By martin on Feb 24, 2007
No news, but this is the first time I've seen bypassing a fingerprint scanner documented on TV, and on one of my favorite shows: Mythbusters.
Random ramblings of a paranoid git
"The question is not if you are paranoid, it is if you are paranoid enough."
It will allow you to send the complete binary audit trail off the system that generates the audit events to a remote system, where the audit trail is out of reach of an attacker who compromises the system generating the events.
It was with great interest that I watched the events related to the remote telnet exploit (102802) on Sunday.
I've put down a timeline (in PST/GMT-8) of the events, so you can follow how quickly people reacted:
From report to integrated fix in 9 hours - not bad! Especially since this was on a Sunday. Lots of people were involved in this, but the one who deserves the most praise is Dan McDonald.
Apart from this, the event resulted in a spree of emails on how we can improve - everything from the bug/development/rti process, to the external communication. I think we handled this first OpenSolaris fire drill very well, but it is far from perfect. We can certainly do better on the communications part - one should always strive to better oneself!
If you have feedback and/or suggestions on what we can/should improve in this process, let us know by posting here.
This exhibit is a set of emails from the Visual J++ product manager Prashant Sridharan, which unfortunately didn't surprise me:
"Screw Sun, cross-platform will never work. Let's move on and steal the Java language."
I'd like to point out two things to Mr Sridharan:
I didn't buy Microsoft stuff before, and after seeing this, they'll be making snowmen in hell before I do!
Note: they seem to have added a user and password requirement since I wrote the blog entry, but it exists in Google's cache.
Since the folks at Sun in Sweden who are organizing Sun's participation at the conference could not get hold of me in time (I'm still in California), they invented a bio for me and wrote that I'll speak about "something generic on security", but I think I'll talk about project Jackpot and how we (the Java SE Security team) plan to use it to look for security problems in code, and hopefully demo it too.
I'm working from Santa Clara for two weeks! I'm here to meet my new boss and my new team.
It is good to be able to put a living face on the names of people. It makes me feel more part of the Java SE security group.
I always enjoy going to California, but two weeks away from my fiancé is a long time, and when I get home it is just to pack my bags and head for the FIRST TC.
[Technorati Tags: Java ]
A recent thread at TheServerSide.com discussed the use of a SecurityManager. Most people seem to be running without a SecurityManager, so I'd like to post an open question to the audience: do you use a SecurityManager, and if not, why? We'd like to know what we can do to make it easier/better.
Summing up the thread, there are two main reasons people give for not using a SecurityManager:
While others use a SecurityManager because of:
I'll try to measure the performance impact of enabling a SecurityManager in Glassfish and post the results so we can start to look at improving the performance.
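As an added example (not code from the original post or from Glassfish), the following program shows the two things the thread is really about: what a SecurityManager running under the default policy actually denies, and how much a permission check costs per call. The file path is an assumed test input; the check counter and the timing loop are my own additions.

```java
import java.io.File;
import java.security.Permission;

// Added example, not code from the original post: installs a SecurityManager
// at runtime, shows what the default policy denies, and gives a rough figure
// for the cost of the permission checks the thread was worried about.
public class SecurityManagerDemo {

    // A SecurityManager that counts every permission check it is asked to
    // make, then defers to the standard, policy-based decision.
    static final class CountingSecurityManager extends SecurityManager {
        static volatile long checks = 0;

        @Override
        public void checkPermission(Permission perm) {
            checks++;                    // no println here: it would recurse into more checks
            super.checkPermission(perm); // AccessController.checkPermission against the Policy
        }
    }

    // File.canRead() calls SecurityManager.checkRead(path) before touching the
    // file system. The default java.policy grants application code no
    // FilePermission at all, so this is denied once a manager is installed.
    static boolean readAllowed(String path) {
        try {
            new File(path).canRead();
            return true;
        } catch (SecurityException denied) {
            return false;
        }
    }

    // Rough per-call cost of a property read that the default policy does
    // grant ("java.version"), so the loop measures check overhead, not failures.
    static double nanosPerPropertyRead(int iterations) {
        long start = System.nanoTime();
        for (int i = 0; i < iterations; i++) {
            System.getProperty("java.version"); // -> checkPropertyAccess -> checkPermission
        }
        return (System.nanoTime() - start) / (double) iterations;
    }

    public static void main(String[] args) {
        String path = args.length > 0 ? args[0] : "/etc/passwd"; // assumed test path
        int n = 1000000;

        System.out.println("no manager:   read allowed=" + readAllowed(path)
                + "  property read ns/op=" + nanosPerPropertyRead(n));

        // JDK 18 and later require -Djava.security.manager=allow for this call;
        // JDK 24 removed the SecurityManager entirely.
        try {
            System.setSecurityManager(new CountingSecurityManager());
        } catch (UnsupportedOperationException e) {
            System.out.println("runtime SecurityManager disabled on this JDK: " + e.getMessage());
            return;
        }

        long before = CountingSecurityManager.checks;
        boolean allowed = readAllowed(path);
        System.out.println("with manager: read allowed=" + allowed
                + "  permission checks for one canRead()=" + (CountingSecurityManager.checks - before)
                + "  property read ns/op=" + nanosPerPropertyRead(n));
    }
}
```

Run it with `java SecurityManagerDemo` and the read is allowed before the manager is installed and denied afterwards. To grant the read instead, put `grant codeBase "file:./-" { permission java.io.FilePermission "/etc/passwd", "read"; };` in a policy file and start the JVM with `-Djava.security.policy=demo.policy`. The ns/op numbers are only a crude single-run figure (no JIT warm-up); measuring Glassfish properly needs a real load test, but the check counter already shows that one innocuous-looking call can trigger several stack-walking permission checks.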
A couple of days ago I started to use the MailTags extension to Mail.app, and it has made my life a lot easier!
It allows me to put emails into projects, add keywords to them and associate them with iCal TODOs. Very handy when you're trying to juggle a bunch of projects at the same time and get tons of email every day. I only get about 300 every day, and MailTags makes it so much easier to sift through them quickly.
[Technorati Tags: Mac OS X ]
Two weeks have passed since I started my new job as security geek in the Java SE security team. What have I accomplished so far?
For starters I've already reviewed three incident reports, all of which were genuine. I've pulled down the source for both 1.5.0 and Mustang and built Java from scratch on my Nevada lab machine. I've arranged access to the JSN lab systems, and set up OpenGrok indexing of the Mustang source (on a Sun internal system).
I've also bought and started to read the Java Language Specification book (3rd ed.). Not only is it a 600+ page brick, it is as boring as it gets, but to be able to be proactive I need to know the bounds within which Java operates.
I have two full shelves of Java books in my study, and reading through them has been a breeze. The Language Specification will cure even the most severe case of insomnia!
Since the second week was the "July shutdown" things have been very quiet, so I've had plenty of time to read.
That's it I guess. Time for bed!
[Technorati Tags: Java ]
On Monday I will begin a new era! I'm leaving Sun IT and moving to Java engineering. I'll no longer be a security geek; instead I'll be a Java security geek!
I'm moving to the Java SE security group, and will work on proactive security. We haven't defined exactly what I'm going to focus on yet. It will naturally involve bug verification and fixing, and also trying to make the VM and core classes more secure. You can expect a large number of blogs on Java security from me...
I'm sad to leave my old colleagues, but very excited to be working on making Java even more secure. I've been in Sun IT for almost six years now, and we have had our ups and downs. All in all it was a great experience and I've learnt a lot during my years in the Network Security Group, which has had celebrity members such as: Alec Muffett, Casper Dik, Danny Smith & Dan Farmer.
Do you want to be a Sun Certified Security Administrator for the Solaris 10 Operating System?
On the 3rd of July you can sign up for the free beta exam of the certification. We need to test the questions before we make the certification available to the public, so we need your help. As a bonus: if you pass the exam you will get your certification!
Before you sign up you should read this email from our head mistress:
If you are an expert security administrator, this is your opportunity to get involved in the creation of the new Solaris 10 Sun Certified Security Administrator exam! As a beta tester, you officially test the test and will be able to provide Sun with valuable comments and technical feedback about the questions. Sun beta exams count towards official Security Certification! Recommended prerequisites: Twelve months job-role experience administering security in a Solaris Operating System and previous Solaris OS system and network administration.
I've spent this week in Broomfield (Colorado), writing questions for the Solaris 10 Sun Certified Security Administrator exam. Despite what you may think, it is hard work! Our head mistress, Yvonne, is whipping us hard to come up with good questions. She is very demanding, but she makes sure we enjoy ourselves too.
We are a bunch of security geeks from all over Sun (and the world), who are spending 5 days here to create what will be the examination questions. Each of us has our own specialty, so my focus has been on Solaris Auditing, but I have written questions for a bunch of other areas too.
This evening we went to Boulder for dinner, not far from where Mork and Mindy lived. It is a really nice place, and if it weren't for the dry air, I would consider moving here. I wake up every morning with a nose-bleed, and I am not the only one in the group who has that problem.
Tomorrow is the last day of work here. All we have to do is to finish the technical review of the questions in the last section of the exam. We have to make sure that the questions are technically correct and unambiguous, which usually results in a lot of man-page reading and discussions.
On Sunday I fly back to Sweden. It'll be good to get back home; even if we are having a very good time here, I miss my fiancé.