that is not usable. Another possibility is to do such testing on a machine that allows ssh logins; you can then log in via ssh and run loadkeys -d to correct any errors you might make.

control alt keycode 119 = Boot
control alt keycode 83 = SAK
control alt keycode 111 = SAK
control altgr keycode 119 = Boot
control altgr keycode 83 = SAK
control altgr keycode 111 = SAK

Note that the above covers both ALT and ALT-Gr keys as well as the numeric keypad and regular versions of the delete key.

dumpkeys -l gives you a list of all possible keyboard combinations. showkey will display the number matching any key you press and will exit after 10 seconds of inactivity.
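A small added helper (not from the original post) for the "don't lock yourself out while testing a keymap" problem above: it loads the map and starts a background job that reverts to the default map with loadkeys -d after a timeout, unless you confirm the new map by killing that job. The optional third argument substitutes the loader command so the logic can be exercised without a console; that argument and the 60 second default are my assumptions.

```shell
#!/bin/sh
# Added example, not the author's script: apply a console keymap with an
# automatic revert, so a mistake in the map cannot leave the console unusable
# for longer than the timeout (the same trick that is commonly used when
# changing firewall rules over a remote connection).
#
# $1 = keymap file, $2 = seconds before rollback (default 60),
# $3 = loader command (default loadkeys; a stub can be passed for testing).
# Prints the pid of the rollback job; "kill <pid>" keeps the new map.
apply_keymap_with_rollback() {
    map=$1
    timeout=${2:-60}
    loader=${3:-loadkeys}

    "$loader" "$map" || return 1
    # stdout/stderr are redirected so a caller using $(...) is not blocked
    # waiting for the background job to finish.
    (
        sleep "$timeout"
        "$loader" -d          # restore the default keymap: rollback
    ) >/dev/null 2>&1 &
    echo $!
}

# Usage when run directly: apply the map given as $1 (e.g. sak.map), then
# confirm it from another terminal or an ssh session before the timeout.
if [ $# -gt 0 ]; then
    pid=$(apply_keymap_with_rollback "$1" "${2:-60}") || exit 1
    echo "keymap loaded; run 'kill $pid' within ${2:-60}s to keep it"
fi
```

Killing the rollback job terminates the subshell before it reaches loadkeys -d, so the sleep it started is left to expire harmlessly.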

Ethernet bonding

Bonding is one of the terms used to describe multiple Ethernet cables used to form a single virtual network link. This can be done for performance or reliability.

Bonding for performance used to be common when 100baseT was the fastest network technology that was commonly available. In 1999 servers could usually sustain considerably more than 10MB/s so a single 100baseT network interface was a performance bottleneck. At that time I worked with Cisco switches and Solaris machines that had up to four 100baseT links bonded for performance.

Nowadays Gigabit Ethernet is commonly available, most laptops have Gigabit Ethernet on the motherboard. Gigabit PCI cards are as cheap as $35, and Gigabit switches can be purchased for as little as $139. Server hardware is a little more expensive, but it’s still quite cheap and commonly available.

Most people don’t need more than Gigabit speed, in fact most systems can not saturate a Gigabit link due to poor application design, a slow operating system, or slow disks used to provide the data. So at this time there is little need for bonded Gigabit networking for performance.

There is still the issue of reliability. Often you want to have two ethernet cards and cables configured so that if one breaks the network won’t go down.

One annoying thing about bonding in Linux (in 2.6.x kernels) is that the module has to be loaded separately for each bond interface, and the parameters for an interface can’t be changed without unloading and loading the driver (very painful if you log in to the machine via ssh over the bonded interface to do sys-admin work).

The parameters I have in /etc/modprobe.conf for bonding are:

alias bond0 bonding
options bond0 mode=1 arp_interval=500 arp_ip_target=192.168.0.1

This means that if there is no traffic on the link then every 500ms an ARP request will be sent for the address given as arp_ip_target (I used the address of my router but substituted a different value for this blog entry). An ARP request for a machine on the local LAN is a request that will always be satisfied if the machine in question and the network link are working.

The idea is that you have two switches and every computer that matters has two ethernet ports. If one port stops working (broken Ethernet card, cable, or router) then the other takes over.

The special file /proc/net/bonding/bond0 can be used to view the current configuration of the bond0 device.
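The thing that is easy to miss with a reliability bond is that the bond keeps working after one link dies, so nobody notices until the second one goes too. Here is an added example (not from the original post) of reading /proc/net/bonding/bond0 from a script so a cron job can warn when any slave is down; the sample file it falls back to is constructed to match the layout of that file on 2.6 kernels and uses the 192.168.0.1 ARP target from the configuration above.

```shell
#!/bin/sh
# Added example, not code from the original post: report the state of a bond
# from /proc/net/bonding/bondN and fail when any slave is down, even though
# the bond itself is still carrying traffic over the remaining link.

# Name of the slave currently carrying traffic.
bond_active_slave() {
    awk -F': ' '/^Currently Active Slave:/ { print $2 }' "$1"
}

# One line per slave: "<iface> <MII status> <link failure count>".
# The bond's own "MII Status" line comes before any "Slave Interface" line,
# so it is skipped because slave is still empty at that point.
bond_slave_status() {
    awk -F': ' '
        /^Slave Interface:/                     { slave = $2 }
        /^MII Status:/ && slave != ""           { status = $2 }
        /^Link Failure Count:/ && slave != ""   { print slave, status, $2 }
    ' "$1"
}

# Succeeds only if every slave reports "up"; the exit status is what a cron
# or monitoring job should act on.
bond_all_slaves_up() {
    bond_slave_status "$1" | awk '$2 != "up" { bad = 1 } END { exit bad }'
}

# Constructed sample of /proc/net/bonding/bond0 for an active-backup bond with
# ARP monitoring (mode=1, arp_interval=500), where eth1 has failed once.
SAMPLE_BOND=$(mktemp)
cat > "$SAMPLE_BOND" <<'EOF'
Ethernet Channel Bonding Driver: vX.Y.Z (constructed sample)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth0
MII Status: up
MII Polling Interval (ms): 0
Up Delay (ms): 0
Down Delay (ms): 0
ARP Polling Interval (ms): 500
ARP IP target/s: 192.168.0.1

Slave Interface: eth0
MII Status: up
Link Failure Count: 0
Permanent HW addr: xx:xx:xx:xx:xx:xx

Slave Interface: eth1
MII Status: down
Link Failure Count: 1
Permanent HW addr: xx:xx:xx:xx:xx:xx
EOF

# Check the real bond if present (or the file given as $1), else the sample.
BOND_FILE=${1:-/proc/net/bonding/bond0}
[ -r "$BOND_FILE" ] || BOND_FILE=$SAMPLE_BOND
echo "active slave: $(bond_active_slave "$BOND_FILE")"
bond_slave_status "$BOND_FILE"
bond_all_slaves_up "$BOND_FILE" || echo "WARNING: a bonded link is down ($BOND_FILE)"
```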

Below are sample configuration files for Fedora and Red Hat Enterprise Linux to configure bonding:

/etc/sysconfig/networking/devices/ifcfg-bond0:
DEVICE=bond0
IPADDR=192.168.0.2
NETMASK=255.255.255.0
NETWORK=192.168.0.0
BROADCAST=192.168.0.255
ONBOOT=yes
BOOTPROTO=static
# GATEWAY should be the IP address to ARP ping
GATEWAY=192.168.0.1
TYPE=Ethernet

/etc/sysconfig/networking/devices/ifcfg-eth0:
DEVICE=eth0
BOOTPROTO=none
HWADDR=xx:xx:xx:xx:xx:xx
ONBOOT=yes
SLAVE=yes
MASTER=bond0
TYPE=Ethernet

/etc/sysconfig/networking/devices/ifcfg-eth1:
DEVICE=eth1
BOOTPROTO=none
HWADDR=xx:xx:xx:xx:xx:xx
ONBOOT=yes
SLAVE=yes
MASTER=bond0
TYPE=Ethernet

Note that there is nothing preventing you from having more than two devices bonded together for reliability, but I doubt that you really need that.

Advice for speakers

I am not an expert at public speaking. Attending Toastmasters to improve my speaking skills is on my todo list. However having given hundreds of talks over the course of about 14 years and being paid for giving talks (the minimum criterion to claim to be a professional speaker) I think I can offer some useful advice, at least in regard to giving talks for free software audiences. I will cover some really basic things in this post, so experienced speakers will find some of them obvious.

The most important thing of course is to know your topic really well. You can skip every other piece of advice and still do reasonably well at any Linux Users Group meeting if you know your topic well enough. Of course if you want to talk at a conference then taking some of the following advice would be useful.

Record your talk, it is useful to review the recording to learn from mistakes. Don’t worry too much about saying “um” or other common speaking mistakes – it takes a lot of practice and effort to avoid such things. When recording your talk record it from the start of the introduction (you never know when the person introducing you will say something particularly flattering ;) until after you have left the podium. It’s not uncommon to have question time, to thank the audience for their attention after the questions, and to then have another round of 15 minutes of questions afterwards. The only time when you can confidently stop recording at the scheduled end of your talk is when there’s someone scheduled next.

For recording a talk an iRiver is a good device to use. An iRiver will create and play MP3 files, and it’s not particularly expensive nowadays. Apparently some of the newer iRivers are polluted by DRM, I haven’t verified this myself though.

After your talk review the MP3 you made as soon as possible. You will always find mistakes in such a review, don’t be concerned about minor ones (everyone makes small mistakes when on a podium, unless you are famous enough to get media interest a few small slips don’t matter). If you make a significant mistake or if you were unable to answer some questions then you can send email or make a blog post about it later. You probably won’t remember most of what happens during your talk so your recording is the only way to follow up on questions (if you tell someone in the audience to ask you a hard question via email they won’t do it).

Summarise all questions during the Q/A part of the talk. This means that everyone in the audience will know what was asked, and also your recording of the talk will have a copy (usually an iRiver mic doesn’t cover the audience).

Before giving a talk learn as much about the audience as possible, and feel free to ask for advice from people who know something about the audience and people who are experts on the topic. The most important thing to learn is the expected skill level of the audience including the range of skills. Often when giving a talk about a technical topic it’s impossible to make all people in the audience happy. You will have a choice between making things too simple and boring the most experienced people or explaining the technical details and having the less experienced people be unable to understand. Sometimes due to the combination of topic and audience you will get 10% of the audience walk out regardless of which choice you make. You can’t please everyone.

Caffeine can help you stay alert enough for a talk. In email and even in IRC there is time to stop and think. When giving a lecture to an audience answers are expected immediately. In the space of about 5 seconds you want to compose an answer for any question that gets thrown at you or determine that it’s something that needs more consideration and has to be answered via email.

One of the problems you face when giving a talk is going through the material too quickly because of being nervous. If you feel that happening to you then drinking some water or your favourite fizzy drink is a socially acceptable way of taking a few seconds to compose yourself. Asking for questions from the audience is another way of getting a talk back on track if you have started going through the material too fast. Also if you are in the audience and observe this happening then try and interject some questions to get things back on track, it doesn’t matter what the questions are, ask lame questions if necessary, anything to stop the talk from finishing too soon. I was once in the audience for a talk that was scheduled for 60 minutes and ended up taking about 5, it finished before I could even think of a question to ask. :(

I find that questions help to estimate how well the audience is following the presentation, and I prefer to take questions during my talk. Some people prefer to give a talk to a silent room and then take questions at the end. I think that preferences in that regard are determined by whether your speaking experience is based in universities that strictly enforce a code of conduct for lectures, or whether your speaking experience is based in LUGs where heckling from the audience is common.

Go to the toilet before giving a talk. Speaking for an audience is stressful and you never know when you might feel more nervous than usual. If you consume a caffeinated drink then you will have even more reason to go to the toilet before the talk. This is not a joke!

Having a copy of your presentation notes on a USB device (preferably in multiple formats) is handy. It’s also convenient to have the device formatted with the VFAT filesystem. One time I had a lot of hassle from a Linux conference (that I won’t identify) due to the fact that the organizers only used Linux for servers. They wanted to print my lecture notes for all members of the audience and were unable to get a Windows machine to read my ext3 formatted USB device and then had problems with the OpenOffice file.

All my advice in this post is based on personal experience. Don’t feel afraid about public speaking because of these things. Everyone makes mistakes when starting out and even experienced speakers have talks go wrong on occasion. Also keep in mind that a talk which seems to have failed when you are on the podium might get great reviews from the audience. The aim of a technical lecture is to impart information about the technology, you can achieve that aim even if you make some mistakes in the presentation.

PS Please give talks for your local LUG. They need speakers and it’s a good way of gaining speaking experience in a friendly environment. Remember, they heckle you because they like you. ;)

uplift

For a long time I’ve enjoyed reading books by David Brin. Not only does he have some good sci-fi ideas and a good writing style, but he’s also a cool guy when you meet him at a signing. One of the core concepts in a number of his books is the idea of uplift, whereby advanced races use a combination of breeding programs and genetic manipulation to raise animals to a similar level to humans in terms of intelligence and ability to use tools.

I believe that it’s a necessary step in the development of the human species to encounter other species as equals. It seems obvious that a person who was raised in isolation would not be able to reach their full potential (there are many examples of children being abandoned and living with animals, the results are not positive). It also seems obvious to me that a species that is raised in isolation without interacting with other equal species will also be unable to reach their full potential. I believe that the human race needs to meet with another species of an equal level as the next stage in the development of our civilization.

Given the lack of success of SETI programs it seems that uplifting a species such as dogs, monkeys, or dolphins is likely to give better results in this regard than trying to contact non-human intelligent creatures.

Dogs might be a good first choice for uplift because they are well domesticated, this means that you are permitted to own them in residential areas without a license and there are good veterinary services for them. A possible way of starting an uplift program would be for people around the world to buy dogs of some particular breeds and then measure them by some objective scales. There are intelligence tests for animals that could be applied to dogs, the ones that get the best scores would be permitted to breed. Also we would want to breed them for communication ability (the ability to talk) and dexterity (evolve their toes into fingers). The statistics of the dogs and their lineage (don’t want in-bred dogs) could be stored in a database and the breeding program could be done in an open-source manner over the net.

Most domesticated dogs are in-bred to some degree so we would want to cross-breed them to some extent. Poodles are reasonably intelligent and live for a long time so may be good for a start to this program, also blue-heelers, terriers, and labradors are reasonably smart and could be included.

common mistakes in presentations

I attend many presentations and have seen many that had a lower quality than they should have. Some things are difficult to change (for example I have difficulty speaking slowly). But there are some things that are easy to change that many people seem to get wrong and I will list some that stand out to me.

Unreadable presentation notes. You have to use a reasonably large font for it to be read by most people in the room. This means probably a maximum of about 16 lines of text on the screen. I have attended some presentations where I couldn’t read the text from the middle of the room!

Too many slides. On a few occasions I have heard people boasting about how many slides they are going to use. An average of more than one slide per minute does not mean that you have done a good talk, it may mean the exact opposite. One of my recent talks had 8 slides of main content plus an introductory slide while waiting for people to arrive and a Q/A slide with my email address and some URLs for the end. The speaking slot was 30 minutes giving an average of a slide every 3-4 minutes.

Paging through slides too quickly. If you have 60 slides for a one hour talk then you will have no possibility of going through them at a reasonable speed (see above). Even if you have a reasonable number of slides you may go through some of them too quickly. On one occasion a presentation included a slide with text that was too small to read, I tried to count the lines of text but only got to 30 before the presenter went to the next slide.

Using slides as reading material for after the lecture. Sure it can be useful for people to review your notes after the lecture, and it’s generally better to give them the notes than to have them be so busy writing notes that they miss something you say. But if you want to have something verbose and detailed that can’t be spoken about in the lecture then the thing to do is to write a paper for the delegates to read. Serious conferences have papers that they publish (minimum length is generally 4 solid A4 pages) which are presented by a talk of 30 to 60 minutes. That way people get a talk as an introduction and they get some serious reference material if they want to know more. Also people who miss the talk can read the paper and get much of the value. It is not possible for slides to take the place of a paper.

Bad diagrams. Diagrams should be really simple (see the paragraph about readable text). It is OK to have diagrams that don’t stand alone and need to be described, a lecture is primarily about talking not showing pictures.

When simplifying diagrams make sure that they still represent what actually happens. Simplifying diagrams such that they don’t match what you are talking about doesn’t help.

Animations. The only thing that is animated in the front of the room should be the person giving the presentation. Otherwise just do the entire thing in flash, publish it on the web, and don’t bother giving a talk.

Staged content, particularly when used as a surprise. Having a line of text appear with every click of the mouse forces the audience to stay with you every step of the way. This may work for primary school students but does not work for an intelligent audience. Give them a screen full at a time and let them read it in any order that they like. This is worst when someone tries to surprise the audience with a punchy line at the end of every paragraph. Surprising the audience once per talk is difficult. Trying to do it every paragraph is just annoying.

One final tip that isn’t as serious, but which is not obvious enough to go without a mention. Use black text on a white background; this gives good contrast that can be seen regardless of color-blindness, and with the bright background the room is lit up even if all the lights are off. The audience wants to see you and sometimes this is only possible by projector light. Also the more light that comes out of the projector the less heat that builds up inside; it can really mess up a presentation if the projector overheats.

fair trade is the Linux way

I have recently purchased a large quantity of fair trade chocolate. Fair trade means that the people who produce the products will be paid a fair price for their products which will enable them to send their children to school, pay for adequate health-care, etc. Paying a small price premium on products such as coffee and chocolate usually makes no notable difference to the living expenses of someone in a first-world country such as Australia, but can make a huge difference to the standard of living of the people who produce the products. Also fair-trade products are generally of a very high quality, you are paying for the best quality as well as the best conditions of the workers.

I will share this chocolate at the next LUV meeting, hopefully the people who attend will agree that the chocolate is both of a high quality as well as being good in principle and that they will want to buy it too.

The Fair Trade chocolate I bought cost $6.95 per 100g. I went to Safeway (local bulk food store with low prices) to get prices on other chocolate to compare. Lindt (cheaper Swiss chocolate) costs $3.09 per 100g and has a special of $2.54. The Lindt and the Fair Trade chocolate are both 70%, but the Fair Trade chocolate is significantly smoother, has a slightly better aroma, and a better after-taste. So the Fair Trade chocolate costs slightly more than twice as much as Lindt, but I believe that it has a quality to match the price. Then I compared the price of a cheap chocolate, Cadbury Old Gold chocolate is also 70% cocoa and costs $4.29 for 220g, this makes it between 3.5 and 4.4 times cheaper than the Fair Trade chocolate. But if you like chocolate then Cadbury products probably aren’t on the shopping list anyway. I believe that the Fair Trade chocolate I bought can be justified on the basis of flavor alone without regard to the ethical issues.

All Linux users know what it’s like to have their quality of life restricted by an oppressive monopoly. We are fortunate in that it only affects us in small ways, not in our ability to purchase adequate food and health care. As we oppose software monopolies that hurt us in the computer industry we must also oppose monopolies in the food industry that hurt people in third-world countries. The fair trade programs are the best way I know of doing that. Hopefully after tasting the chocolate many LUV members will want to buy it too.

invasive vs inconvenient security

The recent news from the UK gives us an example of invasive security. Preventing passengers from carrying any hand luggage (even wallets) and frisking all of them is the type of treatment you expect for criminals and visitors to maximum security prisons. It’s not what you expect for people who are involved in routine (or what used to be routine) travel.

The security measures offered by SE Linux are sometimes described as invasive. I don’t believe that this is an accurate description. I admit that sometimes minor tweaks are required (such as setting the correct context of a file). But for most users (corporate users and typical home users) the distribution takes care of all this for them. A default Fedora install should just work for the typical home user and a default Red Hat Enterprise Linux install should just work for the corporate user.

The main reason that it’s so easy to use is that in the targeted policy the default domain for user sessions, and for daemons that are not specifically configured in the security policy, is unconfined_t. This means that programs for which there is no policy and programs run from a user session are effectively not restricted by SE Linux access controls. The default configuration of SE Linux only restricts programs that are known to be at risk, mostly network-facing daemons.

The most common case of SE Linux access controls causing inconvenience is the policy for Apache (the daemon with the most configuration options). There is a set of configuration options (known as booleans) that can be used to determine which aspects of Apache will be confined; generally it only takes a few minutes to read the denial messages in the audit log, determine which boolean covers the desired operation, and set it.
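The few minutes of work described above are mostly reading AVC denial records and matching them to a boolean. The following script is an added example, not code from the original post: it parses the key=value fields of an AVC record, checks that the source domain is httpd_t, and maps the denied access to one of two standard targeted-policy booleans (httpd_can_network_connect and httpd_enable_homedirs). The mapping table, the helper names and the three log records are constructed for illustration; any denial that does not match a boolean is reported as something to investigate rather than allowed.

```shell
#!/bin/sh
# Added example (not from the original post): triage SELinux AVC denials
# for Apache and suggest the boolean that would permit the access.
# The AVC records below are constructed samples, not from a real system.

# Pull one key=value field out of an AVC record; fails if the key is absent.
avc_field() {
    v=$(printf '%s\n' "$1" | sed -n "s/.* $2=\([^ ]*\).*/\1/p")
    [ -n "$v" ] && printf '%s\n' "$v"
}

# A context string is user:role:type[:level]; the third field is the type.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# First permission listed inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([a-z_]*\).*/\1/p'
}

# Map an httpd_t denial to a boolean. Prints nothing and returns 1 when
# no boolean covers it; that is the signal to look at the record with
# audit2allow and write a small local policy module instead of
# loosening Apache further.
suggest_httpd_boolean() {
    rec=$1
    src=$(avc_field "$rec" scontext) || return 1
    [ "$(ctx_type "$src")" = httpd_t ] || return 1
    tgt=$(ctx_type "$(avc_field "$rec" tcontext)")
    cls=$(avc_field "$rec" tclass) || return 1
    case "$cls/$tgt/$(avc_perm "$rec")" in
        # outbound TCP connect from the web server (e.g. to a database port)
        tcp_socket/*/name_connect) echo httpd_can_network_connect ;;
        # serving ~user/public_html content
        file/user_home_t/*|dir/user_home_dir_t/*) echo httpd_enable_homedirs ;;
        *) return 1 ;;
    esac
}

# Emit the persistent setsebool command for a record, or an investigation hint.
advise() {
    if b=$(suggest_httpd_boolean "$1"); then
        echo "setsebool -P $b 1"
    else
        echo "no boolean matches; run audit2allow -w on this record"
    fi
}

# Constructed sample records in audit.log format.
AVC_DB='type=AVC msg=audit(1160000000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'
AVC_HOME='type=AVC msg=audit(1160000001.123:457): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file'
AVC_OTHER='type=AVC msg=audit(1160000002.123:458): avc:  denied  { write } for  pid=1234 comm="httpd" name="passwd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file'

for r in "$AVC_DB" "$AVC_HOME" "$AVC_OTHER"; do
    advise "$r"
done
```

On a real system the records come from `ausearch -m avc` or /var/log/audit/audit.log, and `getsebool -a | grep httpd` lists the current boolean settings. The script deliberately picks the broad httpd_can_network_connect for any outbound connect; where a narrower boolean such as httpd_can_network_connect_db covers the case it should be preferred, since every boolean that is turned on widens what a compromised Apache can do. The third sample (httpd_t writing shadow_t) is exactly the kind of denial a boolean should never paper over.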

Next time you are being frisked at a UK or US airport and are facing the prospect of a long flight with books and all other forms of entertainment banned keep in mind that airlines have invasive security and should be avoided if possible. SE Linux offers security that is at most a minor inconvenience (usually not even noticed) and should be embraced.

the waste of closed lists

As I mentioned in my first post, the amount of effort I’m prepared to invest in posting to a small group of people is limited. I don’t think that I am the only person with this opinion.

I also believe that the number of people who refuse to post to open lists is quite small, and that on many lists they aren’t the people who contribute much. I believe that they are outweighed in both number and contributions by the people who want open lists and who are unwilling to spend a large effort on posting to a closed list.

When posting to an open list you have to be concerned about your online reputation. Some lists are closed because they have NSFW content that people don’t want known by their colleagues and managers; I guess that this makes sense for some lists.

IMHO the only good reason for closed lists is for discussion of truly sensitive information. This ranges from security problems in software that have not yet been fixed to medical and psychiatric problems. There are many lists which should not be publicly archived, but for general discussion of computers there is no such motivation.

For a list with a primarily technical focus on answering basic questions, secrecy does no good; it merely protects people who want to post off-topic messages and create pointless arguments about issues that they don’t understand.

My solution to some of these problems is to use this blog to comment on such things. I expect that my solution will also be adopted by other people on some of the closed lists that I use.

Also it has occurred to me that blogging about issues may improve the quality of list discussion. If instead of responding to a message in point-form you write an article about the general issue then it may reduce the level of personal dispute. I think it would be difficult to have a flame-war by blog.

Finally, while on the topic I have to mention that I don’t believe in anonymous posting to technical forums. Any content that is worth having should come with someone’s name attached. IRC nicks etc. are OK, but the person writing the content should be identifiable.