Saturday Feb 24, 2007

Don't rely on just biometric identification

No news, but this is the first time I've seen bypassing a fingerprint scanner documented on TV, and on one of my favorite shows: Mythbusters

Monday Feb 19, 2007

Remote audit trail storage project

Tomas have started to work on the remote audit storage trail project now, which is one of the most requested features.

It will allow you to send the complete binary audit trail off the system that generates the audit events, to a remote system where the audit trail is out of reach of an attacker who compromises the system generating the events.

<script type="text/javascript"> digg_url = ''; digg_topic = 'security'; </script> <script src="" type="text/javascript"></script>

[Technorati Tags: ]

Tuesday Feb 13, 2007

Rapid response

It was with great interest I watched the events related to the remote telnet exploit (102802) on Sunday.

I've put down a timeline (in PST/GMT-8) of the events, so you can follow how quickly people reacted:

  • Feb 11, 2007 09:35
    Link to the exploit posted in the security-discuss forum.
  • Feb 11, 2007 11:45
    Bug filed (6523815, only accessible within Sun) and reply posted to the security-discuss forum.
  • Feb 11, 2007 15:03
    First fix available internally
  • Feb 11, 2007 15:54
    Code review performed
  • Feb 11, 2007 16:46
    Newer, better, fix - involves using login(1)'s getopt() compliance and passing "--" between everything else and $USER.
  • Feb 11, 2007 16:51
    RTI draft created
  • Feb 11, 2007 18:25
    RTI submitted
  • Feb 11, 2007 18:31
    RTI approved
  • Feb 11, 2007 18:33
    Fix integrated into Nevada

From report to integrated fix in 9 hours - not bad! Especially since this was on a Sunday. Lots of people were involved in this, but the one how deserve the most praise is Dan McDonald.

Apart from this, the event resulted in a spree of emails on how we can improve - everything from the bug/development/rti process, to the external communication. I think we handled this first OpenSolaris fire drill very well, but it is far from perfect. We can certainly do better on the communications part - one should always strive to better oneself!

If you have feedback and/or suggestions on what we can/should improve in this process, let us know by posting here.

[Technorati Tags: ]

Screw Sun, cross-platform will never work

I just came across a very interesting document from Microsoft which shows their original intentions with Java. It is exhibit 2768 in Comes et al. v. Microsoft.

This exhibit are emails from the Visual J++ product manager Prashant Sridharan, which unfortunately didn't surprise me: "Screw Sun, cross-platform will never work. Let's move on and steal the Java language."

I'd like to point out two things to Mr Sridharan:

  • I guess you were wrong, cross-platform does work, and
  • I would not like to be in your shoes now

I didn't buy Microsoft stuff before, and after seeing this, they'll be making snow men in hell before I do!

Note: they seem to have added user and password requirement on since I wrote the blog entry, but it exists in Google's cache.

[Technorati Tags: | ]

Saturday Sep 16, 2006

Speaking at Øredev

I just got asked to speak at Øredev developer conference, which is held in Malmö between the 14th and 16 of November.

Since the folks at Sun in Sweden who are organizing Sun's participation at the conference could not get hold of me in time (I'm still in California), they invented a bio for me and wrote that I'll speak about "something generic on security", but I think I'll talk about project Jackpot and how we (the Java SE Security team) plan to use it to look for security problems in code, and hopefully demo it too.

Wednesday Sep 13, 2006

Benchmarking the SecurityManager using DTrace

Tomorrow I'm going to start benchmarking Glassfish with and without a SecurityManager, to figure out the performance impact of running with one enabled.

It will give me a chance to try out Kelly O'Hair's DTrace Java provider. Information on how to use DTrace with Java is available in Bryan's and Adam's blogs.

[Technorati Tags: ]

Monday Sep 11, 2006

Meeting my new boss

I'm working from Santa Clara for two weeks! I'm here to meet my new boss and my new team.

It is good to be able to put a living face on the names of people. It makes me feel more part of the Java SE security group.

I always enjoy going to California, but two weeks away from my fiancé is a long time, and when I get home it is just to pack my bags and head for the FIRST TC.

[Technorati Tags: ]

Wednesday Aug 30, 2006

Do you use a SecurityManager?

A recent thread at discussed the use of a SecurityManager. Most people seem to be running without a SecurityManager, so I'd like to post an open question to the audience: do you use a SecurityManager, and if not, why? We'd like to know what we can do to make it easier/better?

