Search Results for security
Some thoughts on Firefox and security
David Fenton is one of the more prolific posters on the WWWAC list, one of my favorite online hangouts, and he
made some good points in regard to Firefox and browser security the other day. He's allowed me to post 'em here.
This fix highlights the HUGE difference between Firefox and IE in terms of safety. The vulnerabilities announced
just a few days ago have already been patched.
And Secunia shows quite clearly that Firefox's open vulnerabilities are much less serious than IE's. Compare these
two charts:
Firefox Criticality http://secunia.com/graph/?type=cri&period=all?=4227
IE Criticality http://secunia.com/graph/?type=cri&period=all?=11
Open those two graphs in separate tabs and then flip back and forth between them. You'll see that Firefox has a
much lower number of discovered vulnerabilities in the most serious 3 of the 5 classes of vulnerability.
Also, if you look at Firefox's unpatched vulnerabilities, all are in the bottom 2 of the 5 classes of
...
Securely - and easily - wipe that hard drive
Most of you reading this know that deleting a file does nothing to the data, really - the file system just drops
its entry, and anyone with a recovery tool can still get to that file. And formatting a disk or partition doesn't
necessarily remove data either. No, to really get rid of the stuff on a drive, you have to securely wipe it, which
means overwriting every sector. Sure, there are tools to do that - heck, you could use Knoppix - but here's a
thing that's built to do one thing only: securely wipe an entire hard drive. It's
Darik's Boot and Nuke, and you can put it on a bootable floppy or CD. Boot
with it, and bang! your data's gone. Works for Windows, Linux, and now Mac OS X! Just be freakin' careful with this
thing, OK? If you use it, your data is gone. So don't come whinin' back to me that you accidentally
deleted your girlfriend's emails. That's your problem, buddy, not mine.
(Check out all my postings on Knoppix and
security.) ...
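To make the point concrete, here is an added example (mine, not DBAN's code and not from the post) that writes a known marker into a temporary file standing in for a disk image, overwrites the whole thing in place with a zero pass, a ones pass and a random pass, and checks that the marker is gone. The `wipe()` function measures size by seeking to the end, so the same code also works on a raw block device such as `/dev/sdb` if run as root, with the same "your data is gone" consequences. One caveat DBAN sidesteps by wiping the whole device: on SSDs, journaling or copy-on-write file systems, overwriting a single file does not guarantee the old blocks are gone, so a per-file overwrite is a demonstration, not a substitute for a full-device wipe.

```python
"""Overwrite-in-place demo: why 'delete' is not 'gone'. Added example, not DBAN's code."""
import os
import tempfile

# Constructed sample content standing in for sensitive data on the drive.
MARKER = b"ACCOUNT-NUMBER-4242-SECRET"


def device_size(f):
    """Size in bytes of a regular file or a block device opened in binary mode.
    os.path.getsize() reports 0 for /dev/sdX, so seek to the end instead."""
    f.seek(0, os.SEEK_END)
    return f.tell()


def wipe(path, passes=(b"\x00", b"\xff", None), chunk=1 << 16):
    """Overwrite every byte of `path` with each pattern in `passes` (None = random).
    Opening with r+b rewrites the existing blocks instead of allocating a new file,
    and fsync() makes sure each pass actually reached the device. Returns bytes per pass."""
    with open(path, "r+b") as f:
        size = device_size(f)
        for pattern in passes:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(remaining, chunk)
                f.write(os.urandom(n) if pattern is None else pattern * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def contains_marker(path):
    """Crude 'recovery tool': scan the raw bytes for the marker."""
    with open(path, "rb") as f:
        return MARKER in f.read()


def demo(size=64 * 1024):
    """Write the marker into a temp file that stands in for a disk image, then wipe it.
    Returns (found_before_wipe, found_after_wipe); expected (True, False)."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(os.urandom(size // 2) + MARKER + os.urandom(size // 2))
    try:
        before = contains_marker(path)
        wipe(path)
        after = contains_marker(path)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    print("marker present before/after wipe:", demo())
```

Run it as-is and it only touches a temp file; point `wipe()` at a block device and you get the DBAN experience, minus the safety prompts.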
Great HOWTO for securing your Linux box
There's a lot of great info out on the web & in bookstores about securing your Linux box, but here's a great
resource you should definitely take a look at: Werner Puschitz's
Securing Linux Production Systems: A Practical Guide to Basic
Security in Linux Production Environments. Written for a technical audience (so if you're an absolute noob, you'd
better look elsewhere), this lengthy (over 40 printed pages) guide is designed to provide "basic Linux security
requirements for production systems that are being audited". Topics covered include passwords, system services,
permissions, ssh, & more. You probably already know a lot of the stuff in here, but you'll undoubtedly find some
new info as well, so give it a look.
(Check out all of our posts on
security.) ...
Excellent interview with Dan Razzell about system security
NewsForge has an excellent interview with Dan Razzell, "a computer scientist with over 25 years of experience in
system architecture and security", titled
"Security myths and architectural
realities". It's an in-depth piece, with good questions and really meaty, thoughtful, smart answers from Razzell.
He touches on a lot of topics, including open design and implementation, firewalls, logging in as root, &
"survivable systems". While Windows is never mentioned explicitly, it's pretty easy to read between the lines. I mean,
when he says, "But where there is a clear trade-off [between security and convenience], system architects have the
ideal opportunity to apply the principle of security by default, which requires the user to make a deliberate choice to
make the system less secure", it's not too hard to think to yourself that MSFT tends to choose convenience over
security (they claim they've changed … we'll see). Definitely a piece worth reading & thinking about. ...
Greasemonkey extension a (temporary) security risk
Greasemonkey is one of my all-time favorite Firefox extensions, & lately there's
trouble in Greasemonkeyville.
Mark Pilgrim, who's a wicked smart web dev guy,
found a serious security hole in Gm, &
I mean a biggie. For now, downgrade to Gm 0.3.5
(which will protect your machine, but at the cost of Gm no longer working like it should), & keep checking this
blog until a better fix is posted. Hey, it's still early days with Gm, & this is what open source is all about:
allowing folks to find bugs openly, report them, & get 'em squished.
(Check out all of my posts on Firefox &
Greasemonkey.) ...
Firefox 1.0.3 released - security fixes and a better installation experience
The Mozilla Foundation has released a new version of the
Firefox browser that addresses a number of security
vulnerabilities including a well-publicized JavaScript issue. The
Mozilla Suite has also been updated (the new version is
1.7.7). eWeek has details on
the vulnerability issues this release addresses.
More interesting (to me anyway) is that the developers have pretty much fixed the installer problems that have plagued
previous releases. This morning, Firefox displayed the critical update icon in the menu bar and, when I told it to go
ahead and update my copy of Firefox, it downloaded the new version and began the installation process without a hitch.
It offered to shut down any running instances of Firefox, did so gracefully, and completed the installation.
A quick check of the Add/Remove Programs control panel confirmed that the previous behavior of leaving a listing for
older versions has been corrected. I have only version 1.0.3 listed. ...
Instant anonymous web browsing with Torpark
Here's how it works: you download Torpark (Windows
only right now ... grrrrrr) and install it on a USB flash drive. Then, when you're sitting at a public computer, or
someone else's PC, and you wanna browse anonymously, plug the USB flash drive in and open its Torpark, which really
opens a copy of Firefox set up to route through Tor, the super-cool anonymizing network. Don't know much about Tor? Read more about it, lazy bones! Wanna stay
anonymous when the US government seems hell-bent on knowing every damn thing we do online? Then use Torpark & stick
it to the Man!
(Check out all of our posts on Tor and security.) ...
How good is your password?
This is a pretty cool page: "Password Recovery
Speeds: How long will your password stand up". Given a password consisting only of numbers, and between 2 and
9 characters, how long would it take a Pentium 100 to crack it using brute force? What if you used a faster PC? What
about a supercomputer? OK, now what if your password added letters? And now symbols? And so on. It's a fascinating
series of tables, and it may help you to convince folks that they really really really need to change their crappy
passwords to something a bit tougher.
(Check out all of our posts on security &
passwords.) ...
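The tables on that page are just keyspace arithmetic, and it helps to be able to regenerate them for your own hardware. The following is an added example (my code, not the linked page's): it sums the candidates for every length from 2 to 9 (a brute forcer tries the short ones first, so `10**9` alone undercounts), divides by a guess rate, and prints worst-case and average time. The charset sizes are standard; the guess rates in `SPEEDS` are assumed placeholders, not measurements, so replace them with numbers from your own cracker before quoting them to anyone.

```python
"""Brute-force time estimator, the arithmetic behind a 'password recovery speed' table.
Added example, not from the page linked above."""

# Size of the alphabet the attacker has to assume for each password style.
CHARSETS = {
    "digits": 10,
    "lowercase letters": 26,
    "letters + digits": 62,
    "letters + digits + symbols": 95,   # printable ASCII
}

# Assumed guess rates in guesses per second. Illustrative placeholders only;
# measure your own hardware (or the cracker's) before quoting numbers.
SPEEDS = {
    "old desktop": 1e6,
    "modern CPU": 1e9,
    "GPU rig": 1e12,
}

UNITS = (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60))


def keyspace(alphabet, max_len, min_len=1):
    """Candidates an exhaustive search must cover for lengths min_len..max_len.
    Shorter lengths are tried first, so they are summed rather than ignored."""
    if min_len < 1 or max_len < min_len:
        raise ValueError("need 1 <= min_len <= max_len")
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def seconds_to_exhaust(space, guesses_per_sec):
    """Worst case: the whole space. On average the target falls halfway through."""
    return space / guesses_per_sec


def humanize(seconds):
    """Render a duration in the largest unit that fits, e.g. 90 -> '1.5 minutes'."""
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"
    return f"{seconds:.3g} seconds"


def table(min_len, max_len):
    """Rows of (charset, speed, worst-case seconds) for every charset/speed pair."""
    return [
        (cname, sname, seconds_to_exhaust(keyspace(csize, max_len, min_len), rate))
        for cname, csize in CHARSETS.items()
        for sname, rate in SPEEDS.items()
    ]


if __name__ == "__main__":
    for cname, sname, secs in table(2, 9):
        print(f"{cname:28} {sname:12} {humanize(secs):>14}  (avg {humanize(secs / 2)})")
```

One number worth pulling out of the output: every 2-to-9 digit PIN combined is about 1.1 billion candidates, fewer than the 6-character letters-and-digits space alone, which is the argument for "add letters" in one line.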
Harden your *nix box
Even though we use Linux, BSD, or Mac OS X, which are generally better configured and safer out of the box than
Windows, we still need to be careful and keep security in mind. Good configurations help, but even better is knowing
how to harden your machine even further, and what to do if - crap! - you think you've been compromised. With that in
mind, take a look at "1001 ways to
harden Linux", an excellent, long list of links & resources about *nix security. It's worth a bookmark, &
definitely worth several hours of reading.
(Check out all of my posts on
security.) ...
Sony's rootkit: some questions
My new column for SecurityFocus is available on the Web now. Titled
"Sony-bologna", it's a series of questions inspired by Sony's
disastrous decision to install rootkit-like software on the computers of consumers who made the mistake of buying CDs
made by their companies. Be sure to add your own answers or questions in the comment section.
(Check out all of our posts on security &
rootkits.) ...
Artificial Openness?
JC Francois sent us this commentary called "Artificial Openness" that I think y'all might find interesting:
"I can only assume that it is desperation that pushed Microsoft to come up with yet another ridiculous initiative to
try and resist the pressure they receive from Open Source on all fronts.
In an effort to fend off the growing threat of governments considering open source software due to continued
security flaws in Windows, Microsoft has launched a new initiative to keep governmental organizations in the loop.
Through its Security Cooperation Program (SCP), Microsoft will provide information on vulnerabilities not yet
available to the public. Source:
BetaNews
While everybody will agree that early notification of vulnerabilities is critical for administrators to secure their
systems, any government signing up for this would only encourage Microsoft to hold back some vital security information
from the public simply to justify the existence and demonstrate the value of this ...
Reasons to use Ethereal as a packet sniffer
When it comes to sniffing packets, the tool I usually use is Ethereal, a fantastically powerful piece of software.
Tony Howlett's book Open Source Security Tools: A Practical Guide to Security Applications covers Ethereal and
many other tools. You can read a sample chapter, titled "Network Sniffers: Is Open Source Right for
You?", online. In it, Howlett gives a great list explaining Ethereal's benefits over using straight tcpdump on
the command line. Here's a brief outline of his list. After reading this, go check out the sample chapter & the
book!
Easy to use GUI
More analytical & statistical options than command line
Cleaner output format
Supports over 300 network protocols
Supports many physical network formats
Interactively browse & sort captured data
Save output in a variety of formats
Display packets with color-coding
Filter creation GUI makes it easy to create filters
Follow a TCP stream & view it as a unified whole in ASCII
Supports many ...
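"Follow a TCP stream" is the item on that list that tcpdump really can't match, and it's worth seeing what the feature actually does. Below is an added example (my code, not Ethereal's and not from Howlett's book): a deliberately simplified reassembler that takes individual segments, keys them by connection, places each direction's payload by sequence number so out-of-order and retransmitted segments land in the right place, fills anything no segment covered with `?` and counts those bytes, then renders both directions as ASCII. The sample capture is constructed inline; it is not a real trace. Real Ethereal also interleaves the two directions in capture order and handles sequence-number wraparound, neither of which this toy does.

```python
"""Simplified 'Follow TCP Stream': rebuild both directions of a connection from
individual segments. Added example, not Ethereal's code or anything from Howlett's book."""

# Constructed sample capture: (src, dst, seq, payload). Segments are deliberately
# out of order, one is retransmitted, and one belongs to a different connection.
CLIENT = ("10.0.0.2", 40000)
SERVER = ("10.0.0.1", 80)
OTHER = ("10.0.0.3", 40001)
SEGMENTS = [
    (CLIENT, SERVER, 1036, b"\r\n"),                      # end of request, arrives early
    (SERVER, CLIENT, 5017, b"\r\nhello\r\n"),              # body before the status line
    (CLIENT, SERVER, 1000, b"GET / HTTP/1.0\r\n"),        # 16 bytes -> next seq 1016
    (OTHER, SERVER, 7000, b"GET /other HTTP/1.0\r\n"),    # unrelated connection
    (CLIENT, SERVER, 1016, b"Host: example.test\r\n"),    # 20 bytes -> next seq 1036
    (SERVER, CLIENT, 5000, b"HTTP/1.0 200 OK\r\n"),       # 17 bytes -> next seq 5017
    (CLIENT, SERVER, 1016, b"Host: example.test\r\n"),    # retransmission, same seq
]


def stream_key(a, b):
    """Connection identity independent of direction."""
    return tuple(sorted((a, b)))


def reassemble(segments, client, server, gap_byte=b"?"):
    """Return (client_to_server, server_to_client, missing_bytes).
    Each direction is placed by sequence number relative to its lowest seq, so
    out-of-order and retransmitted segments land correctly; bytes no segment
    covers are filled with gap_byte and counted in missing_bytes."""
    want = stream_key(client, server)
    by_src = {client: {}, server: {}}
    for src, dst, seq, payload in segments:
        if stream_key(src, dst) != want or not payload:
            continue
        by_src[src][seq] = payload          # duplicate seq simply overwrites
    result, missing = {}, 0
    for src, chunks in by_src.items():
        if not chunks:
            result[src] = b""
            continue
        base = min(chunks)
        end = max(seq + len(p) for seq, p in chunks.items())
        buf = bytearray(gap_byte * (end - base))
        covered = bytearray(end - base)
        for seq, p in chunks.items():
            off = seq - base
            buf[off:off + len(p)] = p
            covered[off:off + len(p)] = b"\x01" * len(p)
        result[src] = bytes(buf)
        missing += covered.count(0)
    return result[client], result[server], missing


def render(client_data, server_data):
    """ASCII view in the spirit of Ethereal's Follow TCP Stream window."""
    out = []
    for label, data in (("client -> server", client_data), ("server -> client", server_data)):
        out.append(f"--- {label}, {len(data)} bytes ---")
        out.append(data.decode("ascii", errors="replace"))
    return "\n".join(out)


if __name__ == "__main__":
    c2s, s2c, missing = reassemble(SEGMENTS, CLIENT, SERVER)
    print(render(c2s, s2c))
    print("bytes not covered by any segment:", missing)
```

Drop the `Host:` segment from `SEGMENTS` and the request comes back with 20 `?` bytes in the middle and `missing == 20`, which is the same "data lost" hint Ethereal gives when the capture missed packets.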
Thunderbird 1.0.5 is out!
There's a new Firefox; now there's a new Tbird as well. 1.0.5 for both. What's the
new Tbird got? Just like Firefox, no new features, just bug
fixes & updates. If you use Tbird, you need to update for security's sake, so get on it!
(Check out all of my posts on
Thunderbird.) ...
The open source enterprise data networking magazine
This month sees the release of The Open Source Enterprise Data
Networking Magazine online. Distributed in PDF format, it's available for free and you can print it now. The
magazine covers issues from VoIP to routing and security. Support a worthwhile open source publishing project, and
check out the magazine today.
(Check out all of our posts on
magazines.) ...
Directory of Linux applications
Know what kind of program you need for Linux, but don't have any names in mind? Then check out Linux App Finder, a directory of Linux programs in several categories, including
Backup & Recovery, Business & Finance, Communications, Development, Editors, Education, Games, Graphics,
Internet & Networking, Multimedia, Scientific & Engineering, Security, System Management, Utilities, and
Virtualization. Not everything in the world is there, but it's a good start nonetheless. ...