I have turned on SSL on my site, primarily to be able to log into the management interface of the blog engine over a secure connection. You are welcome to read the blog over SSL. The certificate was signed by CAcert.org, so you will want to download their root certificates and install them into your browser.
No guarantees that using SSL will make me post more often. Life has been busy.
Registration is now open for ApacheCon US 2008. There will be an Early Bird discount, so register early and Save! The schedule is up and I’m very happy to see the return of the schedule grid that shows the entire conference on one page. J. Aaron has done a great job on the site.
I will be presenting one session at the conference: Hardening Enterprise Apache Installations Against Attacks will discuss security issues with the Apache Web Server and how the developer team reacts to issues as they are found. We’ll also talk about protecting applications that are served by the Apache server and may be the target of attacks that do not subvert the web server itself, but the code behind it.
The first time I did this talk, at ApacheCon EU 2008, I ran out of time. There’s so much to talk about! The feedback forms submitted by the attendees did, however, identify some spots I can tighten up, so I’m looking forward to presenting a new, updated version of the talk this fall.
Hope to see you, first week of November, in New Orleans!

Firms whose business interests are served by having us be scared of scams advise us to expect scams. Film at eleven.
We’re doing a PGP Keysigning again at ApacheCon Europe 2008, but the Apache Wiki is down today so I can’t update its PGPKeySigning page. Several folks have already sent me their key: thank you very much!
The Keysigning session will happen at the tail end of the Welcome Reception, and hopefully be done before the BOFs start. If you would like to participate, send your public key to sctemme at apache dot org before 3PM on Wednesday. I will compile the key list after I’m done with my talks.
So this e-mail message from PayPal landed in my Hotmail. What makes this blog-worthy is that it actually, really came from PayPal. It was not a spam zombie attack, phishing scheme, virus or other type of malware, but a real, honest missive about their privacy policy. Go figure.
Like yachtsmen, programmers are lazy. Being a little bit of both, I guess that makes me doubly lazy, and a byproduct of this seems to be that I just don’t get around to signing the keys that emerge from the ApacheCon Keysigning sessions I organize.
For programmers, laziness manifests itself in the wish to write programs to perform repetitive tasks, not infrequently spending more time writing the program than it would have taken to just perform the task by hand. Of course the merit of writing such a program is that others can use it to perform the same repetitive task, without having to write the program first. A couple of days ago, Apache’s Henning Schmiedehausen posted PGPSigner, a utility that helps you sign all the keys on your list from the Keysigning session.
This is absolutely great: it just helped me do in five minutes what I had already put off for close to a month, and the keys from the last keysigning session are now signed, uploaded to the keyservers (pgpkeys.mit.edu and minsky.surfnet.nl) and mailed to their owners, insofar as their mail got through. I used the Signing Party Keyring that contains the keys of all the attendees.
Small patch to make the startup script suck in the jars in the lib directory:
Index: pgpsigner.sh
===================================================================
— pgpsigner.sh (revision 1009)
+++ pgpsigner.sh (working copy)
@@ -31,4 +31,8 @@
exit 1
fi
-java -jar target/${APPNAME}-${APPVERSION}.jar “$@”
+for j in `ls lib/*.jar` ; do
+ CLASSPATH=”$CLASSPATH:$j”
+done
+
+java -classpath $CLASSPATH -jar target/${APPNAME}-${APPVERSION}.jar “$@”
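Review bot: the `-classpath` added on the last `+` line has no effect, because `-jar` is still given on the same command: with `-jar` the JVM takes user classes only from the named JAR and its manifest `Class-Path` attribute and ignores `-classpath`, so the jars collected into CLASSPATH by the loop above will not be loaded unless the manifest already lists them. Either drop `-jar` and name the application's main class, as in `java -classpath "target/${APPNAME}-${APPVERSION}.jar:$CLASSPATH" <main class>`, or have the build write the lib jars into the manifest's `Class-Path`. Two smaller points in the loop: `for j in \`ls lib/*.jar\`` word-splits the output of ls and breaks on paths containing spaces, where `for j in lib/*.jar` does the same job safely; and when CLASSPATH is unset or empty the first iteration produces a value beginning with `:`, and an empty classpath element means the current directory, so a stray `.class` file in whatever directory the script is run from could shadow a class from the jars. Seeding CLASSPATH with the application jar before the loop, or using `CLASSPATH=${CLASSPATH:+$CLASSPATH:}$j`, avoids that, and `$CLASSPATH` on the java line should be quoted. Note also that the quotes around `$@` and `$CLASSPATH` appear here as typographic quotes; the shell needs plain ASCII double quotes.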
This makes it easier to run the program from the command line as opposed to from within Eclipse. (: Thank you Henning.
Yep, we’re doing it again. Wednesday night May 2 at ApacheCon Europe, we’ll be having a PGP KeySigning. All Apache committers and all conference attendees are invited to participate.
Why do we have a PGP Keysigning session at ApacheCon? At the Apache Software Foundation, we sign our releases with PGP. Every release archive is accompanied by a signature file (name ends in .asc) and a hash file (name ends in .md5) that you can use to verify the integrity of the release.
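As an added example (not code from the original post, and not the ASF's own tooling): a small checker for the two files described above, the detached digest and the detached PGP signature. It assumes the digest file is in one of the layouts Apache mirrors have used (a bare digest, `digest  filename` as written by md5sum/sha512sum, or `filename: AB12 CD34 ...` as written by `gpg --print-md`, possibly wrapped over several lines) and that `gpg` is installed for the signature step; the helper names are mine, and the sample data is constructed.

```python
"""Check an Apache-style release download against its .md5/.sha* digest file
and its detached .asc signature.  Added example; the layouts accepted and the
helper names are assumptions, not the ASF's own verification tooling."""
import hashlib
import hmac
import re
import subprocess
from pathlib import Path
from typing import Optional

# Digest length in hex characters -> hashlib algorithm name.  The algorithm is
# inferred from the digest itself rather than trusted from the file extension.
DIGEST_ALGORITHMS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
HEX = re.compile(r"[0-9A-Fa-f]+")


def parse_digest_file(text: str) -> str:
    """Return the lower-case hex digest contained in a digest file.

    Accepts: a bare digest; 'digest  filename' or 'digest *filename'
    (md5sum/sha512sum style); and 'filename: AB12 CD34 ...' as written by
    `gpg --print-md`, where the groups may wrap onto several lines.
    """
    tokens = text.split()
    if tokens and tokens[0].endswith(":"):      # "filename:" label from gpg --print-md
        tokens = tokens[1:]
    if not tokens:
        raise ValueError("empty digest file")
    joined = "".join(tokens)
    if HEX.fullmatch(joined) and len(joined) in DIGEST_ALGORITHMS:
        return joined.lower()                   # bare or space-grouped digest
    first = tokens[0]
    if HEX.fullmatch(first) and len(first) in DIGEST_ALGORITHMS:
        return first.lower()                    # 'digest  filename'
    raise ValueError("unrecognised digest file layout: %r" % text[:60])


def check_digest_bytes(data: bytes, digest_text: str) -> bool:
    """True if `data` hashes to the digest found in `digest_text`."""
    expected = parse_digest_file(digest_text)
    actual = hashlib.new(DIGEST_ALGORITHMS[len(expected)], data).hexdigest()
    return hmac.compare_digest(actual, expected)


def check_digest(artifact: Path, digest_file: Path) -> bool:
    # Whole-file read is fine for a release archive of a few tens of MB.
    return check_digest_bytes(artifact.read_bytes(), digest_file.read_text())


def verify_signature(artifact: Path, sig_file: Path,
                     keyring: Optional[Path] = None) -> bool:
    """Run `gpg --verify` on the detached .asc signature.

    True only when gpg reports VALIDSIG: the signature is good under a key that
    is already in the keyring (import the project's KEYS file first).  This is
    the check that proves who signed the archive; the digest file is served by
    the same mirror as the archive and only catches corruption, not substitution.
    """
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify"]
    if keyring is not None:
        cmd += ["--no-default-keyring", "--keyring", str(keyring)]
    cmd += [str(sig_file), str(artifact)]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    except FileNotFoundError:                   # gpg is not installed
        return False
    return proc.returncode == 0 and "[GNUPG:] VALIDSIG" in proc.stdout


if __name__ == "__main__":
    import sys
    import tempfile
    if len(sys.argv) > 1:                       # real release: foo.tar.gz with .md5 and .asc beside it
        archive = Path(sys.argv[1])
        print("digest ok:", check_digest(archive, Path(sys.argv[1] + ".md5")))
        print("signature ok:", verify_signature(archive, Path(sys.argv[1] + ".asc")))
    else:                                       # constructed sample, runs offline
        with tempfile.TemporaryDirectory() as d:
            archive = Path(d, "sample.tar.gz")
            archive.write_bytes(b"abc")
            md5 = Path(d, "sample.tar.gz.md5")
            # md5("abc") in gpg --print-md layout (constructed)
            md5.write_text("sample.tar.gz: 9001 5098 3CD2 4FB0 D696 3F7D 28E1 7F72\n")
            print("digest ok:", check_digest(archive, md5))
```

Run it with a release archive as its only argument, with the .md5 and .asc files beside it, or with no argument to exercise the digest parser on the constructed sample. The security-relevant distinction: the .md5 file comes from the same mirror as the archive, so it only catches download corruption, while the .asc signature, checked against a key imported from the project's KEYS file fetched from apache.org rather than from the mirror, is what tells you the archive is the one a release manager signed. A gpg exit status of 0 only means the signature is valid under some key in your keyring, so compare the key fingerprint gpg reports with the one in KEYS.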
SpamAssassin’s Justin Mason comments on a talk by one Joe St. Sauver about the Spam Zombie Problem. Joe has some good points, but I’m afraid his proposed solution—a government-issued, free cleanup disk to be applied to infected PCs—won’t cut it.
Joe even contradicts himself in his slide show: first he assesses that the average owner of an 0wned PC has neither the motivation nor the wherewithal to clean up their infection, that they are unwilling to pay to have this done, and that ISPs can’t be expected to help out their users since it would take hours to properly clean up a zombie PC. Yet a cleanup CD seems to me not only a hard sell to the general public, but also something easily obtained by the bad guys, who can then code around it. Malware can be updated in minutes through its natural distribution medium; good luck updating a stock of CDs sitting at every post office and library.
Nevertheless, Joe makes some interesting points such as:
- The vast majority of spam e-mail is now delivered through virus-infected PCs (zombies) owned by the general public
- Said general public has no compelling interest in cleaning up their machines
- The zombie PC problem is out of control
- This is a world-wide issue
- Something needs to be done
However, what can we do about this? I agree with Joe that rate-limiting e-mail from consumer PCs and cutting off their direct-to-MX SMTP path is not enough. I don’t use AOL, but I’m sure their widely advertised move to make antivirus software available to their customers for free is in their own best interest. The $250 tax credit Joe proposes seems to me merely a shot in the arm for Dell and Microsoft… especially the latter would love to see the masses upgrade to Vista forthwith. Speaking of which, what exactly does Vista bring to the table in this regard?
The Hack Report has an interview with Honeynet Project founder Lance Spitzner, where he gets to re-hash what we know about the bad guys: yes, they are after your computer; they are in it for the money now; and no, there’s nothing law enforcement can do.
And, of course, someone in the comments speaks up and denounces the use of the word ‘Hacker’ for the bad guys, since ‘Hacker’ really means ‘One who is proficient at using or programming a computer’ etc. etc. Of course I agree with this, but it’s too late to shut the barn door.
Give it up. The linguistic battle has been lost: in the eyes of the general public and the industry, ‘Hacker’ means you’re breaking stuff. End of story. Instead of mincing over words, let’s concentrate on actually fighting the bad guys. What we need is a new moniker for the ethical, the good guy hacker. Let’s rally under a new banner! From now on, the good guys should consider themselves ‘CyberPonies’.
Nick Kew over at ApacheTutor reviews a couple of books on Apache Security. One of them, by Ryan Barnett, is already on my shelf. I’ll probably pick up Ivan Ristic’s book as well.