<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-9881230</id><updated>2012-01-22T17:16:25.173-05:00</updated><title type='text'>Blog on Cyberterror</title><subtitle type='html'>Blogging on Security efforts in Open Source Software</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://woct-blog.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://woct-blog.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>John</name><uri>http://www.blogger.com/profile/04330716591714765149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>32</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-9881230.post-113774490744745943</id><published>2006-01-20T02:45:00.000-05:00</published><updated>2006-01-20T03:15:07.460-05:00</updated><title type='text'>Project Eva</title><summary type='text'>
I've begun work on "Project Eva," a personal project to design a new, secure Linux distribution.  This is not a typical distribution; it will be based on neither Red Hat, Gentoo, nor Debian GNU/Linux.  Instead, I will be building from the ground up, using a package manager I'm designing and coding myself in a project called "Project Coon Fox."



Project Eva will not be a simple hack-up job of </summary><link rel='related' href='http://www.google.com/' title='Project Eva'/><link rel='replies' type='application/atom+xml' href='http://woct-blog.blogspot.com/feeds/113774490744745943/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9881230&amp;postID=113774490744745943' title='41 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/113774490744745943'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/113774490744745943'/><link rel='alternate' type='text/html' href='http://woct-blog.blogspot.com/2006/01/project-eva.html' title='Project Eva'/><author><name>John</name><uri>http://www.blogger.com/profile/04330716591714765149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>41</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9881230.post-112909909555577050</id><published>2005-10-12T02:14:00.000-04:00</published><updated>2005-10-12T02:39:18.456-04:00</updated><title type='text'>Java v. C continued</title><summary type='text'>
Looks like I got slashdotted on that one.  I wasn't trying to particularly bash Java, more the concept of one language being "secure" over another.  Java just makes a good example of a language people believe will solve all their problems for them.



With the responses I've seen both here and on slashdot, I feel I should make a follow-up post.  I'll point out a few interesting things that have </summary><link rel='related' href='http://it.slashdot.org/article.pl?sid=05/10/10/110239&amp;tid=172' title='Java v. C continued'/><link rel='replies' type='application/atom+xml' href='http://woct-blog.blogspot.com/feeds/112909909555577050/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9881230&amp;postID=112909909555577050' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/112909909555577050'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/112909909555577050'/><link rel='alternate' type='text/html' href='http://woct-blog.blogspot.com/2005/10/java-v-c-continued.html' title='Java v. C continued'/><author><name>John</name><uri>http://www.blogger.com/profile/04330716591714765149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9881230.post-112893085481804046</id><published>2005-10-06T17:46:00.000-04:00</published><updated>2005-10-10T14:12:18.730-04:00</updated><title type='text'>Security in a language?</title><summary type='text'>
Lately I've taken more notice of the debates over programming languages.  People often claim that Java is inherently more secure than C; C is faster than Java; C++ is easier than C; C++ is slow and has an over-bloated syntax that makes it confusing; or any number of other things about languages.  Looking at C and Java, I'd like to make a quick point.



In gcc 4.1, a re-implementation of </summary><link rel='related' href='http://www.grsecurity.net/' title='Security in a language?'/><link rel='replies' type='application/atom+xml' href='http://woct-blog.blogspot.com/feeds/112893085481804046/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9881230&amp;postID=112893085481804046' title='10 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/112893085481804046'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/112893085481804046'/><link rel='alternate' type='text/html' href='http://woct-blog.blogspot.com/2005/10/security-in-language.html' title='Security in a language?'/><author><name>John</name><uri>http://www.blogger.com/profile/04330716591714765149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>10</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9881230.post-112753883688465837</id><published>2005-09-24T00:57:00.000-04:00</published><updated>2005-09-24T01:14:08.206-04:00</updated><title type='text'>Virtual worlds</title><summary type='text'>
Here's a question.  If you found a virtual world in a video game, would you think much of what you did in it?  What if you found a computer in the virtual world?  What if that computer ran like an actual computer and you were able to get X up and run OpenOffice.org?



