tag:blogger.com,1999:blog-52403598267065455102012-02-16T20:38:39.798-08:00Disclaimer The views expressed on this website/weblog are mine alone and do not necessarily reflect the views of my employer.<br> Note to journalists and other readers: Unless you receive express written permission to the contrary from the author of the content of this blog/website, reproduction or quotation of any statements appearing on this blog/website is not authorized.Thomasnoreply@blogger.comBlogger1451100tag:blogger.com,1999:blog-5240359826706545510.post-87347260631078465952011-11-14T02:46:00.000-08:002011-11-14T03:14:13.350-08:00My wife stumbled of a <a href="http://techrights.org/2011/10/09/thomas-biege/">weird blog posting</a> about a blog entry from myself explaining that I change the position in my department. In this weird posting the author claims that I left SUSE and become a Professor... uh?!? :-D<br /><br /><span style="font-weight: bold;">Update</span>: Ah, the "Professor part" was about another colleague. Too bad ;)<br /><br /><p><!-- BlogCounter Code START --></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-8734726063107846595?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-32891371039996067272011-09-22T00:06:00.000-07:002011-09-22T00:09:14.133-07:00My submission to the <a href="https://www.owasp.org/index.php/German_OWASP_Day_2011">4th German OWASP Security Day</a> was accepted. Now let's see if we can accept their OWASP license that needs to be signed...<br /><br /><p><!-- BlogCounter Code START --></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-3289137103999606727?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-61926559194672539522011-09-21T02:14:00.000-07:002011-09-21T02:25:20.028-07:00After 12 years I am leaving the SUSE Security-Team... just to support them! :-)<br /><br />Like a satellite I was spun-off from mother earth. Flying around the SUSE Security Team as project-manager to take care of our products before they get released working hand-in-hand with Marcus and his team that (mostly but not exclusively) takes care of the security of already released products.<br /><br /><br /><p><!-- BlogCounter Code START --></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-6192655919467253952?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-37907943251902514942011-07-26T02:10:00.000-07:002011-07-26T04:08:50.772-07:00David and Flavio created a new <a href="https://github.com/openSUSE/scanny">github project</a> to replace my ror-sec-scanner. "<a href="https://github.com/openSUSE/scanny">Scanny</a>" doesn't uses regex but the AST and emits fewer false positives. So lets start adding rules/checks to it to become more powerful.<br /><br /><p><!-- BlogCounter Code START --></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-3790794325190251494?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com2tag:blogger.com,1999:blog-5240359826706545510.post-83190606203581197562011-06-17T02:38:00.000-07:002011-06-21T00:38:04.804-07:00Last Friday we released a security update for SUSE Manager. It eliminates four vulnerabilities which I will describe in detail here:<br /><ol><li>CSRF (CVE-2009-4139): This is the most dangerous issue fixed by this update. It was found during a penetration-test executed by me before we released the SUSE Manager. You may wonder why we released the fix after the "gold master" (GM) and why it has a CVE-ID from 2009. Red Hat was informed about this issue in 2009 already (by another person) and after some back and forth we decided to release it together with Red Hat and not earlier. But not only the release date was coordinated, we also coordinate fixing and testing.</li><li>The default SSL ciphersuite configuration that comes with our apache2 package (this also affects the SM proxy) was made up to support as much and as old client as possible. This results in a config that is insecure because it support "export ciphers", SSLv2, short keys, etc. If you install this update before you configured your SM you will have a up-to-date and secure config. Use <span style="font-family:courier new;">sslscan</span> to verify your setup. If it is still insecure go to <span style="font-family:courier new;">/etc/apache2/ssl-global.conf</span> and change it to something like:<blockquote>ssl_protocols TLSv1</blockquote><blockquote>ssl_ciphers ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH</blockquote></li><li>Open Redirect (CVE-2011-1594): A hidden field named "url_bounce" allows HTTP redirects and therefore phishing attacks. Found during penetration-test, released after GM because it was too minor to hold release.<br /></li><li>XML remote denial of service (CVE-2011-1755): jabber2 server can be dos'ed ("billion laughs attack"), not found by us.</li></ol><br /><p><!-- BlogCounter Code START --></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-8319060620358119756?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-28771112730854913292011-06-07T12:16:00.000-07:002011-06-07T12:22:19.666-07:00<p class="mobile-photo"><a href="http://3.bp.blogspot.com/-3bbIYMUdb_U/Te56bCaGQAI/AAAAAAAAAfk/3IgUr4UMhBA/s1600/07062011143-739667.jpg"><img src="http://3.bp.blogspot.com/-3bbIYMUdb_U/Te56bCaGQAI/AAAAAAAAAfk/3IgUr4UMhBA/s320/07062011143-739667.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5615560390298976258" /></a></p><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-2877111273085491329?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-57139511995725454082011-05-24T00:00:00.000-07:002011-05-24T11:14:00.338-07:00Three weeks ago the SUSE Studio team had its first "Security Day" to fix the possible security vulnerabilities found by <a href="https://gitorious.org/code-scanner/ror-sec-scanner">ror-sec-scanner</a>. (a Rails static code analyzer)<br />The team eliminated:<br /><ul><li>161 false positives<br /></li><li>28 real bugs</li></ul>Thank you folks! :-)<br /><br />Note: Earlier this year another team consolidated its forces to fix potential security problems in their code and reduced the number of bugs per KLOC to 0.<br /><br />I hope we can have a "Security Day" prior every new release.<br /><br /><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p><br /></noscript><br /><noscript></noscript><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-5713951199572545408?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-52630080563476265452011-05-03T12:57:00.000-07:002011-05-04T01:43:04.103-07:00Last night I stumbled over some old docs of the Security Review Board. More than 5 years ago T.G. puts much effort in enhancing the development processes to create more secure products. I never saw numbers about that project to compare pre and past states of the products. Unfortunately she left a few years later but AFAIK some of her work is still in use today.<br /><br />Today I browsed Google Docs and found a 2 year old presentation I wrote during a train journey from Nuremberg to my home town. I never want to show the slides to other people I just brainstormed about how we could integrate security into our products. Let me show you some slides here because they describe where we were 2-3 years ago. As I said I forgot the slides but funnily various things from them are real now or are on my TODO list.<br /><br /><span style="font-weight: bold;"></span><blockquote><span style="font-weight: bold;">Slide 1: Where we are.</span><br />- We have four different sources of code<br />-- 1.) Mainly FLOSS<br />-- 2.) In-house development<br />-- 3.) 3rd-party commercial free binary code (like RealPlayer, acroread, etc.)<br />-- 4.) 3rd-party code developed by contractors<br />- We review FLOSS code but there is too much and we have not much<br />influence on the developers beside sending patches upstream<br />- We have much influence on our own developers but we have to develop<br />a better security awareness as well as technical knowledge<br />- We have no influence on the 3rd-party free binary code and just need<br />to trust it.<br />- Code developed by contractors can be reviewed by us<br /></blockquote><br />Today source 1. is still the main source for code contributions, the in-house development (2.) increases a lot over the past years, we try to reduce (openSUSE is completely free of them, see the <span style="font-style: italic;">NonFree</span> repo) the number of binary-only packages (3.), I am not aware of current contributions from source 4.<br />In the past we provided workshops for secure programming (C, C++, Shell, Perl, Ruby on Rails, Web-security in general).<br /><br /><blockquote><br /><span style="font-weight: bold;">Slide 2: Where others are.</span><br />- Microsoft<br />-- founder of the Secure Software development Life Cycle (SDL)<br />-- Separate, specialized teams<br />-- Own and optimized tools for stress-testing (fuzzing) as well as code analysis<br />-- See BSIMM study [<a href="http://www.informit.com/articles/article.aspx?p=1592389">1</a>], [<a href="http://www.cert.org/podcast/show/20090331mcgraw.html">2</a>]<br />- Cisco<br />-- <a href="http://blogs.cisco.com/security/the_cisco_secure_development_lifecycle_an_overview/">CMSDL</a><br />- Adobe<br />-- See BSIMM study [<a href="http://www.informit.com/articles/article.aspx?p=1592389">1</a>], [<a href="http://www.cert.org/podcast/show/20090331mcgraw.html">2</a>]<br />- Google<br />-- specialists/teams working on research topics and develop tools as well as guidelines<br />-- See BSIMM study [<a href="http://www.informit.com/articles/article.aspx?p=1592389">1</a>], [<a href="http://www.cert.org/podcast/show/20090331mcgraw.html">2</a>]<br />- Red Hat<br />-- Specialized teams/persons<br />-- Much more people working on security<br />-- Better contact to developers?<br />-- Only re-active not pro-active AFAIK<br /></blockquote><br />Currently we are introducing secure SDLC techniques and testing tools for our in-house products. Teams are planned to grow.<br /><br /><span style="font-weight: bold;"></span><blockquote><span style="font-weight: bold;">Slide 3: We need to catch up because...</span><br />- Releasing patches for avoidable bugs is a big waste of money and time<br />- Customers critically watch software vendor's product quality and security vulnerabilities<br />- These observations play a big role in buying new products or continuing support contracts because installing patches costs the customer money (see study "The Total Cost of Security Patch Management") and therefore increases the cost of the product.<br /></blockquote><br /><blockquote><br /><span style="font-weight: bold;">Slide 4: What we can do now!</span><br />- Increase awareness by:<br />-- Showing consequences by providing examples of security problems in our code<br />- Increase code quality by:<br />-- Online teaching of security best practice rules for common programming languages like C, C++, C# and Java (see CERT's SDI)<br />-- Adopt secure SDLC processes for our in-house development<br />-- Provide a standard development environment that includes easy-to-use code analysis tools for our programmers<br />-- Teach how to use this tools.<br />-- Do more sophisticated code analysis</blockquote><br />We are on the right track.<br /><br /><span style="font-weight: bold;"></span><blockquote><span style="font-weight: bold;">Slide 5: What we need to do in the future.</span><br />- Develop/acquire better tools for code analysis, fuzzing, etc.<br />- Incrementally refine our coding standards<br />- Have separate teams for handling bugs (response team), create new tools and keep track of current software security development (research team), a team for shepherding code development (mentor team) and a pen-testing team to verify in-house, FLOSS code<br />- Being part of secure development initiatives/groups/workshops<br /></blockquote><br />Well different teams is a dream that will never become true, but we will try to reach our goals using another way.<br /><br /><span style="font-weight: bold;"></span><blockquote><span style="font-weight: bold;">Slide 6: Where we should be.</span><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/-K13_Izrznso/TcBvGGrqjrI/AAAAAAAAAfY/_SXtks2NLFY/s1600/Secure_Development_at_Novell.jpg"><img style="cursor: pointer; width: 385px; height: 280px;" src="http://1.bp.blogspot.com/-K13_Izrznso/TcBvGGrqjrI/AAAAAAAAAfY/_SXtks2NLFY/s320/Secure_Development_at_Novell.jpg" alt="" id="BLOGGER_PHOTO_ID_5602600087112552114" border="0" /></a><br /></blockquote><br /><p><!-- BlogCounter Code START --></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-5263008056347626545?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-21320139550848525162011-03-25T10:33:00.000-07:002011-03-25T05:36:23.211-07:00Most people know that smoking causes cancer, that eating too much and not doing sports increases the probability of a cardiovascular disease, that drinking too much is bad for your psyche and lever and so on.<br /><br />But does just knowing about it change their behavior? No, it does not!<br /><br />The reason is that these "invisible" negative effects do not influence their living, the integrity of their reality is intact until it is too late and the disease dramatically decrease the quality of their life.<br /><br />Only a few people are clever and strong enough to reflect about their bad behaviors and change them. I assume more people change their bad habits as soon as they <span style="font-weight: bold;">see</span> what happens to their body. Seeing means measuring the cardiovascular levels, taking x-ray pictures of organs, making chemical analysis of body liquids and tissue and so on.<br /><br />I see a strong analogy here to software development and security.<br /><br />Developers and project-managers often do not have security in mind, or do not have the technical background and daily practice to make the resulting product a nightmare for penetration-testers and hackers. (How often do you read this already?)<br /><br />Let's not stress this doctor vs. patient analogy too far. This blog entry is not about good vs. bad or dumb vs. clever... it's about the experience I made and psychology.<br /><br />First of all, measurement (of the right things) is the key to success! You do not have to create a bulletproof plan, just some goals, continue measurement, and adapt your plan (Hello agile development/management!).<br /><br />I hold three talks/workshops in 2010, every talk has the same topic: "secure design and development" and I got the same result: <span style="font-weight: bold;">Code quality did not increase!</span> The number of potential security bugs per 1000 "physical" LOC (Hits/KSLOC) stayed the same or even increased.<br />Based on the responses from my audience I experimented with the content and with the methodology. The first workshop was very long and mostly theoretical with threat models, potential problems in Rails, risk assessment, showing some tools (which gets the most attention, because it potentially helped solving their problems).<br />The second one was much more practical, I had shown real examples from the in-house software projects, real attacks and presenting some tools. The session was much shorter and caused more attention by the developers and a bit more attention by the technical managers (Still, tools caused the the most attention). And the last one... the last one was a wake-up call, less technical, analogies and examples, cost of security updates (Attention!) and I hit the target.<br /><br />Result: The first talk was a waste of time, my statistics had shown no decrease in the potential vulnerabilities, the second one also had no affect on quality but the awareness and communication (developers) increased, and the third talk... well the code quality did not increase but awareness and maybe acceptance in the upper food chain increased.<br /><br />Retrospectively I can say I should have done the talks/workshops in reverse order but when I started is was a "fire-fighter job" and I had no time for a real plan.<br /><br />Code quality is still a critical issue and therefore I took the next, more aggressive step by sending the (cleaned-up) results of my code scanner to the developers mailing list. And at least one team responded to it and we reduced the number of potential security problems and false positives to a minimum within just two weeks. In the meanwhile all teams responded in some way and I hope code fixing will start soon.<br /><br />On balance:<br /><ul><li>If you want to increase awareness, invite the right people and omit technical details, speak the language of the audience, use numbers (costs) and statistics, use analogies instead of theoretical information. Melt realities by creating feelings and concernment! (The last point is not easy to do of course.)<br /></li><li>If you want to increase code quality, use tools that directly show the problematic code with a description and help fixing it! Don't create too much confusion and don't steal the developer's time.</li></ul>BTW, the increase of awareness or the expertise of the developers resulted in adding security features and fixing existing security features...<br /><br /><p><!-- BlogCounter Code START --></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-2132013955084852516?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-6555688221921848082011-03-18T03:43:00.000-07:002011-03-18T03:44:37.047-07:00<a href="http://www.rsa.com/node.aspx?id=3872">http://www.rsa.com/node.aspx?id=3872</a><br /><br /><p><!-- BlogCounter Code START --></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-655568822192184808?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-21555353328557496692011-03-16T08:02:00.000-07:002011-03-18T07:42:28.546-07:00I just stumbled over a piece of code that might be interesting for you as well. A web-app let's click you on a "forgotten password" link and will send a token to the (valid/known) email address you specified. When you return to the web-app and provide the token that was mailed to you, and the token was found by looking it up for ANY user, you are allowed to set a new password. So, theoretically (I didn't test it) this code is vulnerable to a <span style="font-style:italic;">birthday attack</span> (random pair collision), the impact depends on the number of users and the length of the token.<br /><br />For example, and I hope I get the math correct here, if the token is 8 bit long (8 bit of entropy, equally distributed) an attacker only needs to call the "forgotten password" functionality for 16 (birthday bound, 2^{n/2}) users and try 16 different tokens to have a probability of success close to 50%.<br /><br />The solution is to look-up the user by email address or another unique identifier and verify if the token for this user matches or not.