Summing up the thread, some have two main reasons for not using a SecurityManager:

  • Configuring permissions is difficult
  • Turning on security affects performance

While others have use a SecurityManager because of:

  • SecurityManagers (in EE) are often used just to enforce certain programming paradigms that are not necessarily security-specific (EJB's should not write to the file system, servlets should not spawn threads)
  • SecurityManagers are especially needed if you're running untrusted code
  • Even if you're only running trusted code, SecurityManagers can still be useful in preventing vulnerabilities caused by buggy software

I'll try to measure the performance impact of enabling a SecurityManager in Glassfish and post the results so we can start to look at improving the performance.

[Technorati Tags: ]

Saturday Aug 19, 2006

A very handy addition to

A couple of days ago I started to use the MailTags extension to, and it has made my life a lot easier!

It allows me to put emails into projects, add keywords to them and associate them with iCal TODOs. Very handy when you're trying to juggle a bunch of projects at the same time, and get tons of email every day. I only get about 300 every day, and MailTags make it so much easier to sift through them quickly.

[Technorati Tags: ]

Friday Jul 07, 2006

Review of my first two weeks at the Java SE security team

Two weeks have passed since I started my new job as security geek in the Java SE security team. What have I accomplished so far?

For startes I've already reviewed three incident reports, which all have been genuine. I've pulled down the source for both 1.5.0 and Mustang and built Java from scratch on my Nevada lab machine. I've arranged access to the JSN lab systems, and setup OpenGrok indexing of the Mustang source (on a Sun internal system).

I've also bought and started to read the Java Language Specification book (3rd ed.). Not only is it a 600+ page brick, it is as boring as it gets, but to be able to be proactive I need to know the bounds which Java operate with in.

I have two full shelves of Java books in my study, and reading through them have been a breeze. The Language Specification will cure even the most severe case of insomnia!

Since the second week was the "July shutdown" things have been very quiet, so I've had plenty of time to read.

That's it I guess. Time for bed!

[Technorati Tags: ]

Thursday Jun 22, 2006

A new era

On Monday I will begin a new era! I'm leaving Sun IT and moving to Java engineering. I'll no longer be a security geek, instead I'll be a Java security geek!

I'm moving to the Java SE security group, and will work on proactive security. We haven't defined exactly what I'm going on focus on yet. It will naturally involve bug verification and fixing, and also trying make the VM and core classes more secure. You can expect a large number of blogs on Java security from me...

I'm sad to leave my old colleagues, but very exited to be working on making Java even more secure. I've been in Sun IT for almost six years now, and we have had our ups and downs. All in all it was a great experience and I've learnt a lot during my years in the Network Security Group, which have had celebrity members such as: Alec Muffet, Caper Dik, Danny Smith & Dan Farmer.

Sunday Jun 18, 2006

Beta testing

Do you want to be a Sun Certified Security Administrator for the Solaris 10 Operating System?

On the 3rd of July you can sign up for the free beta exam, of the certification. We need to test the questions before we make the certification available to the public, so we need your help. As a bonus: if you pass the exam you will get your certification!

Before you sign up you should read this email from our head mistress:

If you are an expert security administrator, this is your opportunity to get involved
in the creation of the new Solaris 10 Sun Certified Security Administrator exam!  As 
a beta tester, you officially test the test and will be able to provide Sun with 
valuable comments and technical feedback about the questions. Sun beta exams count
towards official Security Certification!

Recommended prerequisites: 

Twelve months job-role experience administering security in a Solaris Operating System
and previous Solaris OS system and network administration.

Good luck!

Wednesday Jun 14, 2006

Secure by default

As of build 42 Nevada is now "Secure by Default"![Read More]

Thursday Jun 08, 2006

Nanoo nanoo

I've spent this week in Broomfield (Colorado), writing questions for the Solaris 10 Sun Certified Security Administrator exam. Despite what you may think, it is hard work! Our head mistress, Yvonne, is whipping us hard to come up with good questions. She is very demanding, but she makes sure we enjoy ourselves too.

We are a bunch of security geeks from all over Sun (and the world), who are spending 5 days here to create what will be the examination questions. Each of us have our own specialty, so my focus have been on Solaris Auditing, but I have written questions for a bunch of other areas too.

This evening we went to Boulder for dinner, not far from where Mork and Mindy lived. It is a really nice place, and if it weren't for the dry air, I would consider moving here. I wake up every morning with a nose-bleed, and I am not the only one i the group who have that problem.

Tomorrow is the last day of work here. All we have to do is to finish the technical review of the questions in the last section of the exam. We have to make sure that the questions are technically correct and unambiguous, which usually results in a lot of man-page reading and discussions.

On Sunday I fly back to Sweden. It'll be good to get back home, even if we are having very good time here, I miss my fiancé.

Tuesday May 23, 2006

New PGP key

My old PGP key expired, so I've just created a new one, with the key id 0xAA514677 and fingerprint 4395 A18A 512A 832A 5C4F 666B DDDF 2041 AA51 4677

[Technorati Tags: ]




« July 2016