Category Archives: Security

Security

Qubes Alpha 2 Released

Leave a comment

Taking virtual machines to the application level seems to be the goal of Qubes, which is yet another hypervisor based on Linux. Perhaps the name YAH was not appealing?

It uses the phrases “lightweight virtual machine”, “work virtual machine” and “Disposable VMs” as well as “AppVMs” in the documentation. It is an interesting concept, along the lines of sandboxes, applets, chroots, LPARs, LVMs, etc. and similar trusted computing architectures that have been around for ages. In the Qubes model each application is meant to run in a virtual machine space so attacks find harder to escape. You can run a financial VM and a gaming VM, for example, that would be isolated in the same way as running a financial computer and a gaming computer.

I have run a similar setup for years. Not sure what would make anyone want to switch to a Qube. AFAIK no one has every accused Joanna Rutkowska of understatement in her marketing.

With that being said, her Invisible Things Lab’s blog announced today Qubes Alpha 2 released!

The Alpha 2 is out!
New screenshots are here :)

Exclamation! Exclamation! Can you believe that this virtually hyped sandbox will be any different than the many open source ones already available such as Nizza and the Nova microhypervisor?

Security

Opscode Platform Released

Leave a comment

Opscode has announced their Commercial Platform is now available to the public

Opscode, Inc., a cloud infrastructure automation company, today announced the limited beta release of the Opscode Platform, the world’s first hosted configuration management service. The Opscode Platform makes the popular open-source configuration management tool Chef even more powerful and easy to use.

Chef is an open source project that allows administrators to write “recipes” and automate builds in a cloud environment. It can provision web servers all configured the same way, for example.

I was just watching an example of how efficient this can be when I noticed a typo in permissions that would create a weakness. This reminded me of the double-edged swords of administration. Although it’s fantastic to be able to deploy hundreds or thousands of servers with the click of a button, deploying hundred or thousands of insecure servers can create a real nightmare. Yet another example of how security in the cloud might look different to some.

History, Security

Terror and the Great Fire of London

1 Comment

I have searched the city of San Francisco for a museum and historical record of the great fire of Aptil 18, 1906. The best, so far, seems to be the Virtual Museum of the City of San Francisco and a collection of images and letters on a few walls in the Bay Model Visitor Center in Sausalito. Another collection is in the Fairmont Hotel. None tells a complete story but they do reveal much controversy at the time that is probably far from anyone’s mind today.

The resident federal militia started a campaign to dynamite large sections of the city to back-burn as well as establish a fire break. This apparently is why Van Ness avenue is so wide. Some said the fires created by the Army were far worse than the quake causing far more destruction to the city. The San Francisco Museum has letters that suggest residents actually were in favor of burning down their own homes to collect insurance.

The death toll is another example. It is said to have been severely underestimated for three reasons. First, politicians wanted to paint a positive picture and keep property values high. The reality was that the city had such severe displacement that Los Angeles quickly gained prominence as a new port for commerce in the West. Second, racism prevented many thousands of people living in China Town from being counted. Third, the Army had been authorized to shoot and kill anyone suspected of looting. With more than 400,000 residents approximately 4,000 troops killed around 500 people; the quake was said to have killed 3,000.

This post, however, is not really about San Francisco. The BBC reports that the Great Fire of London in 1666 is being recast. Today we can look back at this disaster and learn a great deal about investigations and security.

Everyone learns at school that the fire raging for four days in that hot, dry summer began in a bakery in Pudding Lane.

But a new Channel 4 documentary focuses on the lesser known story of the fire – it sparked a violent backlash against London’s immigrant population, prompted by the widely-held belief at the time that it was an act of arson committed by a foreign power.

The countries already least in favor with the English, the Netherlands and France, were quickly suspected of some involvement. The BBC tells of how the British Navy attacked the Dutch weeks before the fire. That created a sense of victory that turned to guilt and led people to believe the Dutch were counter-attacking. The desire to find a cause of terror also led many to blame Catholics, whom they already disliked. Interrogation practices during an investigation ended with officials placing blame on immigrants from France, and one man in particular:

At the end of September, the parliamentary committee was appointed to investigate the fire, and a French Protestant watchmaker, Robert Hubert, confessed to having deliberately started the fire at the bakery with 23 conspirators.

