Thursday, September 30, 2004 12:03 // SANE 2004, RAI, Amsterdam, Nederland
A talk by Wietse Venema
Wietse tells how he got into security in the early nineties at Eindhoven university, when he was trying to figure out who was scanning their network; he wrote tcpwrapper in the process and learned a lot about network programming.
In 1995 Wietse and Dan Farmer announced their automatic network scanner, SATAN, in a white paper. For some people this announcement heralded the death of the Internet. There was a lot of discussion about a sensible way to release such dangerous software. In the end it was released on a limited basis first and then to everybody at the same time. This was even featured on CNN. The whole excitement about the tool turned out to be overblown, though: neither an increase nor a decrease in break-in activity was noted in the wake of the release.
This was just another episode in the ongoing debate over full disclosure, or as someone from the US military put it: "If my systems have a problem, I would rather hear it from a friend."
Finally Wietse talked about his experience writing Postfix. Work on Postfix started in 1996 out of frustration with the continued security problems of sendmail.
Quote: Some problems in software are found because and others are found because so many users use it.
Today Postfix is the standard on many systems and forms a cornerstone of many large organizations' infrastructure.
The release of the Postfix mailer was touted by the IBM PR department in an article in the New York Times. This caused Lou Gerstner (the CEO at that time) to start asking questions about IBM's open-source strategy. A year later IBM had fully embraced Linux, from its smallest to its largest systems.
Quotes:
You can run from Windows but you can't escape from it. Suddenly your UNIX-based mail server becomes a major vehicle for email worms and other malware.
SPF is evil
Spammers don't destroy the infrastructure, it's the well-meaning people with poorly designed countermeasures.
On security of OpenSource vs. ClosedSource: You don't need source to find bugs.
The number of people who contribute source to Postfix that I don't have to spend much time fixing before integration is about two.
Security initiatives are great, but only for new systems.
You can add layers of security around old systems, but these layers will also have bugs.
More on security (seclabs.cs.ucdavis.edu ...)
Thursday, September 30, 2004 16:04 // SANE 2004, RAI, Amsterdam, Nederland
A presentation by Rüdiger Weis
My interpretation: TCG is basically a system for vendors who do not trust users. The licenses that come with TCG-enabled products contain terms that would not be valid in Europe, yet the hardware can be used to enforce them anyway. TCG 1.2 fixes some of the problems, but only some.
In principle a security infrastructure in every computer would be nice, if it did not come with all the (evil) third-party interests and did not have all the problems still to be found in TCG 1.2.
The systems that prevent access to copyrighted songs can also be used to prevent access to any other documents. It would even be possible to revoke access to some documents at a later date by changing the appropriate access keys.
Imagine the copyright holder loses his keys: all copies of his work may become inaccessible.
The cryptographic foundations of TCG 1.2 stand on rather weak (new) legs, since many new methods are employed in this system.
While TCG supports long keys of 2048 bits, it is still possible to use 512-bit keys and weak 160-bit SHA-1 hashes; this raises questions about the cryptographic viability of the system.
Neat: https://www.trustedcomputing.org uses an invalid SSL certificate.
Bundesamt für Sicherheit in der Informationstechnik (www.bsi.bund.de ...)
Thursday, September 30, 2004 16:46 // SANE 2004, RAI, Amsterdam, Nederland
A presentation by Clifford Wolf
SubMaster is a system for distributed software development where every developer works on his own repository and then forwards patches to a central repository. The patches received at the central repository go into a queue from which the project maintainer controls their integration into the main repository using specialized tools.
With SubMaster you get a rich tool set for working in such an environment.
SubMaster uses Subversion as its data repository but wraps it so that distributed development becomes possible.
SubMaster comes with two main scripts: sm, for maintaining local repositories and uploading patches, and smap, for applying the patches to the main repository.
Further information is available on (www.rocklinux.org ...)
Content © by Tobias Oetiker