Wurstball

For everyone who doesn't read Fefe:

Great :)

The Lazy Programmer’s Guide to Secure Computing


small summary writeup:

  • how to write secure code in an imperfect world
  • code patterns for the “principle of least authority” (POLA), a sharp razor: too much authority and you get abuse, too little authority and you don’t get your job done
  • security and POLA in the mail envelope: every security principle serves another purpose as well
  • the OO paradigm could serve as a good security paradigm, too
  • most languages break the security properties of OO (e.g. by allowing stack access)
  • for various languages there are tools which fix these language problems and filter your code, thus enforcing the OO security properties (e.g. Caja by Google and Yahoo for JavaScript, Joe-E for Java, Emily for OCaml)
  • how could these patterns be carried over to distributed systems, the web? implementations: Waterken server / web-key
  • with these patterns in action, a web-money protocol can be implemented in about 30 LOC of Java
  • if POLA is used in larger OO software systems, you achieve ultra-deep defense in depth
  • with POLA, the risk-combining operation in an attack tree changes from OR to AND, so the economics of security change
    • when extending code, you mostly add unprivileged code
    • meanwhile you fix problems in the privileged code
    • thus, over time, code becomes more secure instead of less secure
  • we should use memory-safe OO languages and POLA principles

Bank bailout fund

Now that is a great idea once again: all the bad guys pay monthly into a pot, and whoever goes bust gets what's in it (aka the jackpot). And this bank levy is now supposed to minimize the risk of future crises? Sounds more like a game of chicken. Every first-semester economics student, heck, every high-school student with a social studies/politics class should see that this is going to go wrong.

Fotos

Daniel now has one of me, too:

Smart, eh?

If you want one: just get in touch with me.

Putting SSP back into Gentoo-hardened

One of the main advantages of Gentoo Linux is the availability of the hardened profile and kernel. The hardened profile enables a number of switches and features which, together with the hardened kernel (PaX and grsecurity patchset), provide a system with full address space layout randomization (ASLR) and stack-smashing protection (SSP). ASLR requires a kernel patch, called PaX, and all binaries to be built as position-independent executables/code (PIE/PIC). SSP, also known as stack canaries, is a pure compiler feature: the compiler inserts the canary check into each protected function, and only the failure handler (__stack_chk_fail) is provided by libc.

Now, the old GCC 3.4.6 series had this feature (coming from an old IBM patch called ProPolice). But the current stable compiler on Gentoo, GCC 4.3.4, doesn’t have it anymore. This means that current stable Gentoo-hardened systems are built without SSP.

How could we fix that? Using GCC 3.4.6 would most likely break a number of things, so it’s not really an option. But GCC 4.4.2 has a new SSP feature: a totally new implementation of the same idea. However, 4.4.2 is not the default compiler.

To use GCC 4.4.2, and with it SSP, on Gentoo-hardened, you have to add the hardened-dev overlay (layman -a hardened-development). Then you have to unmask =sys-devel/gcc-4.4.2-r2 in /etc/portage/package.unmask and install it. It is put into a new slot (4.4), so it doesn’t overwrite the old gcc by default. Once it’s compiled, you can enable it with gcc-config.
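Switching the compiler is only half the job; what you actually want to know afterwards is whether the rebuilt binaries carry the canary checks and are position-independent. The following script is an added example, not something from the original post or from Gentoo: it uses readelf (GNU binutils, assumed to be installed) to classify the files in a directory. The two parsing functions read readelf output from stdin, so they can be exercised on constructed text as well as on real files.

```shell
#!/bin/sh
# Added example (not from the original post): after the rebuild, verify that
# the installed binaries actually got the two properties the hardened profile
# is about. Assumes GNU binutils (readelf) is installed.
#  - SSP: every function that receives a canary ends with a call to
#    __stack_chk_fail (provided by libc), so a protected binary carries that
#    symbol as an undefined reference in its symbol table.
#  - PIE/PIC: a position-independent executable (like a shared library) has
#    ELF type DYN; a fixed-address executable has type EXEC.

# symtab_has_ssp: reads `readelf -sW FILE` output; succeeds if __stack_chk_fail
# (or __stack_chk_fail_local, used in static builds) is referenced.
symtab_has_ssp() {
    grep -q '__stack_chk_fail'
}

# header_is_pic: reads `readelf -h FILE` output; succeeds if the ELF type is DYN.
header_is_pic() {
    grep -q '^[[:space:]]*Type:[[:space:]]*DYN'
}

# classify_elf FILE: prints "ssp=yes|no pic=yes|no FILE".
# Caveat: with plain -fstack-protector only functions holding a char buffer of
# at least 8 bytes get a canary, so a tiny program may legitimately show ssp=no;
# -fstack-protector-all instruments every function.
classify_elf() {
    f=$1
    if readelf -sW "$f" 2>/dev/null | symtab_has_ssp; then ssp=yes; else ssp=no; fi
    if readelf -h "$f" 2>/dev/null | header_is_pic; then pic=yes; else pic=no; fi
    printf 'ssp=%s pic=%s %s\n' "$ssp" "$pic" "$f"
}

# audit_dir DIR: classify every regular ELF file directly inside DIR.
audit_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        # skip scripts and other non-ELF files by looking at the magic bytes
        case $(head -c 4 "$f" 2>/dev/null | od -An -c | tr -d ' ') in
            *177ELF*) classify_elf "$f" ;;
        esac
    done
}

# Usage: sh audit-hardening.sh /usr/bin | grep -v 'ssp=yes pic=yes'
if [ "$#" -gt 0 ]; then
    audit_dir "$1"
fi
```

Run it against /usr/bin and /usr/lib after the rebuild; anything still reporting pic=no was linked as a fixed-address executable and will not be randomized by PaX, and a large binary reporting ssp=no was most likely built before the compiler switch.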

After there were mostly positive reports on the gentoo-hardened mailing list, I just did that on my home box. The complete rebuild of the system with the new gcc is currently running. I’m confident that nothing breaks.

So if you have a server box with hardened, I’d suggest you do the same and switch over to the new GCC in the hardened-dev overlay. It seems to work well for most people and packages. If you have a server box without an ASLR kernel/system, i.e. not Gentoo-hardened, I’d suggest you do something about it anyway. I mean, even Windows has it (since Vista; XP SP2 only brought DEP).

Back to the 90s! (where things were secure)

As you might know, my blog/CMS solution is a heavily outdated Joomla/WordPress combo. I already found an XSS vulnerability in it myself. But I guess there are at least a hundred remote code executions in the WordPress components (although not directly exposed), not to speak of the ancient Joomla software. And all that is f*cking PHP code!!!11 ;)

Now, how do you run outdated and insecure PHP code?
Put simply: You don’t!

And that’s exactly what I intended to do. But at the same time I also was not too keen to migrate all the content to a new CMS/blog platform. So what could I do? Well, I just took it offline and moved the PHP code and the database to a local box. What you see here is an httrack mirror of the dynamic page, together with a tiny hack for the RSS/Atom feed. I have a small script that FTPs the locally generated httrack image to my website. Ahhh, no more unprotected credentials and login forms, no more sessions, no more cookies, just plain static HTTP.

Now I’m back in the good old 90s. But at least I don’t have to worry anymore :)

(The comment function was rarely used anyway, and I got a lot of spam to filter every day. Getting rid of the dynamic functions is not too huge a loss for me, I think.)

Now that I have this rolled out, I also think that this is a solution for a lot of other old websites. So if you’ve got one lying around with code you don’t really want to run anymore but with content you might still want, just put it through httrack. It feels a bit like rendering a vector image into a bitmap. Having as little code on the server as possible definitely helps reduce your attack surface.
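One way to automate the "render, check, upload" cycle, as an added example that is not the post author's script: the dynamic site runs on a local box, httrack renders it, a scan refuses to publish if any PHP source or HTML form survived in the mirror, and the result goes to the web host. SRC_URL and DEST are placeholders; httrack and rsync are assumed to be installed. The upload uses rsync over ssh instead of ftp, so the hosting credentials do not cross the wire in the clear (ftp sends them in plaintext, which would undo part of the gain from removing the login forms).

```shell
#!/bin/sh
# Added example (not the original post's script): rebuild the static mirror
# from the local copy of the dynamic site, check the result for leftovers a
# static host should never carry, and push it to the web server.
# Assumes httrack and rsync are installed; SRC_URL and DEST are placeholders.

SRC_URL=${SRC_URL:-http://localhost/}           # the dynamic site, now local only
MIRROR=${MIRROR:-$HOME/mirror}                  # httrack work directory
DEST=${DEST:-user@example.org:/var/www/htdocs/} # web host, reached via ssh

# mirror_site: render the site into $MIRROR. httrack puts the pages under
# $MIRROR/<host>/ and keeps its own state (hts-cache/, hts-log.txt) one level up.
mirror_site() {
    httrack "$SRC_URL" -O "$MIRROR" "+${SRC_URL}*"
}

# site_dir: the subdirectory httrack created for the host named in $SRC_URL.
site_dir() {
    h=${SRC_URL#*://}
    printf '%s/%s\n' "$MIRROR" "${h%%/*}"
}

# scan_mirror DIR: print paths of anything that does not belong in a static
# tree: server-side source (it would execute again if PHP were ever re-enabled
# on the host) and pages that still contain a form (its POST target is gone).
scan_mirror() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' \) -print
    find "$1" -type f \( -name '*.html' -o -name '*.htm' \) -exec grep -li '<form' {} +
}

# publish: upload only the rendered tree; --delete removes pages that vanished.
publish() {
    rsync -a --delete "$(site_dir)/" "$DEST"
}

# Usage: sh publish-static.sh run
if [ "${1:-}" = run ]; then
    mirror_site
    if [ -n "$(scan_mirror "$(site_dir)")" ]; then
        echo 'mirror contains dynamic leftovers, not publishing:' >&2
        scan_mirror "$(site_dir)" >&2
        exit 1
    fi
    publish
fi
```

The scan is deliberately strict: a leftover form is harmless on a host that serves nothing but files, but it is also the first sign that the mirror captured a page (login, comment, search) that was never meant to survive the move to static.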

Bill Gates on climate change and how to prevent it.

As much as I don’t like the products of his former company, in this talk at TED he has a point I can agree with: to overcome the nearly inevitable, we need a “miracle”, and this miracle has to come from research and economics. We have to find some technology that solves the energy crisis, is very cheap and doesn’t produce CO2. I don’t necessarily agree with his proposed technology, but the basic idea, I think, is correct. And we need to invent this technology in the next 40 years. It worked with the Manhattan Project, it worked with the Apollo Program, it could work here, too. Industry won’t do it on its own, because an investment in such a project is a huge risk and will bring a lot of sunk costs upon failure. The state is clearly needed here (as for any investment with huge fixed costs). But then why don’t our governments spend more on education and research in this area?

New GPG Key

Well, it seems my blog destroys even armored keys.
I guess you’ll find it on the key servers; the fingerprint is:
1515 1500 8CC3 CE35 52CD C7BD DAE1 1BBD 410E 04AF
The key ID is, of course: 410E04AF

trees


FED2d, 50mm, Ilford Delta 100, lab scan

berlin winter


FED 2d, 50mm, Ilford Delta 100, lab scan from neg