Micro-Star International motherboard with AMD Phenom II 4-core processor and Nvidia chipset running Linux.

Linux and Security Blog

Thoughts from Time to Time on Linux and Security

I have written a number of courses for Learning Tree International, a training company, in the areas of Linux, networking, and cybersecurity. I have written a course on Linux servers which is still running. Other courses I have written for them have been retired, as they could no longer make enough sales. I suspect this is because those courses were too advanced for their primary market, U.S. government employees and contractors in the Washington, D.C. area. Those courses were in Linux network services, Linux/UNIX security, and Linux/UNIX troubleshooting and performance tuning.

They more recently asked me to develop a course on cloud security, and after I completed that, to write a weekly blog for them. In 2014, that started to shift to content about Linux and security in general. Here are links to the blog postings I have written. I have listed them here by month, with each month's essays in order (more or less, to keep some multi-part series together).

I try to keep this page updated, but it can take them a surprisingly long time to do whatever SEO fiddling they want to do before posting these to their site. I wait until they have a full month's done before updating this page of links, so this list may be a few months behind at times.

Older blog entries

September 2016

Asimov Created Three Laws of Robotics, So How About Cyber Security?

I got it down to five:

  1. People, especially sysadmins, must know what they're doing.
  2. Patch.
  3. Validate all user input.
  4. Handle logic correctly
  5. Handle errors gracefully.

How To Add Virus Scanning to Linux

Anti-virus for Linux desktops is sort of like dragon repellent, a solution in search of a problem. There is some, if you need it to satisfy a policy. But most anti-malware is for servers, scanning files and e-mail messages.

3 Ways Lists Can Help You Prepare For the CompTIA Security+ Exam

Other CompTIA
Security+ Advice

The main point is that you should make the crib sheet you would like to take into the testing room. The process of creating that sheet makes you memorize what's needed. Here is some background on that process, and suggestions for the horrible table of TCP/UDP port numbers.

What's Happening To The CompTIA Security+ Exam?

The CompTIA Security+ exam is poorly designed and getting worse. Here's what's been happening, and my guesses as to where it's going.

August 2016

How Can We Create Secure Passwords?

A thought experiment about how you might generate usefully strong pass phrases with a Linux script, using /dev/urandom to select strings from /usr/share/dict/words. Spoiler alert: it isn't very practical, a far better solution is in the next one...

How To Manage Your Passwords With KeePassX

How to install and use the KeePassX password generation and storage tool on Linux, OpenBSD, and Android.

We Need Something Better Than Passwords, And We Already Have It

How repeated hashing works, providing secure authentication.

Making the High Security of Repeated Hashing Practical

The S/KEY standard defined in RFC 2289, and practical tools like OTPDroid.

July 2016

Are You Absolutely Certain That You Have The Real Source Code?

How to check digital signatures to make sure that your Linux kernel source is the real thing and not a Trojan Horse.

Linux Tutorial: Finding Duplicates

Designing and writing a script to find duplicates in a large collection of video files.

Internet Safety and Protecting Your Cookies

A suggestion for compartmentalizing your Internet access and protecting authentication cookies by using multiple browsers.

Cyber Security Requires Cautious Logic

You must carefully distinguish between necessary and sufficient when analyzing security risks. For example, you can say "If you could factor a 300-digit number into its prime factors, you could derive an RSA private key from the corresponding public key." But that doesn't mean that you must solve that factoring problem to get the key!

June 2016

Cyber Security Tradeoffs

Confidentiality, Integrity, and Availability are the three standard concerns of information security. The problem is that when you work to improve one of them in isolation, you usually make one or both of the others worse.

Set Up SSH Keys For Easier And More Secure Authentication Without Passwords Set Up An SSH Key Agent For Convenient Yet Secure Authentication Easily Maintain Multiple Websites With SSH

These were based on my more detailed SSH pages, see those for the real story. The actual blog posts are here, here, and here.