<br /><br />Here is an example diagram for a 16 bit token (DNS TRXID) to compare <span style="font-style: italic;">brute force</span> vs. <span style="font-style: italic;">birthday attack</span>.<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/-un8k-4vIBTw/TYM16SXMdvI/AAAAAAAAAeY/7dhAdj5ed3Q/s1600/Birthday_vs_conventional_attack.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 242px;" src="http://3.bp.blogspot.com/-un8k-4vIBTw/TYM16SXMdvI/AAAAAAAAAeY/7dhAdj5ed3Q/s320/Birthday_vs_conventional_attack.jpg" alt="" id="BLOGGER_PHOTO_ID_5585367238347355890" border="0" /></a><br /><br /><p><!-- BlogCounter Code START --></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-2155535332855749669?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com3tag:blogger.com,1999:blog-5240359826706545510.post-24712595129346135052011-03-10T02:15:00.000-08:002011-03-10T02:23:03.679-08:00Just recognized that the web-app for Comdirect online banking does not ask for another TAN if you choose back and change the bankwire details like the recipient. Execution flow:<br /><br />Enter bankwire details ---> click next ----> asked to enter TAN n ---> click back ----> change bankwire details ----> click next ---> again asked for TAN n<br /><br />I would generate a new TAN...<br /><br /><br /><p><!-- BlogCounter Code START --></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-2471259512934613505?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-65182696435026480662011-01-28T06:08:00.000-08:002011-01-28T06:10:17.267-08:00This mail was sent out to some <span style="font-style: italic;">opensuse</span> mailing lists to increase awareness.<br /><br /><blockquote>Dear community members and contributors,<br /><br />in the last few month we saw security breaches at gnu.org[1], at<br />sourceforge.net[2] and at fedora[3].<br /><br />Even if it is believed that the integrity of the hosted projects<br />was not affected I want to take the opportunity to remind you to<br />always verify the cryptographic checksums of downloaded archive<br />files, review patches and keep a healthy relationship/communication<br />to the upstream authors.<br /><br />It is good practise to change your password from time to time and make<br />it hard to guess[4][5]. Take extra care using public wifi hotspots,<br />crowded places[6], like trains, and other peoples computer etc.<br /><br />Cheers,<br />Thomas<br /><br />[1] http://blog.sucuri.net/2010/11/savannah-gnu-org-hacked-and-currently-offline.html<br />[2] http://sourceforge.net/apps/wordpress/sourceforge/2011/01/27/service-downtime/<br />[3] http://lists.fedoraproject.org/pipermail/announce/2011-January/002911.html<br />[4] http://en.wikipedia.org/wiki/Password_strength<br />[5] http://sourceforge.net/projects/pwgen/<br />[6] http://en.wikipedia.org/wiki/Shoulder_surfing_%28computer_security%29</blockquote><br /><br /><p><!-- BlogCounter Code START --></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-6518269643502648066?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com4tag:blogger.com,1999:blog-5240359826706545510.post-77118933628277259422011-01-12T05:44:00.000-08:002011-01-12T06:06:26.096-08:00A happy new year!<br /><br />I quickly hacked a test-suite based on the OWASP testing-guide. You can find the code here: <a href="http://gitorious.org/sectestsuite/websec">http://gitorious.org/sectestsuite/websec</a><br /><br />Take care, this time it is untested, incomplete and unfancy.<br /><blockquote><br />prompt> src/websec.pl myconfig.ini output=short<br />=====> OWASP_CM_001::sslv2: CWE-XYZ (): code = 0 (msg = 'PASS')<br />=====> OWASP_CM_001::weak_ciphers: CWE-327 (Use of a Broken or Risky Cryptographic Algorithm): code = 0 (msg = 'PASS')<br />=====> OWASP_CM_008::http_dangerous_methods: CWE-749 (Exposed Dangerous Method or Function): code = 0 (msg = 'PASS')<br />=====> OWASP_CM_008::http_arbitrary_methods: CWE-749:CWE-650 (Exposed Dangerous Method or Function:Trusting HTTP Permission Methods on the Server Side): code = 1 (msg = 'FAIL:HTTP arbitrary/dangerous methods allowed (UNLOCK)')<br />=====> OWASP_CM_008::http_bypass_head: CWE-650 (Trusting HTTP Permission Methods on the Server Side): code = 0 (msg = 'PASS')<br />=====> OWASP_AT_002::user_enumerate: CWE-204 (Response Discrepancy Information Exposure): code = 0 (msg = 'PASS')<br />=====> OWASP_AT_002::uri_probing: CWE-204 (Response Discrepancy Information Exposure): code = 1 (msg = 'FAIL:URI probing emits different HTTP status code (200 vs 404)')<br />=====> OWASP_AT_007::user_really_logged_out: CWE-672 (Operation on a Resource after Expiration or Release): code = 1 (msg = 'FAIL: Still able to access private page even after logging out.')<br /> OWASP_AT_007::session_timeout_used: wait for 120 + 10 seconds<br />=====> OWASP_AT_007::session_timeout_used: CWE-613 (Insufficient Session Expiration): code = 0 (msg = 'FAIL: Private page was still accessible after timeout (120 + 10 secs).')<br />=====> OWASP_AZ_001::path_traversal: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')): code = 0 (msg = 'PASS')<br />=====> OWASP_SM_002::cookie_security: CWE-614 (Sensitive Cookie in HTTPS Session Without 'Secure' Attribute): code = 1 (msg = 'FAIL:Path attribute points to '/'')<br />=====> OWASP_SM_003::session_fixation_public: CWE-384 (Session Fixation): code = -2 (msg = 'INFO: Unable to get Cookie from public page')<br />=====> OWASP_SM_003::session_fixation_private: CWE-384 (Session Fixation): code = 1 (msg = 'FAIL:Vulnerable to Session Fixation Attack by authenticated users')<br />=====> OWASP_SM_004::cookie_not_fresh: CWE-323 (Reusing a Nonce, Key Pair in Encryption): code = 1 (msg = 'FAIL: Vulnerable of re-using session cookies')<br />=====> OWASP_SM_004::cookie_secure_storage: CWE-312:CWE-613 (Cleartext Storage of Sensitive Information:Insufficient Session Expiration): code = 1 (msg = 'FAIL:'Expires' header not set:Cache-Control header not set.')<br />=====> OWASP_SM_004::cookie_via_get: (): code = 0 (msg = 'PASS: Unable to login via GET.')<br />=====> OWASP_SM_005::csrf: CWE-352 (Cross-Site Request Forgery (CSRF)): code = 1 (msg = 'FAIL:Vulnerable to CSRF Attack (HTTP code 200)')<br /><br />17 test in 155 secs.</blockquote><br /><br /><br /><p><!-- BlogCounter Code START --></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-7711893362827725942?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-12228854045290959492010-12-03T01:49:00.000-08:002010-12-06T06:40:54.804-08:00I told you that future isn't predictable, that it is dominated by change. So here is what has to change: First (maybe) <span style="font-weight: bold;">you</span>!<br /><br />Power is what most people lack of, people that feel the time for a change is now, or that see the disadvantages in their private and/or working life, often are too powerless. Either their psyche/mind is powerless, or maybe they don't have the executive power, or they do not have ever made the social connections to the right people with the power and mind needed to go a new way.<br /><br />Well your way of getting your job and more done should be based on a strong mind. If your psychological hygienic is in a bad shape you are lost either way. Stop reading here! Go and change (or start loving!) the ill parts of your character before it is too late.<br /><br />Will I come to a point in this post. Yes! Read on... :-)<br /><br />When you are not happy about the security awareness in your company's software department or alike and your boss does not equip you with the power to do the job, the alternative is not to bury your head in the sand but <span style="font-style: italic;">just do it</span>! (Warning: In big companies games are played differently as in small companies, means: Changes in big companies are often not wanted because they introduce risk. "Loser's Game" vs. "Winner's Game")<br /><br />Of course you cannot go up to the software development department and force them to change their processes to an industry standard (MS SDL, SAMM, etc.). But you can offer the project- or team-leads your HELP. By it I mean you can offer them the parts of your favorite secure code development process that don't cost them much time and money, this means they cost your time of course. Go ahead!<br /><br /><span style="font-weight: bold;font-size:130%;" >Starting points.</span><br /><br />The most less invasive and helpful tasks IMO are:<br /><ul><li>doing code reviews and filing bugs in their bug tracking system</li><li>provide security documents (secure coding, secure design, helpful links) in a wiki or any other internal CMS<br /></li><li>offer security trainings directly related to their work</li><li>ask project leaders to include you in the application design process</li></ul>Take care: Don't be a nit-picker or too restrictive. :)<br /><br /><span style="font-size:130%;"><span style="font-weight: bold;">Tips: Presentation, Training</span></span><br /><br />What I found most useful and which is no magic is:<br /><ol><li>be short</li><li>only the most dangerous/important vulnerabilities</li><li>don't get lost in details<br /></li><li>many examples, try use the team's code</li><li>live-sessions<br /></li></ol> The secure development trainings are really important (I often miss that *sigh*) because you stay in-front of the team and can influence their view on security and the way they develop code in the future. So, be friendly and helpful but also mandatory. Take a look in your soft-skill toolbox to see what techniques might be useful. (I always forget it... unfortunately)<br /><br /><span style="font-weight: bold;font-size:130%;" >Techniques: The appeal.</span><br /><br />Five steps to formulate a clear appeal:<br /><ol><li><span style="font-weight: bold;">introduction</span>: In the introduction phase you have to set the context by telling your dialog partner (dp) about the topic you are talking about. <span style="font-style: italic;">"I beg you to keep security in mind when developing our applications because security updates cost everybody's time, costs money, and put the customer at risk."</span></li><li><span style="font-weight: bold;">facts</span>: Who should do what when exactly. But take care with the competencies here. Sounding too harsh is too easy. <span style="font-style: italic;">"During my penetration-test I saw simple flaws with high impact like cross-site scripting bugs in our social-network solution. Additionally I also stumbled over design issues like sending credential over the network without using SSL. Please review your code to fix all cross-site scripting vulnerabilities before the next beta-release. Tools for testing and descriptions of the bug as well as possible solutions are described in our Intranet wiki. For the next major version or re-design of our product xyz, I can offer you to be part of it and review the design."<br /></span></li><li><span style="font-weight: bold;">context</span>: People accept and fulfill additional tasks better if they know about he corresponding context. <span style="font-style: italic;">"When we deliver the code as-is with all it's big security holes, hackers will have a lot of fun stealing personal information easily from your customer's servers . We will chip away our image and have additional work releasing security updates. Not releasing bugs is cheaper than providing security updates."</span><br /></li><li><span style="font-weight: bold;">comprehension</span>: Do not ask so called closed questions like <span style="font-style: italic;">"Is everything clear?"</span> or <span style="font-style: italic;">"Is something unclear?"</span> you will get <span style="font-style: italic;">"Yes."</span> respectively <span style="font-style: italic;">"No."</span> as a reflex from your dialog partner. Better use open questions: <span style="font-style: italic;">"I know this kind of vulnerability is very abstract. Where are open questions I can answer for you?", "What can I do for you to make this work?", "Which questions do you have?" </span>And after each question make a long pause, this encourages your dp to react.<br /></li><li><span style="font-weight: bold;">acceptance</span>: At the end you need to verify if your appeal was really accepted by your dialog partner. There is a gap between understanding and accepting. The first 4 steps of a clear appeal try to bridge over this gap and at the end you need to verify if you were successful. If you don't like it you can omit this final step and hope for the best. You may also received signals from your dp that shows acceptance or reluctance and adopt the final step based on that. The easiest way would be to ask: <span style="font-style: italic;">"Will you fulfill this task until the next beta-release?"</span> This is of course not the right way if you work on an equal footing. Alternatives might be: <span style="font-style: italic;">"Where can I help you to get this done until next beta-release?"</span> etc.<br /></li></ol>I should start following my own advises and... also never write a novel. ;)<br /><br /><span style="font-size:78%;"><span style="font-weight: bold;"></span>(for the topic see the <a href="http://www.stlyrics.com/lyrics/littlenicky/changeinthehouseofflies.htm">following lyrics</a>)</span><br /><br /><p><!-- BlogCounter Code START --></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-1222885404529095949?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-67540698667334716232010-11-24T00:40:00.001-08:002010-12-06T04:50:19.255-08:00<p class="mobile-photo"><a href="http://4.bp.blogspot.com/_YYeA-lwcHBA/TOzPbOS9wHI/AAAAAAAAAXs/jKCADTllAPc/s1600/22112010036-711460.jpg"><img src="http://4.bp.blogspot.com/_YYeA-lwcHBA/TOzPbOS9wHI/AAAAAAAAAXs/jKCADTllAPc/s320/22112010036-711460.jpg" alt="" id="BLOGGER_PHOTO_ID_5543033307987296370" border="0" /></a></p>... Deftones at the Live Music Hall in Cologne.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-6754069866733471623?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-38473213437798693652010-11-08T06:24:00.000-08:002010-11-08T06:26:05.332-08:00http://www.kalzumeus.com/2010/09/22/security-lessons-learned-from-the-diaspora-launch/<br />http://www.railsinside.com/tips/486-14-bare-minimum-security-checks-before-releasing-a-rails-app.html<br /><br /><p><!-- BlogCounter Code START --></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-3847321343779869365?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-26248474225616840312010-10-29T05:29:00.000-07:002010-12-03T07:37:27.893-08:00plain, simple, stupid, unfancy, working. <a href="http://gitorious.org/brute-forcer/web-bf">Get it from gitorious.org</a>.<br /><br /><p><!-- BlogCounter Code START --></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-2624847422561684031?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-38867493973491189502010-10-28T06:17:00.001-07:002010-12-03T07:37:36.906-08:00Well I did it again. I didn't find a spider tool that fits my needs and wrote my own. <a href="http://gitorious.org/code-scanner/spider">Check it out at gitorious.org</a>.<br />It crawls a web site to a defined depth, downloads docs, sheets, multi-media files, etc, checks if a URL is fuzzable or accessible without authentication (CWE-425, Forced Browsing).<br /><br /><p><!-- BlogCounter Code START --></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-3886749397349118950?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-72848078407781759642010-10-27T00:29:00.001-07:002010-10-27T00:50:43.155-07:00<p class="mobile-photo"><a href="http://4.bp.blogspot.com/_YYeA-lwcHBA/TMfUxiYYvBI/AAAAAAAAAXk/cPAUyx8kJjk/s1600/18102010013-749369.jpg"><img src="http://4.bp.blogspot.com/_YYeA-lwcHBA/TMfUxiYYvBI/AAAAAAAAAXk/cPAUyx8kJjk/s320/18102010013-749369.jpg" alt="" id="BLOGGER_PHOTO_ID_5532624614755712018" border="0" /></a></p><p class="mobile-photo">My last working week was really busy and started at Sunday noon because I was in Nuremberg to hold a web-security workshop for my colleagues at Monday morning. Traveling at Sunday feels a bit strange, no business people, but much party people with hangovers. OOo Impress hung X completely by eating up all available resources. Nevertheless the live sessions worked better than expected and seem to be the salt in the stale slide soup.<br /></p><p class="mobile-photo">The "it-sa Sicherheitsmesse" (security trade show), OWASP conference, and the openSUSE conference were the overlapping highlights of this week. Unfortunately I missed the OWASP conference... :(</p><p class="mobile-photo">This week is the last chance to do web-application penetration-testing of in-house products before I have to take over the incidents handling next Tuesday.</p><p class="mobile-photo">I still need to find a good way to bring threat modeling and secure development to Web 2.0 without using bloated text documents and reusing text blocks all the time.<br /></p><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-7284807840778175964?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com4tag:blogger.com,1999:blog-5240359826706545510.post-62288564528996471982010-10-26T08:15:00.000-07:002010-12-03T07:37:43.200-08:00just found none that worked for me and wrote my own. <a href="http://gitorious.org/fuzzer/fuzz-xss">check out fuzz-xss</a><br /><br /><br /><p><!-- BlogCounter Code START --></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-6228856452899647198?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-46722033561761090122010-10-25T05:44:00.000-07:002010-10-25T06:07:00.721-07:00pseudo code:<br /><pre class="bz_comment_text" id="comment_text_0"><span style="font-family:courier new;">def change_pwd</span><br /><span style="font-family:courier new;"> if !@http_user</span><br /><span style="font-family:courier new;"> <span style="font-family: courier new;font-family:monospace;" >ERROR</span></span><br /><span style="font-family:courier new;"> else if not params[:login] or not params[:password]<br /> ERROR<br /></span><span style="font-family:courier new;"> end</span><br /><span style="font-family:courier new;"> unless @http_user.is_admin? or params[:login] == @http_user.login</span><br /><span style="font-family:courier new;"> ERROR</span><br /><span style="font-family:courier new;"> end</span><br /><br /><span style="font-family:courier new;"> login = URI.unescape( params[:login] )</span><br /><span style="font-family:courier new;"> newpassword = Base64.decode64(URI.unescape( params[:password]))</span><br /><br /><span style="font-family:courier new;"> # change password in users db</span><br /><span style="font-family:courier new;"> @user = User.find_by_login(login)</span><br /><span style="font-family:courier new;"> @user.password = newpassword</span><br /><span style="font-family:courier new;"> @user.save!