Everything is a Freaking DNS problem - security http://127.0.0.1:8080/blog/taxonomy/term/814/0 en

Appliance or Not Appliance http://127.0.0.1:8080/blog/appliance-or-not-appliance
<p>That's the question <a href="http://blog.rootshell.be/2011/01/05/security-diy-or-plugnplay/" rel="nofollow">Xavier</a> asks in his blog entry titled<br /> Security: DIY or Plug’n'Play</p>
<p>To me the answer is simple: most of the appliances I have run into so far have no way of configuring them apart from the ugly web GUI they ship with their device. That means that I can't integrate them with the configuration management framework I have in place for the rest of the infrastructure. There is no way to automatically modify e.g. firewall rules together with the relocation of a service (which does happen automatically), and there is always some kind of manual interaction required. Appliances tend to sit on an island: they either stay unmanaged (be honest, when's the last time you upgraded the firmware of that terminal server?), or take a lot of additional effort to manage manually. They require yet another set of tools than the set you are already using to manage your network.<br /> They don't integrate with your backup strategy, and don't tell me they all come with perfect MIBs.</p>
<p>There are other arguments one could bring up against appliances. Obviously people can spread FUD about some organisation allegedly paying people to put backdoors in certain operating systems.. so why would they not pay people to put backdoors in appliances? They don't even need to hide them in there.. But my main concern is manageability.. and only a web GUI to manage the box to me just means that the <a href="http://queue.acm.org/detail.cfm?id=1921361" rel="nofollow">vendor</a> hates me and doesn't want my business</p>
<p>A good appliance (either security or other type) needs to provide me an API that I can use to configure it. In all other cases I prefer a DIY platform, as I can keep it in line with all my other tools: config mgmt, deployment, upgrade strategies etc.</p>
<p>Maybe a last question for Xavier to finish my reply ... I'm wondering how Xavier thinks he can achieve high availability by using a virtual environment for virtual appliances that are not cluster aware using the virtual environment. A fake comfortable feeling of higher availability, maybe.. but High Availability? That I'd like to see.</p>
http://127.0.0.1:8080/blog/appliance-or-not-appliance#comments automation devops infrastructure opensource puppet security Wed, 12 Jan 2011 20:28:58 +0000 Kris Buytaert 1028 at http://127.0.0.1:8080/blog

Call For Abstracts: NLUUG Fall Conference on Security http://127.0.0.1:8080/blog/call-abstracts-nluug-fall-conference-security
<p>For all the security experts: the NLUUG has published its <a href="http://www.nluug.nl/activiteiten/events/nj10/cfp-en.html" rel="nofollow">Call For Abstracts</a> for its Fall conference.. as you might have guessed the topic is Security; we welcome all abstracts tackling security in a broad sense.</p>
<p>Possible topics include:</p>
<p> * cloud security<br /> * online privacy<br /> * RFID hacking<br /> * secure programming<br /> * program analysis tools<br /> * web services security<br /> * web browser security<br /> * embedded hardware hacking<br /> * incident response and forensics<br /> * malware and rootkits<br /> * responsible disclosure<br /> * legal response<br /> * fighting spam<br /> * patch policies<br /> * identity management<br /> * central point of administration<br /> * DNSSEC<br /> * VPN based WANs<br /> * etc.</p>
<p>The NLUUG fall conference is scheduled on 11 November 2010 in De Reehorst in Ede, the Netherlands.</p>
<p>Hint.. maybe a talk on secdevops would be welcomed too :) </p>
<p>Disclaimer: I'm on the program committee</p>
http://127.0.0.1:8080/blog/call-abstracts-nluug-fall-conference-security#comments cfp conference devops nluug secdevops SecOPS security Tue, 01 Jun 2010 17:53:08 +0000 Kris Buytaert 1006 at http://127.0.0.1:8080/blog

Some people just don't get it http://127.0.0.1:8080/blog/some-people-just-dont-get-it
<p>I mean, we are heading towards 2010, some of us have been using Open Source for decades, the Open Source vs Free Software discussion was like last millennium, and we've been doing open source consultancy for over a decade, yet today companies still think their customers are stupid.</p>
<p>Fancy this story on <a href="http://news.zdnet.co.uk/itmanagement/0,1000000308,39760362,00.htm?s_cid=260" rel="nofollow">ZDNet</a> today .. there are actually companies out there claiming that "Bind", because of its FreeWare nature (yes, that's right, you've read FREEWARE; hadn't heard that word for over 5 years..), is less secure than their proprietary offering in the Cloud. So the very nature of their Secure product is offering Security by Obscurity in an insecure environment.</p>
<p>The sad part is that they probably get customers that believe their story, after all it's hosted in the Cloud .. so it must be good, no?</p>
<p>Oh well... <a href="http://twitter.com/mcgoverntheory/status/4312964980" rel="nofollow">James McGovern</a> had a nice comment on that earlier today:</p>
<p>"The goal of the security market is to make money, not to ensure the customer's security"</p>
<p>I'll keep my security infrastructure <a href="http://en.wikipedia.org/wiki/Open-source_software" rel="nofollow">Open</a>, thank you very much</p>
<p>But after all everything is a fine DNS Problem ...</p>
http://127.0.0.1:8080/blog/some-people-just-dont-get-it#comments bind dnsproblem morons obscurity opensource security Wed, 23 Sep 2009 19:14:07 +0000 Kris Buytaert 937 at http://127.0.0.1:8080/blog