May 2016

PolicyKit Authentication Framework: From Authentication to Authorization PolicyKit Authentication Framework: Creating Your Own Rules

PAM is Pluggable Authentication Modules, but a lot of authorization had been stirred in. Authentication is the first step, authorization is an entirely different later step. The PolicyKit Authentication Framework (or simply polkit) handles authorization. With the move from Red Hat/CentOS 6 to 7 some of the authorization inappropriately in PAM in version 6 has been moved to PolicyKit. Here's what all that is about and how to work with it.

Using Linux Containers and Docker for Reliable Service

Convert your legacy architecture into a container-based model. Split functions into lightweight modules. Improve your availability.

Keep Your Secure Shell Functional and Secure

Some web hosting providers, including GoDaddy, only support some rather old SSH authentication methods. Once you upgrade to OpenSSH 7.0, your SSH client will no longer try the deprecated DSA algorithm.

Additionally, CVE-2016-0777 warns of a vulnerability in the experimental support for roaming, or resuming SSH connections.

Here's how to both provide exceptions for specific servers needing DSA authentication and work around that vulnerability.

April 2016

Encrypting with vim

The vim editor supports encryption. It has supported a very weak method based on gzip for a long time. More recently, they added Blowfish encryption. For reasons I can't figure out, most Linux systems only support a significantly weaker method of (mis)using the Blowfish cipher. If you want the best file-by-file confidentiality, you will have to build vim from source, or else use OpenBSD.

Skeptical Looks at Cryptography

There have been some nice papers in the past few years carefully and skeptically examining the current state of the art and of practice in the area of cryptography. Here's a guide to some of them.

Are Consumer Crypto Systems Too Hard To Use?


Some very capable cryptography is available, but it is rendered mostly useless by horrible user interfaces. Everything from e-mail plugins to (potentially) secure phones are made far less secure in practice because of awkward, misleading, and vague user interfaces.

Make Meaningful Measurements

Just because a thing can happen doesn't mean that it will happen. You must make many observations or measurements before you can honestly say anything that isn't vague about the likelihood of success, or of any supposed improvement in performance tuning.

March 2016

What Could Possibly Go Wrong With Backdoors? Backdoor Disasters

The Problem With

These two are based on my more complete and updated page on the dangers of backdoors.

What's the Current State of Software-Defined Networking?

Software-Defined Networking or SDN is a hot topic, but right now it's for the telco carriers and builders of seriously large cloud infrastructure. If you're saying "We have virtualized servers" or "We're planning to build a cloud" then you're not nearly ready yet.

File System Encryption: When Is It Worthwhile?

Short answer: On laptops, portable media, or other easily stolen or misplaced hardware. Not on servers.

There's no point in encrypting the operating system, the user data is what matters. When it is appropriate, you can put something together with PAM and pam_mount.so, automounting, LUKS and dm-crypt.

February 2016

Efficient Storage for Linux Virtualization

How copy-on-write makes storage much more efficient, and how it is qcow2 or "QEMU Copy-on-Write v2" in Linux QEMU/KVM virtualization.

Performance Tuning on Virtual Machines

Provisioning and tuning for the best storage performance on Linux QEMU/KVM virtual machines.

Should We Worry About Virtual Disk Fragmentation?

No, at least not the fragmentation reported for compressed qcow2 disks as it isn't what you probably think it is. Here are some techniques for testing fragmentation within the virtual machine and from its host OS.

Avoid Graphical Slowdowns

Do not use a graphical console tool like virt-viewer on top of the Gnome desktop, especially if you're doing that on the host operating system! Gnome is amazingly resource-hungry. It will fully saturate 1.5 to 2 CPUs, while the hypervisor running the entire guest OS uses maybe 0.5.

January 2016

New Year's Resolution: Back Up Your Data New Year's Resolution: How to Back Up Your Data

You must make backups of your personal data. The good news is that it's cheap and fairly easy with Amazon's Glacier cloud service. Here's what Glacier is about, and how to use it.

Cryptography Developments: Elliptic Curves — Part 1 Cryptography Developments: Elliptic Curves — Part 2

Background of the NSA's surprising announcement in August, 2015, saying that Elliptic Curve Cryptography wasn't the hoped-for defense against quantum computers. Here is some analysis of what that announcement probably means.

Older blog entries