</span><br /><span style="font-family:courier new;">end</span><br /><br /><br /><blockquote>URI.unsecape("thomas%OO") --> "thomas"</blockquote><br /></pre><br /><br /><br /><br /><p><!-- BlogCounter Code START --></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-4672203356176109012?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com2tag:blogger.com,1999:blog-5240359826706545510.post-12059385242049158292010-09-23T01:28:00.000-07:002010-09-23T01:49:58.849-07:00Ah, sorry this is not about exploiting off-by-ones or a like. It is about carelessness and pain... mental pain not physical pain... so, I am also sorry for you black robed guys and gals.<br /><br />Well I have 1TB USB HDD with XFS and the kernel module crashes several times per day and additionally the HDD does not wake up from sleep. Neither shaking nor kissing helped here. *snore*<br /><br />Ok, no problem: Lets re-format it. I made a huge tar file (about 400GB) on my internal HDD with "tar cf /tmp/1tb.tar" which took some time, I formated the disk and want to replay the tar to the USB disk.<br />"But what is that, can it be!" ^c^c^c^z^z^z^c^c Too late! I typed "tar cf" again instead of "tar xf". Zero bytes, zero! That is the size of my 400GB backup. Just before I want to go to bed. All the pictures, music, qemu images, backups... ALL GONE!<br /><br />I let ext3undel run over my internal HDD and hope I will find the deleted tar. I found several hundred tar files all seem to include just a bit of the 400GB archive, just a bit... only 2GB. What a mess!<br /><br />But funnily I found a lot of Anime pictures and photographs of Asian people too. The machine is just a few weeks old and the HDD is from Samsung. Seems Samsung employees "test" their hardware by putting pictures on it. ;)<br /><br /><br /><p><!-- BlogCounter Code START --></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-1205938524204915829?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-15677805327182273042010-09-14T03:35:00.000-07:002010-10-27T00:52:45.007-07:00JFYI: http://netifera.com/research/poet/PaddingOracleBHEU10.pdf<br /><br />cite slide 15:<br /><blockquote>Vulnerability: encrypt and decrypt functions.<br />Use encrypt_and_sign and decrypt_and_verify instead.</blockquote><br /><br />CVE-2010-3299<br /><br /><span style="font-weight: bold;">Update</span>: I am not sure that this claim is really true because the <span style="font-style: italic;">encrpyt</span> function is not mandatoy and there is still a digest at the end of the cookie string to ensure integrity. Still waiting for an answer from the authors... stay tuned!<br /><br /><span style="font-weight: bold;">2010-10-27</span>: No clarifying answer from the authors yet. We assume this is a non-issue for Rails.<br /><br /><p><!-- BlogCounter Code START --></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-1567780532718227304?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-60841940863661108422010-08-26T08:51:00.000-07:002010-09-29T01:48:49.220-07:00<a style="" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_YYeA-lwcHBA/S-2Wln5vtsI/AAAAAAAAARw/VkVR9lKRTWU/s1600/shieldbadge_red-3d.png"><img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 78px; height: 117px;" src="http://1.bp.blogspot.com/_YYeA-lwcHBA/S-2Wln5vtsI/AAAAAAAAARw/VkVR9lKRTWU/s400/shieldbadge_red-3d.png" alt="" id="BLOGGER_PHOTO_ID_5471194695435531970" border="0" /></a>What does SAD mean? I will clarify it later, it does not matter now... don't be sad about it.<br /><br />Since some years big software companies like <a href="http://www.microsoft.com/sdl">Microsoft</a> (2002) or <a href="http://blogs.cisco.com/security/comments/the_cisco_secure_development_lifecycle_an_overview/">Cisco</a> (2010) start changing their software development procedures to address the massive amount of vulnerabilities in their products. MS seems to be <a href="http://www.microsoft.com/security/sdl/resources/faq.aspx">successful with this strategy</a> and all the charts, numbers and articles look promising. "But what about the open-source world, the world of Linux distributions, what did they do?" you might ask. Led me shed some light on it.<br /><br />It is much different for us and I will go into the details later. Let me first enumerate some vital steps in the secure development process that correlate to the steps of various software development "philosophies":<br /><ol><li>secure system design principals</li><li>risk assessment (aka threat modeling or security profiling)</li><li>choosing the right technology (programming language, compiler, etc.)</li><li>secure-coding training for developers</li><li>security-testing training for testers</li><li>tools (static analysis and compilers with security options) for developers</li><li>security-related testcases and tools (fuzzers, scanners, etc.) for the QA team</li><li>partial code-review by specialists</li><li>penetration-testing by specialists</li><li>maintenance (update publishing, customer notification)</li></ol>All steps are important and some, like secure design and risk assessment, are even so important that without it an application can never be secure without completely re-writing large parts of it.<br /><br />If you develop code in-house you have influence on each of the development steps (not for free of course). But if you are a distributor of open-source software you just collect the software, bundle it and hand it over to your customers (I hope no one will bash me for this simplification). This puts us in the <a href="http://www.ranum.com/security/computer_security/editorials/dumb/">penetrate-and-patch</a> wheel (aka "hamster wheel" by A. Jaquith) which is known to be costly and ineffective. But you can be sure our "hamster wheel" is well oiled and our teams of "hamster-engineers" is in good shape. Maintenance is one of the main and most important services we provide because software will never come without bugs... that is the reality.<br /><br />We, as distributor, could of course be so crazy and try to force open-source developers to follow a set of principals of secure software development by letting them answer questionnaires and verify their code quality. And if they fail, we will drop their package(s). Believe me, this would neither help us nor the community nor any enterprise customer. SUSE: "Oops, we have to drop X and the kernel. Well, be it so...", developer: "SUSE sux!" (BTW, untrue... we dropped "sux".)<br /><br />What really helps in this situation is:<br /><ol><li>a healthy and effective communication between distributions, and between distributions and the OSS developers as well as the user community/customers<br /></li><li><a href="http://old-en.opensuse.org/Security_Features">kernel, glibc and gcc options to avoid memory corruptions, enable non-executable memory sections, address space randomization etc.</a></li><li><span style="display: block;" id="formatbar_Buttons"><span class=" on down" style="display: block;" id="formatbar_CreateLink" title="Link" onmouseover="ButtonHoverOn(this);" onmouseout="ButtonHoverOff(this);" onmouseup="" onmousedown="CheckFormatting(event);FormatbarButton('richeditorframe', this, 8);ButtonMouseDown(this);">security-related testcases and tools (fuzzers, scanners, etc.), for example for the QA team<br /></span></span></li><li><span style="display: block;" id="formatbar_Buttons"><span class=" on down" style="display: block;" id="formatbar_CreateLink" title="Link" onmouseover="ButtonHoverOn(this);" onmouseout="ButtonHoverOff(this);" onmouseup="" onmousedown="CheckFormatting(event);FormatbarButton('richeditorframe', this, 8);ButtonMouseDown(this);">secure default configuration of the system and its services by enforcing our security policy for all packages<br /></span></span></li><li><span style="display: block;" id="formatbar_Buttons"><span class=" on down" style="display: block;" id="formatbar_CreateLink" title="Link" onmouseover="ButtonHoverOn(this);" onmouseout="ButtonHoverOff(this);" onmouseup="" onmousedown="CheckFormatting(event);FormatbarButton('richeditorframe', this, 8);ButtonMouseDown(this);">code review and pen-testing of high-risk components<br /></span></span></li><li><span style="display: block;" id="formatbar_Buttons"><span class=" on down" style="display: block;" id="formatbar_CreateLink" title="Link" onmouseover="ButtonHoverOn(this);" onmouseout="ButtonHoverOff(this);" onmouseup="" onmousedown="CheckFormatting(event);FormatbarButton('richeditorframe', this, 8);ButtonMouseDown(this);">processes and interfaces well-known and accepted by customers<br /></span></span></li><li><span style="display: block;" id="formatbar_Buttons"><span class=" on down" style="display: block;" id="formatbar_CreateLink" title="Link" onmouseover="ButtonHoverOn(this);" onmouseout="ButtonHoverOff(this);" onmouseup="" onmousedown="CheckFormatting(event);FormatbarButton('richeditorframe', this, 8);ButtonMouseDown(this);">and a highly optimized "hamster wheel", vulgo: maintenance (bug fixing, update publishing, customer notification)</span></span></li></ol>So much for the process and current state. Let me dive into the shiny waters of history before I will take a look into the future.<br /><br />About 12 to 10 years ago, when Marc (ret.), I and Sebastian (chronological order) started working for S.u.S.E., our main focus was code-reviews (our <span style="font-style: italic;">wu-ftpd</span> was great!) and to establish a process for security updates.<br />We improved the way code reviews were done in the last decade and came to something like <a href="http://en.wikipedia.org/wiki/Threat_model">Threat Modeling</a> (Security Profiling) but in a much less noisy way by combining design reviews, results of code reviews and runtime (penetration) tests with real bugs (incl. severity rating). Beside of that there is a real change in code quality of high-profile open-source software, we found much less simple or severe bugs. The bugs in libraries, client- as well as in web-applications increases dramatically (remember PHP, PDF libs, font libs, ImageMagick, ...).<br /><br /><div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_YYeA-lwcHBA/THYmUAEJ0AI/AAAAAAAAAXE/1jcXmF2TrWQ/s1600/statistics-lowlevel_vs_web-bugs.jog.jpg"><img style="cursor: pointer; width: 373px; height: 273px;" src="http://2.bp.blogspot.com/_YYeA-lwcHBA/THYmUAEJ0AI/AAAAAAAAAXE/1jcXmF2TrWQ/s320/statistics-lowlevel_vs_web-bugs.jog.jpg" alt="" id="BLOGGER_PHOTO_ID_5509633319191040002" border="0" /></a><br /></div><br /><br />But code-reviews alone did not protect you against unknown bugs. A secure default configuration (SUSE Linux Enterprise Server as well as openSUSE) is vital. Our strict policy (processes and technology) is mainly enforced by Ludwig and Marcus.<br /><br />The general security awareness in our company as well as in the whole digital society changed positively compared to the time before the <a href="http://en.wikipedia.org/wiki/Dot-com_bubble">dot-com bubble</a> imploded. ("A long, long, long, long time ago - Before the wind before the snow ...")<br />And therefore we receive more security bug reports from customers, community memebers and colleagues as well as from code reviews by others people and companies. And that is good.<br /><br />A negative effect of the massive web-based (web 2.0) development is complexity and openness. Todays web-applications are highly exposed, have different standard and non-standard interfaces, talk to several other semi-trusted systems, are dynamic and mainly process untrusted data. They are always the low-hanging fruit... imagine what would happen if the paradise was full of apple trees!<br /><br />New challenges to counter!<br /><br />(Ah, I promised to take a look into the future, I can't! :) The only constant in life is change. Enjoy!)<br /><br /><br /><br /><br /><br /><p><!-- BlogCounter Code START --></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-6084194086366110842?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-20800611894917626042010-08-16T02:33:00.000-07:002010-08-16T02:40:07.195-07:00<a href="http://avdi.org/devblog/2010/08/02/using-and-and-or-in-ruby/">http://avdi.org/devblog/2010/08/02/using-and-and-or-in-ruby/</a><br /><br />If you review Ruby code you might want to have a look at this blog post, it describes the differences between <span style="font-family:courier new;">&amp;&amp;</span> and "<span style="font-family:courier new;">and</span>" as well as between <span style="font-family:courier new;">||</span> and "<span style="font-family:courier new;">or</span>". In Ruby "<span style="font-family:courier new;">and</span>" and "<span style="font-family:courier new;">or</span>" have a lower precedence as the boolean operators. This might lead to different flow control...<br /><br /><p><!-- BlogCounter Code START --></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-2080061189491762604?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-88081772368672868142010-07-23T02:53:00.000-07:002010-07-23T13:43:25.950-07:00enjoy and enhance!<br /><br /><a href="http://en.opensuse.org/SDB:Secure_coding_checklist:_C_and_C%2B%2B">Secure Coding Checklist: C and C++</a><br /><a href="http://en.opensuse.org/SDB:Secure_coding_checklist:_Ruby_on_Rails">Secure Coding Checklist: Ruby on Rails</a><br /><br /><p><!-- BlogCounter Code START --></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-8808177236867286814?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com6tag:blogger.com,1999:blog-5240359826706545510.post-25338854587372430082010-05-21T03:31:00.000-07:002010-05-23T23:55:26.433-07:00Just a short note: We switched back from <span style="font-style: italic;">upstart</span> to the good old <span style="font-style: italic;">sysvinit</span> and everything works fine.<br /><br /><!-- BlogCounter Code START --><p></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-2533885458737243008?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com2tag:blogger.com,1999:blog-5240359826706545510.post-91331576327331771992010-05-14T00:16:00.000-07:002010-05-26T10:15:05.977-07:00Hm, our entries in www.osvdb.org are incomplete, I submitted updated contact information...<br /><span style="font-weight: bold;">Update</span>: <a href="http://osvdb.org/vendors/search?name=suse">http://osvdb.org/vendors/search?name=suse</a><br /><p><!-- BlogCounter Code START --></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-9133157632733177199?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-53010041459785306992010-05-07T05:40:00.000-07:002010-06-15T00:59:42.469-07:00<a style="" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.youtube.com/watch?v=qksTlo_1Tpw"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 440px; height: 440px;" src="http://www.track4-info.de/blog/wp-content/uploads/2010/03/Deftones-Diamond-Eyes.jpg" alt="" border="0" /></a><br />http://www.deftones.com/news/2010/05/06/dortmund-show-tomorrow<br /><br />I am rocking tonight to one of my favorite bands!<br /><br /><p><!-- BlogCounter Code START --></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-5301004145978530699?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-56631989868236817182010-05-06T05:36:00.000-07:002010-05-07T03:40:10.415-07:00The good news first: No, your shiny new LED doesn't have pixel failures!<br />The dot you see at the end of the file permissions of the ls(1) output comes from additional ACLs, in this case SELinux.<br /><br />http://www.gnu.org/software/coreutils/manual/coreutils.html states:<br /><blockquote>"Following the file mode bits is a single character that specifies whether an alternate access method such as an access control list applies to the file. When the character following the file mode bits is a space, there is no alternate access method. When it is a printing character, then there is such a method.<br />GNU ls uses a ‘.’ character to indicate a file with an SELinux security context, but no other alternate access method"<br /><p><br /><br /><!-- BlogCounter Code START --></p><p><a style="" href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;"></span></a></p></blockquote><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-5663198986823681718?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-15815633656410266492010-05-04T00:47:00.000-07:002010-05-04T01:00:30.338-07:00I just installed milestone 6 to test our SELinux functionality... it works! :)<br /><br />What little steps were solved?<br />- migration from <span style="font-style: italic;">sysvinit</span> to <span style="font-style: italic;">upstart</span> by adding <span style="font-style: italic;">load_policy</span> to <span style="font-style: italic;">mkinitrd</span><br />- enhance <span style="font-style: italic;">yast2 bootloader</span> to also enable <span style="font-style: italic;">pam-selinux</span> and if "Enable SELinux" was chosen<br />- add additional checks to the<span style="font-style: italic;"> selinux-ready</span> script which is part of the <span style="font-style: italic;">selinux-tools</span> package<br />- updated selinux packages by Pavol<br /><br />TODO<br />- automatically enable <span style="font-style: italic;">restorecond</span> and run <span style="font-style: italic;">fixfiles -F relabel</span> etc.<br />- automatically run <span style="font-style: italic;">setsebool -P init_upstart=1</span><br />- a working policy ;-)<br /><br />Enjoy!<br /><br /><p><!-- BlogCounter Code START --></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-1581563365641026649?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com2tag:blogger.com,1999:blog-5240359826706545510.post-7906136614681787742010-04-08T08:10:00.000-07:002010-04-10T03:25:17.566-07:00<p>Well there was a lot of work done regarding SELinux this week.</p><p>The first step was to bring the next milestone of 11.3 to the level of 11.2 by adding <span style="font-style: italic;">load_policy</span> to the <span style="font-style: italic;">mkinitrd</span> scripts. The patch was submitted to <span style="font-style: italic;">Base:System</span> a few hours ago. This work-around was needed because we switched to <span style="font-style: italic;">upstart</span> which does not contain native C API calls to <span style="font-style: italic;">libselinux</span> to load the policy from within <span style="font-style: italic;">init</span>.<br /></p><p>The next step fixed the file permissions of <span style="font-style: italic;">/etc/selinux/config</span> to be 644 and to add some functionality to the <span style="font-style: italic;">selinux-ready</span> script. Both are in <span style="font-style: italic;">security:SELinux</span> now and on their way to <span style="font-style: italic;">opensuse:Factory</span>.