Tuesday Dec 01, 2009

Solaris Security Essentials is Out!

I found out just before going on Thanksgiving break, by searching Amazon myself, that I am now a published author! Solaris 10 Security Essentials is officially released!

I would've thought the publisher would've let us know, but apparently that's not an unusual problem. All the same, I am so excited to be counted among the elite of published authors! We debuted at #68,242 on Amazon's Best Seller list, and climbed into the top 20,000 by the end of the week! And since publication, we're now available on the Kindle!

While the title suggests this is only for Solaris 10, all of the concepts are applicable to OpenSolaris as well, though some of the examples may differ slightly in OpenSolaris. In fact, the working title had been "Solaris Security Essentials" and I wasn't even aware of the change until I saw it on Amazon. :)

Writing a book was such an interesting process! Starting with just a basic idea from our director about writing a book about what we all do and love, to all of us contributing suggestions for what topics would be interesting, volunteering to write specific chapters, generating outlines, arguing with the publisher about why 80 column width was required for command line related text, and working with great co-authors, editor and project manager to see the finished product! *whew*

The book is also available on Safari and in brick & mortar bookstores everywhere.

I am so proud of each and every one of us for pulling together and getting this project completed. Let me know what you think of the book!

Wednesday Oct 21, 2009

Still time to register for the OpenSolaris Security Summit!

Advanced registration for the OpenSolaris Security Summit that is going on in Baltimore, Maryland on Tuesday, November 3rd in conjunction with USENIX LISA 09 is open until October 26th. After that, you'll need to register on site, space permitting.

Why should you go? This free summit will include some of the top people in the field of computer security and networking, including author and luminary Bill Cheswick! This will be your chance to learn about technologies already shipping with the Solaris 10 Operating System as well as get a peek at what is coming in the future for OpenSolaris!

Did I mention this is free? While you're in town for the LISA conference, why not spend a day getting free training from Sun Microsystems? btw, you don't have to be attending the LISA conference to go to this summit - so if you just live nearby, you should take advantage of this opportunity!

Oh, and it comes with lunch and a chance to win free prizes, too, FTW!

Tuesday Oct 20, 2009

GHC09: Pictures and video!

Okay, I still haven't downloaded my pictures off of my camera (if only I had more hours in the day...), but fortunately Terri Oda is more on the ball and she put this gem up on Flickr:

That's me, Terri, Kathryn, Stormy, Sandy and Teresa!

Ed and Ashley have been busy as well, putting up these interviews of Sun women who attended the Grace Hopper Celebration of Women in Computing:

Deirdre Straughan and Teresa Giacomini are interviewed about community development!

Me getting interviewed about Open Source, OpenSolaris and my work at Sun Microsystems!

Friday Oct 02, 2009

GHC09: Susan Landau: Bits and Bytes: Explaining Communications Security (and Insecurity) in Washington and Brussels

Susan Landau started out giving us her history about how she went from a theoretical computer science faculty member at a university to someone working at Sun Microsystems on public policy. It's a path she said she wasn't working towards, but feels she must've been, just a little bit, or she wouldn't have ended up where she is.

The US first started doing wire tapping during the Civil War! Wow! Apparently we didn't slow down - not only did the US use wire tapping to watch criminals, but it was also doing it to members of Congress and Supreme Court judges! In particular, a congress person could be talking about the FBI budget and the FBI would be listening in! Clearly a conflict of interest!

Congress didn't like this and put in a law to regulate it - requiring wire taps to be only for a specific person at a specific number.

In 1994 a US law was passed that required all digitally switched telephones to be built wiretap-enabled! The equipment was to be designed by the FBI, much to the chagrin of telephony providers.

This is problematic - in 2004-2005, it was discovered that some non-US diplomats had been wiretapped - but not by a government entity! (at least not officially). This was discovered when there were some problems with text messaging on one of these phones. They found the switch in Greece, which had been bought from a US company with the wire tapping software disabled - so no auditing software was enabled. Someone very knowledgeable with the switch used a rootkit to get in, turn on the wire tapping software and then targeted these diplomats! With no auditing software enabled, the Greek phone company had no idea this was happening until there were problems with the text messages! Once this illegal wire tap was discovered, the phones that were listening in suddenly went dark and the perpetrators were never found. Very scary stuff!