I wonder, really I do, about the implications of a computer game that would spawn computers inside it using, say, a hypervisor </summary><link rel='related' href='http://www.planeshift.it/' title='Virtual worlds'/><link rel='replies' type='application/atom+xml' href='http://woct-blog.blogspot.com/feeds/112753883688465837/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9881230&amp;postID=112753883688465837' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/112753883688465837'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/112753883688465837'/><link rel='alternate' type='text/html' href='http://woct-blog.blogspot.com/2005/09/virtual-worlds.html' title='Virtual worlds'/><author><name>John</name><uri>http://www.blogger.com/profile/04330716591714765149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9881230.post-112657819830001382</id><published>2005-09-12T22:13:00.000-04:00</published><updated>2005-09-12T22:26:08.060-04:00</updated><title type='text'>Revisiting copy protection...</title><summary type='text'>
I e-mailed the MPAA today on their Report Piracy Hotline about copy protection.  Pretty much, I'm annoyed by it, and it's useless.  Now we all should know that any copy protection can be broken; and track records for breaking it typically range from several months before a copy protection method is deployed in a product to a few weeks after something on the market uses it.  Millions of dollars </summary><link rel='related' href='http://www.mpaa.org/' title='Revisiting copy protection...'/><link rel='replies' type='application/atom+xml' href='http://woct-blog.blogspot.com/feeds/112657819830001382/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9881230&amp;postID=112657819830001382' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/112657819830001382'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/112657819830001382'/><link rel='alternate' type='text/html' href='http://woct-blog.blogspot.com/2005/09/revisiting-copy-protection.html' title='Revisiting copy protection...'/><author><name>John</name><uri>http://www.blogger.com/profile/04330716591714765149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9881230.post-112588094104332157</id><published>2005-09-04T19:54:00.000-04:00</published><updated>2005-09-08T12:30:53.330-04:00</updated><title type='text'>Mozilla and Firefox dumping SSL2.0</title><summary type='text'>
Well, it looks like Mozilla is dumping SSL2.0, and with that comes the loss of SSL2.0 in Firefox as well.  This means supporting code will be gone, and a very few sites will break; but fortunately, most sites support SSL3.0.



I say good riddance to bad rubbish, and may it rot in Hell forever.  Some info about SSL2.0, it can be attacked a lot easier than SSL3.0.  A man-in-the-middle attack can </summary><link rel='related' href='http://www.mozillazine.org/talkback.html?article=7252' title='Mozilla and Firefox dumping SSL2.0'/><link rel='replies' type='application/atom+xml' href='http://woct-blog.blogspot.com/feeds/112588094104332157/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9881230&amp;postID=112588094104332157' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/112588094104332157'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/112588094104332157'/><link rel='alternate' type='text/html' href='http://woct-blog.blogspot.com/2005/09/mozilla-and-firefox-dumping-ssl20.html' title='Mozilla and Firefox dumping SSL2.0'/><author><name>John</name><uri>http://www.blogger.com/profile/04330716591714765149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9881230.post-112347528171639441</id><published>2005-08-07T23:02:00.000-04:00</published><updated>2005-08-08T00:28:01.736-04:00</updated><title type='text'>Zombie Hacker Survival!</title><summary type='text'>
I have just read Jon Erickson's excellent book, Hacking:  The Art of Exploitation published by No Starch Press; followed closely by Max Brooks' The Zombie Survival Guide:  Complete Protection from the Living Dead published by Three Rivers Press.  Coming from someone who hates reading books, these are two select reads.  The first was a detailed but introductory technical reference on exploiting </summary><link rel='related' href='http://en.wikipedia.org/wiki/Hacking:_The_Art_of_Exploitation' title='Zombie Hacker Survival!'/><link rel='replies' type='application/atom+xml' href='http://woct-blog.blogspot.com/feeds/112347528171639441/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9881230&amp;postID=112347528171639441' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/112347528171639441'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/112347528171639441'/><link rel='alternate' type='text/html' href='http://woct-blog.blogspot.com/2005/08/zombie-hacker-survival.html' title='Zombie Hacker Survival!'/><author><name>John</name><uri>http://www.blogger.com/profile/04330716591714765149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9881230.post-112345646885799518</id><published>2005-08-07T19:01:00.000-04:00</published><updated>2005-08-07T19:14:28.866-04:00</updated><title type='text'>Phresh Phish</title><summary type='text'>
I recently posted a bug on mozdev about TrustBar.  TrustBar is an anti-phishing toolbar that tells you when the currently loaded https:// page is using a valid certificate; who verified it; and who it was verified as.  This means that when you log into something like eBay or ThinkGeek, you're told that you are indeed logging into them.