</p><p>The last essential problem to solve was enabling <span style="font-style: italic;">pam_selinux</span> and disabling <span style="font-style: italic;">pam_apparmor</span> when you choose "Enable SELinux" in the yast2 bootloader menu. Mission accomplished. Jozef submitted a fresh new <span style="font-style: italic;">yast2-bootloader</span> package (2.19.11) to OBS.</p><p><span style="font-weight: bold;">Update</span>: I submitted a new version of the <span style="font-style: italic;">selinux-ready</span> script a few seconds ago to verify if <span style="font-style: italic;">restorecond</span> was enabled in runlevel 3 and/or 5.</p><p>Note: Without a working policy for openSUSE and more beta-testers SELinux is still no option for common users.<br /></p><p>Far from perfect but a little step ahead! Thanks to everyone involved.<br /></p><p><!-- BlogCounter Code START --><br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-790613661468178774?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com4tag:blogger.com,1999:blog-5240359826706545510.post-69752445220538069322010-03-30T06:21:00.000-07:002010-03-30T06:27:07.689-07:00<p>Hello Ruby coders,</p><p><!-- BlogCounter Code START -->you may <a href="http://guides.rubyonrails.org/security.html#regular-expressions">already know the differences</a> between <span style="font-family:courier new;">^</span> and \A as well as $ and \z but a colleague found additional oddities that can lead to unexpected results when using \w. Have a look at this <a href="http://lists.opensuse.org/opensuse-ruby/2010-03/msg00000.html">posting to the opensuse-ruby list</a>.<br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-6975244522053806932?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-9486907731516433972010-03-30T01:19:00.000-07:002010-04-01T06:40:38.207-07:00<p>Before I start I want to address my words to you - the openSUSE user and community member. If you have input regarding SELinux write me an email or, even better, open a bug report at <a href="https://bugzilla.novell.com/">https://bugzilla.novell.com</a> and put me (thomas AT novell.com) in CC.<br /><!-- BlogCounter Code START --></p><p>In 11.3 we have at least to address the following issues<br /></p><ol><li> the <a href="https://bugzilla.novell.com/show_bug.cgi?id=582399">problem that transition to roles</a> did not work</li><li> <a href="https://bugzilla.novell.com/show_bug.cgi?id=582366">pam_selinux.so is missing</a></li><li> and <a href="https://bugzilla.novell.com/show_bug.cgi?id=581505">policycoreutils is broken</a></li></ol>Helping hands/minds are welcome!<br /><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-948690773151643397?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-73901751733012932372010-03-30T00:29:00.000-07:002010-03-30T00:36:18.423-07:00<p>Hi,</p><p><!-- BlogCounter Code START -->Andreas Bogk posted an<a href="http://seclists.org/fulldisclosure/2010/Mar/519"> advisory about a weakness in the Session-ID generated by PHP</a> and proved my <a href="http://thetoms-random-thoughts.blogspot.com/2007/10/php-session-ids.html">doubts about the system mentioned some years ago</a>. A cheer for the engineer! :)<br /></p><p><br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-7390175173301293237?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-18820910881809282992010-03-26T02:23:00.000-07:002010-03-26T02:45:07.970-07:00<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_YYeA-lwcHBA/S6x-HbPDTzI/AAAAAAAAAQ4/AAYDjQVJhQo/s1600/25032010116.jpg"><img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 320px; height: 240px;" src="http://3.bp.blogspot.com/_YYeA-lwcHBA/S6x-HbPDTzI/AAAAAAAAAQ4/AAYDjQVJhQo/s320/25032010116.jpg" alt="" id="BLOGGER_PHOTO_ID_5452871914873900850" border="0" /></a><br /><p>Hello,</p><p><!-- BlogCounter Code START -->this is our last day in Prague. My wife, Marcus and I traveled to Prague on Monday to meet our colleagues and for holding a lecture about secure application design and secure coding in Ruby on Rails.</p><p>Session overview:</p><ol><li><span style="font-style: italic;">Wednesday morning</span>: secure design principals, attack surface reduction<br /></li><li><span style="font-style: italic;">Wednesday afternoon</span>: threat modeling, life-session threat modeling<br /></li><li><span style="font-style: italic;">Thursday morning</span>: web-security basics, secure coding &amp; best practices for Rails<br /></li><li><span style="font-style: italic;">Thursday afternoon</span>: life-session Rails code scanning and XML API fuzzing</li></ol><br />Now it is time to say goodbye...<br /><br /><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-1882091088180928299?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com4tag:blogger.com,1999:blog-5240359826706545510.post-49893696079508020092010-03-01T00:02:00.000-08:002010-03-01T00:36:50.063-08:00<p>To better update my code and to improve collaboration I pushed my code to <a href="http://www.gitorious.org/">gitorious</a>.<br /><!-- BlogCounter Code START --></p><ul><li>fuzz-cmdline: Unix command-line tool fuzzer: <a href="http://gitorious.org/fuzzer/fuzz-cmdline">http://gitorious.org/fuzzer/fuzz-cmdline</a></li><li>fuzz-xmlrpc: XML-RPC, RESTful, HTTP file upload, POST/PUT URL fuzzer: <a href="http://gitorious.org/fuzzer/fuzz-xmlrpc">http://gitorious.org/fuzzer/fuzz-xmlrpc</a><br /></li><li>ror-sec-scanner: Ruby on Rails source-code vulnerability scanner: <a href="http://gitorious.org/code-scanner/ror-sec-scanner">http://gitorious.org/code-scanner/ror-sec-scanner</a></li></ul><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-4989369607950802009?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-49790363440257837242010-02-17T12:15:00.000-08:002010-02-18T03:58:48.721-08:00<p><a href="http://blogs.msdn.com/user/Profile.aspx?UserID=56729">Shawn Hernan</a> from Microsoft <a href="http://blogs.msdn.com/shawnhernan/archive/2010/02/13/microsoft-s-many-eyeballs-and-the-security-development-lifecycle.aspx">spills some oil in the closed-source vs. open-source fire</a> again. How boring you think ...?<br /></p><p>I think so too - boring - and want to give a view of this topic that is more in touch with reality than the unsuccessful attempt to put open-source in a bad light by using ancient Greek logic (which is used wrong by the way b/c it is based on statistical/conditional premises not on axioms), random cites from MS-biased people as well as wisdoms (Voltaire - I think it was him - once said: "A wisdom is no proof." - I really like the contradiction in it :) )</p><p>Shawn also stumbles over his own rebuttal and says MS code is more secure because:<br /></p><blockquote>And it’s not like Microsoft source code is restricted to Microsoft personnel. There are more than a <a href="http://www.microsoft.com/resources/sharedsource/Licensing/default.mspx" mce_href="http://www.microsoft.com/resources/sharedsource/Licensing/default.mspx">dozen different programs</a> through which organizations and individuals can gain access to Microsoft source code.</blockquote><br />Well this is rounded off by too many wrong assumptions and biased thinking... no problem, this is what happens if you are not open. (Sorry can't resist.)<br /><br />Well let's stop comparing apples with oranges here.<br /><br />It has to be recognized that the mindset as well as the fundamentals of open-source and closed-source software are too different that nobody should try to compare them regarding security. But we can learn from each other. To repeat: I like the SDL and MS (and others) can only benefit from opening their code (Solaris would be dead for a long time if it just stays closed). Fact is that open-source does not make software more secure by default but this is especially true for closed software. But openness increases trust, adaptability, autonomy and agility - it is modern and democratic! And that is the main fact that matters for me! And for you?<br /><br />This is just my personal opinion but hopefully not mine alone. ;)<br /><p><br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-4979036344025783724?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-85788433984188731522010-01-06T00:44:00.001-08:002010-01-06T00:47:04.343-08:00<p>An ODF fuzzer is available at: <a href="http://gitorious.org/odf-fuzzer">http://gitorious.org/odf-fuzzer</a><br /><!-- BlogCounter Code START --></p><p>It was written by Ravipriya Thushara... feel free to use it and report bugs! :-)<br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-8578843398418873152?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-69308360945019828262010-01-05T06:00:00.000-08:002010-01-05T06:28:24.326-08:00<p>Happy new year!</p><p><!-- BlogCounter Code START -->On my train travel to Nuernberg I heavily rewrote fuzz-cmdline while testing it by fuzzing several setuid command-line tools on openSUSE 11.2.</p><p><a href="http://www.suse.de/%7Ethomas/projects/fuzz-cmdline/index.html">fuzz-cmdline Beta 2 can be downloaded</a> and tested now. Your comments are welcome.</p><p>What is new:</p><ul><li>removed Fuzzled framework and use own Fuzz.pm (this, unfortunately, disables the reload option of beta 1)<br /></li><li>more fuzzing data</li><li>combination of different fuzz types<br /></li><li>better configuration</li><li>improved crash logging</li><li>...</li></ul>TODO:<br /><ul><li>'reload' option</li><li>also send data to stdin and local IPC constructs</li><li>better crash detection</li><li>more fine-tuning of fuzzing data</li><li>beep on crash (?)</li><li>re-enable gdb usage (?)<br /></li><li>...<br /></li></ul><br /><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-6930836094501982826?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-71658984785946508702009-12-03T09:47:00.000-08:002009-12-04T08:06:01.064-08:00<p>Am 24. November haben die<a href="http://www.stud.fh-dortmund.de/forum/index.php?topic=15699.0"> Studenten der TU und FH Dortmund den Hörsaal 1</a> an der Emil-Figge-Straße besetzt, um gegen Studiengebühren und das Bachelor-Master-System zu protestieren.<br /></p><p><!-- BlogCounter Code START -->Nun trifft sich am selben Wochentag (Dienstag) auch immer der <a href="http://www.debado.de/">Debattierklub Dortmund</a> für seine wöchentliche Debatte. Da lag es nahe den Studies die Zeit zu verkürzen (oder zu verlängern) und eine Debatte über Studiengebühren vor ihnen zu führen. Es wurde im OPD-Format debattiert, und ich war als zweiter Redner der Opposition (zufällig gewählt und in dem Fall <span style="font-weight: bold;">für</span> Studiengebühren, als Sie es merkten war der Applaus vorbei ;)) damit beauftragt die protestierende Masse davon zu überzeugen, dass Studiengebühren wirklich wichtig und sinnvoll sind. Spaß, Spaß, Spaß! :-) Leider habe ich keine Fotos... :(<br /></p><p><br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-7165898478594650870?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-65543972931588930092009-12-03T09:09:00.000-08:002009-12-03T10:10:24.382-08:00<p>I want to sell my <span style="font-style: italic;">HTC Touch Diamond</span> on eBay, it contains a 4GB internal storage which I cleared and formated by using Settings->Clear Storage.</p><p><!-- BlogCounter Code START -->In the past I never trusted this tool therefore I cleared the storage, copied a big random file to the phone and cleared it again. This time copying the random 4GB file tooks very long and I want to make sure I do not waste time with being too paranoid here.</p><p>Therefore I used my <a href="http://www.suse.de/%7Ethomas/projects/jpeg-extract/index.html">jpeg-extractor</a> tool to extract everything that looks like a JPEG file from a raw disk/mem image of the internal storage. And after some minutes pictures popped up which are not on the original ROM but are images from podcasts and from the cam etc.</p><p>You, like I, already expect it, but this is the proof:</p><p></p><blockquote>Cleaning Windows Mobile Phones leaves personal Data on the Device.</blockquote><p></p><p>Take care what you sell on the Internet.</p><p>BTW, I always put a back-door on the phones I sell... just kidding. :-)</p><p><br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-6554397293158893009?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-34843291592198959072009-11-19T01:41:00.000-08:002009-11-19T23:27:37.579-08:00<a style="" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_YYeA-lwcHBA/SwWFK1GQMPI/AAAAAAAAAOk/EqhfjWtkbjQ/s1600/dscn1241.jpg"><img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 240px; height: 320px;" src="http://3.bp.blogspot.com/_YYeA-lwcHBA/SwWFK1GQMPI/AAAAAAAAAOk/EqhfjWtkbjQ/s320/dscn1241.jpg" alt="" id="BLOGGER_PHOTO_ID_5405873348826640626" border="0" /></a><br /><p>Good Evening,<br /></p><p>you may not have recognized it yet because of the bland climate (at least here in Germany) but X-MAS is approaching.</p><p><!-- BlogCounter Code START -->It is the time of beginning, looking ahead, family and wishes.</p><p>I am nipping hot tea from a big cup and want to hear about your wishes... the wishes from our openSUSE community, our SLES customers, the SUSE family if you like.</p><p>What should the SuSE Security-Team improve for you and your business in the future?</p><p><a href="http://www.suse.de/%7Ethomas/contact/index.html">Write me a mail</a> or leave me a comment!<br /></p><p><br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-3484329159219895907?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-78115496430519862602009-11-19T01:35:00.000-08:002009-11-19T09:31:47.563-08:00<p>Dear Readers,</p><p><!-- BlogCounter Code START -->you already may have recognized that we start using the CVSS v2 base score in our patch descriptions, security advisories and summary reports. If you want to know the details of CVSS, have a look at the <a href="http://www.first.org/cvss/cvss-guide.html">FIRST CVSS Guide</a>.</p><p>We should go away from our old and incomplete "Security Metric" which is a stupid^Wsimple metric I "invented" some years ago just to fill the gap.</p><p>CVSS is an industry standard which is used by other major vendors too. This allows our customers to rank the security updates we deliver and compare them to updates from other vendors that also use CVSS etc.</p><p>To not cause any additional work for us we use the base score as calculated by the people from the <a href="http://web.nvd.nist.gov/view/vuln/search?execution=e2s1">National Vulnerability Database</a> (NVD) and no additional scoring for our system configuration (which even could change from version to version, therefore each SLES/openSUSE version would need an own CVSS score).</p><p>HTH<br /></p><p><br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-7811549643051986260?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-36141576495699098282009-11-16T22:41:00.001-08:002009-11-20T02:57:30.201-08:00<p>I am surprised - positively of course :) : Sun released an update for a denial-of-service problem in virtualbox-ose:</p><p><a href="http://sunsolve.sun.com/search/document.do?assetkey=1-66-271149-1">http://sunsolve.sun.com/search/document.do?assetkey=1-66-271149-1</a></p><pre class="bz_comment_text" id="comment_text_6">CVE-2009-3940<br /></pre><p><!-- BlogCounter Code START --></p><p>Details:</p><p></p><blockquote>On 10/08/09 13:44, Thomas Biege wrote:<br />> Hi,<br />> just a question: Is this a real bug?<br />><br />> VirtualBox-3.0.6_OSE/src/VBox/Additions/linux/module> grep -n -E "XXX.*denial.*" *<br />><br />> vboxmod.c:1032: rc = VbglGRAlloc(&amp;reqFull, cbRequestSize, reqHeader.requestType); // XXX tom: denial of service! better use cbVanillaRequestSize?</blockquote><br /><br /><p></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-3614157649569909828?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-70091998579743818782009-11-12T06:44:00.000-08:002009-11-12T08:03:38.964-08:00<p>There are two ways to scramble private data on your hard-drive.</p><ol><li><!-- BlogCounter Code START -->encrypt the device</li><li>clean sensitive files securely</li></ol>In the past I used <span style="font-style: italic;">secure delete</span> to remove browser caches+history, tmp files, image thumbnails for preview etc. while shutting down my system and periodically using <span style="font-style: italic;">cron</span>.<br /><br />The pros of this method are:<br /><ul><li>better recovery of data in case of hardware failure</li><li>easy automatic backup</li><li>remote access to private data possible<br /></li><li>no performance impact</li><li>no crypto algorithm dependency</li><li>...<br /></li></ul>But because the tool overwrites the same file several times with random data without caching and without delays the HDDs crash very early in their life. After three completely destroyed HDDs I decided to switch to HDD encryption. ;-)<br /><br /><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-7009199857974381878?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-30591504689172325622009-11-10T23:37:00.000-08:002009-11-10T23:52:42.374-08:00<p>Yesterday Marcus reminded me that I have written a <a href="http://www.suse.de/%7Ethomas/projects/fuzz-cmdline/index.html">Fuzzer for command-line tools</a>... honestly I forgot this little PoC tool and it slept in my CVS repository for nearly 1.5 years. Until now, I put it <a href="http://www.suse.de/%7Ethomas/projects/fuzz-cmdline/index.html">online</a>. Beta-testers are welcome.<br /><!-- BlogCounter Code START --><br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-3059150468917232562?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-58469929299087173632009-11-05T02:08:00.000-08:002009-11-05T02:55:03.094-08:00<p>Um den thematischen Bogen zu meinem Blog zu spannen, es geht um "Security Awareness" und "Risk Assessment"... und natürlich nur um meine eigene Meinung. :)</p><p><br /></p><p><span style="font-style: italic;">Wo fange ich an, am Besten in der Vergangenheit.<br /></span>Bevor die Impfphase los ging, wurde von "den Ärzten" (dem <a href="http://www.rki.de/">Robert-Koch Institut</a>, rki) eine bessere Hygiene propagiert: "Wer satt und sauber ist, hat nichts zu befürchten." (sinngemäß)<br /></p><p>Hier wird also eine Kausalkette (satt+sauber --> keine Schweinegrippe) suggeriert, die dazu führt, dass sich die Leute häufiger als sonst - was gut ist - die Hände waschen, denn nur dann brauchen sie keine Angst vor einer Influenzainfektion zu haben. Angst! Tod! Sauberkeit! Da legen sich Schalter in unserem Kopf um...