Tag Archives: English

Open source security

Dr. Sam Ransbotham, assistant professor at Boston College, has recently completed an empirical study of exploitation attempts against open source vulnerabilities. The study shows that vulnerabilities in open source software are exploited faster, and spread more widely, than vulnerabilities in proprietary software.

Dr. Ransbotham's finding is interesting, yet it raises more questions than it answers. Why are vulnerabilities in open source software more likely to be exploited, and what can be done about it?

To answer those questions, we need more information. We need to know which software and which vulnerabilities were observed in the study. We need to know how each exploitation spreads, to find out whether there are packages within the open source pool that are at higher risk than the rest. I was in contact with Dr. Ransbotham by e-mail, but unfortunately he was not able to share the alert data he compiled his statistics from.

I also wonder when the exploits are counted. Are some of the exploits discovered and counted by signature file? In that case, are they counted a) after the signature file has been installed for a while, at the moment the malicious file infects the system, or b) at the moment the signature file is installed, after the vulnerability has already been exploited for an unknown period of time?

Yet another highly important factor is patch dates and the participating companies' patching policies: on what date was the patch available from the vendor, and on what date was it installed?

We know from earlier studies that patches for open source software are delivered faster than patches for proprietary software. From Dr. Ransbotham's study we can read that fewer open source vulnerabilities are exploited, more open source vulnerabilities are patched, and yet more companies experience malicious attacks. Given that this data is correct, can these statistics that disfavour open source be turned around by companies adopting patches faster?

Not much of a conclusion here, other than: patch your systems. 😉

The infinite information publisher theorem

We know for a fact that with an earth citizen count of

I got about this far, and I had to fix Wikipedia for a math error. It had this “{{#expr:({{worldpop}}/1000000000) round 4}} billion.”
going on; it should of course be round 3.

Where was I? Right; we have populated this world of ours with 6.769 billion humans, and counting (fast). At this point we are about 1 000 000 internet users in the world; many of us blog, or in one way or another publish text, music, images, source code, math or any other kind of information. Given that the amount of published information will keep rising for as long as humankind stays around, this will eventually be one big bag of information altogether.

How long do we (humankind) aim to stick around? I know we are doing our best to break the world, but what if the next generation, and the next one again, somehow manage to *not* ruin the world? Will the number of humans who have ever existed keep rising towards infinity? Do we aim for infinity, or can anyone tell me the date we aim for?

“Oops, sorry kids... I broke the world.”

If an infinite number of internet users publish random information for an infinite amount of time, we will most likely eventually see two bloggers blogging the same thing without copying each other. We will most likely see two musicians creating the exact same tune. We will see an extreme number of tunes that are almost the same, and millions of blogs that are nearly identical. We will also see an infinite number of published ideas, most different, but many the same, or nearly the same.

Really; it should have been called copywrong.

Of course, much of this publishing would be illegal under the unnatural copyright laws of today, but that will change... someday. I am sure you can think of a way to help out on this one.

Infinity is a long time, but we should at least aim for the future, right?

New mandatory IT-standards for Norwegian government

Update: The press release is now also available in English.

The Ministry of Government Administration and Reform has, in a press release (so far only in Norwegian), announced new mandatory IT standards for the Norwegian government. This is version 2.0 of the reference catalogue of mandatory standards.

The most important changes:
* On state web sites, it is mandatory from 1 January 2012 to publish multimedia content in open formats.
– Video: Theora/Vorbis/Ogg or H.264/AAC/MP4.
– Audio: Vorbis/Ogg, MP3 or FLAC/Ogg.
– Images: JPEG or PNG.

* When exchanging documents as e-mail attachments between government and users, it is mandatory from 1 January 2011 to use the document formats PDF or ODF.

* Version change: From 1 January 2010, ODF version 1.1 should be used.

* Character sets: ISO 10646 represented as UTF-8 should be used in all new projects. From 1 January 2012, UTF-8 will be used for information exchange.

Oooh, shiny.. Screensavers for Ubuntu

I was a bit disappointed that gnome-screensaver, the default in Ubuntu, has neither a Settings button nor an option for a custom slide show. It's not really that hard to hack together a slide show; just look into /usr/share/applications/screensavers. But the regular user should be able to go *click* *click* *click* *clickclick*, done.

I did not find a replacement that can do that, but I found xscreensaver. Xscreensaver gives you all the functions missing in gnome-screensaver, but its user interface is not optimal yet. I wish it didn't show uninstalled screensavers in the list, and I wish I could browse files the way I am used to in GNOME.

In xscreensaver you can choose your own picture folder under the Advanced tab, and GLSlideshow looks just *sweet*. Tweak as you like 🙂

You can use Synaptic from the System/Administration menu to swap to xscreensaver. Just search for “screensaver”, check xscreensaver and uncheck gnome-screensaver.

BTW, here's a link to Ubuntu Brainstorm.

Putting two words together

In Norwegian we put words together to make new words. We have a grammar rule for when to separate two words that together create a meaning, and it goes like this:

Never.

Now that's quite easy to remember, so in Norwegian “grammar rule” is “grammatikkregel”, “rubber tire” is “gummidekk” and “guitar buddies” is “gitarkameratene”.

For quite a while the Norwegian press has referred to a band as “de nye gitarkameratene” (the new guitar buddies). The musicians who first used the name “Gitarkameratene” now react to this, claiming that it is disrespectful to use a word they “invented”.

I have a problem with this. I mean, if the word were something like “Kraputtvoltgitarkameratene”, surely this *IS* a new word, but just putting together two common words to create another common word is something we all *should* be doing according to Norwegian grammar rules, hence such a word cannot be owned by anyone.

To make sure this kind of stupid debate never rises again in the future, I wrote a small script to fix this.

# Emit every ordered pair of words from words.txt, one compound per line.
# Reading line by line (rather than $(cat ...)) keeps entries with spaces
# or glob characters intact.
while read -r i ; do
    while read -r j ; do
        echo "$i$j"
    done < words.txt
done < words.txt

I ran the script on a Norwegian dictionary, but I didn't bother to remove all the compound words first, so many entries are now put together from 3 or 4 words.

Anyway, the output file is about 2 TB, so I can't post it here, but if anyone can lend me some server space, I'll publish this new word list on the condition that everyone can use any word in this list as they want, forever.

– But I will always know that I created many of these words first 🙂

Norwegian police force computers may be hacked more than once

If you still want to use Windows on your home computer, that is OK, because it's only your own data, and it will not affect many users if you get hacked. Last but not least, it's you, not the taxpayers, who have to spend money fixing it when it happens. Windows may also run some of your games best.

One public service after another gives away control over their computers to criminal hacker groups. The list keeps getting longer and includes military defence, police forces, hospitals and other critical institutions. All of the infected computers run Windows, and it seems to be a global issue.

Make no mistake about this: when a computer is infected with malware, it is entirely up to the writer of the malware to decide what should be done. Usually the goal is building a large botnet, but it could just as easily erase all data on the computer, or upload data from the computer to a server on the internet. Or just plant a backdoor for later use.

The Norwegian police's computers have been infected with Conficker for a few days now, and they try to calm people down by saying that this was not a targeted attack. Right. THIS was not a targeted attack, but the fact that this automatic attack uses a well-known security hole, with published PoC and everything you need, means that anyone with the ability to use Google could create their own attack in 1-2-3.

How to hack unpatched computers in 1-2-3:
1. Select your favourite exploit; you can find hundreds of them.
2. Copy and paste the proof-of-concept code into your little malware.
3. Attack and hide.

What we know is that bots have been walking around inside our police offices, and the reason is that the doors have not been locked. The same doors have been open to anyone; who else has been inside since October? We can never know...

If you do this targeted, you will remain undetected for a LONG time unless you screw something up. The antivirus software will not detect a targeted attack, because it only looks for known malware signatures. You know, I bet that the IT departments of some of the institutions that have had their doors unlocked for months didn't even reinstall everything on all the computers that have remained unpatched for months, but only removed the malware and updated Windows. So if you hacked the computers a while ago, you can still remain undetected. The doors may be locked now, but you already created your own well-hidden backdoor.

How to stay undetected in 1-2-3:
1. Hide your backdoor in existing files.
2. Do not mess with anything. Make a copy and mess with the copy.
3. Do not remote control a computer while it is in use.
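The argument above is that signature-based antivirus cannot tell a patched system binary from the original, so "remove the worm and install the update" leaves a backdoor hidden in an existing file untouched. The check that does catch it is a file-integrity baseline: hash every file before the incident (or take the hashes from a clean install or package manifest), and diff against the host afterwards. The script below is an added example, not from the original post; the "system" tree, the file names and the backdoor bytes are constructed for the demo.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def baseline(root):
    """Map relative path (with '/' separators) -> (size, sha256) for every
    regular file under root. Symlinks are skipped on purpose."""
    table = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            table[rel] = (os.path.getsize(full), sha256_file(full))
    return table


def compare(before, after):
    """Return the sets of modified, added and removed paths between two baselines.
    A file whose size is unchanged but whose hash differs still counts as modified."""
    modified = {p for p in before if p in after and before[p] != after[p]}
    added = set(after) - set(before)
    removed = set(before) - set(after)
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Constructed scenario: take a clean baseline, let an attacker patch a
    backdoor into an existing binary without changing its size and drop one
    extra file, then diff. Paths and contents are made up for the demo."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        svc = os.path.join(root, "bin", "svc.exe")
        with open(svc, "wb") as f:
            f.write(b"MZ legitimate service binary")
        with open(os.path.join(root, "readme.txt"), "w") as f:
            f.write("docs\n")
        clean = baseline(root)

        # step 1 of the list above: hide in an existing file; keep the length
        # identical so a size-only check sees nothing unusual
        with open(svc, "rb") as f:
            data = bytearray(f.read())
        data[-8:] = b"backdoor"
        with open(svc, "wb") as f:
            f.write(data)
        # a dropped helper that a "remove the worm, update Windows" cleanup
        # only catches if it already has a signature for it
        with open(os.path.join(root, "bin", "helper.dll"), "wb") as f:
            f.write(b"MZ loader")

        return compare(clean, baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, sorted(paths))
```

The diff reports bin/svc.exe as modified and bin/helper.dll as added even though the antivirus would see two ordinary-looking PE files. Two caveats: the baseline must be stored off the host (an attacker who can patch svc.exe can also rewrite a baseline file next to it), and a machine that was exposed for months is still better reinstalled than cleaned, because the baseline only tells you what changed, not what else the intruder did with the access.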

Oh, another thing. The Norwegian police force states that they are still working on removing Conficker (Monday afternoon). I hope they don't have any of the unpatched computers connected to anything, because these are as open as an open door as we speak, or type, or read. I mean: I type, you read.

This is really serious. Systems so targeted by malware, and so hard to maintain, should not be used by the public sector. Yes, I say hard to maintain. If you installed Debian in 1996, you could still run it and have it patched. If you have run Windows since 1996, you have had to reinstall at least once, preferably twice, and buy new hardware at least once, again preferably twice.

Another issue is that swapping to Linux in the public sector would not only be safer, but also cheaper and more reusable.

Many countries are already doing this with success, so why shouldn't we all? The French police are migrating all 90,000 workstations by 2015, and even though they have only moved 5,000 so far, they have saved 50,000,000 euro in licensing and maintenance costs.

Cheaper, safer, simpler, better. Who decides that we still stick with Windows? This is a political matter, and politicians say “go open source”, yet (almost) nothing happens.

The work of getting rid of closed source in the public sector needs to accelerate before the public sector is owned by hackers or script kiddies.

Who would like to hack the police, or the hospitals? I can think of a few groups:
1. The botnet makers
2. Criminals looking for material to blackmail others with
3. Kids fooling around

I guess there are more groups, but this should be enough to start locking the doors. Right?

Would hacking for good be bad?

Some years ago, hacking was about fun, learning and freeing information. Then came the fame, and suddenly it turned big time, and these days it's all about the money. An incredible number of computers are remote controlled by criminal hacking groups to spam the rest of the world, steal passwords, perform denial of service attacks and more. Imagine all this computing power used to search for stolen computers and illegal material on infected computers.

Yes, I know, there is a privacy issue. The irony is that privacy left the building years ago. You leave an electronic trace everywhere, to be used and abused. And the creators of malware basically own your computer at some point or another.

In an action movie, the idea of all computers all over the world starting to mail the police if illegal porn was found would be a great one. In the real world I guess we have to stick with computers mailing you about penis enlargement and the big lottery you won.

There might be some grey areas as well, like looking at a computer's MAC address to see if it is stolen. To check the MAC address of the wireless network card, you do not have to look into the computer, since it is visible from outside.

When it comes to wireless networks, it's much like driving down the street looking at other people's houses. If you see into a window and think what you just saw might be some illegal activity, it's probably your duty to have another look, and call the police if you still believe there is some illegal activity. On the other hand, if the shades are down, it would be illegal for you to lift the shades to have a look. Even though the radio waves of a wireless network are much like the light rays that come out of the neighbour's window, these waves are not visible to your eyes, but to your computer. If the network is open, a script could have a quick look and e-mail the police, and that would be good; but if there is a WEP key, and your script breaks that key first, it would be bad. Right?
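The “shades up” case above, reading a wireless card's MAC address from outside without touching the network, as an added example that is not part of the original post: a station that is looking for networks it knows broadcasts 802.11 probe requests in the clear, and the transmitter address in that frame is the card's MAC. The parser below decodes such frames and matches the sender against a list of addresses reported stolen. The stolen-MAC list, the sample frames and the SSIDs are constructed for the demo (the frames are built by the same script), no capture interface is opened and nothing is decrypted, so it stays on the legal side of the author's line.

```python
# Constructed list of wireless MAC addresses reported stolen (hypothetical values).
STOLEN_MACS = {"00:11:22:33:44:55"}


def mac_str(raw):
    """Render six raw bytes as the usual colon-separated lowercase hex form."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_probe_request(frame):
    """Parse a raw 802.11 frame (assumes no radiotap header and no FCS trailer).
    Returns (transmitter MAC, probed SSID) for a probe request, None otherwise."""
    if len(frame) < 24:  # minimum management-frame header
        return None
    fc0 = frame[0]
    version = fc0 & 0x03
    ftype = (fc0 >> 2) & 0x03
    subtype = (fc0 >> 4) & 0x0F
    if version != 0 or ftype != 0 or subtype != 4:  # management / probe request
        return None
    addr2 = frame[10:16]  # transmitter address: the station doing the probing
    body = frame[24:]     # tagged parameters: id, length, value, ...
    ssid = ""
    off = 0
    while off + 2 <= len(body):
        eid, elen = body[off], body[off + 1]
        val = body[off + 2: off + 2 + elen]
        if len(val) < elen:
            break  # truncated element, stop rather than misparse
        if eid == 0:  # SSID element (empty for a wildcard probe)
            ssid = val.decode("utf-8", "replace")
            break
        off += 2 + elen
    return mac_str(addr2), ssid


def build_probe_request(src_mac, ssid):
    """Constructed frame for the demo: what a laptop sends when it looks for a
    known network. Frame control 0x40 = type 0 (management), subtype 4."""
    fc = bytes([0x40, 0x00])
    duration = b"\x00\x00"
    bcast = b"\xff" * 6          # addr1 (receiver) and addr3 (BSSID) are broadcast
    seq = b"\x00\x00"
    ssid_ie = bytes([0, len(ssid)]) + ssid.encode()
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # supported rates element
    return fc + duration + bcast + src_mac + bcast + seq + ssid_ie + rates_ie


def stolen_hits(frames, stolen=STOLEN_MACS):
    """Return [(mac, ssid), ...] for every probe request sent by a listed card."""
    hits = []
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed and parsed[0] in stolen:
            hits.append(parsed)
    return hits


# Constructed sample capture: one probe from a listed card, one wildcard probe
# from an unrelated card, and a beacon (subtype 8) that the parser must ignore.
SAMPLE_FRAMES = [
    build_probe_request(bytes.fromhex("001122334455"), "home-wifi"),
    build_probe_request(bytes.fromhex("aabbccddeeff"), ""),
    bytes([0x80, 0x00]) + b"\x00" * 22,
]

if __name__ == "__main__":
    for mac, ssid in stolen_hits(SAMPLE_FRAMES):
        print(f"listed card {mac} probing for {ssid!r}")
```

Feeding it real traffic means a monitor-mode capture with the radiotap header stripped, which is where the parser's assumptions are stated. One caveat a practitioner would add today: modern phones and laptops randomize the MAC in probe requests, so a list of hardware addresses catches far less than it did when this post was written.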