What TrustBar will not do is check who a regular http:// </summary><link rel='related' href='http://bugzilla.mozdev.org/show_bug.cgi?id=11160' title='Phresh Phish'/><link rel='replies' type='application/atom+xml' href='http://woct-blog.blogspot.com/feeds/112345646885799518/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9881230&amp;postID=112345646885799518' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/112345646885799518'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/112345646885799518'/><link rel='alternate' type='text/html' href='http://woct-blog.blogspot.com/2005/08/phresh-phish.html' title='Phresh Phish'/><author><name>John</name><uri>http://www.blogger.com/profile/04330716591714765149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9881230.post-112321717803637518</id><published>2005-08-04T23:13:00.000-04:00</published><updated>2005-08-05T00:46:18.043-04:00</updated><title type='text'>I Will Be Out of the Office</title><summary type='text'>
I haven't blogged in a long time.  I guess I should have caught up with this blog with the recent goings on, specifically the OK to commit that a cleaned-up version of ProPolice, the IBM stack smash protector research project, got from the gcc mailing list.



As of late I've been working and not working (depending on mood) on a paper about designing a secure and user friendly operating system.</summary><link rel='related' href='http://gcc.gnu.org/ml/gcc-patches/2005-07/msg00069.html' title='I Will Be Out of the Office'/><link rel='replies' type='application/atom+xml' href='http://woct-blog.blogspot.com/feeds/112321717803637518/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9881230&amp;postID=112321717803637518' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/112321717803637518'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/112321717803637518'/><link rel='alternate' type='text/html' href='http://woct-blog.blogspot.com/2005/08/i-will-be-out-of-office.html' title='I Will Be Out of the Office'/><author><name>John</name><uri>http://www.blogger.com/profile/04330716591714765149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9881230.post-111904247607511284</id><published>2005-06-17T17:07:00.000-04:00</published><updated>2005-06-17T17:48:44.990-04:00</updated><title type='text'>Wireless Discoveries</title><summary type='text'>
I bought myself a Linksys WRT54G Router-AP last night and wired it up, giving a good kick to my network and finally getting behind a dedicated device rather than a Windows workstation pretending to be one.  I decided to give it a spin, and found a few nice things in it.



The first thing I noticed was that my Internet connection was visibly more responsive, something I had not anticipated.  </summary><link rel='related' href='http://linksys.com/' title='Wireless Discoveries'/><link rel='replies' type='application/atom+xml' href='http://woct-blog.blogspot.com/feeds/111904247607511284/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9881230&amp;postID=111904247607511284' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/111904247607511284'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/111904247607511284'/><link rel='alternate' type='text/html' href='http://woct-blog.blogspot.com/2005/06/wireless-discoveries.html' title='Wireless Discoveries'/><author><name>John</name><uri>http://www.blogger.com/profile/04330716591714765149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9881230.post-111120926422215507</id><published>2005-03-18T23:40:00.000-05:00</published><updated>2005-03-19T00:38:02.583-05:00</updated><title type='text'>Hardened Ubuntu officially Hardened Ubuntu</title><summary type='text'>
Nobody had a laptop or projector at BaltoLUG this Tuesday, so I didn't manage to give my presentation there.  Next month I will try again, April 19, guys.  :)  I also might pick up The Art of Intrusion and The Art of Deception, just nice books to have (even though I hate reading).



You may have noticed I've been fairly obsessed with Ubuntu Linux.  I was a Hardened Gentoo user originally, </summary><link rel='related' href='http://www.ubuntulinux.org/wiki/UbuntuHardened' title='Hardened Ubuntu officially Hardened Ubuntu'/><link rel='replies' type='application/atom+xml' href='http://woct-blog.blogspot.com/feeds/111120926422215507/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9881230&amp;postID=111120926422215507' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/111120926422215507'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/111120926422215507'/><link rel='alternate' type='text/html' href='http://woct-blog.blogspot.com/2005/03/hardened-ubuntu-officially-hardened.html' title='Hardened Ubuntu officially Hardened Ubuntu'/><author><name>John</name><uri>http://www.blogger.com/profile/04330716591714765149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9881230.post-111022006567833440</id><published>2005-03-07T12:43:00.000-05:00</published><updated>2005-03-07T13:33:01.076-05:00</updated><title type='text'>Firewalls aren't so magic</title><summary type='text'>
A recent post on Slashdot brings up the LAND attack, an attack from eight (8) years ago in which a connection is initiated to a service with a SYN packet with the source and destination IP address set to the server's address.  These attacks cause the server to infinitely loop and become nonresponsive for 15-30 seconds.  Repeated attacks can prove to be a fairly effective DoS.