</p><p>Dieser Effekt wird natürlich durch Berichterstattung verstärkt: Nichts, bis zu 3000 Neuinfektionen in Dt.ld., am selben Tag dann schon 7000 allein in NRW, immer mehr Opfer der Grippe, nun werden die kranken Promis ins Rampenlicht der öffentlichen Meinungsbühne gezerrt, Menschen ohne Vorerkrankung (was auch nicht stimmt, siehe <a href="http://www.rki.de/DE/Content/InfAZ/I/Influenza/IPV/Schweineinfluenza__Situation.html">rki</a>) sterben, immer mehr Leute lassen sich Impfen.</p><br /><span style="font-style: italic;">Nun der zweite Schritt, die Gegenwart.</span><br />Personen, die viel Kontakt mit kranken/schwachen Menschen haben werden sich Impfen lassen (Vorschrift, Gruppenzwang, Unsicherheit). Sie impfen sich aus zwei Gründen: zum Einen können sie selbst nicht mehr erkranken und zum Anderen sind sie nun keine Überträger mehr. Aber gerade das ist falsch! Hier liegt der gedankliche Fehler, der das Problem u.U. verschlimmert.<br /><br /><span style="font-style: italic;">Und damit kommen wir zum dritten Schritt, was in Zukunft kommen könnte.</span><br />Mit der Impfung ist die Kausalkette zerstört. Die Gefahr existiert nicht mehr, also wird die eigene Hygiene wieder vernachlässigt. Und es ist doch evident, dass man immer noch Überträger der Krankheit ist, denn auch wenn man die Viren nicht mehr tröpfchenweise beim Niesen und Husten verteilt, verteilt man sie passiv durch Körperkontakt, wenn sie sich auf der Haut/Handschuh/Kleidung/Material befinden.<br /><br />Ein Beispiel: Dr. Dampfmann geht zu Patient Müller, der H1N1 fröhlich in seiner Umwelt verteilt. Dr. Dampfmann bekommt eine Ladung infektiösen Schleimes beim Händeschütteln gratis zur Begrüßung auf Art der alten Schule dazu. Aufgrund mangelnder "Security Awareness" (Achtung Bogen!) dank Impfung, wird die Hand nicht zwischen den Patientenvisiten gewaschen und zur nächsten Hand von Patient Meyer, der sich beim Monolog von Dr. Dampfmann nachdenklich an Kinn und Mundwinkel kratzt, weitergegeben.<br />Es müssen natürlich nicht immer Ärzte sein, Sportkollegen, Kassierer/-innen, Postboten, Aufzugknopf, Türgriffe, Bedienungen, usw.<br /><p>:)<br /><!-- BlogCounter Code START --><br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-5846992929908717363?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com2tag:blogger.com,1999:blog-5240359826706545510.post-91573386337287208902009-10-15T02:12:00.001-07:002009-10-15T02:18:24.781-07:00<p>Today I tried to get a twitter account for the second time. But man, I am not able to read this captcha words, they are too heavily scrambled.. may I need glasses? 8-|</p><p>And if I click "create account" it shows me my URL but it is already used, why doesn't the web-app tell me to try another username... but I am not sad about it, twitter increase the risk to say something stupid because it is fast and easy to use. ;-)<br /><!-- BlogCounter Code START --><br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-9157338633728720890?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com1tag:blogger.com,1999:blog-5240359826706545510.post-11117047683282095452009-10-06T21:56:00.000-07:002009-10-22T07:31:40.284-07:00<p>Our maintainer requested to set the sbit for <span style="font-style: italic;">VBoxNetAdpCtl</span> but a quick code review revealed that the code is vulnerable to shell command injection via <span style="font-style: italic;">popen(3) </span>and a possible buffer overflow. Both bugs were fixed <a href="http://sunsolve.sun.com/search/document.do?assetkey=1-66-268188-1">upstream by Sun</a>.</p><p>Unfortunately there were no CVE-IDs assigned to this issues yet.</p><p>And to avoid confusions: We do not ship this tool setuid. :-)</p><p style="font-weight: bold;">Update:</p><pre class="bz_comment_text" id="comment_text_16">CVE-2009-3692 for popen()<br />CVE-2009-3704 for strncpy().<br /><br /></pre><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-1111704768328209545?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-71341860854780353922009-08-24T06:44:00.000-07:002009-08-24T06:45:55.589-07:00<p><br /><a href="http://en.opensuse.org/SELinux">SELinux can be enabled via YaST's bootloader module easily now</a>.</p><p><br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-7134186085478035392?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-81830119354118830052009-08-04T01:47:00.000-07:002009-08-04T02:18:06.678-07:00<p>I had to hack a small perl script last weak and encountered a situation were the content of a <span style="font-style: italic;">my</span> variable from function <span style="font-family:courier new;">a()</span> was somehow accessible from function b()... which seems to be a bug in the perl interpreter, but today it turned out it wasn't a bug in the interpreter but in my code. Here is the heavily reduced code:</p><p><!-- BlogCounter Code START --></p><blockquote>#!/usr/bin/perl -tw<br />use strict;<br />use Data::Dumper;<br /><br />sub a()<br />{<br />my $archive_type = "unknown";<br />my $mime_type = "unknown";<br /><br />$mime_type = "application/x-tar";<br />print $mime_type, "\n";<br /><br />$_ = $mime_type;<br />$archive_type = "plain" if(/application\/x-tar/);<br />$archive_type = "gzip" if(/application\/x-compressed-tar/);<br />$archive_type = "bzip" if(/application\/x-bzip-compressed-tar/);<br /><br />print $archive_type, "\n";<br /><br />my %code_dir = ();<br />$code_dir{'dir1'} = "dir1";<br />$code_dir{'dir2'} = "dir2";<br /><br />return %code_dir;<br />}<br /><br />sub b(%)<br />{<br />my %code_dir = $_;<br /><br />print Dumper(%code_dir);<br />}<br /><br />#<br /># MAIN<br />#<br />my %code_dir = a();<br />b(%code_dir);<br />0;</blockquote><p></p><p>This produces:</p><p></p><blockquote>> ./lala.pl<br />application/x-tar<br />plain<br />Odd number of elements in hash assignment at ./osssi.pl line 32.<br />$VAR1 = 'application/x-tar';<br />$VAR2 = undef;</blockquote><br /><br /><p></p><p><br /></p><p>The content of <span style="font-family:courier new;">%code_dir</span> in function b() is from function a().<br /></p><p>Did you see what happened?</p><p><br /></p><p><br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-8183011935411883005?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com4tag:blogger.com,1999:blog-5240359826706545510.post-74943873054980814852009-07-24T11:33:00.000-07:002009-07-24T12:21:57.646-07:00<p>This week was HackWeek, unfortunately I didn't had the time for hacking something because SELinux does not work in Milestone 4.</p><p>It looks like the new kernel in Milestone 4 for 11.2 needs some special switches to be pushed to enable SELinux.</p><p><!-- BlogCounter Code START -->The kernel config defines "apparmor" as the default security framework which denys loading the "selinuxfs" etc.</p><p>Therefore you need to add the following parameters to the kernel boot parameter: "security=selinux selinux=1 enforcing=0"</p><p>I started working on a yast module for SELinux but I doubt I will finish it... if somebody wants to take over, let me know! :-)</p><p>Additionally a new <span style="font-style: italic;">libselinux</span> package was submitted that includes an updated <span style="font-style: italic;">selinux-ready</span> script. Pavol also submitted a new <span style="font-style: italic;">policycoreutils</span> package to fix a build failure.</p><p><br /></p><p><br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-7494387305498081485?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-14038754832411926842009-07-20T00:28:00.000-07:002009-07-20T00:32:37.479-07:00Bisher sind 2 S-Bahnen und ein ICE ausgefallen... Mal sehen was noch so kommt oder nicht kommt :)<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-1403875483241192684?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-53711545430739406512009-06-29T23:53:00.000-07:002009-06-30T00:15:56.306-07:00<p>The next openSUSE version is in the queue, milestone 3 of 11.2 was already released during LinuxTag last week.</p><p><!-- BlogCounter Code START -->We try to make 11.2 more SELinux-enabled than before. When you watch the <a href="https://build.opensuse.org/project/show?project=security%3ASELinux">security:SELinux (account needed)</a> repository you may have recognized some changes during the last days. What did we changed so far:</p><ul><li><span style="font-weight: bold;">mkinitrd</span> (Base:System): needs a little patch to mount <span style="font-style: italic;">/proc</span> of the root filesystem to make the SELinux functions in <span style="font-style: italic;">init</span> happy</li><li><span style="font-weight: bold;">selinux-policy</span> (security:SELinux): a new package that contains some sample policies as well as a config file (<span style="font-style: italic;">/etc/selinux/config</span>)</li><li><span style="font-weight: bold;">libselinux</span> (security:SELinux): now includes a script named <span style="font-style: italic;">selinux-ready</span> to verify if your system's configuration is suitable to run SELinux and give you hints of solving possible hurdles</li></ul><p>So far it is still needed to install the packages, adding the boot-parameters (<span style="font-style: italic;">selinux=1 enforcing=0</span>), and to make the directory <span style="font-style: italic;">/selinux</span> (we don't want to pack this dir in a package - FHS).</p><p>What is on our TODO list:</p><ul><li>I hope we can add a yast-module to 11.2 to enable SELinux by one or two clicks<br /></li><li>everything else that is needed to enable basic SELinux support (looking at F11 ATM)<br /></li><li>we will not provide a policy or enable SELinux by default for now, but hopefully later</li></ul>Volunteers are welcome. openSUSE:Factory is open now! :-)<br /><br /><p><br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-5371154543073940651?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-6897509757604737342009-06-29T23:51:00.001-07:002009-06-29T23:53:39.596-07:00<p>Last night I was at a <span style="font-style: italic;">Nine Inch Nails</span> concert with a friend... it was GREAT! :-)<br /><!-- BlogCounter Code START --><br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-689750975760473734?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-69192571642653687842009-06-26T01:37:00.000-07:002009-06-29T00:10:16.443-07:00<p>When you use our open build service (OBS) and build packages on your local machine, code from the network is executed as root. This is ok as long as you trust the packages.<br /><!-- BlogCounter Code START --></p><p>If you do not want the code to be executed with full access to your local files then you can use KVM.</p><p>Add the following lines to you <span style="font-style: italic;">~/.oscrc</span>:</p><p></p><blockquote>[general]<br />build-type=kvm<br />build-device=/tmp/KVM.root<br />build-swap=/tmp/KVM.swap<br />build-memory=254<br /></blockquote><br />But before this files can be used you have to create them:<p></p><p></p><blockquote><p>> dd if=/dev/zero of=/tmp/KVM.swap bs=1024 count=300000</p><p>> qemu-img create /tmp/KVM.root 6G</p><p>> su -c "mkfs.ext3 -c /tmp/KVM.root "</p></blockquote><p><br /></p><p>Now you can use <span style="font-style: italic;">osc build </span>without caring too much about your local security.</p><p>Thanks to Adrian to bringing this up.<br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-6919257164265368784?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com2tag:blogger.com,1999:blog-5240359826706545510.post-39359907965177811872009-06-26T00:46:00.000-07:002009-06-26T00:57:25.960-07:00<p class="mobile-photo"><a href="http://1.bp.blogspot.com/_YYeA-lwcHBA/SkR9RQNZTnI/AAAAAAAAALc/T5nBOVHArEw/s1600-h/IMAGE_101-700673.jpg"><img src="http://1.bp.blogspot.com/_YYeA-lwcHBA/SkR9RQNZTnI/AAAAAAAAALc/T5nBOVHArEw/s320/IMAGE_101-700673.jpg" alt="" id="BLOGGER_PHOTO_ID_5351539992585391730" border="0" /></a></p>Greetings from Berlin (no, not Paris). I am hanging out at the openSUSE booth with my colleagues and community members.<br /><br />Yesterday we met the Red Hat security-team... they have quite a big team spread over 8 countries. Now we know how they provide 24x7 service. ;-)<br /><br />Last night was <span style="font-style: italic;">LinuxNacht</span> a big party near the Sony-Center... Funnily the beer was empty at around 10pm and the buffet wasn't vegetarian-friendly - but I seem to be the only person who complains. ;-)<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-3935990796517781187?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com1tag:blogger.com,1999:blog-5240359826706545510.post-62469668910865194752009-06-09T00:37:00.000-07:002009-06-09T01:14:45.600-07:00<p>Irgendwie wird mein Blog gerade etwas politik- und deutschlastig. Ich verspreche aber Besserung. ;-)<br /><!-- BlogCounter Code START --></p><p>Adenauer et al haben damals im Grundgesetz die 5%-Hürde aufgenommen, damit extremistische Parteien der Weg in die Parlamente verwährt bleibt und somit eine Machtergreifung, wie in den 1930-iger Jahren, nicht mehr möglich ist.</p><p>Das <span style="font-weight: bold;">Bundesverfassungsgericht</span> hat einer <a href="http://www.bundesverfassungsgericht.de/entscheidungen/ks20080213_2bvk000107.html">Klage <span style="font-style: italic;">Der Grünen</span> und <span style="font-style: italic;">Linken</span></a> (2 BvK 1/07) (man staune!) im Februar 2008 stattgegeben und die 5%-Hürde als Diskriminierung für kleine Parteien anerkannt. In Folge gab es diese Hürde bei den letzten Kommunalwahlen nicht mehr und hat dazu geführt, dass die <a href="http://www.spiegel.de/politik/deutschland/0,1518,629158,00.html">NPD Sitze in den Stadtparlamenten</a> erhält.</p><p><br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-6246966891086519475?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com1tag:blogger.com,1999:blog-5240359826706545510.post-69761844379883057962009-06-08T03:05:00.000-07:002009-06-08T04:45:33.318-07:00<p>Schon gewußt?</p><ul><li><!-- BlogCounter Code START --> <span style="font-weight: bold;">Artikel 3</span> ("Gleichheitsartikel") schließt nicht die sexuelle Identität mit ein (<a href="http://www.artikeldrei.de">http://www.artikeldrei.de</a>)</li><li><span style="font-weight: bold;">Artikel 20</span> ("Alle Staatsgewalt geht vom Volke aus. Sie wird vom Volke in Wahlen und Abstimmungen [...] ausgeübt.") ist nicht komplett umgesetzt. Wir wählen zwar alle 4 Jahre aber das Recht auf Volksabstimmung blieb uns bisher (60 Jahre) verwehrt (mit Ausnahmen, bspw. Land Bayern). (<a href="https://www.mehr-demokratie.de/kampagne.html">https://www.mehr-demokratie.de/kampagne.html</a>)</li></ul><br /><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-6976184437988305796?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-27878418710694802052009-06-07T05:41:00.000-07:002009-06-07T05:42:41.082-07:00<p>Ich war da!</p><p><!-- BlogCounter Code START -->Warum Bleistifte zum Ankreuzen?</p><p>Warum keine Ausweiskontrolle?</p><p><br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-2787841871069480205?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com6tag:blogger.com,1999:blog-5240359826706545510.post-36533551631674443432009-06-03T00:14:00.000-07:002009-06-03T02:02:39.552-07:00<p class="mobile-photo"><a href="http://3.bp.blogspot.com/_YYeA-lwcHBA/SiYkjc2hsQI/AAAAAAAAALU/Evf8FPsl9sE/s1600-h/IMAGE_090-709183.jpg"><img src="http://3.bp.blogspot.com/_YYeA-lwcHBA/SiYkjc2hsQI/AAAAAAAAALU/Evf8FPsl9sE/s320/IMAGE_090-709183.jpg" alt="" id="BLOGGER_PHOTO_ID_5342998199380586754" border="0" /></a></p>Die Gemüsewaagen beim Kaufland rufen die Kunden dazu auf ihre Partnerin zu wechseln. :)<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-3653355163167444343?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com2tag:blogger.com,1999:blog-5240359826706545510.post-77024654375312649912009-05-05T07:04:00.000-07:002009-05-05T07:05:43.590-07:00<p><a href="http://code.google.com/p/browsersec/wiki/Main">http://code.google.com/p/browsersec/wiki/Main</a><br /><!-- BlogCounter Code START --><br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-7702465437531264991?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-26078891559981272832009-05-04T02:38:00.000-07:002009-05-04T02:39:46.378-07:00<p><br /><!-- BlogCounter Code START --><a href="http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf">Slides</a><br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-2607889155998127283?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-13478746314096773562009-04-27T06:54:00.000-07:002009-04-28T05:39:55.015-07:00<p>Today I finished my little project of creating an easy way to automatically verify the security settings of a new openSUSE/SLES.</p><p>Tools I used:</p><ol><li style="font-style: italic;"><a href="http://www.qemu.org/">qemu</a></li><li><a style="font-style: italic;" href="http://www.suse.de/%7Elnussel/setupgrubfornfsinstall.html">setupgrubfornfsinstall.sh</a> (script by Ludwig Nussel to make network installations, great tool!)</li><li><span style="font-style: italic;">lighttpd</span> to provide autoinstallation profile for...<br /></li><li><a href="http://en.opensuse.org/AutoYaST"><span style="font-style: italic;">autoyast</span></a> + add-on products (also a great tool)<br /></li><li>use an own and an <a href="http://download.opensuse.org/repositories/home:/mrdocs/openSUSE_Factory/">openSUSE repositories</a> to...<br /></li><li>install various shell scripts and tools (<a href="http://www.rootkit.nl/projects/lynis.html"><span style="font-style: italic;">Lynis</span></a>, etc.) for verifying local security settings of a Linux system</li><li>a button to press ;)<br /></li></ol>Now everything that I need to do when a new beta-testing phase starts is run <span style="font-style: italic;">setupgrubfornfsinstall.sh</span>, installing the beta in <span style="font-style: italic;">qemu</span>, letting <span style="font-style: italic;">autoyast</span> configure the system to include as many software packages as possible, create a <span style="font-style: italic;">root</span> and <span style="font-style: italic;">test</span> account, use the additional repos to install the security tools that run automatically at the end of the boot process. Fun! :)<br /><br /><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-1347874631409677356?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-86863414733137211162009-04-22T08:24:00.000-07:002010-02-17T23:04:20.665-08:00<p>Yesterday evening I cleaned up my wardrobe and I found an old business suit I never had worn. It is buisiness-grey with a business-blue shirt... an ugly piece of cloth.</p><p><!-- BlogCounter Code START -->I bought it for my first freelance job nearly 10 years ago. Well if you know me from 10 years ago you would doubt I wear a suit and you were right, I didn't. I was a skater boy with blue hair, I just started studying computer science and was more interested in "social events" than in sitting in the lecture hall.