Note: The following is from a posting I made to the local Linux User’s Group mailing list.

I’ve given a lot of thought over the years to the Internet and security and, while I am not a security expert, I’ve come to the conclusion that this paranoia about cleartext passwords isn’t justified. People see a social problem (protecting your information) and figure it has a technical solution (encryption). Encryption can help, but it has to be used correctly. And it can’t replace careful thought and action.

Now, by no means am I advocating cleartext passwords. I’m SSLed, TLSed, SSHed, and GPGed out the wazoo. But, there is a negligible difference between the amount of work necessary to get your cleartext password as it travels over the wire and capturing your keypair.

There are a couple of reasons I’ve come to this conclusion.

  1. The primary risk is not how or if the password travels over the wire.
  2. The wire is relatively secure from taps.

The second item first: Today’s switched networks mean that access to the packets going over the wire involves compromising some hardware — most likely one of the endpoints.

That is, I have more reason to fear someone who compromises a server I connect to than someone who compromises MAE East. Why? Because my traffic at MAE East is statistically insignificant. Anyone with a password sniffer there is going to be overwhelmed with data. Besides, my data isn’t going through MAE East.

If someone compromises the server that I’m connecting to, I’m still not too worried if all they do is put up a password sniffer. That’d be a pretty stupid cracker. Whoop-ti-doo. A bunch of random passwords. In most places, that’s meaningless — they already have access to the server and all the data on it.

And if I can break into the server you’re using, then who’s to say I can’t break into your box and steal your keys?

I’m more afraid of the cracker who compromises the server and replaces the binaries to log all of my activity.

But, the reality is that while break-ins should be prevented, most break-ins cause very little harm other than loss of time and (rarely, you do have backups, don’t you?) loss of data. Usually, the cracker just wants a jumping-off spot.

And, anyway, as I said, the real risk is not cleartext passwords. It’s user stupidity.

If I’m a malicious guy who’s out to cause you damage, then it is far more effective for me to call you or your spouse up on the phone, pose as someone you should trust, and rob you blind.

Yes, all that encryption is important, but it isn’t that important. It’ll only stop the idle script kiddie. The people you should really be afraid of won’t even bother with it.

And, get this: No one really cares about your shell account.

That’s what all this is about anyway.

Figure out who you’re afraid of and why so you can make sensible decisions about what you’re doing. Otherwise, you’ll put your passwordless keypair on a USB key and forget the key at your friend’s house.

And your friend has more reason to be interested in what’s on the key than most people do.

Heck, I used to regularly get requests from random individuals who wanted to know if I could hack into the account of a wife, a friend, or a lover. You have more reason to fear those people (who have access to your unprotected keypair) than you do the script kiddie sniffing passwords.

Remember, using a passphrase involves one extra step, but adds an order of magnitude (or more!) of protection. Use ‘em!

 | Posted by | Categories: Uncategorized |

Part of getting large organisations to use Open Source or Free Software is getting them to recognise it officially. Looks like that is happening, finally.

In particular, a Census website, State and County QuickFacts, runs on a platform that is Open Source from front to back.

 | Posted by | Categories: Uncategorized |

PerlWiki Announcement

15 July 2003

I submitted a story to use Perl; for PerlWiki. Hopefully, people will begin to use it.

 | Posted by | Categories: Uncategorized |

Python Line Noise

13 July 2003

Perl gets flak because it is such a good language for managing and using regular expressions. The reality is that anyone who uses regular expressions will write code that some will use the pejorative “line noise” against.

To drive the point home, look up “python one liner” on Google. The first hit will contain this gem:

    import re
    [dict(re.compile('(?s)([^\n:]+): (.*?)(?=\n[^ \t]|\Z)').findall(item)) for item in s.split('\n\n')]

Looks like line noise to me!

And, yes, Perl’s implicit variables and use of regular expressions in the language core make the equivalent slightly shorter:

    [map { +{ /(?s)([^\n:]+): (.*?)(?=\n[^ \t]|\Z)/g } } split("\n\n")]

Note, though, that the “line-noise” portion of the code is practically identical.

Regular expressions are a little language that you can use in lots of places. I think the above example shows the truth of this statement. Don’t let people scare you off of them. Don’t be scared by them. Learn them and love them.
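As an added example (not from the original post or the page it quotes), here is the Python one-liner written out as a function and run over a constructed sample of blank-line-separated “Key: value” blocks, with the `+` the web page dropped restored and a small helper that unfolds continuation lines so the parsed values are usable:

```python
import re

# Constructed sample input: two "Key: value" blocks separated by a blank
# line; the second block has a folded (continued) value, which is what the
# (?s) flag and the lookahead in the expression exist to handle.
SAMPLE = (
    "From: alice@example.com\n"
    "Subject: status\n"
    "\n"
    "From: bob@example.com\n"
    "Subject: a long subject\n"
    "\tthat continues on the next line\n"
    "X-Note: last"
)

# The expression from the quoted one-liner: a key is one or more non-colon,
# non-newline characters; the value runs (across newlines, because of (?s))
# up to the next line that does not start with whitespace, or the end of
# the block (\Z).
HEADER_RE = re.compile(r'(?s)([^\n:]+): (.*?)(?=\n[^ \t]|\Z)')


def parse_blocks(s):
    """The quoted one-liner, written out: one dict of headers per
    blank-line-separated block, values kept exactly as matched."""
    return [dict(HEADER_RE.findall(item)) for item in s.split('\n\n')]


def unfold(value):
    """Join a folded value back into one line: a newline followed by
    leading whitespace becomes a single space."""
    return re.sub(r'\n[ \t]+', ' ', value)


def parse_unfolded(s):
    """Same as parse_blocks, but with every value unfolded."""
    return [{k: unfold(v) for k, v in block.items()}
            for block in parse_blocks(s)]


if __name__ == '__main__':
    for block in parse_unfolded(SAMPLE):
        print(block)
```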

 | Posted by | Categories: Uncategorized |

According to this posting on Bugtraq, pornographers have hacked into home computers with fast network connections to host their dirty pictures.

I suppose, though, that the porn business isn’t that good, since they’ve also used the same sites for a PayPal scam.

Technical details of the trojan as published by LURHQ.

 | Posted by | Categories: Uncategorized |

Awesome Debian Power

13 July 2003

    # dh-make-perl --cpan Acme::Buffy --build --install

 | Posted by | Categories: Uncategorized |

A lot of Linux desktop users seem to be under the impression that they are safer from exploits simply because they are running Linux. They seem to believe that software written for Linux is just going to be better. Fact of the matter is, most programmers are still human. And, programmers as a whole couldn’t care less about security.

The question I see is not “Are there existing exploits for Evolution’s bugs?”. The answer to that is “Of course!”. The question I see is “Are those exploits being used and are they causing damage?”. As you said, “there have been exploits for Elm and Pine”. Here is the breakdown as I see it:

  • All Software has bugs.
  • Virus writers want notoriety, not obscurity.
  • Virus writers will choose popular software instead of obscure software to write their malware for.
  • Windows is more popular than Linux.
  • Outlook is the most popular MUA on Windows.

Thus:

  • Outlook has a lot of viruses written for it.

Consider that Eudora has exploitable bugs, but it remains a safer choice than Outlook because it isn’t as popular. Outlook’s popularity (driven, in part, by the popularity of Exchange) means that most virus writers will use it.

Of course, we’d like to think that Linux is immune to this kind of thing (exploits, that is. A lot of us wish it weren’t immune to popularity), but there are still bugs that can be exploited. Even on UNIX/Linux, a lot of programmers don’t care about security. Now consider:

  • Evolution is probably the most popular Linux MUA (among new users).
  • Linux growth on the desktop is slow.
  • Virus writers still don’t have a large userbase to exploit on Linux.
  • The Linux/Evolution userbase is even smaller because most old Unix hands already have an MUA that they like.
  • Evolution and Linux still have bugs.

Thus:

  • Any viruses that get written for Evolution are just proof of concept. The real virus writers don’t care about Linux.

Hey, if the Emacs/Gnus combination were really popular, there would be exploits for it. It ain’t popular, though, so I’m quite safe from anyone who hopes to gain notoriety from writing a virus.

Don’t think for a second that you are safer simply because you are running a UNIX-like OS. There are plenty of exploitable bugs and plenty of exploits. You can make yourself safer by choosing less popular combinations of software (e.g. using Debian instead of RedHat), but Linux, in and of itself, does not mean you are immune to the whims of the virus-writers. Sendmail used to be the only MTA out there. And, in 1988, we got to see the consequences of that.

The reality is that security is an unimportant part of most projects. This is a “worse is better” world and the most popular software is written by programmers with a “worse is better” mindset. They’ve got some code they want to hack or a job that’s been given to them. Nine times out of ten, their focus is not security. It’d be nice if we were all as obsessed with security as D.J. Bernstein, but, c’mon, we’ve got real work to do here.

 | Posted by | Categories: Uncategorized |

A consulting firm did a security audit on the company I work for. Of course, we had to have a way to manage our new security policies once the audit was done. (That is, we would have to have a way to manage the policies if we had them, which we don’t, but that’s another story.) So, they sold us software that they valued at around $50,000 to do this. A nice little web-based utility, written in Tomcat/Apache with an Oracle backend and running on Solaris.

Now, since I try to be security conscious, I reduced the Solaris install to the core OS. In fact, this is one of the things they recommend: reducing the software on a machine to only what is needed.

I mentioned this to the consultant they sent to help with installation and he was shocked.

“Don’t do that!” he said.

“It works, doesn’t it?” I replied.

“I guess, but we don’t test it that way.”

The irony should be obvious.

 | Posted by | Categories: Uncategorized |

Sleepless nights

10 July 2003

I can never get anything done. So, instead of sleeping, I wrote about the revelation I had regarding REST, did (not)Echo in Perl, and released my trackback for Emacs implementation.

If none of that geeky goodness interests you, check out Eve Andersson’s New Orleans pictures. She’s an interesting person in her own right, too (“I didn’t know what to do with the small bread wafer that I was given, so I put it in my purse.”) By the way, she hates to sleep, too.

 | Posted by | Categories: Uncategorized |

My day job is at a company that builds oil rigs in the Gulf of Mexico. This most recent storm must have been a lot of fun — at least according to the pictures. Keep in mind that this was “just” a tropical storm. They told all non-essential people to leave downtown the day the storm hit shore. A little wind and rain is all I saw. Looks like it was much worse out in the gulf.

We’re supposed to get another one of these in about a week or so.

 | Posted by | Categories: Uncategorized |