The operating system oriented security debate is restarted – Phase 2

Examples of what I was saying.

A few days ago I was saying:

What about the configuration? The complexity of an operating system, with all its services, applications and connectivity hardware, is not to be forgotten. A program or a service can be well written, without any programming bug, and yet a single bad configuration can open a security hole. You will tell me: the programming is perfect, there are no bugs, so such a thing cannot happen; and if it does happen the cause is the user, not me, so it is not my problem. If you build a system that is hell to configure, then yes, it is your problem. The interaction between a program and its plug-ins, or between one program and another, can lead to unexpected behaviours. Usability is probably as important as programming practices.

As you can read, it was not really a great discovery. But today, while reading through my blog entries, I was amused by some of them. Let me point them out.

First, Google Desktop. As you can read in the New York Times:

The glitch, which could permit an attacker to secretly search the contents of a personal computer via the Internet, is what computer scientists call a composition flaw – a security weakness that emerges when separate components interact. “When you put them together, out jumps a security flaw,” said Dan Wallach, an assistant professor of computer science at Rice in Houston, who, with two graduate students, Seth Fogarty and Seth Nielson, discovered the flaw last month. “These are subtle problems, and it takes a lot of experience to ferret out this kind of flaw,” Professor Wallach said.

It is probably one of the best examples of the phenomenon I was describing two days ago. These problems are certainly hard to find, and it takes imagination to discover them. But the point I want to make is that the security of a program is not just a function of its code quality. Two programs can each be free of security flaws and yet, put together, security holes appear.
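To make the composition idea concrete, here is an added example that is not from the original post and is not the Google Desktop flaw itself (the article above does not describe its mechanism). It is a constructed case of the same shape: a URL decoder, a traversal filter and a path mapper, each correct for the input its own contract describes, compose into a hole when the filter runs on still-encoded bytes and the decoder runs afterwards. The document root and the request paths are assumed values for the demonstration.

```python
from typing import Optional
from urllib.parse import unquote
import os
import posixpath

# Assumed document root for the example; any absolute directory works.
DOC_ROOT = "/srv/www/htdocs"


def decode_path(request_path: str) -> str:
    """Component A: URL-decode the request path.
    Correct on its own: it does exactly what its contract says."""
    return unquote(request_path)


def reject_traversal(path: str) -> bool:
    """Component B: accept a path only if it has no '..' segment.
    Correct on its own, for the input it was written for: an already
    decoded path."""
    return ".." not in path.split("/")


def map_under_root(root: str, path: str) -> str:
    """Component C: map a server-relative path under the document root."""
    return posixpath.normpath(posixpath.join(root, path.lstrip("/")))


def serve_vulnerable(request_path: str) -> Optional[str]:
    """The hole appears only in the composition: the traversal check runs
    on the raw (still encoded) path and decoding happens afterwards, so
    '%2e%2e' slips past B and only becomes '..' inside A."""
    if not reject_traversal(request_path):
        return None
    return map_under_root(DOC_ROOT, decode_path(request_path))


def serve_hardened(request_path: str) -> Optional[str]:
    """Same three components, composed so that B sees what C will use,
    plus a final containment check on the canonical result.  That last
    check relies on neither component's contract; it tests the property
    we actually care about, that the file lies under DOC_ROOT."""
    decoded = decode_path(request_path)
    if not reject_traversal(decoded):
        return None
    target = map_under_root(DOC_ROOT, decoded)
    if os.path.commonpath([DOC_ROOT, target]) != DOC_ROOT:
        return None
    return target


if __name__ == "__main__":
    for req in ("/index.html", "/../etc/passwd",
                "/%2e%2e/%2e%2e/%2e%2e/etc/passwd"):
        print(f"{req!r:40} vulnerable={serve_vulnerable(req)!r:30} "
              f"hardened={serve_hardened(req)!r}")
```

Each function passes its own unit test: the filter rejects a literal `..`, the decoder decodes, the mapper maps. Only the ordering of the calls in `serve_vulnerable` turns three correct parts into a file read outside the document root, which is exactly what "composition flaw" means.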

A post from Peter Torr is also worth reading. He writes about Firefox and its appearance of security. The code is probably not too bad, but some of the features (including download and installation) are obscure. So my two pennies in the conversation are just to emphasise the plug-in point. I have said it before, but please take care with small, cool plug-ins. As Peter says, you have no way to check their authenticity.

What is cool with Firefox is that it is potentially a slim browser that you can change at will, with only the features you want. The principle is great but also paradoxical when you have security in mind. Firefox itself is, or will be, well studied for security upgrades and patches, but will that be the case for every plug-in available on their website? Let me doubt it. The solution? Probably certification of the plug-ins. The feasibility? Near null for the moment.
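What such a certification check could look like in practice, as an added example (not from the original post, and not how Firefox or its add-on site actually worked): a certifier publishes a manifest of reviewed plug-ins with the SHA-256 digest of each reviewed build, and the user side refuses anything that is absent from the list, is offered at a different version, or whose bytes differ from the reviewed archive. The plug-in names, versions and archive bytes are constructed for the example. One caveat the example does not solve: the manifest only pins integrity against a list you already trust, so the manifest itself must reach you over a trusted channel or carry the certifier's signature; otherwise the authenticity gap described above simply moves one level up.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Certified:
    """One manifest entry: the version that was reviewed and the SHA-256
    hex digest of the exact archive bytes that were reviewed."""
    version: str
    sha256: str


def build_manifest(reviewed: Dict[str, Tuple[str, bytes]]) -> Dict[str, Certified]:
    """Certifier side: after reviewing each plug-in build, record its
    digest so users can later tell that build apart from any other bytes
    served under the same name."""
    return {
        name: Certified(version, hashlib.sha256(archive).hexdigest())
        for name, (version, archive) in reviewed.items()
    }


def check_plugin(name: str, version: str, archive: bytes,
                 manifest: Dict[str, Certified]) -> Optional[str]:
    """User side, run before installing a download.  Returns None when the
    download is exactly a certified build, otherwise the reason to refuse."""
    entry = manifest.get(name)
    if entry is None:
        return "not in the certified list"
    if entry.version != version:
        return f"version {version} offered, but {entry.version} is the certified one"
    actual = hashlib.sha256(archive).hexdigest()
    # compare_digest: the comparison time does not depend on how many
    # leading characters of the two digests happen to agree.
    if not hmac.compare_digest(entry.sha256, actual):
        return "archive bytes differ from the certified build"
    return None


# Constructed sample "archives" standing in for real extension packages;
# the names and versions are made up for this example.
REVIEWED = {
    "tabsaver":   ("0.9", b"PK\x03\x04 tabsaver 0.9 as reviewed"),
    "weatherbar": ("2.1", b"PK\x03\x04 weatherbar 2.1 as reviewed"),
}
MANIFEST = build_manifest(REVIEWED)


if __name__ == "__main__":
    good = REVIEWED["tabsaver"][1]
    tampered = good + b"; extra code slipped in after review"
    print(check_plugin("tabsaver", "0.9", good, MANIFEST))
    print(check_plugin("tabsaver", "0.9", tampered, MANIFEST))
    print(check_plugin("tabsaver", "1.0", good, MANIFEST))
    print(check_plugin("coolthing", "1.0", b"whatever", MANIFEST))
```

The version check matters as much as the digest: a download site that silently serves a newer, unreviewed build under a certified name is exactly the case the post worries about, and a digest alone would already catch it, but reporting the version mismatch separately tells the user why.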

Finally, I am not saying to stop using it or the cool plug-ins available, only to be aware of the situation when you use these kinds of software.

The operating system oriented security debate is restarted.

Please stop your childish games.

I read today an article on Wired News that restarts the debate on the security of Linux versus other operating systems. The conclusion is:

  1. 0.17 bugs per 1,000 lines of code in the Linux kernel
  2. 20 to 30 bugs per 1,000 lines of code for commercial software

These statistics were collected by Carnegie Mellon University’s CyLab Sustainable Computing Consortium. The problem with these numbers is that they tell us nothing. Fine, in theory there is less chance that my Linux kernel has bugs that create security threats. It is likely that the (open source) core of an OS is more closely studied than the software it runs. That is exactly the present situation.

What about all the other things that come with every Linux distribution? Are they as well studied as the kernel? Let me doubt it.

What about the configuration? The complexity of an operating system, with all its services, applications and connectivity hardware, is not to be forgotten. A program or a service can be well written, without any programming bug, and yet a single bad configuration can open a security hole. You will tell me: the programming is perfect, there are no bugs, so such a thing cannot happen; and if it does happen the cause is the user, not me, so it is not my problem. If you build a system that is hell to configure, then yes, it is your problem. The interaction between a program and its plug-ins, or between one program and another, can lead to unexpected behaviours. Usability is probably as important as programming practices.

How can anyone summarise computer security risk in lines of code? Can someone explain that to me?

Security seen through History – Quotes that stand the test of time.

I was playing around with quotation websites. I searched for the term “security” and found some interesting results.

This exercise is interesting from a historical point of view: how historical figures saw security in their everyday lives. By knowing their history you’ll learn more about their thoughts on security at the time.

—–

A quote that describes the state of security. Knowing that security and safety are not immutable will possibly preserve you from many unwelcome situations:

The superior man, when resting in safety, does not forget that danger may come. When in a state of security he does not forget the possibility of ruin. When all is orderly, he does not forget that disorder may come. Thus his person is not endangered, and his States and all their clans are preserved.

Confucius

Chinese philosopher & reformer (551 BC – 479 BC)

—–

Overconfidence can lead you into many unwelcome situations:

Better be despised for too anxious apprehensions, than ruined by too confident security.

Edmund Burke

Irish orator, philosopher, & politician (1729 – 1797)

—–

Is opportunity creating your security?

There is no security on this earth, there is only opportunity.

General Douglas MacArthur

US WWII general & war hero (1880 – 1964)

Too many people are thinking of security instead of opportunity. They seem more afraid of life than death.

James F. Byrnes

US jurist & politician (1879 – 1972)

—–

Will you miss out on life if you are paranoid about security measures? There is a comfort zone where it is worth it, but there is also a line not to cross.

Life is either a daring adventure or nothing. Security does not exist in nature, nor do the children of men as a whole experience it. Avoiding danger is no safer in the long run than exposure.

Helen Keller

US blind & deaf educator (1880 – 1968)

Security is mostly a superstition. It does not exist in nature…. Life is either a daring adventure or nothing.

Helen Keller

US blind & deaf educator (1880 – 1968)

Security is a kind of death.

Tennessee Williams

US dramatist (1911 – 1983)

Security is when everything is settled. When nothing can happen to you. Security is the denial of life.

Germaine Greer

Author (1939-present)

—–

Think about the weakest link. If it is present, the whole chain will break.

There is no security for any of us unless there is security for all.

Howard Koch

U.S. screenwriter (1901-1995)

—–

Is security a brake to progress?

He who is firmly seated in authority soon learns to think security, and not progress, the highest lesson of statecraft.

James Russell Lowell

American poet, critic, and editor (1819-1891)

—–

Security over freedom?

Those who desire to give up freedom in order to gain security, will not have, nor do they deserve, either one.

Benjamin Franklin

American statesman, scientist, philosopher, printer, writer and inventor. (1706-1790)

—–

Innovation in insecurity?

It’s an old adage that the way to be safe is never to be secure. Each one of us requires the spur of insecurity to force us to do our best.

Harold W. Dodds

American educator (1889-1980)

—–

Finally, for the paranoid.

Security gives way to conspiracy.

William Shakespeare

British dramatist, poet. (1564-1616)

The Survivor Personality by Al Siebert, Ph.D – Are you a survivor?

As you can see from my last posts, I am more oriented toward personal security and physical-world security these days. Here is another post on the subject. Are you computer-security oriented? Then read these posts anyway; you can learn things that apply in your own security domain. Security is a process, as most people know. Personally, I do not think security is domain-specific. Security is a graph in which each domain is a node. You can travel from node to node, but the principles follow you into each of them. Technicalities are node-dependent, but the principles apply to the whole graph.

A month ago I read a passionate book on the survivor personality written by Al Siebert, Ph.D. It is a really interesting read. I copied an excerpt from the book that summarises it in a few points. If you do not understand some of them, I encourage you to buy and read it.

“What you can do is create a self-managed plan for acquiring qualities and skills that will improve your ability to handle change, unexpected developments, and disruptive crises that come your way. In your personal plan you may want to include some of the following:

  1. Ask questions! Respond to change, new developments, threats, confusion, trouble, or criticism by asking “What is happening?” Develop a curiosity reflex. Practice reading each new reality rapidly.
  2. Increase your mental and emotional flexibility. Tell yourself “It is all right to feel and think in both one way and the opposite.” Free yourself from inner voices from your past that say you shouldn’t feel or think a certain way. Develop many response choices for yourself.
  3. Assume that change and having to work with uncertainty, ambiguity, and unknowns are a way of life from now on. Learn to handle these with self-confidence. Practice making new developments work out well. In today’s world getting good results counts more than working hard.
  4. Become useful quicker and in more ways than other people. Ask yourself, “How can I interact with this so that things get better for everyone?” Your ability to find ways to be useful makes you valuable. In every situation make it more valuable than anyone thought it could be. Consider such efforts an investment in yourself.
  5. Develop empathy skills, especially with difficult people. Put yourself in the other person’s place. Ask “What do they feel and think? What are their views, assumptions, explanations, and values? How do they benefit from acting as they do?” Govern your actions not by your good intentions, but by the actual effect you have on others.
  6. Learn how to learn from experience. That way you are always becoming more capable, effective, and employable. Practice thanking people who give you unpleasant feedback. Consider viewing difficult people as your teachers in the school of life. Instead of trying to get difficult people to change, ask yourself “Why am I so vulnerable? What are my blind spots? How could I handle myself better with such people?”
  7. Resist labeling others; Practice observing and describing what others feel, think, say and do. Use negative nouns when you want to swear and positive nouns when you want to put someone on a pedestal, but recognize that the labels you put on others reflect your emotional state.
  8. Pause occasionally to silently observe what is happening. Take several deep breaths. Scan your feelings. Be alert to fleeting impressions. Notice little things. Be alert to early clues about what might be happening.
  9. Take time to appreciate yourself for the helpful things you do. Appreciate your accomplishments. Feelings of positive self-regard help blunt the sting of hurtful criticism. Your self-esteem determines how much you learn after something goes wrong. The stronger your self-esteem, the more you learn.
  10. When hit by adversity, no matter how unfair it seems, follow the survivor sequence: regain emotional balance, adapt and cope with your immediate situation, thrive by learning and being creative, then find the gift. The better you become, the faster you can convert disaster into good fortune.”

Finally, I will summarise another thought from the book with an excerpt from Children of Dune by Frank Herbert:

“Muad’Dib’s teachings have become the playground of scholastics, of the superstitious and the corrupt. He taught a balanced way of life, a philosophy with which a human can meet problems arising from an ever-changing universe. He said humankind is still evolving, in a process which will never end. He said this evolution moves on changing principles which are known only to eternity. How can corrupted reasoning play with such an essence?”

Individual and Collective Security – From the SOE Syllabus of Lectures at Camp X

I have always enjoyed WWI and WWII writings. They are a good source of inspiration, knowledge and entertainment. All sorts of stories have been written by and about the many people involved in these great wars. I was enjoying another writing from that epoch. I am currently reading documents about STS-103 (Camp X, an SOE training camp in Canada). There is an excerpt on Individual and Collective Security taken from the Syllabus of Lectures, HS 7/55 in the SOE documents at the National Archives.

====================================

INDIVIDUAL AND COLLECTIVE SECURITY

1. DEFINITION.

Security: ‘Precautions taken by the individual for his own personal protection and the protection of his Organization from the enemy’.

Without these precautions, it is dangerous to attempt regular and impossible to attempt irregular warfare alone or in conjunction with other people.

2. APPLICATION.

a) Apparent absence of enemy C.E. measures should never be allowed to engender over-confidence. (Cf. graph of agent’s confidence.)

b) Insecurity by an individual may jeopardize not only his own safety but the safety of the organization with which he is in contact.

3. INFORMATION.

Basis of your self-protection is good information. As much as possible provided before departure, but you must check and supplement on arrival. Information required on:

i) Local Conditions.

ii) Local Regulations.

iii) Enemy methods.

iv) Enemy personnel.

v) Your own subordinates.

4. INCULCATION.

a) Security cannot be taught by rule of thumb. It is a frame of mind attainable through self-discipline and self-training that will make the taking of precautions a ‘habit’. (Cf. crossing a road.)

b) What is a habit? A single action committed so often as to become automatic. What precautionary actions must we practice so often that they become a habit?

5. COMMUNICATION.

The answer is ‘Communicatory Actions’. Secret and confidential information can reach the enemy through our carelessness in:

a) Speech.

b) Writing.

c) Behaviour.

a) Speech.

Adoption of hush-hush attitude through vanity.

Confiding in friends to ease nervous strain.

Mentioning facts you are not ‘outwardly’ supposed to know, or isolated facts which can be strung together.

Telling people more than they need to know.

Compromising telephone-conversations through misuse of conventions. (E.g. NOT ‘Three lambs with sweets and toys who need instruction in malaria’ BUT ‘Three chaps with some goods for Harry who need instruction in my subjects’.)

b) Writing.

Commit as little as possible to writing. Memorise if you can.

If you must carry documents, select what you must carry.

Burn all secret waste and carbons.

c) Behaviour.

Be inconspicuous. Avoid all limelight by being an ‘average’ citizen in appearance (height, clothes) and conduct (drink, women).

Be tidy. All engaged on secret work must be methodical in their habits – e.g. it is mainly by knowing exactly where he has placed his belongings and arranged his room that an individual can detect disturbance by police search.

Have good ‘Cover’ – the innocent activity undertaken or invented to conceal the secret aspects of his activity. Good cover must be consistent with necessary overt behaviour and non-compromising.

(For application to operational Agent see A.4.)

Be observant. Observe and deduce. (E.g. face or voice seen or heard twice suggesting you are being followed. Smell of real coffee in France suggesting someone occupied in the Black Market.)

Have foresight. See danger early. (E.g. Axis agent in café, policemen checking papers.)

Plan for emergency. Alternative courses in case of accident (RVs); pre-arranged conversation when talking to a colleague in case of sudden interrogation. Danger signs.

====================================

Most of this information is still relevant and will be for decades. For example, check out 2.b). It is probably the best point when you deal with contractors or associated companies. Every security expert will tell you: the security policies of your associates and contractors need to be in harmony with yours. They need to be as strong as yours, and followed by them as you follow yours. If they have a security gap, they are a threat to your own security. That is true for computer security but also for any other type of security. Point 4.a) relates to what I have always said on this blog: education. People need to be educated in this way. Security cannot become a habit if it was never taught.

I think this excerpt is good refresher reading for anyone who cares about their own security, the security of their relatives, or who works in any field of security.