</p><p>Nevertheless I was offered a job to review Java code of a banking application and they probably may expect a more staid guy than me. ;-) That is why I bought the suit and didn't refreshed the color of my blue hairs (I didn't had enough time so they were blond with blue tips *eeks*) . Well at the end I put the suit back into my wardrobe and wear street clothes, the customer didn't had a problem with it... enough about my fashion history!<br /></p><p>More important was the code review. The company wrote a client application that runs on terminals in the bank's subsidiaries and had an encrypted connection over a VPN to a server in the network of an outsourced company - the server was therefore only partially trusted. Don't ask me about the reasoning behind it. ;-)<br /></p><p>Well as far as I remember I just found one bug. The server used a markup language to draw input masks on the client's terminal to display bank transfer information and allowed editing it.<br /></p><p>This feature leads to what CWE calls <a href="http://cwe.mitre.org/data/definitions/74.html">Failure to Sanitize Input into a Different Plane</a>: a <span style="font-style: italic;">Cross-Site-Scripting</span> vulnerability that can be exploited by malformed money transfer information ("Verwendungszweck").</p><p>10 years ago I thought it was just a minor issue, very special to this job and no-one will use it... just like my old business suit. :)</p><p><br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-8686341473313721116?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-58794479948968513532009-04-01T08:08:00.000-07:002009-04-01T08:28:14.529-07:00<p>Today I stumbled over <a href="http://samate.nist.gov/index.php/Introduction_to_SAMATE.html">SAMATE</a> a NIST project established in 2004. The goal is to evaluate tools that analyze source-code, web-applications or binary-code. Interesting are the test-cases (<a href="http://samate.nist.gov/SRD/">SRD</a>) they provide, take a look yourself and <a href="http://samate.nist.gov/SRD/view.php">browse them online</a>.<br /><!-- BlogCounter Code START --><br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-5879447994896851353?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-84787827299045905302009-03-24T08:28:00.000-07:002009-03-26T09:48:59.473-07:00Wer hat's nicht gehört oder sogar im TV verfolgt: Angela Merkel - unser <a href="http://www.spiegel.de/politik/deutschland/0,1518,614823,00.html">Staatsoberhaupt</a> ;) - war in der Sendung <a href="http://stream.ndr.de/bb/redirect.lsc?content=content&amp;media=ms&amp;stream=ndr/2009/0322/TV-20090322-2252-0701.wm.hi.wmv">ANNEWILL</a> zu Gast.<p></p><p>Natürlich wurde schon recht viel darüber berichtet aber ich werde auch noch meinen Senf dazu geben. Folg. Dialog:</p><p></p><blockquote><p>AW: Frau Bundeskanzlerin, sind sie für diese Krise die richtige?<br /></p><p>AM: Diese Krise ist da und ich bin die Bundeskanzlerin, und ich werde sie mit aller mir zur Verfügung stehender Kraft, und ich glaube, das ist eine ganze Menge, versuchen mit anderen zusammen zu meistern; undzwar so, dass Deutschland aus dieser Krise gestärkt hervorgeht und nicht geschwächt.</p><p>AW: Sind sie also die richtige?</p><p>AM: Ja, ich glaub' schon!</p></blockquote><p></p><br />Wow, was hat Sie also in diesem wunderhässlichen Schachtelsatz gesagt:<br /><ol><li> Sie ist zur falschen Zeit (Krise) am - ihrer Meinung nach - richtigen "Ort" (Bundeskanzlerin)</li><li>Sie kämpft mit all ihrer Kraft und sie glaubt, es sei ein ganze Menge. Sie "glaubt"? Also sie weiß es nicht?</li><li>Sie glaubt aber selbst nicht, dass ihre Kraft ausreicht, denn Sie sagt, dass Sie es nur mit anderen zusammen meistern kann.</li><li>Ist Sie die richtige? Sie glaubt dem ist so. Sie weiß es also wieder nicht...<br /></li></ol><br /><p><br /><!-- BlogCounter Code START --></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-8478782729904590530?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com3tag:blogger.com,1999:blog-5240359826706545510.post-35624900824168699002009-03-22T06:42:00.000-07:002009-03-22T07:02:04.200-07:00<p>Was bei der täglichen Nachrichtenerstattung über Geldvernichtung und Geldentwertung leider untergeht, sind die politischen Folgen der Finanz- und Wirtschaftskrise: <span style="font-style: italic;">Der Zusammenbruch junger und ungeübter Demokratien</span>.</p><p>Nach dem Fall der Mauer und dem Zusammenbruch der UdSSR war die Demokratie, vorallem in Ost-Europa, auf dem Vormarsch. Leider sind es gerade diese Demokratien, die noch wenig Erfahrung mit Krisensituationen haben und deren Bevölkerung nicht 100%-ig hinter dieser neuen Regierungsform steht (s. Weimarer Republik). Daher ist es Wahrscheinlich, daß diese Demokratien in den nächsten Jahren von der politischen Landkarte verschwinden werden. Schade!<br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-3562490082416869900?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-89820305188970582592009-03-16T09:05:00.000-07:002009-03-16T09:15:00.538-07:00<p>During my travel to Nuremberg I read an article about the BND (Bundesnachrichtendienst) in the magazin "Der Spiegel" 11/2009.</p><p><!-- BlogCounter Code START -->It is about BND "hackers" attack foreign countries computer systems and the problems that occur while reading eMails of German citizens and politicians of friendly nations.</p><p>German politicians said that the process of hacking (ger. "Online-Durchsuchung") needs to be more transparent and better controlled.</p><p><span style="font-weight: bold;">One rule was to NOT read eMails that end with ".de" because they must be used by Germans.</span><br /></p><p>Guess what addresses terrorists will use now... :-)<br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-8982030518897058259?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-85467141950916564872009-03-04T00:55:00.000-08:002009-03-04T01:02:14.941-08:00<p>Today I received an envelope with a sticker on it that the receiver could not be determined. There was my address on the back of the envelope (sender's addresss, Absender (ger.)) and I really wondered because I can't remember sending this. I opened the envelope and found a used briefcase in it that I never saw before. Unfortunately I wasn't able to read the receivers address but the letter was handled in June 2008.<br /></p><p><!-- BlogCounter Code START -->It must be that someone I sent this envelope before reused it to send the used briefcase (maybe an eBay auction) to someone else but did not removed my sender's address and therefore the letter was send back to me instead of to the real sender. :)<br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-8546714195091656487?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-28660455577807679952009-02-05T06:36:00.000-08:002009-02-08T23:44:17.378-08:00<a style="" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_YYeA-lwcHBA/SYxcwlnhzbI/AAAAAAAAAKk/puEcNZYt4Mk/s1600-h/enisa_german_flag.jpg"><img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 200px; height: 149px;" src="http://2.bp.blogspot.com/_YYeA-lwcHBA/SYxcwlnhzbI/AAAAAAAAAKk/puEcNZYt4Mk/s200/enisa_german_flag.jpg" alt="" id="BLOGGER_PHOTO_ID_5299712851309612466" border="0" /></a><br /><p>The <a href="http://www.enisa.europa.eu/">ENISA</a> have a publication online, in which they interviewed people of GB, Sweden and Germany about their Web 2.0 usage.</p><p><!-- BlogCounter Code START -->Look at the <a href="http://www.enisa.europa.eu/doc/pdf/deliverables/enisa_survey_web2.pdf">results of the survey</a> yourself and tell me what flag it is that was used for Germany? :-)</p><p>gold-black-red, red-black-gold, black-red-gold... ?</p><p><span style="font-weight: bold;">Update</span>: The PDF was corrected.<br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-2866045557780767995?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com2tag:blogger.com,1999:blog-5240359826706545510.post-59714606456321119262009-02-04T04:31:00.000-08:002009-02-05T03:28:34.324-08:00<p>The <a href="http://www-935.ibm.com/services/us/iss/xforce/trendreports/"><span style="font-style: italic;">X-Force 2008 Trend &amp; Risk Report</span></a> from IBM was published. It is published twice a year and provides the reader with a lot of numbers about software vulnerabilities, trends (comparison with previous year) and the author's opinion.<br /></p>The report starts with a criticism of current vulnerability severity classification - which I will go into detail later because it is interesting, provides an overview of all vulnerabilities counted by IBM's security team (ISS), talks about the attack targets (web applications, operating systems, client software like web browsers), and "attack" techniques.<br /><br />The author of the report correctly criticises (a) the lack of economical parameters in determining the severity of a vulnerability using the <a href="http://www.first.org/cvss/"><span style="font-style: italic;">Common Vulnerability Scoring System</span></a> (CVSS) and goes even further by taking the standpoint that (b) targeted/single attacks by amateurs are out-dated and large-scale attacks are the state-of-the-art threat. The economical considerations of cyber-criminals are - like in real economics - opportunity and cost, where the opportunity consists of<br /><ul><li>the number of potential targets and...<br /></li><li>the value gained by controlling the machine</li></ul>and the cost consist of<br /><ul><li>ease to exploit and...</li><li> monetize</li></ul>The report shows that vulnerabilities rated very high with CVSS aren't a big threat because they are not widely exploited (like Kaminsky's DNS attack (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447">CVE-2008-1447</a>))<br />These economical considerations are worth enough to be added to CVSS I think, but they are not as valuable as the author thinks. Let me explain why:<br /><ol><li>CVSS weights vulnerabilities and not threats (it can do it but not in the base score) this is a big difference and should therefore not be compared (context failure)</li><li>the presence of a high-profile mafia does not mean amateur shoplifters go the way of the dodo bird (see (b) above)</li><li>because of 2. we still have targets that are not the victims of organized cyber-criminals that do dupery (mostly windows client machines), like high profile targets like the government, research labs, companies. Therefore the economical view is not useful for every context.</li><li>and last, the point of criticism of CVSS being too technical is also the biggest argument against the economical metric introduced by the X-Force team, it stems from no facts but seems just to be a rating based on <span style="font-style: italic;">guessing</span> and <span style="font-style: italic;">belly-feeling</span>.<br /></li></ol>The third section (<span style="font-style: italic;">Vulnerabilities</span>) trys to explain the positive and negative peaks of disclosed vulnerabilities, which - for example - may be used for better planning of security response team resources.<br /><ul><li>on Tuesday most bugs are made public (reason: <span style="font-style: italic;">Windows Patch-Day</span>?)<br /></li><li>the lowest rate per week is at the week-end<br /></li><li>per year most vulnerabilities were disclosed during the holidays (x-mas, summer, thanksgiving) - this contradicts a bit with the "Patch-Day Theory" mentioned above<br /></li><li>severity increases</li><li>number of remotely exploitable bugs increase (unfortunately no relation to total increase of vuln.s given)</li><li>number of vulnerable web applications still increases (no relation to LOC or number of products etc.-)</li><li>more SQL injections (more automatization)<br /></li></ul>The report also lists the vendors with most vulnerabilities disclosed and correctly warns about the analysis because it does not take lines of code (LOC) or market-share into account. This is of course very important to make an effective comparison and should be remembered when you see these numbers in the news.<br />Note: Linux is not in the Top 10 list, thanks to buggy web applications but the Linux kernel is on the 3rd place in the Top 10 list of vulnerable operating systems (a result of the effectivity of open-source development and open communication I assume)<br /><br />Surprisingly the report states that about half of the vulnerabilities were not patched (even >70% for web applications); it only counts a bug as fixed if an announcement was released (problematic but reasonable). The reason for that could be that developers often release a new version of their software that fixes security and non-security failures and encourage their customers to upgrade instead of backporting patches... just a guess.<br /><br />The increase of appearance of a proof-of-concept (PoC) exploits at the same day as the vulnerability was disclosed <span style="font-weight: bold;">may be</span> an indicator for better coordination between vendors and bug reporters (or fun to exploit bugs, or automation of exploit writing); this should be examined in more detail I think.<br /><br />The rest of the report is about client-side and web-based attacks that is most interestingly for AV vendors I assume (it also matches the information from the <a href="http://www.gdata.de/uploads/media/G_DATA_MalwareReport_2008.pdf"><span style="font-style: italic;">GDATA Malware Report 2008</span></a> (not available yet, just saw a presentation)). But have a look yourself, the report is an interesting reading.<br /><br /><br /><br /><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-5971460645632111926?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-1332654156085631822009-01-29T23:43:00.000-08:002009-01-29T23:44:01.689-08:00<p>This is so cool...<br /></p><p><a href="http://blogs.spectrum.ieee.org/tech_talk/2009/01/attack_of_the_wireless_worms.html">http://blogs.spectrum.ieee.org/tech_talk/2009/01/attack_of_the_wireless_worms.html</a><br /><!-- BlogCounter Code START --><br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-133265415608563182?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-54113847486167328752009-01-27T23:22:00.000-08:002009-01-27T23:39:33.762-08:00<p><br /><!-- BlogCounter Code START -->They cought me! Their bait was rediculous and delicious at the same time. But I snapped and now I am cought.</p><p>I had tried to sell my PowerBook at eBay for a fixed price and allowed to propose a price too. Someone proposed a bit over my fixed price and I thought s/he did make a mistake because s/he has 0 (zero) valuations and may not be familiar with eBay. Well, I should have known better but I accepted the price... still in doubt.<br /></p><p>The guy told me his address (at eBay the ZIP/PLZ was from Berlin, Germany) and - surprise, surprise - I should send it to Nigeria. So, time for asking Google... I found an article that explains a new scam at eBay that exactly describes my situation. Well what can I do... my PowerBook can be found at eBay again and I switched to "stupid mode" writing endless emails with the scammer to eat up his time and to have less time to harm more people... now he is the fish and I have the bait. Let's play!</p><p>(This scam only works if you send your goods before you received the money...)<br /></p><p><br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-5411384748616732875?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-19043109383585243762009-01-13T02:21:00.000-08:002009-01-13T02:53:44.510-08:00<p>The SANS institute has updated their list of the <a href="http://www.sans.org/top25errors/">top 25 programming errors</a>.</p><p>Some entries could be argued about but that doesn't matter.</p><p>The connection to the Mitre databases (<a href="http://cwe.mitre.org">CWE</a>, <a href="http://cve.mitre.org">CVE</a>, <a href="http://capec.mitre.org">CAPEC</a>), the examples and explanations make this list really valuable... but have a look yourself.<br /><!-- BlogCounter Code START --></p><p><br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-1904310938358524376?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com2tag:blogger.com,1999:blog-5240359826706545510.post-15038774283898009942008-12-21T12:14:00.000-08:002008-12-21T12:18:33.233-08:00<p>If you have a look at page 105 of "<span style="font-style: italic;">Der Spiegel</span>" edition <span style="font-style: italic;">Nr. 51/ 15.12.2008</span> you will see a picture of Obama in Berlin.</p><p>The crowd in that picture is just a collage of many different people cut-and-past'ed together.<br /><!-- BlogCounter Code START --><br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-1503877428389800994?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-22873131015094136812008-12-10T06:53:00.000-08:002009-06-22T01:54:21.272-07:00<p style="font-family:trebuchet ms;"><span style="font-size:100%;"><br /><span style="font-weight: bold;">openSUSE</span> release <span style="font-weight: bold;">11.1</span> will be available in a few ticks. I tried the beta5 and RC1 and it seems that </span><span style="font-weight: bold;font-size:100%;" >11.1</span> will run fast, stable and comes with a good set of new software.</p><span style="font-size:100%;">From the security perspective one thing would be really interesting: </span><span style="font-style: italic;font-size:100%;" >SELinux</span><span style="font-size:100%;"> support<br /></span><span style="font-weight: bold;font-size:100%;" ><br />11.1</span><span style="font-size:100%;"> comes with all necessary patches to enable </span><span style="font-style: italic;font-size:100%;" >SELinux</span><span style="font-size:100%;"> but unfortunately it does not run by default. I hope to change it for </span><span style="font-weight: bold;font-size:100%;" >11.2</span><span style="font-size:100%;">.</span><br /><span style="font-size:100%;"><br />The following steps are needed to enable </span><span style="font-style: italic;font-size:100%;" >SELinux</span><span style="font-size:100%;"> on </span><span style="font-weight: bold;font-size:100%;" >openSUSE 11.1</span><span style="font-size:100%;">.