ApacheCon US 2008

Registration is now open for ApacheCon US 2008. There will be an Early Bird discount, so register early and Save! The schedule is up and I’m very happy to see the return of the schedule grid that shows the entire conference on one page. J. Aaron has done a great job on the site.

I will be presenting one session at the conference: Hardening Enterprise Apache Installations Against Attacks will discuss security issues with the Apache Web Server and how the developer team reacts to issues as they are found. We’ll also talk about protecting applications that are served by the Apache server and may be the target of attacks that do not subvert the web server itself, but the code behind it.

The first time I did this talk, at ApacheCon EU 2008, I ran out of time. There’s so much to talk about! The feedback forms submitted by the attendees did, however, identify some spots I can tighten up, so I’m looking forward to presenting a new, updated version of the talk this fall.

Hope to see you, first week of November, in New Orleans!


PGP Keysigning at ApacheCon EU 2008

We’re doing a PGP Keysigning again at ApacheCon Europe 2008, but the Apache Wiki is down today so I can’t update its PGPKeySigning page. Several folks have already sent me their key: thank you very much!

The Keysigning session will happen at the tail end of the Welcome Reception, and hopefully be done before the BOFs start. If you would like to participate, send your public key to sctemme at apache dot org before 3PM on Wednesday. I will compile the key list after I’m done with my talks.

E-mail from Paypal…

So this e-mail message from Paypal landed in my Hotmail. What makes this blog-worthy is that it actually, really came from Paypal. It was not a spam zombie attack, phishing scheme, virus or other type of malware, but a real, honest missive about their privacy policy. Go figure.

How Henning Made Me Actually Do It

Like yachtsmen, programmers are lazy. Being a little bit of both, I guess that makes me doubly lazy, and a byproduct of this seems to be that I just don’t get around to signing the keys that emerge from the ApacheCon Keysigning sessions I organize.

For programmers, laziness manifests itself in the wish to write programs to perform repetitive tasks, not infrequently spending more time writing the program than it would have taken to just perform the task by hand. Of course the merit of writing such a program is that others can use it to perform the same repetitive task, without having to write the program first. A couple of days ago, Apache’s Henning Schmiedehausen posted PGPSigner, a utility that helps you sign all the keys on your list from the Keysigning session.

This is absolutely great, it just helped me do in five minutes what I had already put off for close to a month, and the keys from the last keysigning session are now signed, uploaded to the keyservers (pgpkeys.mit.edu and minsky.surfnet.nl) and mailed to their owners insofar as their mail got through. I used the Signing Party Keyring that contains the keys of all the attendants.

Small patch to make the startup script suck in the jars in the lib directory:


Index: pgpsigner.sh
===================================================================
--- pgpsigner.sh (revision 1009)
+++ pgpsigner.sh (working copy)
@@ -31,4 +31,8 @@
exit 1
fi

-java -jar target/${APPNAME}-${APPVERSION}.jar "$@"
+for j in `ls lib/*.jar` ; do
+ CLASSPATH="$CLASSPATH:$j"
+done
+
+java -classpath $CLASSPATH -jar target/${APPNAME}-${APPVERSION}.jar "$@"
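Review bot: the new `java -classpath $CLASSPATH -jar ...` line does not pick up the jars the loop collects: when `-jar` is given, the JVM takes the class path from the jar's manifest `Class-Path` attribute and ignores `-classpath`, so the `lib/` jars are never seen. Either list them in the manifest's `Class-Path`, or drop `-jar` and launch the main class explicitly, e.g. `java -classpath "target/${APPNAME}-${APPVERSION}.jar$CLASSPATH" <main class> "$@"` (the main class name is not shown in this patch). Two smaller points: `for j in lib/*.jar` avoids the `ls` subshell and survives paths with spaces, and an empty initial `$CLASSPATH` leaves a leading colon, which silently adds the current directory to the class path; quoting `"$CLASSPATH"` and starting from the target jar avoids both.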

This makes it easier to run the program from the command line as opposed to from within Eclipse. (: Thank you Henning.

ApacheCon EU 2007 Keysigning

Yep, we’re doing it again. Wednesday night May 2 at ApacheCon Europe, we’ll be having a PGP KeySigning. All Apache committers and all conference attendees are invited to participate.

Why do we have a PGP Keysigning session at ApacheCon? At the Apache Software Foundation, we sign our releases with PGP. Every release archive is accompanied by a signature file (name ends in .asc) and a hash file (name ends in .md5) that you can use to verify the integrity of the release.
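As an added illustration of the two checks just described (example code, not the post's or the ASF's own): a Python script that verifies an Apache release archive against its .asc signature and its .md5 file. The KEYS file path, the gpg invocation and the archive name are assumptions of the example; gpg is assumed to be on PATH.

```python
import hashlib
import subprocess
import tempfile
from pathlib import Path


def parse_md5_file(text: str) -> str:
    """Extract the digest from a .md5 file. These come in several shapes:
    a bare digest, the md5sum format "<digest>  <file>", or "<digest> *<file>".
    The digest is always the first whitespace-separated token."""
    tokens = text.split()
    digest = tokens[0].lower() if tokens else ""
    if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"not an MD5 digest: {text!r}")
    return digest


def md5_of_file(path: Path) -> str:
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_md5(archive: Path, md5_file: Path) -> bool:
    """True iff the archive matches its .md5 file. This only catches a corrupted
    download: whoever can replace the archive can replace the .md5 beside it,
    so it is no substitute for the signature check below."""
    return md5_of_file(archive) == parse_md5_file(md5_file.read_text())


def check_signature(archive: Path, asc_file: Path, keys_file: Path) -> bool:
    """Verify the detached .asc signature against the project's KEYS file.
    KEYS is imported into a throwaway GnuPG home so the check neither depends
    on nor pollutes your personal keyring. Exit status 0 means the signature is
    valid for some key in KEYS; whether that key really belongs to the release
    manager is exactly what the keysigning session is for."""
    with tempfile.TemporaryDirectory() as home:  # assumption: gpg on PATH
        base = ["gpg", "--batch", "--homedir", home]
        subprocess.run(base + ["--import", str(keys_file)],
                       check=True, capture_output=True)
        result = subprocess.run(base + ["--verify", str(asc_file), str(archive)],
                                capture_output=True)
    return result.returncode == 0


def verify_release(archive: Path, keys_file: Path) -> dict:
    """Run both checks for an archive whose .asc and .md5 sit next to it."""
    return {"md5": check_md5(archive, archive.with_name(archive.name + ".md5")),
            "signature": check_signature(
                archive, archive.with_name(archive.name + ".asc"), keys_file)}
```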


The Fight Against Zombie PCs

SpamAssassin’s Justin Mason comments on a talk by one Joe St. Sauver about the Spam Zombie Problem. Joe has some good points, but I’m afraid his proposed solution (a government-issued, free cleanup disk to be applied to infected PCs) won’t cut it.

Joe even contradicts himself in his slide show: first he assesses that the average owner of an 0wned PC does not have the motivation, or wherewithal, to clean up their infection, they are unwilling to pay to have this done and ISPs can’t be expected to help out their users since it’d take hours to properly clean up a zombie PC. However, a cleanup CD to me seems not only a hard sell to the general public, but it also looks like something easily obtained by the bad guys, who can then code around it. Malware can be updated in minutes through its natural distribution medium; good luck updating a stock of CDs sitting at every post office and library.

Nevertheless, Joe makes some interesting points such as:

  • The vast majority of SPAM e-mail is now delivered through virus-infected PCs (zombies) owned by the general public
  • Said general public has no compelling interest in cleaning up their machines
  • The zombie PC problem is out of control
  • This is a world-wide issue
  • Something needs to be done

However, what can we do about this? I agree with Joe that rate-limiting e-mail from consumer PCs and cutting off their direct-to-MX SMTP path is not enough. I don’t use AOL, but I’m sure their widely advertised move to make antivirus software available to their customers for free is in their own best interest. The $250 tax credit Joe proposes seems to me merely a shot in the arm for Dell and Microsoft… especially the latter would love to see the masses upgrade to Vista forthwith. Speaking of which, what exactly does Vista bring to the table in this regard?

Honeynet Founder Lance Spitzner: “Hackers not afraid of being caught”

The Hack Report has an interview with Honeynet Founder Lance Spitzner where he gets to re-hash what we know about the bad guys: yes they are after your computer, they are in it for the money now and no, there’s nothing law enforcement can do.

And, of course, someone in the comments speaks up and denounces the use of the word “Hacker” for the bad guys, since “Hacker” really means “One who is proficient at using or programming a computer” etc. etc. Of course I agree with this, but it’s too late to shut the barn door.

Give it up. The linguistic battle has been lost: in the eyes of the general public and the industry, “Hacker” means you’re breaking stuff. End of story. Instead of mincing over words, let’s concentrate on actually fighting the bad guys. What we need is a new moniker for the ethical, the good guy hacker. Let’s rally under a new banner! From now on, the good guys should consider themselves “CyberPonies”.

New SSL Certificates, now with Green which is More Safer!

As noted in The Register, Verisign teams up with Microsoft to enhance the user experience of Internet Explorer 7 when browsing SSL-protected sites. Verisign will sell High Assurance certificates to sites that pass a more stringent identity verification than is currently the norm. When it encounters such a certificate, IE 7 will turn the address bar green in addition to displaying the usual padlock. A Phishing Filter (Philter?) turns the address bar red when the user accesses a known phishing site.

While I hope that they include enough visual cues for the red/green colorblind among us, I don’t dislike this idea. Is it a scam? Not necessarily. Details about what a High Assurance or Extended Validation certificate actually comprises are scarce, but it’ll probably take the form of a certificate attribute that Verisign will set on these mo’ expensive, mo’ better certificates. Such an attribute can be set by any CA, parsed by any browser and can be ignored by the enormous installed base of credit card wielding, revenue generating users of older browsers. Whether or not a company drinks the Microsoft/Verisign Kool-aid, they hopefully won’t stand for breaking backwards compatibility. On the other side, it’s the responsibility of the Certificate Authorities to only set this attribute on their mo’ better certificates, for which they in turn can charge mo’ money.

This whole thing ties into a new concept of Trust. The situation is not black and white anymore. Trust is the new green. Or yellow, or red. You can get a cheap certificate by proving that you can ping an e-mail back and forth to the CA. This shows them that you have access to e-mail on the domain, which is good enough for them as an (automated) identity verification. Whether said domain is practically indistinguishable from that of an actual business falls outside this check. One would dearly hope that applicants for a High Assurance certificate undergo more scrutiny than that.

Earlier this month at ApacheCon, I attended a very interesting talk by Lisa Dusseault about Federated Identities. As she talked about rate-limiting the creation of centrally verified identities to thwart spammers, she came up with the Fifty Dollar identity. The knowledge that the party you are talking to has a non-trivial sum of money behind their identity record might positively affect the trust you place in that identity. I see much the same happen with this new server-side certificate paradigm: cheap normal certificates you trust a little, and mo’ Green mo’ better certificates you might trust more. So far, browsers have not given us any idea about the quality of a site’s certificate. It’s either trusted, or the browser puts up a slew of scary dialogs. The red/green address bar might bring some nuance to this concept and put a more human face on the concept of the identity of a web site.