This is a clear example of how software made to "protect" us can actually be used to spy on innocent people - terrifying indeed!

All of this gets much more complicated with technology like VoIP (Voice over Internet Protocol), where people do not have a set phone number; it is done with the IP address, which will vary every time you reconnect your laptop or mobile device to the network. What this means is that it is very hard to pinpoint the caller - one of the risks here is that the wrong person will be eavesdropped upon.

Landau knows it is very important for society to have secure communications - to enable conversations with first responders, for example, and we need to have the technology to do this.

Landau continues on about how much more devastating natural disasters are than terrorist attacks, yet for some reason they don't get nearly as much news and political coverage as a terrorist attack. I wonder if we all feel we're more protected from a random natural disaster? Or if we are fascinated with how evil someone would have to be to purposefully hurt another human? hrm.

President Bush apparently authorized warrantless wire tapping in 2001 - and this was relatively unknown and undiscovered until 2007. She wrote an op-ed for the Washington Post on this topic, and next thing she knew, she was the expert on privacy. This is good, in that she now has Washington's ear, but she realized she needed to find more people to help support her in this and she was happy to find many intelligent, bright and like-minded folks.

Now she's been working on reviewing public policy - basically doing law reviews. Landau jokes that she feels she's in training to be a lawyer.

If you want to get into public policy, you need to learn their stuff: "laws, policies, motives", to speak well, write well and have great courage.  She believes these are all the traits that a good engineer should have as well, so perhaps it's a career path after all. :-)

Thursday Oct 01, 2009

GHC09: Technical Track: E-voting & privacy with health records

This session started out with a fun talk on electronic voting by Dr. Kathy S Faggiani, though it's unfortunate that she seemed to be preaching to the choir. It's not her fault - it seems only people really interested in security of voting and wary of the existing digital voting machines came to the room.

She did a fun experiment with her son that was inspired by California's Secretary of State, Debra Bowen, who had stated that she had to de-certify California's electronic voting machines because of all the mistakes they made that a first year computer science student wouldn't make. As her son was in his second year, he went and wrote a voting system... turns out his also wasn't as secure as it should've been :-)

Electronic voting is really tricky, though, as you all know. We, as individuals, want to know that our vote counted - but if we're given a receipt that shows how we voted (or with a number where we can look up later on the internet who our vote was cast for), we would be susceptible to vote coercion. This is also why I do not like absentee voting, and am saddened by the state of California's push to force us to do this by taking away polling places and "reminding" you about three times a year to sign up for permanent absentee voting status.

I've read too many stories about voter fraud and simply cannot trust our society to do the right thing in their own homes. I've already heard stories about ballots being stolen from mail boxes. *sigh*

Faggiani mentioned that Hawaii did "successfully" run an all electronic election, managed by Everyone Counts. While it was deemed a success, the voter turnout in this already low-voter state dropped by 83%. Seems like a disaster to me. Clearly the voting was not as accessible to all of the voting public as they thought it would be - since it was all done by cell phone or Internet.

The next talk was on A Cryptographic Solution for Patient Privacy in Electronic Health Records by Melissa Chase. Another area where we are very concerned with the integrity and privacy of the data, yet she pointed out many successful attacks on this information over the last few years. One very egregious example was a doctor that was blogging about his patient's records without their consent. Who needs hackers when someone is giving away your private data for free? *yikes*

Chase covered problems with different encryption key schemes, including saving the private key on the primary server and escrow systems, and went on to propose a hierarchical encryption scheme which seems promising.

She is a strong advocate of making sure the patient is in control of the data and decides where it can go and which doctor can see the data.

This is a fascinating area of research, very important to all of us, and could revolutionize health care in industrialized nations, but there are still many issues to solve like how to handle emergencies when the patient may not be able to "unlock" their data.

Wednesday Sep 30, 2009

Grace Hopper: PhD Forum 4

Sitting in my second packed room of the Grace Hopper conference! Considering we're still before "official" launch time, I can't believe how many women are here and how packed every session is!  Here in my first session in the PhD series, I'm excited to see three PhD students present their research.