</span><ol style="font-family:trebuchet ms;"><li><span style="font-size:100%;">patching mkinitrd to mount /proc</span></li><li><span style="font-size:100%;">add boot parameters</span></li><li><span style="font-size:100%;">install the </span><span style="font-style: italic;font-size:100%;" >selinux-refpolicy</span><span style="font-size:100%;"> RPM files, libraries and tools, mkdir /selinux<br /></span></li><li><span style="font-size:100%;">create a config file</span></li></ol><br /><span style="font-weight: bold;font-family:trebuchet ms;" >1. mkinitrd</span><br /><span style="font-family:trebuchet ms;">To allow the </span><span style="font-family:courier new;">init</span><span style="font-family:trebuchet ms;"> process</span><span style="font-size:100%;"><span style="font-family:trebuchet ms;"> to load the </span><span style="font-style: italic;font-family:trebuchet ms;" >SELinux</span><span style="font-family:trebuchet ms;"> policy the </span><span style="font-family:courier new;">/proc</span><span style="font-family:trebuchet ms;"> filesystem has to be mounted very early. This can be done as part of the booting process that happens with the </span><span style="font-family:courier new;">initrd</span><span style="font-family:trebuchet ms;"> ramdisk. All you need to do is adding the line "</span><span style="font-family:courier new;">/root/usr/bin/chroot /root /bin/mount /proc</span><span style="font-family:trebuchet ms;">" to /lib/mkinitrd/scripts/boot-boot.sh (see </span><a style="font-family: trebuchet ms;" href="http://git.opensuse.org/?p=projects/mkinitrd.git;a=commit;h=0984a1badcc3485846ea96a827c0e3d2e1dca389">git.opensuse.org</a><span style="font-family:trebuchet ms;"> for the </span><a style="font-family: trebuchet ms;" href="http://git.opensuse.org/?p=projects/mkinitrd.git;a=blobdiff;f=scripts/boot-boot.sh;h=be16d58aec22fdb1328b10d14f30816d9e4d7acf;hp=c60b95e4941bd22ece86608d8ee6541d6a7ba886;hb=0984a1badcc3485846ea96a827c0e3d2e1dca389;hpb=a7be75e000ca652f4101c3ac5f2ed4fa7f733ff4">patch</a><span style="font-family:trebuchet ms;">). After you modified the script just run </span><span style="font-family:courier new;">mkinitrd</span><span style="font-family:trebuchet ms;"> to replace the old <span style="font-family:courier new;">initrd</span> in </span><span style="font-family:courier new;">/boot</span><span style="font-family:trebuchet ms;">.<br />(Note: the script <span style="font-family:courier new;">/etc/init.d/boot</span> will try to mount<span style="font-family:courier new;"> /proc</span> again and fails, you can remove the lines if you like)<br /><span style="font-weight: bold;">Update:</span> The line to be added was updated to "<span style="font-family:courier new;">/bin/mount /root/proc</span>" (see <a href="http://git.opensuse.org/?p=projects/mkinitrd.git;a=commit;h=4ca00ccf2270f0da3f1a4c07ac2d5b56e3a2d651">git</a> and <a href="http://git.opensuse.org/?p=projects/mkinitrd.git;a=commitdiff;h=4ca00ccf2270f0da3f1a4c07ac2d5b56e3a2d651;hp=7583c3cc047edc3e8f1a06e8b7925bd27ac0228c#patch2">patch</a>)<br /></span><br /><span style="font-weight: bold;font-family:trebuchet ms;" >2. boot parameter</span><br /><span style="font-family:trebuchet ms;">Two boot parameters are needed: </span><span style="font-family:courier new;">selinux</span><span style="font-family:trebuchet ms;"> and </span><span style="font-family:courier new;">enforcing</span><span style="font-family:trebuchet ms;">.</span><br /><span style="font-family:trebuchet ms;">Just use </span><span style="font-style: italic;font-family:trebuchet ms;" >yast2 -> System -> Boot Loader</span><span style="font-family:trebuchet ms;"> to modify the "Optional Kernel Command Line Parameter" field by adding "</span><span style="font-family:courier new;">selinux=1 enforcing=0</span><span style="font-family:trebuchet ms;">" (enforcing should enabled after all policies work smoothly)</span><br /><br /><span style="font-weight: bold;font-family:trebuchet ms;" >3. reference policies</span><br /><span style="font-weight: bold;font-family:trebuchet ms;" >openSUSE 11.1</span><span style="font-family:trebuchet ms;"> does not come with default policies but you can add the </span><a style="font-family: trebuchet ms;" href="http://download.opensuse.org/repositories/security:/SELinux/openSUSE_Factory/">SELinux openSUSE_Factory repo</a><span style="font-family:trebuchet ms;"> that provides you with the following RPM files:</span><br /></span><ul style="font-family: trebuchet ms;"><li>selinux-policy-refpolicy-standard</li><li>selinux-policy-refpolicy-mls</li><li>selinux-policy-refpolicy-mcs</li></ul><span style="font-family:trebuchet ms;">The following tools are in the default <span style="font-weight: bold;">11.1</span> repo:<br /></span><ul style="font-family: trebuchet ms;"><li>checkpolicy</li><li>policycoreutils</li><li>selinux-tools<br /></li><li>setools-*</li><li>libselinux1</li><li>libsepol1</li><li>libsemanage1</li></ul><span style="font-weight: bold;">Update</span>: And well, don't forget to <span style="font-style: italic;">mkdir /selinux</span>.<br /><br /><span style="font-weight: bold;font-family:trebuchet ms;" >4. config file</span><br /><span style="font-family:trebuchet ms;">The <span style="font-style: italic;">SELinux</span> config file is at "</span><span style="font-family:courier new;">/etc/selinux/config</span><span style="font-family:trebuchet ms;">" and should have the following content:</span><br /><blockquote style="font-family: courier new;"># This file controls the state of SELinux on the system.<br /># SELINUX= can take one of these three values:<br /># enforcing - SELinux security policy is enforced.<br /># permissive - SELinux prints warnings instead of enforcing.<br /># disabled - No SELinux policy is loaded.<br />SELINUX=permissive<br /><br /># SELINUXTYPE= can take one of these two values:<br /># targeted - Only targeted network daemons are protected.<br /># strict - Full SELinux protection.<br />SELINUXTYPE=refpolicy-standard</blockquote><br /><br /><span style="font-family:trebuchet ms;">Reboot your machine. Log in as root and run </span><span style="font-family:courier new;">setstatus</span><span style="font-family:trebuchet ms;"> the output should be:</span><br /><blockquote style="font-family: courier new;">SELinux status: enabled<br />SELinuxfs mount: /selinux<br />Current mode: permissive<br />Mode from config file: permissive<br />Policy version: 23<br />Policy from config file: refpolicy-standard</blockquote><br /><br /><span style="font-family:trebuchet ms;">Now that should be all. Let me know if it does not work or if you have other comments.</span><br /><br /><p></p><p><br /><!-- BlogCounter Code START --><br /><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-2287313101509413681?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com4tag:blogger.com,1999:blog-5240359826706545510.post-52441475197987538602008-11-24T03:02:00.000-08:002008-11-24T03:03:09.217-08:00<p class="mobile-photo"><a href="http://1.bp.blogspot.com/_YYeA-lwcHBA/SSqJ7eMD7VI/AAAAAAAAAJk/HfeK2CnAwhk/s1600-h/IMAGE_316-789218.jpg"><img src="http://1.bp.blogspot.com/_YYeA-lwcHBA/SSqJ7eMD7VI/AAAAAAAAAJk/HfeK2CnAwhk/s320/IMAGE_316-789218.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5272177968599526738" /></a></p>This is a view from my office window of a white backyard... Snow! :)<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-5244147519798753860?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-37972723248686901602008-11-11T07:57:00.001-08:002008-11-11T08:05:16.634-08:00I just finished reading the book from Prof. Andreas Zeller mentioned in the title and it was great. One of the best and inspiring books I ever read.<br /><br />A cite for fun (not sure if it is from Zeller):<br /><span style="font-size:130%;"><span style="font-weight: bold;"></span></span><blockquote><span style="font-size:130%;"><span style="font-weight: bold;">The Devil's Guide to Debugging</span></span><br /><span style="font-weight: bold;">Find the defect by guessing</span>. This includes:<br /><ul><li>Scatter debugging statements throughout the program.</li><li>Try changing code until something works.</li><li>Don't backup old version of the code.</li><li>Don't bother understanding what the program should do.<br /></li></ul><span style="font-weight: bold;">Don't waste time understanding the problem</span>. Most problems are trivial, anyway.<br /><span style="font-weight: bold;">Use the most obvious fix</span>. Just fix what you see.</blockquote><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-3797272324868690160?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-76358581086922250962008-11-09T23:44:00.001-08:002008-11-09T23:46:24.489-08:00The title says it all, so have a look at the 20 pages yourself:<a href="http://csrc.nist.gov/publications/nistpubs/800-108/sp800-108.pdf"> http://csrc.nist.gov/publications/nistpubs/800-108/sp800-108.pdf</a><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-7635858108692225096?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-31426629717659639152008-11-07T11:21:00.000-08:002008-12-10T08:46:12.258-08:00<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_YYeA-lwcHBA/SRSXlgQbvDI/AAAAAAAAAHo/PoHYPRDRO1g/s1600-h/gremlins.jpg"><img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 200px; height: 200px;" src="http://4.bp.blogspot.com/_YYeA-lwcHBA/SRSXlgQbvDI/AAAAAAAAAHo/PoHYPRDRO1g/s200/gremlins.jpg" alt="" id="BLOGGER_PHOTO_ID_5266000534872767538" border="0" /></a><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_YYeA-lwcHBA/SRSXFAZ-iHI/AAAAAAAAAHg/e2c-jbb9lHo/s1600-h/holbein_testamenten.jpg"><img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 400px; height: 324px;" src="http://1.bp.blogspot.com/_YYeA-lwcHBA/SRSXFAZ-iHI/AAAAAAAAAHg/e2c-jbb9lHo/s400/holbein_testamenten.jpg" alt="" id="BLOGGER_PHOTO_ID_5265999976567048306" border="0" /></a><br /><p><br />I saw a picture by Hans Holbein The Younger named "An Allegory of the Old and New Testaments". And surprise, surprise in the lower, right corner I saw a Gremlin. But see yourself... they are alive and real! ;-)<br /></p><p><br /></p><p><br /></p><p><br /><!-- BlogCounter Code START --><br /><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-3142662971765963915?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-21087329668216466902008-11-04T23:48:00.000-08:002008-12-10T10:59:42.514-08:00<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_YYeA-lwcHBA/SRFQFxvBORI/AAAAAAAAAHY/UhidjyUMurQ/s1600-h/george_w_bush_goofy_inside_out_umbrella.jpg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 327px; height: 400px;" src="http://4.bp.blogspot.com/_YYeA-lwcHBA/SRFQFxvBORI/AAAAAAAAAHY/UhidjyUMurQ/s400/george_w_bush_goofy_inside_out_umbrella.jpg" alt="" id="BLOGGER_PHOTO_ID_5265077499552938258" border="0" /></a><br /><p>Nah! Only sometimes... :)<br /></p><br /><br /><br /><br /><br /><table nosave="" border="1" cols="3" width="100%"><tbody></tbody><tbody><tr><td><br /><center><b>Disclaimer</b></center><br /></td></tr><tr><td><br />The views expressed on this website/weblog are mine alone and do not necessarily reflect the views of my employer.<br /><br />Note to journalists and other readers: Unless you receive express written permission to the contrary from the author of the content of this blog/website, reproduction or quotation of any statements appearing on this blog/website is not authorized.<br /></td></tr></tbody><tbody></tbody></table><br /><br /><p><p><br /><!-- BlogCounter Code START --><br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-2108732966821646690?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-61482941379255361742008-10-31T06:33:00.000-07:002008-10-31T07:07:44.279-07:00<p>Bad news, most of you know the book series "The Art of Computer Programming". When you find a failure in it Donald Knuth sends you a check to get some $US as reward. Unfortunately it seems that a special number on this check was used several times to steal money from Knuth's bank account. </p><p>http://www-cs-faculty.stanford.edu/~knuth/news08.html<br /></p><p><br /><table nosave="" border="1" cols="3" width="100%"><br /><tbody><br /><tr><td><br /><center><b>Disclaimer</b></center><br /></td></tr><br /><tr><td><br />The views expressed on this website/weblog are mine alone and do not necessarily reflect the views of my employer.<br /><br />Note to journalists and other readers: Unless you receive express written permission to the contrary from the author of the content of this blog/website, reproduction or quotation of any statements appearing on this blog/website is not authorized.<br /></td></tr><br /></tbody><br /></table><br /><br /></p><p><br /><!-- BlogCounter Code START --><br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-6148294137925536174?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-50003907489756899482008-10-30T01:33:00.000-07:002008-10-30T01:54:55.812-07:00<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_YYeA-lwcHBA/SQl1w4EkvHI/AAAAAAAAAHQ/WqjtJWTcC1Y/s1600-h/Dead+Mighty+Mouse.jpg"><img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 300px; height: 400px;" src="http://3.bp.blogspot.com/_YYeA-lwcHBA/SQl1w4EkvHI/AAAAAAAAAHQ/WqjtJWTcC1Y/s400/Dead+Mighty+Mouse.jpg" alt="" id="BLOGGER_PHOTO_ID_5262867122104876146" border="0" /></a><br /><p>My wife uses a Mighty Mouse and the scroll ball does not work anymore. So, I decided to open the mouse and to clean the ball. Man, it wasn't an easy task, fortunately I found a description in the web with pictures. After some sweat and rude words I was able to disassemble the device and cleaned it. Well done! But I was not able to re-assemble the mouse anymore. Nothing was broken, I just was not able to place the side-buttons in the original position. And guess what... I did not find a good description of putting all parts together again! :-( </p><p>My wife laughed and said: "You know, Apple is releasing this descriptions in the net without providing a way to re-assemble the device to make you destroy it and buy a new one." Maybe she was right... nevertheless, now I know where to spend the next 49 bugs. :)<br /></p><p><br /><table nosave="" border="1" cols="3" width="100%"><br /><tbody><br /><tr><td><br /><center><b>Disclaimer</b></center><br /></td></tr><br /><tr><td><br />The views expressed on this website/weblog are mine alone and do not necessarily reflect the views of my employer.<br /><br />Note to journalists and other readers: Unless you receive express written permission to the contrary from the author of the content of this blog/website, reproduction or quotation of any statements appearing on this blog/website is not authorized.<br /></td></tr><br /></tbody><br /></table><br /><br /></p><p><br /><!-- BlogCounter Code START --><br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-5000390748975689948?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-40136910070381064922008-10-30T00:24:00.001-07:002008-10-30T00:28:35.714-07:00<p>Today I recognized a new(?) service from Google, their web-protocol/log-book. It archives all search queries etc. that I used in the past when I was logged on to my Google/Blogger account (which happens automatically with Cookies)... I can't remember switching it on, so it must be activated by default. Thumbs down for Google!<br /><table nosave="" border="1" cols="3" width="100%"><br /><tbody><br /><tr><td><br /> <center><b>Disclaimer</b></center><br /></td></tr><br /><tr><td><br />The views expressed on this website/weblog are mine alone and do not necessarily reflect the views of my employer.<br /><br />Note to journalists and other readers: Unless you receive express written permission to the contrary from the author of the content of this blog/website, reproduction or quotation of any statements appearing on this blog/website is not authorized.<br /></td></tr><br /></tbody><br /></table><br /><br /></p><p><br /><!-- BlogCounter Code START --><br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-4013691007038106492?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-88110675782734633262008-10-16T05:58:00.001-07:002008-10-16T05:58:46.948-07:00<p class="mobile-photo"><a href="http://3.bp.blogspot.com/_YYeA-lwcHBA/SPc6h8dy27I/AAAAAAAAAHI/RUoKapA-JO8/s1600-h/IMAGE_260-726950.jpg"><img src="http://3.bp.blogspot.com/_YYeA-lwcHBA/SPc6h8dy27I/AAAAAAAAAHI/RUoKapA-JO8/s320/IMAGE_260-726950.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5257735444819532722" /></a></p><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-8811067578273463326?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-67505776896620779682008-10-10T03:52:00.000-07:002008-10-10T03:56:55.439-07:00<p>We have a power outage at the Nuremberg HQ... :-(</p><p><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_YYeA-lwcHBA/SO80yaYhuDI/AAAAAAAAAHA/YfdnI0NcRb8/s1600-h/candle-753717.jpg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://4.bp.blogspot.com/_YYeA-lwcHBA/SO80yaYhuDI/AAAAAAAAAHA/YfdnI0NcRb8/s400/candle-753717.jpg" alt="" id="BLOGGER_PHOTO_ID_5255477330844956722" border="0" /></a></p><p><br /><table nosave="" border="1" cols="3" width="100%"><br /><tbody><br /><tr><td><br /><center><b>Disclaimer</b></center><br /></td></tr><br /><tr><td><br />The views expressed on this website/weblog are mine alone and do not necessarily reflect the views of my employer.<br /><br />Note to journalists and other readers: Unless you receive express written permission to the contrary from the author of the content of this blog/website, reproduction or quotation of any statements appearing on this blog/website is not authorized.<br /></td></tr><br /></tbody><br /></table><br /><br /></p><p><br /><!-- BlogCounter Code START --><br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-6750577689662077968?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com1tag:blogger.com,1999:blog-5240359826706545510.post-60527304445686627212008-10-09T23:20:00.000-07:002008-10-09T23:33:03.762-07:00<p>Hm, I wasn't able to find much information about this issue but it seems a computer failure at the NASDAQ was responsible for GOOG to be in a free fall to Ø.</p><p>The<a href="http://www.computerzeitung.de/articles/computerfehler_bringt_google-aktie_zum_absturz:/2008041/31675137_ha_CZ.html?null"> Computerzeitung (german)</a> and the <a href="http://www.tickerspy.com/post.php?pi=92899">tickerspy</a> documented it.</p><p>If you have more information let me know, it looks like an interesting case that may not be a mistake but intention.<br /><table nosave="" border="1" cols="3" width="100%"><br /><tbody><br /><tr><td><br /><center><b>Disclaimer</b></center><br /></td></tr><br /><tr><td><br />The views expressed on this website/weblog are mine alone and do not necessarily reflect the views of my employer.<br /><br />Note to journalists and other readers: Unless you receive express written permission to the contrary from the author of the content of this blog/website, reproduction or quotation of any statements appearing on this blog/website is not authorized.<br /></td></tr><br /></tbody><br /></table><br /><br /></p><p><br /><!-- BlogCounter Code START --><br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-6052730444568662721?