In response, the </summary><link rel='related' href='http://it.slashdot.org/article.pl?sid=05/03/07/1414234&amp;from=rss' title='Firewalls aren&apos;t so magic'/><link rel='replies' type='application/atom+xml' href='http://woct-blog.blogspot.com/feeds/111022006567833440/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9881230&amp;postID=111022006567833440' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/111022006567833440'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/111022006567833440'/><link rel='alternate' type='text/html' href='http://woct-blog.blogspot.com/2005/03/firewalls-arent-so-magic.html' title='Firewalls aren&apos;t so magic'/><author><name>John</name><uri>http://www.blogger.com/profile/04330716591714765149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9881230.post-111003709657457922</id><published>2005-03-05T10:00:00.000-05:00</published><updated>2005-03-05T10:50:55.180-05:00</updated><title type='text'>PaX changing hands</title><summary type='text'>
Due to a spectacular fuckup, PaX will be changing hands on April 1, 2005.  The GrSecurity team will be picking up the PaX code base after then.



A little background, PaX and GrSecurity are each run by one developer, in reality.  "The PaX Team" is made up of a single anonymous entity who took the initiative in 2000 to create what may very well be capable of stopping over half of security </summary><link rel='related' href='http://lists.netsys.com/pipermail/full-disclosure/2005-March/032240.html' title='PaX changing hands'/><link rel='replies' type='application/atom+xml' href='http://woct-blog.blogspot.com/feeds/111003709657457922/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9881230&amp;postID=111003709657457922' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/111003709657457922'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/111003709657457922'/><link rel='alternate' type='text/html' href='http://woct-blog.blogspot.com/2005/03/pax-changing-hands.html' title='PaX changing hands'/><author><name>John</name><uri>http://www.blogger.com/profile/04330716591714765149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9881230.post-110999695239384843</id><published>2005-03-04T23:13:00.000-05:00</published><updated>2005-03-04T23:29:12.396-05:00</updated><title type='text'>Blogging in Real Life</title><summary type='text'>
I will be speaking at BaltoLUG on Thursday, March 15.  Originally I didn't want to do it; but this is a good public speaking opportunity and would look very nice on my resume.  I may even give the speech a few more times and refine it afterwards.



I've been working on a paper for my presentation, from which I will be taking my major talking points.  I will be distributing the paper at BaltoLUG</summary><link rel='related' href='http://www.baltolug.org/' title='Blogging in Real Life'/><link rel='replies' type='application/atom+xml' href='http://woct-blog.blogspot.com/feeds/110999695239384843/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9881230&amp;postID=110999695239384843' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/110999695239384843'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/110999695239384843'/><link rel='alternate' type='text/html' href='http://woct-blog.blogspot.com/2005/03/blogging-in-real-life.html' title='Blogging in Real Life'/><author><name>John</name><uri>http://www.blogger.com/profile/04330716591714765149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9881230.post-110878646766646026</id><published>2005-02-22T15:06:00.000-05:00</published><updated>2005-02-22T15:28:16.846-05:00</updated><title type='text'>Which OS is more secure?</title><summary type='text'>
Well, the argument came up again. I've been busy playing Xenosaga 2, and haven't been blogging much; but not much has been happening, unless you want me to start blogging security notices or something. In that case you can just check the RSS feeds, which are visible if you click the text above the ads on this blog; icetalk should suffice for that.



The main argument I keep hearing is between "</summary><link rel='related' href='http://linux.slashdot.org/article.pl?sid=05/02/17/1616232&amp;amp;tid=172' title='Which OS is more secure?'/><link rel='replies' type='application/atom+xml' href='http://woct-blog.blogspot.com/feeds/110878646766646026/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9881230&amp;postID=110878646766646026' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/110878646766646026'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/110878646766646026'/><link rel='alternate' type='text/html' href='http://woct-blog.blogspot.com/2005/02/which-os-is-more-secure.html' title='Which OS is more secure?'/><author><name>John</name><uri>http://www.blogger.com/profile/04330716591714765149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9881230.post-110798179708199079</id><published>2005-02-09T14:59:00.000-05:00</published><updated>2005-02-09T16:53:26.580-05:00</updated><title type='text'>The buddy system</title><summary type='text'>
Recently I've been exploring extreme programming, a concept I was introduced to by college students, and was recently reminded of by some comments on a Slashdot post.  Today I would like to propose a pair programming utility to help apply the concept of pair programming to a distributed working team, such as those which drive most Open Source Software.



