Jan 12 2011

Appliance or Not Appliance

That's the question Xavier asks in his blog entry titled
Security: DIY or Plug’n'Play

To me the answer is simple: most of the appliances I have run into so far have no way of configuring them apart from the ugly web GUI they ship with the device. That means I can't integrate them with the configuration management framework I have in place for the rest of the infrastructure. There is no way to automatically modify e.g. firewall rules together with the relocation of a service, which does happen automatically, so there is always some kind of manual interaction required. Appliances tend to sit on an island: they either stay unmanaged (be honest, when's the last time you upgraded the firmware of that terminal server?) or take a lot of additional effort to manage manually. They require yet another set of tools on top of the set you are already using to manage your network.
They don't integrate with your backup strategy, and don't tell me they all come with perfect MIBs.

There are other arguments one could bring up against appliances. Obviously people can spread FUD about some organisation allegedly paying people to put backdoors in certain operating systems, so why would they not pay people to put backdoors in appliances? They don't even need to hide them in there. But my main concern is manageability, and only a web GUI to manage the box to me just means that the vendor hates me and doesn't want my business.

A good appliance (security or any other type) needs to provide me an API that I can use to configure it; in all other cases I prefer a DIY platform, as I can keep it in line with all my other tools: config management, deployment, upgrade strategies etc.

Maybe a last question for Xavier to finish my reply ... I'm wondering how Xavier thinks he can achieve high availability by using a virtual environment for virtual appliances that are not cluster aware using the virtual environment. A fake comfortable feeling of higher availability, maybe... but high availability? That I'd like to see.

Jun 01 2010

Call For Abstracts : NLUUG Fall Conference on Security

For all the security experts: the NLUUG has published its Call For Abstracts for its Fall conference. As you might have guessed the topic is Security; we welcome all abstracts tackling security in a broad sense.

Possible topics include:

* cloud security
* online privacy
* rfid hacking
* secure programming
* program analysis tools
* web services security
* web browser security
* embedded hardware hacking
* incident response and forensics
* malware and rootkits
* responsible disclosure
* legal response
* fighting spam
* patch policies
* identity management
* central point of administration
* DNSsec
* VPN based WANs
* etc.

The NLUUG fall conference is scheduled on 11 November 2010 in De Reehorst in Ede, the Netherlands.

Hint.. maybe a talk on secdevops would be welcomed too :)

Disclaimer: I'm on the program committee

Sep 23 2009

Some people just don't get it

I mean, we are heading towards 2010, some of us have been using Open Source for decades, the Open Source vs Free Software discussion was like last millennium, and we've been doing open source consultancy for over a decade, yet today companies still think their customers are stupid.

Fancy this story on ZDNet today .. there are actually companies out there claiming that "Bind", because of its FreeWare nature (yes, that's right, you've read FREEWARE; hadn't heard that word for over 5 years..), is less secure than their proprietary offering in the Cloud. So the very nature of their Secure product is offering Security by Obscurity in an insecure environment.

The sad part is that they probably get customers that believe their story; after all it's hosted in the Cloud .. so it must be good, no?

Oh well... James McGovern had a nice comment on that earlier today:

"The goal of the security market is to make money, not to ensure the customer's security"

I'll keep my security infrastructure Open, thank you very much

But after all, everything is a fine DNS problem ...

May 15 2009

Fun with Google Docs Urls

I'm not a big user of , but occasionally I use it to share a public document to work on with friends or colleagues.

So we have this spreadsheet we're sharing with some family and friends to swap Disney stickers. Google Docs has the option to publish that document publicly as html for others to view.

So I tried, and it generated me a very nice url

My sleepy eye caught the A1:C300 ending part .. which was generated by the friendly popup that asked me if I wanted to show all sheets, or just a range of the page.

Dare I paste that URL into another browser and change the range? Like changing the range from A1:C300 to A1:D300?

Surprise, surprise .. that worked! I could perfectly see the content of the other cells.

Apart from pointing to the Google API, the popup doesn't really mention that publishing only a range won't restrict the actual viewing of the other data.

I can imagine some less technically savvy people expect the rest of their data to be secure... Well, it obviously isn't!
Not sure if Google does this on purpose, or by accident.

If it stops working next week it was by accident :)
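The behaviour described above, as an added example that is not Google's code: the range chosen in the publish dialog has to be enforced server-side as a subset check, otherwise editing the range in the URL widens what is returned. The two-row sticker sheet, `PUBLISHED_RANGE`, `serve_weak` and `serve_hardened` are all constructed for this illustration.

```python
import re
# Added illustration (not Google's code): the range chosen in the publish dialog
# must be enforced as an authorisation boundary on the server, not trusted from the URL.
# Constructed sample sheet: columns A..C are meant to be public, column D is not.
SHEET = {
    "A1": "Sticker", "B1": "Have", "C1": "Want", "D1": "Private note",
    "A2": "#001",    "B2": "2",    "C2": "0",    "D2": "gift for Tom",
}
PUBLISHED_RANGE = "A1:C300"  # what the owner selected when publishing

def col_index(letters: str) -> int:
    """A1-style column letters to a 1-based index (A=1, Z=26, AA=27)."""
    n = 0
    for ch in letters:
        n = n * 26 + ord(ch) - ord("A") + 1
    return n

def parse_range(rng: str):
    """'A1:C300' -> (col_lo, row_lo, col_hi, row_hi); rejects malformed input."""
    m = re.fullmatch(r"([A-Z]+)(\d+):([A-Z]+)(\d+)", rng)
    if not m:
        raise ValueError(f"bad range: {rng}")
    c1, r1, c2, r2 = m.groups()
    return col_index(c1), int(r1), col_index(c2), int(r2)

def within(requested: str, published: str) -> bool:
    """True only if every cell of `requested` lies inside `published`."""
    qc1, qr1, qc2, qr2 = parse_range(requested)
    pc1, pr1, pc2, pr2 = parse_range(published)
    return pc1 <= qc1 <= qc2 <= pc2 and pr1 <= qr1 <= qr2 <= pr2

def cells_in(rng: str) -> dict:
    """Cells of SHEET that fall inside `rng`."""
    c1, r1, c2, r2 = parse_range(rng)
    out = {}
    for ref, val in SHEET.items():
        m = re.fullmatch(r"([A-Z]+)(\d+)", ref)
        if c1 <= col_index(m.group(1)) <= c2 and r1 <= int(m.group(2)) <= r2:
            out[ref] = val
    return out

def serve_weak(requested: str) -> dict:
    """What the post observed: the range in the URL is honoured as-is."""
    return cells_in(requested)

def serve_hardened(requested: str) -> dict:
    """Fix: any range that is not a subset of the published one is refused."""
    if not within(requested, PUBLISHED_RANGE):
        raise PermissionError("requested range exceeds the published range")
    return cells_in(requested)
```

With `serve_weak`, widening A1:C300 to A1:D300 in the URL returns the D column; `serve_hardened` raises instead, because the published range, not the URL, decides what is visible.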

Mar 16 2009

Security in Belgium

With reports about Belgium being the 3rd most insecure country in the world, only beaten by Russia and China, and our nice country featuring in Wired with what could be the plot for Ocean's 17 ...

Maybe it's time to refocus my career a bit more on security again ...

Just maybe ...

Mar 01 2009

Conference Time

Grab your calendars and mark the following dates:

  • T-Dose 2009 will be held on 3 and 4 October in Eindhoven again.

    Last year we had a nice Drupal track, some great MySQL talks, a great unplanned Cloud talk, and various other interesting talks, so this year promises to be very interesting too.
    (PS. Drupal themers.. you might want to propose a new theme for the T-Dose site, who knows, you might even win something)

  • For the first time, 2009 will be the year that Belgium has its own security conference. BruCon has just announced Christofer Hoff as a keynote speaker; BruCon will take place on 18 and 19 September... obviously in Brussels ;)
  • While we mention VirtSec I obviously should plug my own upcoming VirtSec talk at the LSec Secure Virtualization seminar next Friday the 13th

Feb 11 2009


@fredegre sent me a mail to tell me about the L-SEC Codebreakers and Enigmas Special Event; given the lineup I couldn't resist registering for the event ..

Security heroes like Bruce Schneier, Adi Shamir, Ron Rivest and of course our local experts...

Should be interesting

Cya there ..

Jan 18 2009

How to suck at Security

There is this great post over at Teaching people how to suck at Security (actually a reprint of this post).

Especially the remarks about security tools ..
On how not to implement them or how to neglect configuring them; after all, the default values must be secure enough.

However, my favorite:

Hire somebody just because he or she has a lot of certifications.

I'd write Vendor Certifications however .. as independent certifications might have some use.. but if I'm looking for a security guy and he starts talking to me about his product certifications, something is wrong..

Remember, security is a lifestyle, not a product you can buy ..

Jul 10 2008

Major DNS Update

A lot of discussion is going on around yesterday's major DNS upgrade push.
Is it needed, is it overkill, are we fixing a new hot flaw or just reiterating over a 4 year old RFC?

Yes, Dan from djbdns already told us ages ago .. but Dan isn't the most loved person on the planet. Now as long as he doesn't head in the direction of that other unpopular filesystem guy :)

Anyhow .. CVE information is here and you can read up on some more background at Securosis

Add to that the fresh release of Unbound, and security is back in style, just like Chris Hoff said during the VirtSec debate:

“To me, security is like bell bottoms, every 10-15 years or so, it comes back into style.”

Jun 05 2008

VirtSec, a real problem, or surfing on the hype?

Yesterday I took part in an interesting conf call with different Virtualization Security industry leaders and analysts.

I'll be processing the conf call logs and publish them over at