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-25653873326028733692008-10-09T09:22:00.000-07:002008-10-09T23:06:48.248-07:00<p>Have a look at this nice article about <a href="http://www.suspekt.org/2008/08/18/mysql-and-sql-column-truncation-vulnerabilities/">SQL statement truncation attacks</a>: Stefan said that it is new, but I know at least two guys at SuSE which take care of this kind of vulnerability since several years now. :-) *boast*<br /></p><p>Frankly, injection and truncation attacks are "a natural thing" and there is nothing to explore or to find new here. It doesn't matter what language is used, what backend-systems handle the request etc..<br /></p><p><br /><table nosave="" border="1" cols="3" width="100%"><br /><tbody><br /><tr><td><br /><center><b>Disclaimer</b></center><br /></td></tr><br /><tr><td><br />The views expressed on this website/weblog are mine alone and do not necessarily reflect the views of my employer.<br /><br />Note to journalists and other readers: Unless you receive express written permission to the contrary from the author of the content of this blog/website, reproduction or quotation of any statements appearing on this blog/website is not authorized.<br /></td></tr><br /></tbody><br /></table><br /><br /></p><p><br /><!-- BlogCounter Code START --><br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-2565387332602873369?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com1tag:blogger.com,1999:blog-5240359826706545510.post-24959308993473597362008-09-25T23:58:00.000-07:002008-09-26T00:07:02.292-07:00<p>I ordered a clock via Amazon's Marketplace and yesterday it arrived. Funnily the wrong receipt was in the package. The receipt was for the major of the little city (over 100km away) my wife is from. He ordered the same clock an they mixed up the receipt. :-)<br /><table nosave="" border="1" cols="3" width="100%"><br /><tbody><br /><tr><td><br /> <center><b>Disclaimer</b></center><br /></td></tr><br /><tr><td><br />The views expressed on this website/weblog are mine alone and do not necessarily reflect the views of my employer.<br /><br />Note to journalists and other readers: Unless you receive express written permission to the contrary from the author of the content of this blog/website, reproduction or quotation of any statements appearing on this blog/website is not authorized.<br /></td></tr><br /></tbody><br /></table><br /><br /></p><p><br /><!-- BlogCounter Code START --><br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-2495930899347359736?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-72831672722258954012008-09-24T12:49:00.000-07:002008-09-24T14:25:12.736-07:00<p>Ich habe mir die Mühe gemacht und das SCHUFA-Merkblatt meiner Bank durchgelesen. Zwei Punkte fand ich interessant:</p><p></p><blockquote><p><span class="Apple-style-span" style="font-weight: bold;">Welche Daten werden der SCHUFA übermittelt?</span></p><p>1...</p><p>2...</p><p>3... Widerspruch zur SCHUFA-Klausel.</p></blockquote><p></p><p>und</p><p></p><blockquote>Unabhängig von der Einwilligung erfolgt die Übermittlung von Daten über eine nicht vertragsmäßige Abwicklung durch Kreditinstitute an die SCHUFA nur dann, wenn die Datenweitergabe zur Wahrung berechtigter Interessen des Kreditinstituts, eines Vertragspartners der SCHUFA oder der Allgemeinheit erforderlich ist und dadurch schutzwürdige Belange des Kunden nicht beeinträchtigt werden.</blockquote><p></p><p>Die erste Klausel sagt also aus, dass die SCHUFA benachrichtigt wird, wenn man genau <span class="Apple-style-span" style="font-style: italic;">das nicht</span> will! Aha!</p><p>Im zweiten Absatz wird deutlich gemacht, dass ein nahezu beliebiger Grund - auch von Dritten - ausreicht, um die Daten eines Bankkunden an die SCHUFA zu übermitteln...</p><p><br /></p><p>Gute Nacht Datenschutz...</p><p><br /></p><p><br /></p><p><br /></p><br /><br /><br /><br /><br /><table border="1" cols="3" width="100%" nosave=""><tbody></tbody><tbody><tr><td><br /> <center><b>Disclaimer</b></center><br /></td></tr><tr><td><br />The views expressed on this website/weblog are mine alone and do not necessarily reflect the views of my employer.<br /><br />Note to journalists and other readers: Unless you receive express written permission to the contrary from the author of the content of this blog/website, reproduction or quotation of any statements appearing on this blog/website is not authorized.<br /></td></tr></tbody><tbody></tbody></table><br /><br /><p><br /><!-- BlogCounter Code START --><br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-7283167272225895401?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-86579202377135383462008-09-16T09:05:00.000-07:002008-09-16T09:07:33.365-07:00<p>Today I arrived in Nuremberg to work at the HQ and meet my colleagues... but I was too late it seems because winter arrived earlier and it's cold here. *brrrrr*</p><br /><br /><br /><br /><br /><table border="1" cols="3" width="100%" nosave=""><tbody></tbody><tbody><tr><td><br /> <center><b>Disclaimer</b></center><br /></td></tr><tr><td><br />The views expressed on this website/weblog are mine alone and do not necessarily reflect the views of my employer.<br /><br />Note to journalists and other readers: Unless you receive express written permission to the contrary from the author of the content of this blog/website, reproduction or quotation of any statements appearing on this blog/website is not authorized.<br /></td></tr></tbody><tbody></tbody></table><br /><br /><p><br /><!-- BlogCounter Code START --><br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-8657920237713538346?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-22676219359694111282008-08-16T03:18:00.000-07:002008-08-16T03:19:37.286-07:00<p class="mobile-photo"><a href="http://2.bp.blogspot.com/_YYeA-lwcHBA/SKapuymCPSI/AAAAAAAAAGY/f_bw3JiMTBs/s1600-h/IMAGE_170-777288.jpg"><img src="http://2.bp.blogspot.com/_YYeA-lwcHBA/SKapuymCPSI/AAAAAAAAAGY/f_bw3JiMTBs/s320/IMAGE_170-777288.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5235058238185159970" /></a></p>... Chilling with my wife and my kids. :)<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-2267621935969411128?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-86868754874779855242008-08-14T09:40:00.000-07:002008-08-14T12:13:16.900-07:00<p>Today we released two security advisories, one for <a href="http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00002.html">postfix</a> and the other one for <a href="http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00003.html">openwsman</a>.</p><p>Sebastian found the bugs in postfix that allow to read other users emails  (CVE-2008-2937) (think about "Forget Password" functions of web-services) and code execution as root/mail (CVE-2008-2936) by delivering mail to a shell script via a file link. Exploiting both vulnerablities depend on the permissions of the mail directory.</p><p>The other advisory is about openwsman, an implementation of the <span class="Apple-style-span" style="font-style: italic;">Web Service Management</span> specs. I think most people do not know or use it ;) - at least <span class="Apple-style-span" style="font-style: italic;">I</span> didn't know it before I started auditing it.  A review of the pre-auth code revealed a buffer overflow (CVE-2008-2234) when the function <span class="Apple-style-span" style="font-family:'courier new';">ws_base64_decode()</span> was used to decode the HTTP authentication header. This function occurs at two places in the code. The other problem affects the <span class="Apple-style-span" style="font-style: italic; ">callback-verify</span> function for the <span class="Apple-style-span" style="font-style: italic; ">OpenSSL</span> library (CVE-2008-2233). The client code  verifies the fingerprint of the certificate received by comparing it with a fingerprint stored in the config without checking the host the certificate comes from. An attacker can record the SSL handshake and replay it to the client (or <span class="Apple-style-span" style="font-style: italic;">man-in-the-middle attack</span>), the fingerprints will match and everything looks fine.</p><p>We have to thank Wietse Venema and Anas Nashif for getting the code fixed.</p><p>And yes, the SuSE Security-Team still does pro-active work! ...even if you do not directly recognize it because it does not occur in the news. :)</p><p><br /></p><p><br /></p><br /><br /><br /><br /><br /><table border="1" cols="3" width="100%" nosave=""><tbody></tbody><tbody><tr><td><br /><center><b>Disclaimer</b></center><br /></td></tr><tr><td><br />The views expressed on this website/weblog are mine alone and do not necessarily reflect the views of my employer.<br /><br />Note to journalists and other readers: Unless you receive express written permission to the contrary from the author of the content of this blog/website, reproduction or quotation of any statements appearing on this blog/website is not authorized.<br /></td></tr></tbody><tbody></tbody></table><br /><br /><p><br /><!-- BlogCounter Code START --><br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8px;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-8686875487477985524?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-28592553113900841912008-07-15T00:56:00.000-07:002008-07-15T08:50:49.177-07:00<p>Not much details, just the result of <a href="http://www.suse.de/%7Ethomas/projects/tia/index.html">TIA</a> watching my wife's MacMini.</p><p></p><blockquote><span style="font-style: italic;">gate:/home/thomas # cat transid-stat.sorted|head -n 24</span><br />17 0x6071<br />16 0x5F71<br />16 0x5E71<br />16 0x5D71<br />16 0x5C71<br />16 0x5B71<br />8 0xBBC2<br />8 0xBAC2<br />8 0xB9C2<br />8 0xB8C2<br />8 0xB7C2<br />8 0xB6C2<br />6 0x4EA8<br />6 0x4DA8<br />6 0x4CA8<br />6 0x4BA8<br />6 0x4AA8<br />6 0x49A8<br />5 0xA3D4<br />5 0xA2D4<br />5 0xA1D4<br />5 0xA0D4<br />5 0x9FD4<br />5 0x9ED4<br /><br /><span style="font-style: italic;">gate:/home/thomas # cat portnum-stat.sorted|head -n 24</span><br />232 5353<br />4 49263<br />4 49262<br />4 49261<br />4 49260<br />4 49259<br />4 49258<br />4 49257<br />4 49253<br />4 49252<br />4 49251<br />4 49250<br />4 49249<br />4 49248<br />4 49247<br />4 49246<br />4 49244<br />4 49243<br />4 49242<br />4 49241<br />4 49240<br />4 49239<br />4 49238<br />4 49233</blockquote><br /><p></p><p>:-)<br /></p><br /><br /><br /><br /><br /><table nosave="" border="1" cols="3" width="100%"><tbody></tbody><tbody><tr><td><br /><center><b>Disclaimer</b></center><br /></td></tr><tr><td><br />The views expressed on this website/weblog are mine alone and do not necessarily reflect the views of my employer.<br /><br />Note to journalists and other readers: Unless you receive express written permission to the contrary from the author of the content of this blog/website, reproduction or quotation of any statements appearing on this blog/website is not authorized.<br /></td></tr></tbody><tbody></tbody></table><br /><br /><p></p><p><br /><!-- BlogCounter Code START --><br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-2859255311390084191?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-47410633685145411612008-07-11T07:09:00.000-07:002008-07-16T09:01:27.922-07:00<p>I released an update of TIA, the DNS TRXID analyzer, to record and count the UDP source-port numbers used too. <a href="http://www.suse.de/%7Ethomas/projects/tia/index.html">TIA can be downloaded from my suse.de page</a>.</p><p>The tool simply counts the number of times a TRXID/port -number occured. Use whatever tool and method you like to find patterns etc. in it. :-)</p><p><br /><table nosave="" border="1" cols="3" width="100%"><br /><tbody><br /><tr><td><br /><center><b>Disclaimer</b></center><br /></td></tr><br /><tr><td><br />The views expressed on this website/weblog are mine alone and do not necessarily reflect the views of my employer.<br /><br />Note to journalists and other readers: Unless you receive express written permission to the contrary from the author of the content of this blog/website, reproduction or quotation of any statements appearing on this blog/website is not authorized.<br /></td></tr><br /></tbody><br /></table><br /><br /></p><p><br /><!-- BlogCounter Code START --><br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-4741063368514541161?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-78183757149732330852008-07-09T02:50:00.000-07:002008-07-09T03:22:18.366-07:00<p>Most code that uses SSL I verified made at least one mistake that allows an attacker to read the plaintext traffic. When you were able to listen to one of my secure programming presentations or read this blog you already know the examples. And the list of vulnerable applications seems not to end...<br /></p><p>I am currently doing a design and source-code review of an application which uses SSL for communications with its components.</p><p>The client verifys the certificate and the hostname, but uses a "clever" <span style="font-style: italic;">verify-callback</span> function to compare the the fingerprint of the invalid certificate received with a fingerprint defined in the client's configuration. <span style="font-style: italic;">The hostname is not verified by the callback function!</span><br /></p><p>All that is needed to make the client accept connections to another system controlled by an attacker is to sniff the public certificate with <span style="font-style: italic;">WireShark</span> (other tools work too, but I used this one), save the server payload of the packages (with <span style="font-style: italic;">WireShark</span>, just follow the TCP stream and save it as a C array). Now the malicious server only needs to create a listening TCP socket, accepts the SSL handshake messages from the client (they can be ignored) and replays the SSL payload. The client uses the <span style="font-style: italic;">curl API</span> which recognizes that the certificate comes from the wrong host, calls the callback function, compares the fingerprint of the certificate with the trusted one, they match and so the connection is accepted. <span style="font-weight: bold;">Voila!</span><br /><table nosave="" border="1" cols="3" width="100%"><br /><tbody><br /><tr><td><br /><center><b>Disclaimer</b></center><br /></td></tr><br /><tr><td><br />The views expressed on this website/weblog are mine alone and do not necessarily reflect the views of my employer.<br /><br />Note to journalists and other readers: Unless you receive express written permission to the contrary from the author of the content of this blog/website, reproduction or quotation of any statements appearing on this blog/website is not authorized.<br /></td></tr><br /></tbody><br /></table><br /><br /></p><p><br /><!-- BlogCounter Code START --><br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-7818375714973233085?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0tag:blogger.com,1999:blog-5240359826706545510.post-23072221665386458652008-07-09T00:42:00.000-07:002008-07-11T02:23:37.394-07:00<p>The US-CERT releases an <a href="http://www.kb.cert.org/vuls/id/800113">advisory about DNS cache-poisoning</a> yesterday. The story is not new: The DNS protocol is vulnerable to a <a href="http://en.wikipedia.org/wiki/Birthday_attack"><span style="font-style: italic;">Birthday Attack</span></a>. The ISC released a new version of <span style="font-style: italic;">bind</span> that uses a random <span style="font-style: italic;">Transaction-ID</span> (TRXID) <span style="font-weight: bold;">and</span> a random UDP source-port for each query. This makes a <span style="font-style: italic;">Birthday Attack</span> impracticable for DNS cache-poisoning.</p><p>We <a href="http://wiki.powerdns.com/cgi-bin/trac.fcgi/changeset/1179">fixed it in <span style="font-style: italic;">PowerDNS</span></a> in April and <span style="font-style: italic;">bind</span> follows now (due to pressure from a <span style="font-style: italic;">Black Hat</span> presentation). I hope that this reminder helps to remove this vulnerability from the Internet.<br /></p><p>Also have a look at<a href="http://www.trusteer.com/research"> the great research work on PRNG implementations done by Amit Klein</a>.</p><p><span style="font-weight: bold;">Update 1</span>: The attack Dan Kaminsky found seems to be <span style="font-style: italic;">new</span>, but yet there are no details available and we have to wait for his <span style="font-style: italic;">Black Hat</span> conference presentation. Maybe he just sends UDP packets with a broadcast destination IP set (port is static) to all DNS servers involved in the resolution process to increase the likelyhood of a TRXID match... dunno. <span style="font-style: italic;">Nevertheless UDP port randomization stops the attack.</span><br /></p><p><span class="Apple-style-span" style="font-weight: bold;">Update 2</span>: Our QA team worked hard to test the new <span class="Apple-style-span" style="font-style: italic;">bind</span> packages and they should be available at all our mirrors now... happy updating. :-)</p><span style="font-weight: bold;">Update 3</span>: Hopefully the last one. We released the <span style="font-style: italic;">bind</span> advisory today. Please make sure you did not specify a port number for queries in your config files (<span style="font-family: courier new;">query-source port 53</span> or <span style="font-family: courier new;">query-source-v6 port 53</span>) . The default config files we ship should all be ok as far as I can see.<br /><br /><table nosave="" border="1" cols="3" width="100%"><tbody></tbody><tbody><tr><td><br /><center><b>Disclaimer</b></center><br /></td></tr><tr><td><br />The views expressed on this website/weblog are mine alone and do not necessarily reflect the views of my employer.<br /><br />Note to journalists and other readers: Unless you receive express written permission to the contrary from the author of the content of this blog/website, reproduction or quotation of any statements appearing on this blog/website is not authorized.<br /></td></tr></tbody><tbody></tbody></table><br /><br /><p></p><p><br /><!-- BlogCounter Code START --><br /></p><p><a href="http://www.blogcounter.de/" id="bclink" title="kostenloser Counter fuer Weblogs"><span id="bccount" style="font-size:8;">kostenloser Counter</span></a></p><script type="text/javascript" src="http://track.blogcounter.de/js.php?user=thetom_blog&amp;style=1"></script><noscript><p><a href="http://www.blogcounter.de/"><img style="border: 0px;" alt="Weblog counter" src="http://track.blogcounter.de/log.php?id=thetom_blog" /></a> - </p></noscript><br /><!-- BlogCounter Code END --><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240359826706545510-2307222166538645865?l=thetoms-random-thoughts.blogspot.com' alt='' /></div>Thomasnoreply@blogger.com0