February 2016

Working With the White House

By Blogs

Head over to Linux.com to read Jim Zemlin’s latest blog posting The Linux Foundation’s Core Infrastructure Initiative Working with White House on Cybersecurity National Action Plan.

We are pleased The White House recognizes the work that CII has been doing to improve the security of open source software as it’s used on the Internet and by business and government. We look forward to working closely with the White House and the Department of Homeland Security as they implement CNAP and believe that private-public partnerships of this kind can have a major impact on improving security best practices.

CIO: Linux goes to Washington: How the White House/Linux Foundation collaboration will work

By In the News

Swapnil Bhartiya interviewed Jim Zemlin about the mention of CII in President Obama’s Cybersecurity National Action Plan and wrote about it in an article called Linux goes to Washington: How the White House/Linux Foundation collaboration will work. No doubt by now you’ve heard about the Obama Administration’s newly announced Cybersecurity National Action Plan (CNAP). But what you may not know is that the White House is actively working with the Linux and open source community for CNAP.

Read more at CIO.

Linux.com: 7 Things to Consider Before Fuzzing a Large Open Source Project

By In the News

Linux.com published CII’s Emily Ratliff’s article on 7 Things to Consider Before Fuzzing a Large Open Source Project.

Dr. Wheeler recommends, “I’d consider writing a fuzzer specific to the project’s APIs & generate random inputs based on them, and adding lots of assertions that are at least enabled during fuzzing. If you know your API (or can introspect it), creating a specific fuzzer is pretty easy – grab your random number generator, set up an isolated container or VM for the fireworks, and go.”

Read more at Linux.com.

This Anti-Pattern Must Die

By Blogs

One of the fun things about working in computer security is the emotional rollercoaster that vendors and journalists use to try to sustain attention on security topics, get dollars spent, and get bugs fixed. “If this patch isn’t applied immediately, then the earth will be hit by asteroids and we are all going to DIE!” “If you don’t buy this security  product, then your network will be hacked and you will be FIRED!”

With that said, there is one security anti-pattern that really must die an immediate death. I promise not to name and shame, but if you are doing this, please stop immediately, especially if you are doing it with a security package.

The issue at hand is the damage caused when users follow instructions similar to the following:

“1. Install the apt-get repository key:

# apt-key adv --fetch-keys http://<removed to protect the guilty>/repos/apt/conf/<removed>.key

2. …”

A pattern closely related to the above:

“$ wget http://<url removed>/<removed>.key | sudo apt-key add -

2. …”

While I’m off crying softly in the corner — LOOK OUT FOR ASTEROIDS! You can read calm and well-reasoned arguments for why this (and its cousin where the key is acquired over HTTP via wget) is such a bad practice on StackExchange and in the Debian manual. Hint: from this point forward, the database of keys used to validate packages prior to installation and update can no longer be trusted to contain only non-malicious keys, because anyone who could tamper with that unauthenticated HTTP download could have substituted a key of their own.

Once you have recovered from the shock of awareness of what you have done to anyone who was foolhardy enough to follow your instructions, head over to Let’s Encrypt to get an SSL certificate. Also, publish the key’s fingerprint along with instructions for users on how to validate the key.
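What those user-facing instructions can look like once the fingerprint is published: an added example written for this post, not taken from any project’s documentation, that fetches the key over HTTPS only, checks its fingerprint against the published value, and installs it only on a match. It assumes GnuPG 2.1 or later and curl; the URL, keyring path and fingerprint are placeholders.

```shell
#!/bin/sh
# Added example: fetch a repository signing key over HTTPS, verify its
# fingerprint against the value the project publishes out of band, and only
# then install it. URL, keyring path and fingerprint below are placeholders.
set -eu

KEY_URL="https://repo.example.org/repos/apt/conf/example.key"   # placeholder
KEYRING="/etc/apt/keyrings/example-archive-keyring.gpg"           # placeholder
# Placeholder 40-hex-digit fingerprint, as a project would publish it on its
# website or in its docs. The real value must come from the project, never
# from the download being checked.
EXPECTED_FPR="0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"

# Normalise a fingerprint for comparison: drop whitespace, upper-case hex.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Return 0 when two fingerprints denote the same key, 1 otherwise.
fpr_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Print the primary-key fingerprint of an armored or binary key file without
# importing it anywhere (gpg colon output, "fpr" record, field 10).
key_fingerprint() {
    gpg --batch --with-colons --import-options show-only --import "$1" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

install_repo_key() {
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    # --proto '=https' makes curl refuse any redirect down to plain http.
    curl --proto '=https' --tlsv1.2 -fsSL -o "$tmp" "$KEY_URL"
    actual=$(key_fingerprint "$tmp")
    if ! fpr_matches "$actual" "$EXPECTED_FPR"; then
        echo "fingerprint mismatch: got $actual, expected $EXPECTED_FPR" >&2
        return 1
    fi
    # Keep the key in its own keyring and reference it from the sources entry
    # with [signed-by=...] rather than adding it to apt's global trusted set.
    gpg --batch --dearmor < "$tmp" | sudo tee "$KEYRING" > /dev/null
}
```

Run install_repo_key after filling in the real URL and the fingerprint copied from the project’s site; a mismatch leaves apt’s keyrings untouched.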

If you see this pattern online or if you are working on an open source project which uses this anti-pattern, please feel free to drop me a line at eratliff at linuxfoundation dot org or ejratl at gmail dot com.