
Linux and Security Blog

Thoughts from Time to Time on Linux and Security

I have written a number of courses for Learning Tree International, a training company, in the areas of Linux, networking, and cybersecurity. I have written a course on Linux servers which is still running. Other courses I have written for them have been retired, as they could no longer make enough sales. I suspect this is because those courses were too advanced for their primary market, U.S. government employees and contractors in the Washington, D.C. area. Those courses were in Linux network services, Linux/UNIX security, and Linux/UNIX troubleshooting and performance tuning.

They more recently asked me to develop a course on cloud security, and after I completed that, to write a weekly blog for them. In 2014, that started to shift to content about Linux and security in general. Here are links to the blog postings I have written. I have listed them here by month, with each month's essays in order (more or less, to keep some multi-part series together).

I try to keep this page updated, but it can take them a surprisingly long time to do whatever SEO fiddling they want to do before posting these to their site. I wait until they have a full month's done before updating this page of links, so this list may be up to two months behind.

May 2016

PolicyKit Authentication Framework: From Authentication to Authorization
PolicyKit Authentication Framework: Creating Your Own Rules

PAM stands for Pluggable Authentication Modules, but over the years a lot of authorization logic was stirred into it. Authentication (proving who you are) is the first step; authorization (deciding what you may do) is a separate, later step. PolicyKit, or simply polkit, handles authorization. With the move from Red Hat/CentOS 6 to 7, some of the authorization that had been done inappropriately in PAM on version 6 moved to polkit. Here's what all that is about and how to work with it.
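As an added example (not code from the original posts), here is the shape of a local polkit rule and a script that installs and checks it. The rule lets members of one group manage one systemd unit without a password and leaves every other request to the packaged defaults. The group name "webops" and unit "nginx.service" are placeholders; the action id org.freedesktop.systemd1.manage-units and the "unit" and "verb" details are what systemd passes to polkit for systemctl operations.

```shell
#!/bin/sh
# Added example, not code from the original posts: install a polkit rule that
# lets members of one group manage one systemd unit without a password, and
# let polkit's packaged defaults decide everything else.
# Assumptions: group "webops" and unit "nginx.service" are placeholders.

write_polkit_rule() {
    rules_dir=${1:-/etc/polkit-1/rules.d}   # local admin rules live here
    group=${2:-webops}
    unit=${3:-nginx.service}
    rule_file="$rules_dir/10-$group-$unit.rules"
    mkdir -p "$rules_dir"
    # Files in rules.d are evaluated in lexical order, so a low numeric prefix
    # runs before packaged rules. The first addRule callback that returns
    # something other than NOT_HANDLED (or null) decides the request.
    cat > "$rule_file" <<EOF
// Generated example rule: $group may manage $unit without a password.
polkit.addRule(function(action, subject) {
    if (action.id != "org.freedesktop.systemd1.manage-units") {
        return polkit.Result.NOT_HANDLED;          // not ours; keep looking
    }
    if (action.lookup("unit") == "$unit" &&
        subject.isInGroup("$group") &&
        subject.local && subject.active) {        // present at the console, active session
        polkit.log("allowing " + subject.user + " to " +
                   action.lookup("verb") + " $unit");
        return polkit.Result.YES;
    }
    // Any other unit, or a remote/inactive session: fall through to the
    // defaults declared in the action's .policy file.
    return polkit.Result.NOT_HANDLED;
});
EOF
    chmod 0644 "$rule_file"              # polkitd must be able to read it
    printf '%s\n' "$rule_file"
}

# Syntax-check the generated JavaScript before polkitd reads it: a file that
# fails to parse is reported in the log and skipped, which silently leaves
# you with the defaults you meant to override.
check_rule_syntax() {
    if ! command -v node >/dev/null 2>&1; then
        echo "node not available; skipping syntax check" >&2
        return 0
    fi
    scratch=$(mktemp -d)
    cp "$1" "$scratch/rule.js"           # node wants a .js name for a plain script
    node --check "$scratch/rule.js"; status=$?
    rm -rf "$scratch"
    return $status
}

# Ask polkitd what it would decide for the current process (needs polkit).
check_unit_auth() {
    unit=${1:-nginx.service}
    pkcheck --action-id org.freedesktop.systemd1.manage-units \
            --process "$$" --detail unit "$unit" --detail verb restart
}
```

Run `write_polkit_rule` as root to install under /etc/polkit-1/rules.d, then `check_unit_auth` from a shell owned by a member of the group: pkcheck exits 0 when the rule grants access and otherwise prompts or reports the default result.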

Using Linux Containers and Docker for Reliable Service

Convert your legacy architecture into a container-based model. Split functions into lightweight modules. Improve your availability.

Keep Your Secure Shell Functional and Secure

Some web hosting providers, including GoDaddy, only support some rather old SSH authentication methods. OpenSSH 7.0 disables the ssh-dss (DSA) key algorithm by default, so once you upgrade, your SSH client will no longer offer DSA keys to those servers.

Additionally, CVE-2016-0777 is a vulnerability in the OpenSSH client's experimental support for roaming, that is, resuming interrupted SSH connections. A malicious or compromised server could use it to read client memory, including private key material.

Here's how to both provide exceptions for specific servers needing DSA authentication and work around that vulnerability.
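As an added example (not code from the original post), a POSIX shell script that generates and installs the ssh_config described above: a per-host exception that re-enables DSA for one legacy server, followed by a global section that turns roaming off. The alias "legacy", the host name legacy.example.com and the key path are placeholders. The keywords are real OpenSSH options: PubkeyAcceptedKeyTypes and HostKeyAlgorithms with a leading "+" append to the defaults rather than replacing them, and UseRoaming no disables the code path behind CVE-2016-0777 on the affected 5.4 through 7.1p1 clients.

```shell
#!/bin/sh
# Added example, not code from the original post: scope the DSA exception to
# one legacy host and disable roaming for every host.
# Assumptions: "legacy", legacy.example.com and the id_dsa_legacy key path are
# placeholders; substitute your own.

# Print the per-host stanza. It must come BEFORE any "Host *" section:
# ssh_config uses the first value it obtains for each keyword, so a global
# section placed first would override the exception.
render_host_stanza() {
    alias_name=$1; host_name=$2; key_file=$3
    cat <<EOF
# Exception: OpenSSH 7.0 disables ssh-dss at run time; re-enable it here only.
Host $alias_name
    HostName $host_name
    IdentityFile $key_file
    IdentitiesOnly yes
    PubkeyAcceptedKeyTypes +ssh-dss
    HostKeyAlgorithms +ssh-dss
EOF
}

# Print the global stanza: disable the experimental roaming client code
# (CVE-2016-0777, OpenSSH 5.4 through 7.1p1; fixed in 7.1p2). Later clients
# that removed the roaming code treat the keyword as a deprecated no-op.
render_global_stanza() {
    cat <<'EOF'
Host *
    UseRoaming no
EOF
}

# Write a complete config: host exception first, global defaults last.
# Refuses to clobber an existing file; merge the stanzas by hand in that case.
install_ssh_config() {
    cfg=$1; alias_name=$2; host_name=$3; key_file=$4
    if [ -e "$cfg" ]; then
        echo "$cfg exists; merge the stanzas manually (Host entry first)" >&2
        return 1
    fi
    (
        umask 077                      # config must not be group/world readable
        mkdir -p "$(dirname "$cfg")"
        {
            render_host_stanza "$alias_name" "$host_name" "$key_file"
            echo
            render_global_stanza
        } > "$cfg"
    )
}

# Show what the client will actually use for the alias (OpenSSH 6.8+ has -G).
# Releases from 8.5 on print the first keyword as pubkeyacceptedalgorithms.
effective_settings() {
    cfg=$1; alias_name=$2
    ssh -G -F "$cfg" "$alias_name" 2>/dev/null |
        grep -i -e '^pubkeyaccepted' -e '^hostkeyalgorithms' -e '^useroaming'
}
```

Typical use: `install_ssh_config ~/.ssh/config legacy legacy.example.com ~/.ssh/id_dsa_legacy`, then `effective_settings ~/.ssh/config legacy` to confirm that ssh-dss appears in the accepted key types for that alias only and that roaming is off. The permanent fix for CVE-2016-0777 is upgrading to 7.1p2 or later; the config line is the stopgap for clients you cannot upgrade yet.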

April 2016

Encrypting with vim

The vim editor supports encryption. For a long time its only method was 'zip', the weak PkZip-compatible stream cipher. Vim 7.3 added Blowfish ('blowfish'), but that implementation had a flaw in how it used the cipher, and a corrected 'blowfish2' method arrived in the 7.4 patch series. For reasons I can't figure out, most Linux systems only support the significantly weaker method of (mis)using the Blowfish cipher. If you want the best file-by-file confidentiality, you will have to build vim from source, or else use OpenBSD.

Skeptical Looks at Cryptography

There have been some nice papers in the past few years carefully and skeptically examining the current state of the art and of practice in the area of cryptography. Here's a guide to some of them.

Are Consumer Crypto Systems Too Hard To Use?

Yes.

Some very capable cryptography is available, but it is rendered mostly useless by horrible user interfaces. Everything from e-mail plugins to (potentially) secure phones is made far less secure in practice by awkward, misleading, and vague user interfaces.

Make Meaningful Measurements

Just because a thing can happen doesn't mean that it will happen. You must make many observations or measurements before you can honestly say anything that isn't vague about the likelihood of success, or of any supposed improvement in performance tuning.

March 2016

What Could Possibly Go Wrong With Backdoors? Backdoor Disasters

The Problem With Government-Imposed Backdoors

These two are based on my more complete and updated page on the dangers of backdoors.

What's the Current State of Software-Defined Networking?

Software-Defined Networking or SDN is a hot topic, but right now it's for the telco carriers and builders of seriously large cloud infrastructure. If you're saying "We have virtualized servers" or "We're planning to build a cloud" then you're not nearly ready yet.

File System Encryption: When Is It Worthwhile?

Short answer: On laptops, portable media, or other easily stolen or misplaced hardware. Not on servers.

There's no point in encrypting the operating system; the user data is what matters. When it is appropriate, you can put something together with PAM and pam_mount.so, automounting, LUKS and dm-crypt.

February 2016

Efficient Storage for Linux Virtualization

How copy-on-write makes storage much more efficient, and how QEMU/KVM on Linux implements it with the qcow2 ("QEMU Copy-On-Write, version 2") disk image format.

Performance Tuning on Virtual Machines

Provisioning and tuning for the best storage performance on Linux QEMU/KVM virtual machines.

Should We Worry About Virtual Disk Fragmentation?

No, at least not the fragmentation reported for compressed qcow2 disks, as it isn't what you probably think it is. Here are some techniques for testing fragmentation within the virtual machine and from its host OS.
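As an added example serving both the copy-on-write storage post and the fragmentation post (not code from either), a shell script that builds a qcow2 backing chain with qemu-img, reports how little the overlay actually allocates on the host, and reads the image files' extent counts with filefrag. The scratch directory and the image names base.qcow2 and overlay.qcow2 are placeholders; qemu-img is required and filefrag (from e2fsprogs) is optional.

```shell
#!/bin/sh
# Added example, not code from the original posts: build a qcow2 backing chain
# with qemu-img, compare allocated space with virtual size, and look at the
# image files' fragmentation from the host side.
# Assumptions: $1 is a scratch directory; base.qcow2 and overlay.qcow2 are
# placeholder names. Needs qemu-img; filefrag is optional.

# Base image plus an overlay whose backing file is the base. Writes land only
# in the overlay; reads of untouched clusters fall through to the base, which
# is how one installed OS image can back many guests cheaply.
make_cow_chain() {
    dir=$1
    mkdir -p "$dir"
    qemu-img create -q -f qcow2 "$dir/base.qcow2" 1G
    # A relative backing path is resolved relative to the overlay's own
    # directory, so the pair can be moved together. -F records the backing
    # format in the header instead of leaving qemu to probe it later.
    qemu-img create -q -f qcow2 -b base.qcow2 -F qcow2 "$dir/overlay.qcow2"
}

# Backing file name recorded in an image header (empty for a standalone image).
backing_file() {
    qemu-img info "$1" | sed -n 's/^backing file: \([^ ]*\).*/\1/p'
}

# The whole chain, top to bottom, as qemu sees it.
show_chain() {
    qemu-img info --backing-chain "$1"
}

# Host-side cost in KiB actually allocated, as opposed to the virtual size the
# guest sees. A fresh 1G qcow2 allocates a few hundred KiB of metadata, no more.
allocated_kib() {
    du -k "$1" | cut -f1
}

# Extent count of the image file on the host filesystem. A compressed or
# sparse qcow2 legitimately shows many extents; that number says little about
# what the guest experiences, which is the point of the fragmentation post.
host_extents() {
    command -v filefrag >/dev/null 2>&1 || { echo "filefrag not installed" >&2; return 1; }
    filefrag "$1" | sed -n 's/.*: \([0-9]*\) extent.*/\1/p'
}
```

After `make_cow_chain /var/lib/libvirt/images/demo`, `show_chain .../overlay.qcow2` lists the overlay and then the base, `allocated_kib` on each shows both far below the 1 GiB virtual size, and `host_extents` gives the host view; for the guest's view run filefrag inside the VM against files on its own filesystem, which is a different measurement.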

Avoid Graphical Slowdowns

Do not use a graphical console tool like virt-viewer on top of the Gnome desktop, especially if you're doing that on the host operating system! Gnome is amazingly resource-hungry. It will fully saturate 1.5 to 2 CPUs, while the hypervisor running the entire guest OS uses maybe 0.5.

January 2016

New Year's Resolution: Back Up Your Data
New Year's Resolution: How to Back Up Your Data

You must make backups of your personal data. The good news is that it's cheap and fairly easy with Amazon's Glacier cloud service. Here's what Glacier is about, and how to use it.

Cryptography Developments: Elliptic Curves — Part 1
Cryptography Developments: Elliptic Curves — Part 2

Background of the NSA's surprising announcement in August, 2015, saying that Elliptic Curve Cryptography wasn't the hoped-for defense against quantum computers. Here is some analysis of what that announcement probably means.

Older blog entries