An n-gram Based Approach to the Classification of Web Pages by Genre: Jane E Mason, Dalhousie University:

Mason is looking for a novel approach to doing classification of web sites by actual genre - not just keywords. For example, searching for a health condition and only showing you information pages instead of pages by drug manufacturers attempting to sell you something.

Mason chose to use n-grams, because they are relatively insensitive to spelling errors, are language independent, and relatively easy to program. She combines these and then processes them with the Keselj Distance Function, which is apparently "simple", but it has been a while since I've been in Differential Equations :-)

Mason and her team have been looking at how to let some web pages have multiple genres, which means that some pages end up with no genre - noise! While it's easy for a human to identify a nonsense/useless web page, I think it's pretty cool to get a computer to do this for you, so you won't even see it in the search results!

Ant Colony Optimization: Theory, Algorithms and Applications: Sameena Shah, Institute of Technology Delhi:

I've never heard of this type of optimization, so this was very interesting for me. Shah chose to study this area of optimization because ants don't have centralized coordination and they make great decisions based only on local information. She sees this as a great method to apply to distributed computing. Now, how do we get computers to leave pheromones on the path of least resistance?

Other than the lack of pheromones, another problem she had to solve is that ants don't always find the shortest path - if enough ants have taken a longer path before the short path is discovered, all of the ants in the colony will use the longer path and ignore the short path. Obviously, she doesn't want that shortcoming in her algorithm :-)

Shah does have a slide in her presentation which shows the statistical "solution", but it's a much more complicated formula than I ever saw in my intro to statistics course at Purdue. :)

Using Layout Information to Enhance Security on the Web: Terri Oda, Carleton University:

Ms Oda is a woman after my own heart, starting her presentation with an xkcd comic :-)

She starts her talk out talking about different types of security, like secure networks between companies. Oda tells us about how the threat models are no longer obvious: those seemingly innocuous applications on Facebook that have access to your private chats on the site and private emails, websites that don't properly protect passwords, and malicious users on the same forums. Her talk moved on to the types of threats she's actually trying to protect you against: cross-site scripting and previously good sites that have gone bad.

She makes an excellent point that most (all?) web pages are done by web designers (aka artists), NOT web security experts and with all their deadlines and basic functionality bugs, there is no time to even think about security. Is it any wonder we have so many attacks and vulnerabilities out there?

But how can we solve this? Schedules will never have enough padding and most people designing web sites did not receive a BS degree from Purdue (where we were told over & over again that security must be designed in from the beginning, not as an add-on).

She's looking at using heuristics to correctly identify different elements on a page so that it's visually evident which components on the page are from the site you're visiting or being served from an external site (like an ad).  I can't wait to see how her research turns out, and how much she can protect the user with a simple browser add-on!

Wednesday Aug 12, 2009

Reasonable Expectation of Privacy?

I've seen a lot of discussions lately about maintaining your privacy or personal identity on the Internet.

Let me tell you now - if you post something to a newsgroup, blog, Facebook, Myspace, Twitter, Friendster, Orkut, IRC, BBS, or send it in email to a mailing list, it's no longer private.  If you have a health condition you don't want people you work with to know about, don't blog about it or put anything in your Facebook status on it. Instead, talk to your doctor, talk to groups in person, keep a journal at the side of your bed.

I learned about the permanence of such things on the Internet in 1998 when I was interviewing for a job and the interviewer pulled up a little site called DejaNews, a great search engine for netnews that has since been subsumed by Google, and he instantly knew that at the time I had been learning to play the bass guitar, had a pet snake, and had previously worked as a SunOS/Solaris system administrator. He looked at the questions I had asked, to see if they were intelligent and well thought out. He looked at how I handled the responses I got. Was I gracious? Did I understand the information people were sharing with me?

Fortunately for me, I met his standards and the rest of the interview went well from there and I got the job. I was shocked, though; I knew of no such service! I thought that once your postings fell off the news server, they were gone forever. Boy, was I naive!

I watch younger people on Facebook and MySpace posting all sorts of crazy things. Very personal things. Sometimes it's simply venting, but other times the attacks can be targeted at a specific person or be revealing very personal information on themselves or their own lack of self control.

I think we're doing a great disservice to future generations if we aren't teaching elementary school kids about the Internet Archive and Google's massive cache. Our ability to grasp the repercussions of our online actions is not keeping up with the technology.