Fun with Google Docs URLs http://127.0.0.1:8080/blog/fun-google-docs-urls
<p>I'm not a big user of docs.google.com, but occasionally I use it to share a public document to work on with friends or colleagues.</p>
<p>So we have this spreadsheet we're sharing with some family and friends to swap Disney stickers. Google Docs has the option to publish that document publicly as HTML for others to view.</p>
<p>So I tried, and it generated me a very nice URL</p>
<p><a href="http://spreadsheets.google.com/pub?key=rtlvf2-JSU1Pw-oPtuIZBPg&amp;output=html&amp;gid=0&amp;single=true&amp;range=A1:C300" title="http://spreadsheets.google.com/pub?key=rtlvf2-JSU1Pw-oPtuIZBPg&amp;output=html&amp;gid=0&amp;single=true&amp;range=A1:C300" rel="nofollow">http://spreadsheets.google.com/pub?key=rtlvf2-JSU1Pw-oPtuIZBPg&amp;output=ht...</a></p>
<p>My sleepy eye caught the A1:C300 ending part .. which was generated by the friendly popup that asked me if I wanted to show all sheets, or just a range of the page.</p>
<p>Dare I paste that URL into another browser and change the range? Like changing the range from A1:C300 to A1:D300?</p>
<p>Surprise surprise .. that worked! I could perfectly see the content of the other cells. </p>
<p>Apart from pointing to the Google API, the popup doesn't really mention that publishing only a range won't restrict the actual viewing of the other data.</p>
<p>I can imagine some less technically savvy people would expect the rest of their data is secure... Well, obviously it's not!<br /> Not sure if Google does this on purpose, or by accident.</p>
<p>If it stops working next week it was by accident :)</p>
http://127.0.0.1:8080/blog/fun-google-docs-urls#comments docs.google google googledoocs security url mangling Fri, 15 May 2009 18:16:22 +0000 Kris Buytaert 909 at http://127.0.0.1:8080/blog

Security in Belgium http://127.0.0.1:8080/blog/security-belgium
<p>With <a href="http://bart.vanherreweghe.com/" rel="nofollow">reports</a> about Belgium being the 3rd most insecure country in the world, only being beaten by Russia and China, and our nice country featuring <a href="http://www.wired.com/politics/law/magazine/17-04/ff_diamonds?currentPage=1" rel="nofollow">in Wired</a> with what could be the plot for Ocean's 17 ... </p>
<p>Maybe it's time to refocus my career a bit more on security again ... </p>
<p>Just maybe ...</p>
http://127.0.0.1:8080/blog/security-belgium#comments diamonds sad security Mon, 16 Mar 2009 21:14:03 +0000 Kris Buytaert 887 at http://127.0.0.1:8080/blog

Conference Time http://127.0.0.1:8080/blog/conference-time
<p>Grab your calendars and mark the following dates: </p> <ul> <li> <a href="http://www.t-dose.org/t-dose/node/122" rel="nofollow">T-Dose 2009</a> will be held on 3 and 4 October in Eindhoven again. <p>Last year we had a nice Drupal track, some great MySQL talks, a great unplanned Cloud talk, and various other interesting talks, so this year promises also to be very interesting.<br /> (PS. Drupal themers.. you might want to propose a new theme for the T-Dose site, who knows, you'll even win something) </p> </li><li>For the first time, 2009 will be the year that Belgium will have its own Security Conference: <a href="http://brucon.be/" rel="nofollow">BruCon</a> has just announced <a href="http://rationalsecurity.typepad.com/blog/" rel="nofollow">Christofer Hoff</a> as a keynote speaker. BruCon will take place on 18 and 19 September... obviously in Brussels ;) </li><li>While we mention VirtSec I obviously should plug my own upcoming VirtSec talk at the <a href="http://www.lsec.be/index.php/whats_happening/event/secure_virtualization_seminar/" rel="nofollow">LSec</a> Secure Virtualization seminar on next Friday the 13th </li></ul>
http://127.0.0.1:8080/blog/conference-time#comments conferences drupal mysql open source security t-dose virtsec Sun, 01 Mar 2009 20:22:52 +0000 Kris Buytaert 883 at http://127.0.0.1:8080/blog