Pair programming is a simple </summary><link rel='related' href='http://www.extremeprogramming.org/index2.html' title='The buddy system'/><link rel='replies' type='application/atom+xml' href='http://woct-blog.blogspot.com/feeds/110798179708199079/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9881230&amp;postID=110798179708199079' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/110798179708199079'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/110798179708199079'/><link rel='alternate' type='text/html' href='http://woct-blog.blogspot.com/2005/02/buddy-system.html' title='The buddy system'/><author><name>John</name><uri>http://www.blogger.com/profile/04330716591714765149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9881230.post-110763049230851286</id><published>2005-02-05T13:13:00.000-05:00</published><updated>2005-02-05T14:15:33.873-05:00</updated><title type='text'>Non-root viruses for Linux</title><summary type='text'>
I had earlier mentioned that local exploits are remote exploits, and now come back to finish that thought.  To complete the idea, I'll bring in the concept of computer viruses, which in general rely on local users running them.  This is unlike worms, which propagate on their own via e-mailing themselves around or using remote exploits.



Today I've chosen a simple local root exploit and a </summary><link rel='related' href='http://seclists.org/lists/bugtraq/2005/Jan/att-0070/elflbl_v108.c' title='Non-root viruses for Linux'/><link rel='replies' type='application/atom+xml' href='http://woct-blog.blogspot.com/feeds/110763049230851286/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9881230&amp;postID=110763049230851286' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/110763049230851286'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/110763049230851286'/><link rel='alternate' type='text/html' href='http://woct-blog.blogspot.com/2005/02/non-root-viruses-for-linux.html' title='Non-root viruses for Linux'/><author><name>John</name><uri>http://www.blogger.com/profile/04330716591714765149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9881230.post-110685046648053034</id><published>2005-01-27T15:45:00.000-05:00</published><updated>2005-02-05T14:18:42.046-05:00</updated><title type='text'>Smoke and Mirrors Awareness Day</title><summary type='text'>
Today is Smoke and Mirrors Awareness Day!  No, not really, but I'd like to point out various pieces of junk that pretend to be secure.



We've already passed over Microsoft's Data Execution Prevention and why it doesn't work without real Address Space Layout Randomization.  This is because a simple ret2libc attack can be used to evade normal memory space protections that systems such as </summary><link rel='related' href='http://lists.netsys.com/pipermail/full-disclosure/2005-January/031264.html' title='Smoke and Mirrors Awareness Day'/><link rel='replies' type='application/atom+xml' href='http://woct-blog.blogspot.com/feeds/110685046648053034/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9881230&amp;postID=110685046648053034' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/110685046648053034'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/110685046648053034'/><link rel='alternate' type='text/html' href='http://woct-blog.blogspot.com/2005/01/smoke-and-mirrors-awareness-day.html' title='Smoke and Mirrors Awareness Day'/><author><name>John</name><uri>http://www.blogger.com/profile/04330716591714765149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9881230.post-110660580500734755</id><published>2005-01-24T17:08:00.000-05:00</published><updated>2005-01-24T17:30:05.006-05:00</updated><title type='text'>GrSecurity as kernel hooks</title><summary type='text'>
I don't know why I did it, I don't know how I did it, but somehow I managed to reverse part of GrSecurity into a set of kernel hooks—only three right now—to implement GrSecurity with.  I know Brad isn't going to go along with it, nor will Linus; it's purely academic.



It took me about 5 minutes to design a stacking mechanism that modules don't have to be aware of, and 10 minutes to </summary><link rel='related' href='http://grsecurity.net' title='GrSecurity as kernel hooks'/><link rel='replies' type='application/atom+xml' href='http://woct-blog.blogspot.com/feeds/110660580500734755/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9881230&amp;postID=110660580500734755' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/110660580500734755'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/110660580500734755'/><link rel='alternate' type='text/html' href='http://woct-blog.blogspot.com/2005/01/grsecurity-as-kernel-hooks.html' title='GrSecurity as kernel hooks'/><author><name>John</name><uri>http://www.blogger.com/profile/04330716591714765149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9881230.post-110611870143165055</id><published>2005-01-19T18:57:00.000-05:00</published><updated>2005-01-19T18:59:57.856-05:00</updated><title type='text'>There's no such thing as a local exploit</title><summary type='text'>
Some people feel safe knowing that they have zero or only one remote exploit, even though they have 400 local ones, because they're the only local user on their local desktop box.  This is a falsehood.  Local exploits are just as dangerous as remote exploits, if not more so.