When I was a teenager, my worst fear was having a physical note I handed to someone end up being shared. But, that was one note. Now our equivalents in email and text messages can be digitally shared in seconds with hundreds of people, and you can't take it back.

Some people mistakenly believe that stuff on Facebook can only be seen by your friends. In general, depending on how you have security set up, that's true - unless someone uses a screen capture.  Take these recent "passive aggressive notes" - one woman ("exhibit d") actually managed to lose her job through Facebook (and this is not the first instance I've heard of for that). 

Yes, I realize she clearly was not thinking about who was in her friend list before posting, but it still could've been shared by someone else later. I've also seen examples of people screen capturing things that were obvious typos to use to embarrass people forever.

So, whatever you're doing, if you're doing it on the Internet in semi-public forums, don't expect it to be private.

Most of us would believe that at least we can still have privacy in our own homes...

(Oh, please don't mention wiretapping.... or message interception.....)

Tuesday May 19, 2009

vishing?!?! vishing?!

Okay, I learned a new word today - "vishing", which means using "voice" to "phish" data from people. Am I the only one that couldn't stop laughing after reading this word in the CNet article on vishing? It's good ol' fashioned social engineering, folks. Tele-scam. Nothing new, really, autodialers have been doing this nonsense for decades. And really, any old phone phreakers see the irony in "vishing" being the word associated with *phones*. Please tell me this won't catch on. I can't imagine the outrage in Beige-ing. ;-)

Thursday May 14, 2009

Community One West

I've just registered for CommunityOne West on June 1-3 in San Francisco's Moscone Center! I am actually excited about my first CommunityOne event, and my first chance to meet directly with community members since beginning my term on the OGB (OpenSolaris Governing Board).

The OGB will be doing a Town Hall on Monday at 6PM, so please come over, get to know us, and tell us what's on your mind! You can see this event and many others on the detailed schedule wiki. I am happy to see some security related talks! There is one by Dr. Christoph Schuba, a fellow Boilermaker, on Role-Based Access Control and the Cryptographic Framework, and another by Scott Rotondo on Secure Programming.

I'm not sure when registration closes, so if you want to go, sign up soon!

Thursday Feb 12, 2009

Psychology of a con

One of the biggest security weak spots in all systems is the user. Yes, there are many complicated processes for attacking networks and cracking password files, but why bother with that when you can simply ask an inside user for their network credentials? I'm just getting caught up on email so have just read Bruce Schneier's December Crypto-Gram which highlighted a great article by Paul J Zak called How To Run a Con. While this article is specific to traditional con men and their marks, this same logic can be applied to how easy it is to social engineer data out of so many users. We want to trust people, and most of all, we want to be trusted, too. Interesting reading!

Friday Dec 12, 2008

Rough Cut of Solaris Security book published!

I'm about to become a published author! Okay, currently I'm just credited as "Sun Microsystems Security Engineers", but it is a step in the right direction. Our organization found that a lot of papers and books out there on Solaris security were out of date, just plain wrong or missing coverage of cool features, so we thought what better way of setting the record straight than writing our own book?

Management got behind this, and many of the members from our organization set to writing an outline for the book and for each chapter and found an interested publisher.  Next came the hard part - writing the actual chapters! Okay, it wasn't that hard, because we all wrote about the technology areas we know and love, but we had to make tough calls on what to leave out and make sure we didn't miss any critical information.  Once we got all of our drafts together, Sharon Veach edited our work and wrote the introduction for the book, Solaris Security Essentials. The book is on Safari right now for review before we publish - please leave comments on the Safari site so nothing gets lost. The external link only shows excerpts, so if you are internal to Sun, please create a login using your Sun email address and look at the Sun Internal link.

I worked with Jan Pechanec and Darren Moffat on the Solaris Cryptographic Framework chapter, which is all based on Solaris 10 Update 4.  We leveraged work from my previous white paper and an updated paper by Wolfgang Ley. Some chapters appear to be missing still, but I'm sure they'll appear on the site over the next few days.

During this process I was told I use too many exclamation points in my writing, which (apparently) makes readers tired. How strange is that?


Valerie's former weblog. The new one can be found at http://bubbva.blogspot.com/