Codebreakers http://127.0.0.1:8080/blog/codebreakers
<p><a href="http://twitter.com/fredegre" rel="nofollow">@fredegre</a> sent me a mail to tell me about the <a href="http://www.lsec.be/index.php/whats_happening/event/codebreakers_and_enigmas_special_event/" rel="nofollow">L-SEC Codebreakers and Enigmas - Special Event</a>; given the lineup I couldn't resist registering for the event ..</p>
<p>Security heroes like <a href="http://www.schneier.com/" rel="nofollow">Bruce Schneier</a>, <a href="http://en.wikipedia.org/wiki/Adi_Shamir" rel="nofollow">Adi Shamir</a>, <a href="http://en.wikipedia.org/wiki/Ron_Rivest" rel="nofollow">Ron Rivest</a> and of course our <a href="http://en.wikipedia.org/wiki/Bart_Preneel" rel="nofollow">local experts</a>...</p>
<p>Should be interesting </p>
<p>Cya there ..</p>
http://127.0.0.1:8080/blog/codebreakers#comments adi shamir bruce schneier encryption events l-sec ron rivest rsa security Wed, 11 Feb 2009 14:38:44 +0000 Kris Buytaert 877 at http://127.0.0.1:8080/blog

How to suck at Security http://127.0.0.1:8080/blog/how-suck-security
<p>There is this great post over at <a href="http://isc.sans.org/diary.html?storyid=5644" rel="nofollow">sans.org</a>, Teaching people how to suck at Security (actually a reprint of <a href="http://www.zeltser.com/security-management/suck-at-security-cheat-sheet.html" rel="nofollow">this post</a>).</p>
<p>Especially the remarks about security tools ..<br /> On how not to implement them or how to neglect configuring them; after all the default values must be secure enough.</p>
<p>However, my favorite:<br /> <cite><br /> Hire somebody just because he or she has a lot of certifications.<br /> </cite><br /> I'd write Vendor Certifications however .. as independent certifications might have some use.. but if I'm looking for a security guy and he starts talking to me about his product certifications, something is wrong..</p>
<p>Remember, security is a lifestyle, not a product you can buy ..</p>
http://127.0.0.1:8080/blog/how-suck-security#comments certification false feeling of security life style security Sun, 18 Jan 2009 13:05:03 +0000 Kris Buytaert 859 at http://127.0.0.1:8080/blog

Major DNS Update http://127.0.0.1:8080/blog/node/681
<p>A lot of discussion is going on around yesterday's major DNS upgrade push.<br /> Is it needed, is it overkill, are we fixing a new hot flaw or just reiterating over a <a href="http://www.ietf.org/rfc/rfc3833.txt" rel="nofollow">4 year old RFC</a>?</p>
<p>Yes, Dan from DJB DNS already told us <a href="http://cr.yp.to/djbdns/forgery-cost.txt" rel="nofollow">ages ago</a> .. but Dan isn't the most loved person on the planet. Now as long as he doesn't head in the direction of that other unpopular filesystem guy :)</p>
<p>Anyhow .. CVE information is <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447" rel="nofollow">here</a> and you can read up on some more background <a href="http://securosis.com/2008/07/08/dan-kaminsky-discovers-fundamental-issue-in-dns-massive-multivendor-patch-released/" rel="nofollow">at Securosis</a></p>
<p>Add to that the fresh release of <a href="http://ostatic.com/162565-blog/unbound-wants-to-challenge-the-dns-monoculture" rel="nofollow">Unbound</a> and security is back in style, just like <a href="http://rationalsecurity.typepad.com/" rel="nofollow">Chris Hoff</a> said during the <a href="http://virtualization.com/interviews-interview-talk/2008/06/11/quotes-from-our-upcoming-story-on-virtsec/" rel="nofollow">VirtSec</a> debate:</p>
<p>“To me, security is like bell bottoms, every 10-15 years or so, it comes back into style.”</p>
http://127.0.0.1:8080/blog/node/681#comments djbdns dns security unbound Thu, 10 Jul 2008 18:48:11 +0000 Kris Buytaert 681 at http://127.0.0.1:8080/blog

Virtsec, a real problem, or surfing on the hype? http://127.0.0.1:8080/blog/node/674
<p>Yesterday I took part in an interesting <a href="http://www.stacksafe.com/blog/virtualization-security-hits-center-stage/06/04/2008/" rel="nofollow">conf call</a> with different Virtualization Security Industry leaders and Analysts</p>
<p>I'll be processing the confcall logs and publish them over at <a href="http://virtualization.com/" rel="nofollow">Virtualization.com</a></p>
http://127.0.0.1:8080/blog/node/674#comments security virtsec virtualization Thu, 05 Jun 2008 18:38:38 +0000 Kris Buytaert 674 at http://127.0.0.1:8080/blog