A remote exploit doesn't always mean root access.  If an attacker exploits Firefox or XMMS, he can get local user </summary><link rel='related' href='http://www.ubuntulinux.org/support/documentation/usn/usn-56-1' title='There&apos;s no such thing as a local exploit'/><link rel='replies' type='application/atom+xml' href='http://woct-blog.blogspot.com/feeds/110611870143165055/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9881230&amp;postID=110611870143165055' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/110611870143165055'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/110611870143165055'/><link rel='alternate' type='text/html' href='http://woct-blog.blogspot.com/2005/01/theres-no-such-thing-as-local-exploit.html' title='There&apos;s no such thing as a local exploit'/><author><name>John</name><uri>http://www.blogger.com/profile/04330716591714765149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9881230.post-110594639973009816</id><published>2005-01-17T01:31:00.000-05:00</published><updated>2005-01-17T02:53:51.783-05:00</updated><title type='text'>Most of it can be stopped now</title><summary type='text'>
To aid the Hardened Debian project, I wrote up an analysis of the Ubuntu Security Notice list.  The results are nice to look at, and a blog on them is deserved.  It appears that most USNs contain vulnerabilities which can be reduced to Denial-of-Service attacks, precluding any privilege escalation with simple crashes.



Below is a table aggregating the analysis of the first 60 USNs.  </summary><link rel='related' href='https://www.ubuntulinux.org/wiki/USNAnalysis' title='Most of it can be stopped now'/><link rel='replies' type='application/atom+xml' href='http://woct-blog.blogspot.com/feeds/110594639973009816/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9881230&amp;postID=110594639973009816' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/110594639973009816'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/110594639973009816'/><link rel='alternate' type='text/html' href='http://woct-blog.blogspot.com/2005/01/most-of-it-can-be-stopped-now.html' title='Most of it can be stopped now'/><author><name>John</name><uri>http://www.blogger.com/profile/04330716591714765149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9881230.post-110573183620468960</id><published>2005-01-14T14:08:00.000-05:00</published><updated>2005-01-14T15:47:49.663-05:00</updated><title type='text'>Time for a new Linux kernel development model</title><summary type='text'>
Earlier, I had discussed why changes to the Linux kernel development model were needed to better support third party development.  Now I feel it's time to sit down and discuss what key issues the current development model raises.



Brad Spengler of GrSecurity criticizes the Linux 2.6 development model in a post to Bugtraq.  He gives the following expression of his distaste for the model in</summary><link rel='related' href='http://kernel.org/' title='Time for a new Linux kernel development model'/><link rel='replies' type='application/atom+xml' href='http://woct-blog.blogspot.com/feeds/110573183620468960/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9881230&amp;postID=110573183620468960' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/110573183620468960'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/110573183620468960'/><link rel='alternate' type='text/html' href='http://woct-blog.blogspot.com/2005/01/time-for-new-linux-kernel-development.html' title='Time for a new Linux kernel development model'/><author><name>John</name><uri>http://www.blogger.com/profile/04330716591714765149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9881230.post-110558109974081485</id><published>2005-01-13T13:03:00.000-05:00</published><updated>2006-07-21T13:09:23.866-04:00</updated><title type='text'>A DEP evasion technique</title><summary type='text'>


In an earlier post, I pointed out a possible way to evade Data Execution Prevention in Microsoft Windows XP Service Pack 2.  I feel this deserves its own blog post, so I've decided to go on here.



I'd like to first point out that this is a speculative method to evade hardware-enforced DEP based on various documentation.  There is not yet a </summary><link rel='related' href='http://www.securityfocus.com/archive/1/386958' title='A DEP evasion technique'/><link rel='replies' type='application/atom+xml' href='http://woct-blog.blogspot.com/feeds/110558109974081485/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9881230&amp;postID=110558109974081485' title='67 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/110558109974081485'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/110558109974081485'/><link rel='alternate' type='text/html' href='http://woct-blog.blogspot.com/2005/01/dep-evasion-technique.html' title='A DEP evasion technique'/><author><name>John</name><uri>http://www.blogger.com/profile/04330716591714765149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>67</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9881230.post-110547116993409957</id><published>2005-01-12T13:46:00.000-05:00</published><updated>2005-01-12T19:59:46.553-05:00</updated><title type='text'>Review of Microsoft's DEP</title><summary type='text'>
After reading through a page on memory protection changes in Windows XP SP2, I e-mailed Microsoft's Technical Support for XP SP2 and requested confirmation on my understanding of the product.  This resulted in a support contact sending me a link to a detailed description of DEP.  The given page doesn't conflict with or add to my understanding of DEP, so I assume I have a fair grasp on how it </summary><link rel='related' href='http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2mempr.mspx' title='Review of Microsoft&apos;s DEP'/><link rel='replies' type='application/atom+xml' href='http://woct-blog.blogspot.com/feeds/110547116993409957/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9881230&amp;postID=110547116993409957' title='19 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/110547116993409957'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/110547116993409957'/><link rel='alternate' type='text/html' href='http://woct-blog.blogspot.com/2005/01/review-of-microsofts-dep.html' title='Review of Microsoft&apos;s DEP'/><author><name>John</name><uri>http://www.blogger.com/profile/04330716591714765149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>19</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9881230.post-110541214077851026</id><published>2005-01-10T21:17:00.000-05:00</published><updated>2005-01-10T22:02:25.526-05:00</updated><title type='text'>Hardened 2.6.10 kernel from Gentoo soon</title><summary type='text'>
Linux users fall into three basic groups when it comes to the kernel.  First, there are those who just use what the distribution supplies.  Second, there are those who choose or build their own patchset.  And finally, there are vanilla users who just grab whatever from kernel.org and use that.