Although his confession seemed to change and flounder under scrutiny, he was tried and hanged. Afterwards, colleagues told the inquiry Hubert had been at sea with them at the time, and the inquiry concluded the fire had indeed been an accident. No-one knows why he confessed.

I suspect the toll from this fire is wildly underestimated and there was likely to be conspiracy that made the fires spread, similar to San Francisco. Wanton destruction could have been a natural reaction to the plague of 1665. While the San Francisco fire is a study of human behavior relative to technology and liability a clear lesson in the London fire is how prejudice dictates a sense of security. We must fight the urge to satisfy ourselves with false resolutions and declarations, such as this one:

Until the 19th Century, the plaque at London’s Monument stated that followers of the Pope were to blame, says Ms Horth, and named Hubert as the fire-starter. It was only after Catholic emancipation in the 19th Century that the government decided the plaque was inflammatory and had those inscriptions removed.

Speaking of plagues, we know today that the disease was spread by rats and fleas. Those who washed regularly as part of their customs were unlikely to be infected. Some deduced in the 1300s that this meant a group of people were to blame. Those who practiced clean living and did not get the plague were thus attacked for being its cause.

Monty Python’s “She’s a Witch” skit does a fair job of reenacting how fear can have a powerful yet absurd influence on the concepts of security and justice.

Security

US Supreme Court Shoots Down Gun Control

Leave a comment

When I read about gun control in America I am reminded of a presenter at the RSA Conference who said he specialized in security certifications. He told me he recommended that people spend time at a firing range to meet their Continuing Professional Education (CPE) requirements. I suggested this was not a reasonable test of information security knowledge, but I knew right away that he was not hearing me…especially in his right ear, the one closest to his pistol.

With that in mind the big story today is that the US Supreme Court extends gun rights by shooting down local and state authority on guns. The court was asked to review a gun ban in Chicago, which has some sobering statistics:

The Supreme Court’s decision follows a weekend in which 29 people in Chicago were shot, three of them fatally, according to local media.

The Chicago Sun-Times reported that 54 people were shot, 10 of whom died, the previous weekend as well.

I am tempted to ask whether those for and against the ban predict what the numbers will look like. The New York Times has a caustic editorial that seems to suggest deaths must go up when the bans are removed:

About 10,000 Americans died by handgun violence, according to federal statistics, in the four months that the Supreme Court debated which clause of the Constitution it would use to subvert Chicago’s entirely sensible ban on handgun ownership.

The 5-4 decision centered on whether an individual’s possession of a gun should be protected under the phrase “A well regulated Militia”. It did not address whether the ban was effective as a means of preventing death. It also did not address whether militias, in present day terms, are a threat or benefit. Regulation instead was said to mean that guns should be kept only from the hands of felons and mentally ill. The irony of this definition for me seems to be that both may be best defined by how someone acquires and uses a gun, as in the cases of University of Iowa, Virginia Tech and Columbine. The US certainly does not have a great record of identifying, let alone treating, the mentally ill. With weakened bans, will there be any pressure to regulate better and prevent this kind of story?

Neighbor Monte W. Mays said Speight was cordial and friendly. He had long been a gun enthusiast and enjoyed target shooting at a range on his property, Mays said. But the shooting recently became a daily occurrence, with Speight firing what Mays said were high-powered rifles.

“Then we noticed he was doing it at nighttime,” and the gunfire started going deeper into the woods, Mays said.

Then they noticed a homicide.

Imagine if the courts instead said that whereas the mentally ill are not readily and reliably identified, and whereas the mentally ill who are identified are not readily and reliably treated, therefore mental illness is not a wise litmus for “well regulated” militias.

This news has another point that seems somewhat ironic. Groups that are opposed to federal control are the ones now in favor of this particular federal ruling, which explicitly states state and local governments must follow federal law.