Essentially, a computer science student was developing an app to help students look at their college records when he discovered a security flaw that gave him access to more information than he should have been able to see. He reported the flaw to the college, which opened a can of worms resulting in his expulsion. The story reports that the offense was his use of a security tool against the college servers, which they regarded as an attack.
Is this justified? He did come forward with his findings and didn't seem to be trying to hide what he was doing from the college. I have personally been guilty of letting my curiosity go a little too far and doing an inadvertent test of my company's security. I was thanked for demonstrating that the security worked and told never to do it again. (It was the first time that I'd ever run a port scanner, nmap.)
Cyber security is a big deal. A quick glance at the IBM Security Solutions list shows a vast array of solutions for various situations. As more and more of our world goes digital and virtual we are much more likely to be victims of cyber crime than physical ones... and those crimes are potentially more impactful. Good security can't rely on obfuscation. You have to be able to know something is there and still not be able to get it. I imagine that those who safeguard the most sensitive information have a number of sleepless nights as the tools available to the average hacker become more sophisticated. Of course, the vast majority of hackers are as Ahmed (the man in our story) claims to be. They are technology enthusiasts who want to see things work well and eliminate mediocrity when they find it. Of course, some of that crowd feels that the lesson needs to be humiliating to be effective, which tends to attract more anger than solutions.
Are any of my readers amateur security sleuths? If you found a vulnerability would you feel comfortable in bringing it forward? Does our current anti-terrorism climate create a harsher environment for the good guys?
I caught an article today: "Linux users targeted by mystery drive-by rootkit". I stand by my belief that Linux is the most secure environment that I have used, and I enjoy the freedom from many of the security issues that friends experience. However, it would be ridiculous to imagine that Linux, or any environment, is immune from attack.
You probably already know the security basics. Don't hang out at weird websites and let anything and everything run. Use things like Adblocker in Firefox to help cut out little scripts and things that you don't want to run. When things pop up saying would you like to install or run something that you don't understand, don't click "Yes". How do you know you're OK, though?
First, pay attention! You can tell when your system is not behaving normally. When the network seems clogged or processes start getting chunky that could be a sign that things are running on your system that you don't know about. Don't ignore that. Do something about it.
The first step is to look at the processes that are running. In Linux a basic ps aux will give you information about what is running. If you tinker a lot, like I do, you may get all kinds of things turned on when you installed them to play with them. The other day I noticed that I had a web server and two database servers that had been left active after playing around with them. Often when you install that kind of software it will set itself to automatically start. These are the kinds of things that can create danger for you if you don't realize they are running.
For seeing how the system resources are running, top is a good quick check. It is a console-based system monitor that will show you what is using resources on your machine. Here's a sample:
Based on my snapshot my audio and firefox are the biggest pigs. I also note that I have mongod running, which is a database engine that I thought I had disabled. It may be that something is using it, or I may not have shut it off correctly. I need to look into that. As a "basic user" I probably don't need to know about all of these processes... but as a "technical user" I really should understand them, at least well enough to know that they are normal.
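The "know what's normal" check described above can be automated: take a ps aux snapshot, pull out the command name of each process, and flag anything not in a baseline you wrote down when the machine was in a known-good state. The following is an added example (not from the original post) that parses a constructed ps aux snapshot embedded in the script; the EXPECTED_DAEMONS set and the sample rows are assumptions, and the mongod row is there to mirror the surprise in the paragraph above.

```python
import subprocess

# Constructed sample of `ps aux` output (assumption: not the author's real snapshot).
SAMPLE_PS_OUTPUT = """\
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.0  0.1  24052  2152 ?        Ss   09:00   0:01 /sbin/init
root         612  0.0  0.2  45300  4112 ?        Ss   09:00   0:00 /usr/sbin/sshd -D
mongodb      788  1.2  3.4 812344 69540 ?        Sl   09:00   2:13 /usr/bin/mongod --config /etc/mongodb.conf
user        2040 12.5  9.8 1543208 201332 ?      Sl   09:05  14:22 /usr/lib/firefox/firefox
user        2101  3.1  1.0 302112 20104 ?        S<l  09:05   1:05 /usr/bin/pulseaudio --start
"""

# Baseline of what this box is supposed to run (assumption: replace with your own list,
# written down while the system was in a known-good state).
EXPECTED_DAEMONS = {"init", "sshd", "pulseaudio", "firefox"}


def parse_ps(output):
    """Turn `ps aux`-style text into dicts; COMMAND may contain spaces, so split at most 10 times."""
    rows = []
    for line in output.strip().splitlines()[1:]:  # skip the header row
        fields = line.split(None, 10)
        if len(fields) < 11:
            continue
        rows.append({
            "user": fields[0],
            "pid": int(fields[1]),
            "cpu": float(fields[2]),
            "mem": float(fields[3]),
            "command": fields[10],
        })
    return rows


def basename(command):
    """'/usr/bin/mongod --config ...' -> 'mongod'."""
    return command.split()[0].rsplit("/", 1)[-1]


def unexpected_processes(output, expected=EXPECTED_DAEMONS):
    """Processes whose executable name is not in the baseline."""
    return [p for p in parse_ps(output) if basename(p["command"]) not in expected]


def top_consumers(output, n=2, key="cpu"):
    """The n heaviest processes by %CPU (or %MEM)."""
    return sorted(parse_ps(output), key=lambda p: p[key], reverse=True)[:n]


def live_ps():
    """Run the real `ps aux` on this machine (Linux/BSD-style ps assumed)."""
    return subprocess.run(["ps", "aux"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Use the constructed snapshot; swap in live_ps() to inspect the running box.
    snapshot = SAMPLE_PS_OUTPUT
    for p in unexpected_processes(snapshot):
        print(f"unexpected: pid={p['pid']} user={p['user']} cmd={p['command']}")
    for p in top_consumers(snapshot):
        print(f"top: {basename(p['command'])} cpu={p['cpu']}% mem={p['mem']}%")
```

A process that has been hidden by a rootkit will not appear in ps at all, so this only catches the less stealthy cases; it is a spot check, not a substitute for the rootkit tools discussed below.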
Dealing with root kits and other nasties
Keeping an eye on all of your running processes is probably not what you want to do. It's good to know that you can spot check when things are misbehaving, but you want to be proactive and stop things before they start. Here are a few things that might help.
Clam Antivirus — Clam was the first anti-virus software that I discovered for Linux. It runs on other platforms as well and seems to be pretty good stuff. Clam does what any antivirus system does. It scans files and compares them with signatures of known viruses. Of course, the value is only as good as the definitions. Clam definitions seem to be updated pretty regularly and it's easy to automate the process. At the very least you should have something like this available. Admittedly, the only virus files that I've ever found with this have been dormant Windows viruses that someone sent me in emails... but it's good to know that.
chkrootkit – This is a common tool available throughout Linux distributions. It looks for a number of common exploits and reports issues.
rkhunter – another popular root kit detector that was available through the Ubuntu repositories. This tool works best if you install it onto a "clean" system, i.e. one that you know is uninfected. Ideally you would set it up immediately after installing the operating system and let it initialize. rkhunter looks for unexpected changes to system files and alerts you to possible mischief.
Of course, if you are serious about digging into root kit detection, you will want to look deeper than just running a tool. Here is an excellent article on Symantec's web site: "Detecting Rootkits And Kernel-level Compromises In Linux" which goes into quite a bit of detail about the technical side of this sort of forensics.
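The principle behind rkhunter's "install it on a clean system, then watch for changes" advice is a file-integrity baseline: hash every file you care about while the system is known-good, store the hashes, and later re-hash and diff. The following is an added example (not rkhunter's code and not from the original post) that builds such a baseline with SHA-256 and reports added, removed and modified files; the demo() function constructs a throwaway directory tree and tampers with it so the comparison has something to find.

```python
import hashlib
import json
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (path relative to root) to its SHA-256."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):  # hash real files only; a link's target is hashed at its own path
                continue
            baseline[os.path.relpath(full, root)] = sha256_of(full)
    return baseline


def save_baseline(baseline, path):
    """Persist the baseline as JSON; keep this copy off-box or on read-only media."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Diff two baselines: what appeared, what vanished, what changed contents."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: snapshot a clean tree, then replace a 'binary' and drop a new file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original ls binary (constructed sample)")
        with open(os.path.join(root, "passwd"), "wb") as f:
            f.write(b"root:x:0:0:root:/root:/bin/bash\n")

        baseline_file = os.path.join(root, "..", "baseline.json")
        save_baseline(build_baseline(root), baseline_file)

        # Simulate tampering after the baseline was taken.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"replaced ls binary (constructed sample)")
        with open(os.path.join(root, "bin", "dropped"), "wb") as f:
            f.write(b"file that was not there before")

        result = compare(load_baseline(baseline_file), build_baseline(root))
        os.remove(baseline_file)
        return result


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two things matter for this to be worth anything: the baseline must be taken before anything untrusted has run, and it must be stored somewhere the system being checked cannot silently rewrite. A kernel-level rootkit can also lie to the hashing process about file contents, which is why the article linked above goes deeper than file hashes.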
Cyber attacks seem to be the way of the future. No one is immune, but you can make yourself less of a target. Some say that eternal vigilance is the price of freedom, and this probably goes for software too.
Clearly people did not get as excited as I did about the Bossies, the Open Source Software awards, that I wrote about in my last entry. Perhaps it's just not very compelling, or perhaps there is just a general lack of curiosity in such things.
I've had my world shaken and stirred a little with recent events-- in a good way. The first has been my involvement in developing a Knowledge Path for System Z (mainframes) where I have had to dive a little bit into that mysterious world. I remember when I worked at the Texas Lottery Commission and the mainframe guys were "over there". The operators were pretty decent, but the admins were scary dudes.
Picture a scene from an old Clint Eastwood spaghetti western. The sysadmin is dressed in black, with an ornate, but well-used six gun prominently displayed on his hip. I wander up as a wide-eyed kid dressed like Huckleberry Finn. "How do I learn more about the mainframe?" I would ask.
This is met with either a steely-eyed stare as the sysadmin says through clenched teeth "You don't... and pray never have to." He then strides away, the wind whipping his long coat around him, but miraculously having no effect on his hat. Later, there are gunshots.
It has been very nice to come into contact with much less scary people in the mainframe world. People who are excited about mainframes and who reward curiosity, but it is still a precious and rare resource and there are many gateways. It's a shame, because there are many interesting ways in which a mainframe could take the place of a number of computing resources, consolidating them together. Imagine a Bring Your Own Device (BYOD) world where I don't have to worry so much about your device being completely secure because I'm not actually running my software there... I'm providing a central resource and using your device as a fancy terminal. How could that make a difference?
In any case, this is very exciting to me and I'm enjoying the chance to see the outstanding engineering that makes the System Z what it is. It is amazing that people were able to think things through so completely... a vast difference from today's rush to market.
The other thing I am working with is a group of high school students in a security contest called CyberPatriot. The idea is to get kids interested in technology to have a greater appreciation for how computer security works. I'm a mentor in the group, drawn in because of my Linux background. (Apparently the team was hit with an Ubuntu image last year and they were very confused by being met with a console prompt and a blinking cursor.) It's been interesting, but so far all of the samples have been Windows-based... forcing me to dust off some of my brain cells, since I haven't really had to administer Windows machines with any seriousness for a while now! (There are advantages to being a long-haired techno-freak.)
One of the things that has intrigued me is the difference between how young people approach technology today and how I remember approaching it in my youth. I suppose that part of working with technology in the Eighties was that you really had to know how to make things work or it didn't. Windows was a ways off yet and the blinking cursor on my Commodore 64 or the school's Apple IIe (or the TRS80s) gave you no comfort, no clues as to what to do next. You really had to know something about the moving parts. Interestingly, many of those parts are still there, but buried within all the menus and icons.
It intrigues me that some of these students, who are clearly clever and interested in technology, seem to be experiencing these moving parts for the first time. Ports and processes were always a part of my computing world. Some of them seem to be discovering these things for the first time. How is that possible? All of them embrace the knowledge eagerly and they are doing great, but it amazes me that one could learn about technology without developing an understanding about how these things work... especially if you are more of a techie type.
Curiosity is one of our most valuable assets as humans. We have always dug deeper as a species, finding out how things work and new ways to apply what we learn. We take things apart. We invent. We misapply what we know in wonderful ways to create new discoveries. It seems to me that some of this curiosity is waning. We seem to be waiting for experts to tell us what to do. Experts are great, but how do you know if they're right unless you've tried on your own?
I encourage everyone to try to dig a little deeper into technology. Don't let anyone tell you that you don't need to understand something and that it will all be handled by "top men", especially in these BYOD days! What you don't know can be used to exploit you in so many ways. Bad guys use it to steal your information and resources. Employers use it to make you give up your Facebook information and spy on your personal computers and phones. Governments and commercial interests use it to accumulate information about you and game you. I don't mean to be alarmist and I think that much of this is done with good intentions... but you can't defend yourself or make your own decisions unless you engage a little.
Technology is our servant. We should all be able to take advantage of mainframes or keep our email safe from bad guys. Solutions are there for the using, but we have to be curious and we have to not take "No" for an answer. Go do a search right now for a technical topic that you don't understand but would like to. The first two or three things may be way over your head, but you will find something that introduces it to you correctly. (Don't be surprised if some of the better ones are on developerWorks.) Dig, learn, play, ask questions, get answers. You will be amazed at what you can find and do.
Before I get to the BOSSies (Best Open Source Software awards), I saw this article today: "Brand-new hardware -- now with malware pre-installed!" That's a terrific time saver! Imagine being able to participate in denial of service (DoS) attacks and SPAM propagation without all the pesky poking around in malicious web sites.
The author concludes that you should stick to the big players when buying hardware. I conclude that you should always take control of your own security. That's why I like building things from scratch and why the first thing I do when I get a system is erase the drive and load Linux. With the way things are today, manufacturing and assembly spread all over the world, you should make no assumptions about your system when you get it. Do some verifications on your own.
The BOSSies are in, and the winners are...
Every year, InfoWorld presents the BOSSies, awards for the Best Open Source Software in a variety of categories. While this is as scientific as about any awards system out there (which is to say not very), it is a great way to see what's making waves in the Open Source world. I get validation on things I already use and introductions to stuff I haven't yet discovered.
These are presented as slide shows, which is a little annoying. Here are the winners:
WordPress and Joomla are my two default content management environments for quick web sites. I want to like Drupal, but have just not had as much success with it. I'll keep tinkering, though. Typo3 looked interesting too.
I've worked with SugarCRM and liked it. Right now I don't have as much need, but if I have to do that sort of tracking again I will likely make use of it. vTiger might also be worth a look. I may also be tinkering with Magento for some things.
I'm perpetually curious about accounting systems. I'll probably look at FrontAccounting.
I'm also curious about Diaspora. There were several other tools that looked really interesting but dealt with situations outside of my world.
I've heard quite a bit about OpenStack. I don't know that I'll get to do much with it, but it intrigues me. CloudStack as well. We've had a little article coverage on Cloud Foundry, so I will probably look at it too. Lots of options!
Puppet seems like my style. I may actually have a project where it could be useful. I'm curious about Juju and Chef as well. I'm intrigued about deployment automation since I oversaw the Y2K rollout at the Texas Lottery Commission.
OpenRemote is intriguing and may offer some solutions to problems unique to my household.
Fun gaming options in 0 A.D., Warzone 2100 and Stella. Naev also reminds me of a game I used to play on my Commodore 64. I can't remember its name, but I enjoyed it quite a bit. (I'm sure someone will remind me. It's just on the edge of my memory.)
I love Calibre, using it with my Kindle, and my Sony Book Reader before that. Outstanding application. Be warned, it gets an update constantly. I wish they would set it up to auto-update and save me the trouble.
An Arduino kit is sitting, waiting for my attention. I really want to play with it. Upcoming articles about that too.
I'll probably check out Lightworks as well when the Linux version is available.
I have no idea if you have heard about this. Sometimes there are things that I think are wide-spread news that others have never seen. (Of course, people are shocked when I don't know who won American Idol.) Recently, technical writer Matt Honan was hacked, hard. They destroyed all of the data on his laptop, his iPad and his cloud storage, apparently as part of the road to playing around with his Twitter account. The attack took advantage of his doing what we all do, having some alignment between our accounts in different places, and using the differences between the different organizations' policies to get inside. Once they are in one, it's easier to get into the others. It's similar to the ideas in this World War II cartoon about keeping secrecy. (WARNING: This video is a reflection of its time and contains some caricatures which are inflammatory and frankly racist. I show it for its historical context and the lesson it discusses about how people can piece together bits of information. Not only does this video not express IBM's opinions, it doesn't even express my own... but it does show how long these ideas of security have been around.)
Matt's story is unsettling. It is regrettable on so many levels. I imagine that the companies involved especially regret that it happened to a technical writer.
So, what does it mean to you and me? It means that it's time to get serious about security. We have to get serious about our own security because if something slips it is our memories and our creations that are lost forever. That's just too hard to consider.
Security = inconvenience
The first thing we need to accept is that any level of security demands a certain level of inconvenience. I'm not talking about the security theatre that we experience at the airport. I'm talking about things like having to type in a password every time you want to use your computer. I'm talking about having to change your security codes periodically and making them long and complex. These things are requirements for modern security. Just like you have to take time to unlock your door and maybe disarm the security system, you are going to have to take a few extra steps.
The first step that I have taken is to make all of my passwords a significant length. I've set them to 25 characters for all that can accept it. Anything that doesn't go up to 25 I take to the maximum it will take. I'm using a mixture of upper- and lower-case letters with numbers and special characters. I am enforcing my own policy of changing these at least every three months. I have made all of my passwords completely different from each other. This is a huge pain... but until there is some sort of biometric standard that will apply just to me, I have no choice.
Crank up the security
Do you have all of the verification policies turned on that are available? Do you grumble when someone asks to see your ID? Take a look at the options available to you and see what else you can do. For example, Google has a 2-step verification which authorizes access by device. When you use a browser, or certain other apps, Google will send a numeric code to you by phone. This code must be entered or you may not access your Google tools through that device. For things which cannot use this process Google creates an application-specific password for that application and device.
On my account, I had to set up my long password on my Google account and verify it in the browser, and separately in the browser on my phone. I also had to enter a separate password for the GMail app on phone, Thunderbird on my laptop and my instant messaging software. I only need to do this once, but I'll have to recycle them later on when I do my password revisions.
I need to review my options on Facebook. For now, at least, I have significant passwords on them. Of course, using truly secure passwords has caused me to need a password manager. I'm using keepass because it is available in Linux and Android and I have a way to share the database between devices. My database encryption password is also significant (20+ characters), and something I have to remember and type in each time I need to access the passwords. It will also need to change periodically, which will be a pain. Right now, though, I'm betting that I have less chance of someone hacking my password manager database than I do a company accidentally dumping my information over the Internet or allowing themselves to be socially engineered into compromising my account.
Could we do better?
We could absolutely do better in our security! The standards and tools for doing good security are available. In many cases, regular application of what is freely available could make a difference. Key-based authentication with a biometric as the password would allow me to control my keys, have different keys for different purposes and never have to remember anything. The protocols for key exchange already exist. It could work.
It's not going to happen that way, though. There are too many people who don't want to understand these things and don't want to be bothered. Companies and governments do ultimately do what they are directed-- but often in a "malicious genie" sort of way. "OK. You wish for a mountain of gold, which falls from the sky and buries you."
We need to be more demanding about the protection of our accounts and identities. We need to be more tolerant of the process required to verify our identities and we need to be willing to actively participate in the process. I'm guessing that overall there is more money to be made by everyone for fraud than there is for security which works... which is a real shame.
I hope you'll consider what happened to Matt, and what you would do if it happened to you. Now... how are you going to prevent it, and how are you going to teach the others?
I've still been fighting to get my life back to normal after SXSW 2012. If you missed out on all of that you can still catch up on the action from the developerWorks team at the developerWorks SXSW Adventure 2012. I've also uploaded my live video broadcasts from that week onto my YouTube channel. There will be more broadcasts in the future. Right now I just need to type this out without worrying about how my hair looks. (I'm afraid I'll never truly have TV hair.)
Open Source summons demons and creates flesh eating zombies
I hesitate to point you to the source of my rant, and I'm afraid it's going to be a rant today, because it will add hits to their site and make them feel that people want to see more of this garbage. I've got it! I'll point you to a cached version of the article.
Are they saying that open source software is more plagued with security flaws than commercial software? No. Are they saying that open source developers refuse to consider security when they develop? No. Are they saying that open source developers are less skilled at security than commercial developers? No.
They are saying that developers who use open source projects don't always keep up with the latest version of libraries to take advantage of the security updates, or that they let their code stagnate on older versions of a library. I know I'm probably knee jerking on this, but I'm really irritated at this sort of sensationalized approach to talking about good IT and development habits. The truth is that in general open source projects do a pretty good job of keeping up with security vulnerabilities if there is sufficient interest to keep the project running. True, some projects decline, but I'm sure there are people running older versions of commercial software who haven't updated either. (Are you telling me you've never seen someone running an application on something like Foxpro 5 because the guy who wrote the project is long gone and they don't have anyone else to update it? Besides... it's working just fine.)
The real point that is being made here is that if you are going to be security conscious you must be update conscious as well. If, as an individual developer or company, you decide that it is too much trouble to keep something up to date then you probably should stop distributing it, or open it as a community project so that others can step in and pick up the slack. As a user, if you find that you cannot use a product because it requires you to load back-leveled libraries to make it work, you should become suspicious and factor that into your decision.
Software is a constantly moving target. The best way to keep yourself up-to-date is to use a distribution that has a supported automatic update system, and only use projects that fit into that scheme. I use Ubuntu, which has an excellent package system. Red Hat and SUSE have good ones too. For the most part, the projects that I really use are either a part of that repository or support me adding their own site to my update list.
One should also factor the risk. Many pieces of software have unusual vulnerabilities. If you look at hacking sites you find some really strange and surprising ways that software can be compromised, but often under very specific conditions. The trick is to get the user to create those conditions or find where they exist. Awareness that bad things can happen and paying attention to the warning signs will keep you out of a lot of trouble.
If I titled that article it would say "Lazy system administrators and developers propagate security flaws". I think that's a little closer to the truth.
[Remember that even though I work for IBM I am an individual with my own thoughts and ideas. Anything I write here may not necessarily represent the views of the IBM Corporation or its partners... though I'm hoping that's only a matter of time before they catch up.]
Lately I've seen a number of articles like "Why malware for Macs is on its way" talking about the discovery of a malware kit designed for Macintosh systems. For those who don't know, there are actually toolkits that are sold to help people design attacks on systems. If you've heard of "script kiddie" attacks, then this is the sort of thing that they mean. Basically someone who doesn't know a lot about hacking into a system uses one of these kits, much as you or I would use a library to draw graphics, and focuses on their core business of ripping off credit card numbers or what have you.
Most of these kits have been centered around Windows, and they have borne much fruit. As a Linux user I haven't really had much trouble with that sort of thing. Neither have Macintosh users. An argument has floated around for a while. Is it that the architectures of these environments are somehow superior to Windows, or is it that the market share was small enough that no one cared to exploit it? Well... we are about to see. With the emergence of these kits there should be more attempts on the Macintosh systems. Will they hold up to the strain or will they fall and require the same sort of scrutiny that a Windows box requires?
Linux is obviously further down the line so I probably don't have to sweat things too much yet. However, the BSD base of Mac OS X makes the environments hauntingly similar. If the attacks are highly successful on Macs, then they might transfer easily to a Linux environment.
Here are a few things that I plan to do to make sure that I have at least a little peace of mind:
Keep that firewall running. I try not to be a control freak about that, but some basic blocking is always warranted. I might do some digging and really harden it up. If the malware can't get out then it can't do its job.
Keep an eye out for weird processes. I do take a peek at my running processes from time to time, especially when things seem to be slowing down. I have general familiarity with what is connected to what and try to look into things that I don't recognize. I suppose a bad process could hide itself, but at least I'll catch the less stealthy ones.
Practice safe computing. Fortunately, being an open-source kinda guy, I don't tend to find myself hunting for pirated software (warez). Usually I can get everything I need right from the Ubuntu repository. However, I still end up poking around from time to time for other stuff. I should be cautious about unknown binary packages and try to get everything from the project site. If I am using a repository, make sure that I look for news about it. If it's distributing bad stuff the community will likely know and tell me... but I have to look.
Run ClamAV. The ClamAV software is free and easy to deal with. I'll keep it running and up-to-date.
It's a shame that we have to think about any of this. Computing should be open and easy. But as long as the bad guys are out there and our laws and conventions make it so easy for people to impersonate me with a few numbers then I need to deal with it.
I really hope that the Mac and Linux environments prove a little tougher than Windows. I guess we'll see.
If you are a Firefox user, you may have heard about the vulnerability discovered which could allow malicious web sites to steal passwords that you have stored in your password safe. You didn't know that? It could suck. I don't have the details, but you can get a hint in the description of the session "Breaking Browsers: Hacking Auto-Complete" at the Blackhat conference. (That's where security-conscious people get together and talk about bad-guy stuff.)
The upshot is that after this conference, the precise method for doing this will be out in the open, and there may be a lot of enterprising hooligans who immediately make use of it. Get your passwords out of Firefox now! I found a handy tool that will pull the passwords from your local repository and help you dump them into another format before you clear them out of Firefox. I know that sounds alarming, but you save it to your local system and run it from there. (It will warn you if you try to run it from the Internet.) It will show you a list of your passwords and let you copy them into another file. I dumped them into a spreadsheet. (ODS format, of course!)
So... what to do with this file. I don't feel much better having a spreadsheet lying around on my system with passwords to everything. True, it's much less likely that someone will poke around on my file system than that people will mess with my browser... but it's still not a good idea. It's time to crank up the encrypted file space!
I've talked from time to time about working with encrypted file systems, but not much beyond that. But now it's pretty urgent and I want to make sure that I have an easy-to-use space available right now for this and other sensitive information for which I need better habits. I know that encryption sounds hard, but it's really not that bad. There's a lovely open-source, multi-platform tool called TrueCrypt that makes this all pretty easy to handle. Don't think encryption will make that much of a difference? Take a peek at this article on how long it takes to break passwords of varying complexity. Good encryption with a good password will likely surpass the attention span or statute of limitations for most situations.
How easy was this to do? I installed TrueCrypt, which took a few minutes of downloading and script-running. I fired up the program which, incidentally, had a nice GUI. I created a 1GB volume which resides as a file on my file system. It's formatted internally just like a file system and it mounts that way too. I could easily have put it on a flash drive if I wanted to. TrueCrypt also supports encrypting partitions. Now I have a moderately safe repository that I can save my spreadsheet into. I can mount it when I need to and not have to do anything too weird with it. I can also keep multiple things in it, consolidating my secured items. In Linux, and Mac OSX as well, I think, it's easy to make a relative pointer to a file. That means that I can take some key configuration and data files and store them in my encrypted area, but allow the applications to deal with them as though they were standard. I can explain that in more detail if someone is interested. There is probably a way to do that in Windows by now, but I just don't know what it is. Maybe someone can fill us in.
So, I'm sorry to bear the news. I rather like the convenience of the password safe... but it's just not safe right now. And don't feel that putting Firefox's password file in your encrypted volume will help. The problem is that Firefox will give up your password if it's asked in the right way. We need to make sure that Firefox doesn't know the password. Ultimately I'm sure this will be fixed. Then it may be safe to go back. There are also other password safe tools that might be helpful... but for now, I think I'm going to go with the old-fashioned copy and paste approach with the spread sheet.
I hope that all of you will take this stuff seriously and give TrueCrypt a try.
We really do need to start taking personal responsibility for securing
our communications. Government is too slow and too clumsy to do it for
us (not to mention that they don't want anything to be secured from them).
Manufacturers have too many points of view to accommodate to make it
automatic. It has to be the right solution for you. Start with this
and before you know it I bet you'll be asking me about encrypting your
There's nothing like a good government document. I think that from
now on, rather than counting sheep I'll count those blocky,
black-and-white documents that all look like IRS instructions telling
you what the US government is up to. Why can't they just all blog like
everyone else? Bruce Schneier turned me on to some interesting documents
about the government's look at cybersecurity. The first is GAO-10-466, or as
the kids like to call it "Cybersecurity: Key Challenges Need to Be
Addressed to Improve Research and Development." It talks about a lot of
the different government entities that are involved in Cybersecurity.
The list reads a little like the Department of Redundancy Department,
but I suppose that there are a lot of disciplines and appropriate
overlap. Within that document I was pointed to GAO-09-432T, or
"National Cybersecurity Strategy: Key Improvements Are Needed to
Strengthen the Nation's Posture." At first glance, it might seem that
government reports use a pretty dull and repetitive style guide for
titling things... and that impression is largely unchanged after a few
more glances, and even a long hard stare. Yet it is interesting to see
how an idea like computer security is treated.
Both documents are interesting, but here is the list of the key points
that they work with in the second one:
Develop a national strategy that clearly articulates strategic
objectives, goals, and priorities.
Establish White House responsibility and accountability for
leading and overseeing national cybersecurity policy.
Establish a governance structure for strategy implementation.
Publicize and raise awareness about the seriousness of the
Create an accountable, operational cybersecurity organization.
Focus more actions on prioritizing assets, assessing
vulnerabilities, and reducing vulnerabilities than on developing
Bolster public/private partnerships through an improved value
proposition and use of incentives.
Focus greater attention on addressing the global aspects of
Improve law enforcement efforts to address malicious activities
Place greater emphasis on cybersecurity research and development,
including consideration of how to better coordinate government and
private sector efforts.
Increase the cadre of cybersecurity professionals.
Make the federal government a model for cybersecurity, including
using its acquisition function to enhance cybersecurity aspects of
products and services.
It's good that the government is getting involved, I guess.
Government can help mandate standards and provide a context for
research and development... but I've never seen government accomplish
what a curious group of technology enthusiasts can do when they put
their minds to it.
Here's a gentle reminder of technologies that you can be using to
improve your security right now:
Your operating system: I admit that I always lean toward Linux,
but any operating system that you use today has basic security such as
name and password restrictions. If you're bypassing that login screen
for convenience then you have likely created a number of other holes in
your environment that leave your system more open to attack or snooping.
Learn a little about encryption. I know that encryption sounds
hard, but there are some fairly straight-forward ways of dealing with
it. Tools like GNU Privacy Guard
(GPG) provide a pretty straight-forward way of encrypting and signing
just about anything digital. You don't have to buy a key. You can make
your own and register it with a public
key server so that others can find it and interact with you. (There
are also free locations to get certificates for your web sites, such as
SimpleAuthority.com and CACert.org.) There are also free
tools to encrypt your files and even create encrypted sections of your
hard drive. It's all very cool stuff. Some of it can be a little tricky
to set up, but once you develop habits of locking up your information,
they become second nature, like locking your car, or putting on your
Share your security-mindedness with your friends and family. If
you're the only one with a key, you have no one to exchange encrypted
mail with. Spread your new discoveries. Help others to see the value
in securing their information, and practice by sending messages back
and forth encrypted to each other's keys.
Like I said, I think this is all pretty interesting stuff. If others
are interested we can share more together here. It's actually a good
section for the Real
World Open Source Wiki (which really needs more brains in it than
just mine). If you take a personal interest in cybersecurity you can
help usher in the world of more accessible, more personal technology
with more control for you and less danger to your information. Ask
questions if you want to get started and I'll do what I can to help get
you started right now.
I'm sure that all of you are focused individuals. I'm sure that all of you see tasks clearly laid before you and that you systematically work your way through them with the persistence of a census-taker... each one in turn until all the jobs are done. How wonderful that must be.
I've always been full of curiosity. I seek knowledge and experiences of all kinds, which has led me in many interesting directions. It's probably also the reason that I'm so drawn to open-source, because there is always something new to discover. Recently, I came across this article: Work Smart: How to Make Procrastination Productive
I like the way this person thinks. Procrastination isn't so much laziness, or fear of action. It's a sort of intuitive prioritization where things get done, just not in the way that some would consider logical. Are there others out there who suffer from my fascination with the next shiny thing moving at the corner of vision? Does this broaden your reach or weaken your grasp?
One of the things that I've been exploring in my distraction is what one can do with a Web Cam. (Great! Some of you are already writing your own jokes. Fine! Laugh it up.) I hadn't looked too seriously at webcams because I just didn't have a specific need for one. Additionally, most equipment like that tends to be pretty Windows-centric and, while I can usually find the right piece and get it to run OK under Linux, I just wasn't motivated. Then, I'm in a big-box technology store beginning with an F where I normally don't shop because I don't find that the cheap prices are worth all of their other hassles. (I might as well order on-line!) Yet, there I am, looking for an adapter for my Droid, that I thought I needed to have that day. I happen by the webcam section and start looking at the different models. I find a Creative Live! Cam Socialize HD, which actually lists Linux as an option under its system requirements! I'm so pleased and surprised that I find myself taking it home.
I connect the camera and it works right out of the box! Yay. I talk to my dad and convince him to get a web cam as well. The next night we experiment a little and decide that for bed time we'll let Grandma and Grandpa join us for story time. It's pretty cool. My daughter read her story (she always reads one to us too) and she would read the text and show the pictures to the camera. Another night we did it again and Grandma and Grandpa had a story for us. What a wonderful way to reach out and touch bases with each other. As someone with a home-office I appreciated the value of being able to have some virtual presence and sharing seemingly insignificant things.
Now something weird has started. Skype, which is what we were using, has suddenly decided to only use my camera at 15 FPS, rather than the 30 that it will do, and all of the settings and adjustments are shielded from me in Skype. I can make it work fine with the other, open applications that talk to the camera. I did some digging and found that this was not unusual for the Linux version of Skype. I don't know if they are behind on the video technology that's available through the Linux kernel, or what. Perhaps they are doing some of that intuitive prioritizing. In the mean time I'm looking for other options that are more open that will also be easy for my dad to use. I've even toyed with setting up my own SIP server using Kamailio, but I haven't had a chance to learn the ins and outs of how it works. Too many shiny things... like getting articles done, drawing a paycheck and other things like that.
Maybe soon my intuitive priorities will align and I'll be able to share with you the secret formula for doing this yourself. In the mean time I'll share a little hint with you: You don't need a fancy service to connect to your computer from anywhere. You can do it with SSH and a system that you leave connected to the Internet. I'll give the basics for the adventuresome and maybe write up a more substantial tutorial later:
Set up the openssh server on your home system. Make sure that you have a port opened to the Internet for ssh. I recommend choosing something other than 22 or you'll just get your log files clogged by script-kiddie attacks. I also recommend setting it up so that you require key authentication for a good connection (PasswordAuthentication no in sshd_config). It's a little bit of a pain to deal with the keys, but it makes your setup a great deal more secure.
Get a dynamic DNS address and configure your home network to update that address whenever your home IP is reset. Now you can get to the home system by domain name rather than having to know the IP.
On your "work" system set up ssh and vnc. Whenever you want your system to be reachable set up a reverse port forward (-R) of the VNC port (590x) back to your home system. By default ssh binds that forwarded port to the loopback interface of the home system (GatewayPorts no), so only the home system itself can connect back to the work machine through VNC. Keep the VNC server on the work PC listening on localhost only as well; VNC's own password check is not something you want facing a network.
If you want to connect from another machine, establish another ssh connection from, say, your laptop to your home PC, doing a standard port forward (-L) to the same port that you reverse-forwarded. Now you use VNC to go from the laptop through the home PC to the work machine. Here's a brief example:
Connecting the work PC to home (run on the work PC; the addresses below are placeholders for user@your-home-host, so add -p with your port if you moved sshd off 22, and -N if you want only the tunnel and no shell):
  ssh -i mykey -R 35900:127.0.0.1:5900 email@example.com
Connecting from the home PC to the work PC through the encrypted channel:
  vncviewer localhost::35900
Connecting from a remote laptop to the work PC, by way of the home PC:
  ssh -i mykey -L 35900:127.0.0.1:35900 firstname.lastname@example.org
  vncviewer localhost::35900
That's the sort of expert view. Maybe some of you can use it. Selecting a higher port like 35900 helps avoid firewall issues where lower ports are blocked.
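Since the steps above amount to a short list of sshd_config settings, here is an added example (not from the original post) that checks a config file for them: off port 22, passwords off and keys on, no root login, and GatewayPorts left off so the reverse tunnel stays on loopback. The two sample configs are constructed inside the script, and the port number 35022 is arbitrary.

```shell
#!/bin/sh
# Added example, not from the original post: a quick audit of an sshd_config
# for the settings recommended in the steps above. Both sample configs are
# constructed here; the file names and the port number are arbitrary.
set -eu

# Effective value of one keyword. sshd takes the first uncommented occurrence
# and keywords are case-insensitive; anything after a "Match" line is
# conditional, so we stop there. A missing keyword falls back to the
# compiled-in default passed as $3.
sshd_value() {            # sshd_value FILE Keyword default
  v=$(awk -v k="$2" '
        tolower($1) == "match"    { exit }
        tolower($1) == tolower(k) { print $2; exit }' "$1")
  printf '%s\n' "${v:-$3}"
}

# audit_sshd FILE: print one finding per line; exit 0 only when clean.
audit_sshd() {
  f=$1 n=0
  [ "$(sshd_value "$f" Port 22)" != 22 ] ||
    { echo "Port is 22: pick a high port so scanner noise stays out of the logs"; n=$((n+1)); }
  [ "$(sshd_value "$f" PasswordAuthentication yes)" = no ] ||
    { echo "PasswordAuthentication is not 'no': passwords can be guessed, keys cannot"; n=$((n+1)); }
  [ "$(sshd_value "$f" PubkeyAuthentication yes)" = yes ] ||
    { echo "PubkeyAuthentication is off: key logins will fail"; n=$((n+1)); }
  [ "$(sshd_value "$f" PermitRootLogin prohibit-password)" != yes ] ||
    { echo "PermitRootLogin is yes: log in as yourself and escalate instead"; n=$((n+1)); }
  [ "$(sshd_value "$f" GatewayPorts no)" = no ] ||
    { echo "GatewayPorts is on: -R tunnels would be reachable from the whole network"; n=$((n+1)); }
  [ "$n" -eq 0 ]
}

# Two constructed samples: a stock-looking file and the same file hardened.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT

cat > "$TMP/sshd_config.stock" <<'EOF'
# constructed sample: the shape of a freshly installed sshd_config
#Port 22
#PubkeyAuthentication yes
PasswordAuthentication yes
PermitRootLogin yes
EOF

cat > "$TMP/sshd_config.hardened" <<'EOF'
# constructed sample: the same file after the steps above
Port 35022
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
GatewayPorts no
AllowUsers me
EOF

for f in "$TMP"/sshd_config.*; do
  echo "== $f"
  audit_sshd "$f" || true
done
```

Point it at /etc/ssh/sshd_config on the home system and fix whatever it prints; the stock sample above produces three findings and the hardened one none. It reads the file the way sshd does (first match wins), but it does not follow Include directives, so check any included files separately.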
Ooo! Something shiny! I'm just going to take a moment and--
I read an interesting article today: Hackers aren't as sneaky as you think.
Ah! The good old days. I grew up on the hacker culture. I remember
the inspiration of the movie War Games and the almost romantic vision
of young, smart people getting past the system and into the secret
world of government and big business. Of course, the truth underneath
was a little less glorious. Cracking computer security is now much
more about vandalism and identity theft. Yet, that early curiosity
gave me an awareness of computer security and steps that could be taken
to protect one's self. Most computer crime is the result of sloppiness on
someone's part. It could be the system administrator who's not a big
fan of browsing logs and running patches. There's not too much that
you can do about that. However, you can do things about your own
I've thought about a few of the things that I do to keep
safe, and they're not too hard to do. Yes, you have to make some
changes to your behavior, and you will have to learn a few things, but
it's not any more difficult than the things that you have learned to
keep yourself safe on the motorway. I'm sure that some will argue with
a few of my conclusions, but at least they'll be thinking about it!
Start with a safe vehicle
I quit using Windows. I know that not everyone will do this, but I
simply had repeated problems with viruses (should that be virii?) and
other issues that I just could not keep a handle on. When I discovered
Linux and started making it work for me all of those issues went away.
I have had zero virus infections. I also got a lot more information
through logs as to what people were trying to do to attack my system
and came up with ways to complicate that. I think of it this way...
when driving on a dangerous highway, which would you rather have
between you and the idiots: a Pinto or a Volvo? If you decide that you
must stay with Windows, then
make sure that you have all of the safety features installed. You
should have firewalls, virus scanners, spyware scanners and make sure
that they are always up-to-date.
Maintain your vehicle
It's great to have a solid vehicle, but if you don't keep it running
smoothly then it will cease to be reliable. The most critical thing is
to keep your patches and software up-to-date. Elderly software tends
to be behind the times on security issues. If cost is what is
preventing you from staying current, then you really should consider
finding a freely available solution. The Open Source World provides a
good number of solutions that you should consider. If cost is not what
is holding you back, then set up a regular procedure for making sure you are
up-to-date. Many software packages have ways to automatically check
for updates. Turn this on.
Pay attention to how your computer is running. A slow computer may
mean that you're just overloading it with software and outgrowing the
system. It may also mean that your computer may be doing a lot of work
on behalf of a SPAM-bot or something else. If nothing has changed on
your computer, no major software changes or changes to how you are
using it, then it is not normal for your computer to suddenly start
running more slowly. If you were driving on a straightaway and your
car suddenly started losing acceleration you would be concerned.
Computers are the same. When you see signs of problems, check them out.
Keep a look out
A while back I got SPAM from my sister's email address. I wrote to
let her know that I had gotten it. Generally if SPAM comes from
someone and the recipients are a random-looking (usually alphabetical)
mix of email addresses, then it's just someone spoofing that address. The SPAM did not
actually come from your friend's computer. However, if the SPAM was
sent to people from their address book, then you are likely dealing
with something that is more of an attack. The computer needs to be
checked out. Don't ignore it when something suspicious happens. Tell
the people who need to know. They can't do anything about it if they
Accept that security may require some inconvenience
Yes, it's nice to be able to turn on your computer and get to work. But that also means that anyone
can turn on your computer and get to work. Are you sure that the kids
aren't on there when you're not around doing things that they aren't
supposed to? How about your spouse or your roommate? If you keep
something on a computer that you would not leave lying around for
people to read at a party then you should probably close the door on
your computer with a password. It's not just your personal
information, either. Maybe you have nothing to hide, but what if this
other person goes poking around in places that they shouldn't. They
see the warning that says "Are you sure that you want to activate this
malicious program that will steal your identity?" and they click "OK"
because they just want to get to the video.
If you're going to have a password it should be a good one. When I
was working as a system tech supporting a company I was called to do
some work on a workstation in the security department. She had left,
even though she knew that I was coming, and her screen was locked--
which was good. She had a Cornhuskers football plush sitting on top
of her monitor and a few other Huskers things lying around. I took a
guess and typed "huskers" and I was in! I left her a note telling her
that it was pretty easy to guess and she made it more secure. The best
passwords are phrases with numbers and letters. Abbreviations that
only you would know are good too. "H0w much is that doggie in the
wind0w?" would be a pretty difficult password to guess (though now
that it's in print, don't use that exact one). Names of
family, birth dates, etc are terrible passwords. Take a line from your
favorite song in High School. Many security requirements demand that
you change your password regularly, but once you find a way to pick
things you can remember you will find it easier to change and maintain.
There are many ways now to encrypt information. Encryption turns
things into secret code so that no one else can read it. You can do
this with emails (and most people should) so that email to you can only
be read by you. You can also do it with file systems, so that you have
a section of drive that requires a password to access what's in there.
Encryption is a larger subject than I'm prepared to cover here, but you
should take a look at what can be done with the GNU Privacy Guard,
which is free and powerful encryption software. You can hook this
functionality automatically into your applications and make encryption
easy to deal with.
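The GPG workflow from the reminder list earlier (make your own key, publish the public half, send things back and forth encrypted to each other's keys) and from this section, as an added example that is not code from the original post. It assumes gpg 2.1 or newer on the PATH; Alice, Bob and their addresses are invented, and both keyrings live in a temporary directory that is thrown away at the end.

```shell
#!/bin/sh
# Added example, not code from the original post: Alice and Bob each make a
# GnuPG key, trade public keys (the job a key server does for strangers), and
# pass a signed, encrypted file between them. Needs gpg 2.1 or newer on PATH.
# Names, addresses and the message are made up; every keyring lives in a
# throwaway directory that is removed on exit.
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; nothing to show" >&2; exit 0; }
set -eu

WORK=$(mktemp -d)
cleanup() {
  for p in alice bob; do   # stop the per-keyring agents before deleting
    [ -d "$WORK/$p" ] && GNUPGHOME=$WORK/$p gpgconf --kill gpg-agent 2>/dev/null || true
  done
  rm -rf "$WORK"
}
trap cleanup EXIT

# g WHO ARGS...: run gpg non-interactively against WHO's own keyring.
g() {
  who=$1; shift
  GNUPGHOME=$WORK/$who gpg --batch --yes --quiet --pinentry-mode loopback \
      --passphrase '' "$@"
}

# make_party WHO "Name <addr>": fresh keyring, new key pair, exported public
# key. An empty passphrase is fine for a demo and wrong for a real key.
make_party() {
  mkdir -p "$WORK/$1" && chmod 700 "$WORK/$1"
  g "$1" --quick-generate-key "$2" default default never
  g "$1" --armor --export "$2" > "$WORK/$1.pub"   # the part you publish
}

# trust_key WHO OTHER: WHO imports OTHER's public key.
trust_key() { g "$1" --import "$WORK/$2.pub"; }

# send FROM TO IN OUT: sign with FROM's secret key, encrypt to TO's public key.
# --trust-model always skips the web-of-trust check on the freshly imported key.
send() {
  g "$1" --trust-model always --local-user "$1@example.invalid" \
      --recipient "$2@example.invalid" --sign --encrypt --output "$4" "$3"
}

# receive WHO FROM IN OUT: decrypt with WHO's secret key; succeed only if the
# status stream reports a good signature made by FROM's key.
receive() {
  g "$1" --status-fd 1 --output "$4" --decrypt "$3" |
      grep -q "^\[GNUPG:\] GOODSIG .*$2@example.invalid"
}

make_party alice "Alice <alice@example.invalid>"
make_party bob   "Bob <bob@example.invalid>"
trust_key alice bob
trust_key bob alice

printf 'meet at the usual place at noon\n' > "$WORK/note.txt"
send bob alice "$WORK/note.txt" "$WORK/note.gpg"
receive alice bob "$WORK/note.gpg" "$WORK/note.out" && cat "$WORK/note.out"
```

Two things the script checks that people usually skip: Bob cannot read the file he sent, because it was encrypted to Alice's key and not to his own, and Alice only accepts the file once the signature verifies against the key she imported for Bob rather than just any key. In real life the .pub file goes to a key server or is handed over in person, and the key gets a passphrase.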
Is that it?
There is a lot more ground to cover to keep yourself from being
cracked, but these things right here will make a dramatic difference in
your vulnerability. If there is more interest in this topic,
especially about specific practices or solutions I'd love to write more
about it. Shoot me a note and we'll try to cover more detail. If it's
enough conversation it might be worth a group on My developerWorks to
help everyone participate in the conversation.