From a security standpoint, it is usually better to use a patchset, whether it be your </summary><link rel='related' href='http://hardened.gentoo.org/' title='Hardened 2.6.10 kernel from Gentoo soon'/><link rel='replies' type='application/atom+xml' href='http://woct-blog.blogspot.com/feeds/110541214077851026/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9881230&amp;postID=110541214077851026' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/110541214077851026'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/110541214077851026'/><link rel='alternate' type='text/html' href='http://woct-blog.blogspot.com/2005/01/hardened-2610-kernel-from-gentoo-soon.html' title='Hardened 2.6.10 kernel from Gentoo soon'/><author><name>John</name><uri>http://www.blogger.com/profile/04330716591714765149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9881230.post-110525371137860577</id><published>2005-01-09T01:54:00.000-05:00</published><updated>2005-01-09T01:57:02.466-05:00</updated><title type='text'>A living kernel</title><summary type='text'>
Recently, Jake Moilanen announced a set of patches to add a genetic algorithm library to the Linux kernel.  These patches supply functionality to modify the kernel's behavior experimentally and tune for peak performance.  The base patches can be combined with patches that enhance the Anticipatory IO Scheduler and the CPU scheduler (zaphod patch required) with the algorithms.



The last </summary><link rel='related' href='http://kernel.jakem.net/' title='A living kernel'/><link rel='replies' type='application/atom+xml' href='http://woct-blog.blogspot.com/feeds/110525371137860577/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9881230&amp;postID=110525371137860577' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/110525371137860577'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/110525371137860577'/><link rel='alternate' type='text/html' href='http://woct-blog.blogspot.com/2005/01/living-kernel.html' title='A living kernel'/><author><name>John</name><uri>http://www.blogger.com/profile/04330716591714765149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9881230.post-110479894106558064</id><published>2005-01-04T23:36:00.000-05:00</published><updated>2005-01-09T02:05:26.220-05:00</updated><title type='text'>Ubuntu Technical Board Meeting 2004.01.04</title><summary type='text'>
Ubuntu Linux has a strong community structure which involves the community in the development process via two types of meetings.  Ubuntu Linux Meetings take place every week on #ubuntu-meeting on freenode, and alternate between Technical Board and Community Council meetings.



Today was the Technical Board meeting, a discussion of the Ubuntu Linux technical direction.  The meeting was </summary><link rel='related' href='http://www.ubuntulinux.org/wiki/TechnicalBoardAgenda' title='Ubuntu Technical Board Meeting 2004.01.04'/><link rel='replies' type='application/atom+xml' href='http://woct-blog.blogspot.com/feeds/110479894106558064/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9881230&amp;postID=110479894106558064' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/110479894106558064'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/110479894106558064'/><link rel='alternate' type='text/html' href='http://woct-blog.blogspot.com/2005/01/ubuntu-technical-board-meeting.html' title='Ubuntu Technical Board Meeting 2004.01.04'/><author><name>John</name><uri>http://www.blogger.com/profile/04330716591714765149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9881230.post-110473270965629026</id><published>2005-01-03T01:12:00.000-05:00</published><updated>2005-01-09T02:07:14.993-05:00</updated><title type='text'>Finally a new PaX</title><summary type='text'>
PaX has been stuck at Linux 2.6.7 for a while now.  The author has been fairly active on the 2.4 branch; but 2.6 has been too volatile.  Between 2.6.7 and 2.6.8, major VM changes were put in which changed how PaX had to be written.  This delayed the release of a new PaX for 2.6 ever since, although the 2.4 branch still gets regular releases.



The PaX Team needs to do more work than just </summary><link rel='related' href='http://pax.grsecurity.net/' title='Finally a new PaX'/><link rel='replies' type='application/atom+xml' href='http://woct-blog.blogspot.com/feeds/110473270965629026/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9881230&amp;postID=110473270965629026' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/110473270965629026'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/110473270965629026'/><link rel='alternate' type='text/html' href='http://woct-blog.blogspot.com/2005/01/finally-new-pax.html' title='Finally a new PaX'/><author><name>John</name><uri>http://www.blogger.com/profile/04330716591714765149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9881230.post-110465254935362203</id><published>2005-01-02T02:32:00.000-05:00</published><updated>2005-01-09T02:06:33.810-05:00</updated><title type='text'>Policy on Web content</title><summary type='text'>
You may not think about it, but content filtering is a security issue!  Filtering out pornography is a major enforcement aid for many businesses and public institutions which do not allow access to such material from their network.  It is therefore interesting from a security standpoint that tools exist to facilitate the control and filtering of pornography, violence, and racist content, and </summary><link rel='related' href='http://thread.gmane.org/gmane.linux.ubuntu.devel/2840' title='Policy on Web content'/><link rel='replies' type='application/atom+xml' href='http://woct-blog.blogspot.com/feeds/110465254935362203/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9881230&amp;postID=110465254935362203' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/110465254935362203'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/110465254935362203'/><link rel='alternate' type='text/html' href='http://woct-blog.blogspot.com/2005/01/policy-on-web-content.html' title='Policy on Web content'/><author><name>John</name><uri>http://www.blogger.com/profile/04330716591714765149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9881230.post-110461010950394849</id><published>2005-01-01T14:41:00.000-05:00</published><updated>2005-01-09T02:09:13.970-05:00</updated><title type='text'>Hardened Ubuntu</title><summary type='text'>
Earlier I had blogged on a more secure setting that would be suitable for wide-spread distribution.  Such an environment can be created in Gentoo Linux relatively easily, if you're already a Gentoo user.  Unfortunately, the learning curve needed for Gentoo is out of the reach of many people, and Gentoo is not always feasible anyway.  Other distributions have to take up these enhancements in </summary><link rel='related' href='http://debian-hardened.org/' title='Hardened Ubuntu'/><link rel='replies' type='application/atom+xml' href='http://woct-blog.blogspot.com/feeds/110461010950394849/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9881230&amp;postID=110461010950394849' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/110461010950394849'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/110461010950394849'/><link rel='alternate' type='text/html' href='http://woct-blog.blogspot.com/2005/01/hardened-ubuntu.html' title='Hardened Ubuntu'/><author><name>John</name><uri>http://www.blogger.com/profile/04330716591714765149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9881230.post-110456856225388481</id><published>2005-01-01T02:55:00.000-05:00</published><updated>2005-01-09T02:09:59.033-05:00</updated><title type='text'>Spinning a secure setting</title><summary type='text'>
I've been a Hardened Gentoo user for a while. I don't use the full set with SELinux/GrSecurity, Prelude, and whatever else they like to throw at people; but instead use a few basic things like a security hardened gcc that produces PIE binaries with stack smash protection (paper).



It may come as a surprise to you, but these weren't terribly painful for me to get on my system.  I won't say</summary><link rel='related' href='http://lwn.net/Articles/106214/' title='Spinning a secure setting'/><link rel='replies' type='application/atom+xml' href='http://woct-blog.blogspot.com/feeds/110456856225388481/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9881230&amp;postID=110456856225388481' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/110456856225388481'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/110456856225388481'/><link rel='alternate' type='text/html' href='http://woct-blog.blogspot.com/2005/01/spinning-secure-setting.html' title='Spinning a secure setting'/><author><name>John</name><uri>http://www.blogger.com/profile/04330716591714765149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9881230.post-110456576152741468</id><published>2005-01-01T02:10:00.000-05:00</published><updated>2005-01-09T02:10:29.923-05:00</updated><title type='text'>Blogging on Cyberterror</title><summary type='text'>
The Blog on Cyberterror is now up.  This blog is made by the same person who runs the War on Cyberterror Web site, an informational site which attempts to pool together information related to security and security efforts.



The purpose of the Blog on Cyberterror is to give me a place to vent and talk about things going on. This is a very informal setting; I may get into observations that </summary><link rel='related' href='http://woct.sourceforge.net/' title='Blogging on Cyberterror'/><link rel='replies' type='application/atom+xml' href='http://woct-blog.blogspot.com/feeds/110456576152741468/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9881230&amp;postID=110456576152741468' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/110456576152741468'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9881230/posts/default/110456576152741468'/><link rel='alternate' type='text/html' href='http://woct-blog.blogspot.com/2005/01/blogging-on-cyberterror.html' title='Blogging on Cyberterror'/><author><name>John</name><uri>http://www.blogger.com/profile/04330716591714765149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry></feed>
