Thoughts from Time to Time on Linux and Security
I have written a number of courses for Learning Tree International, a training company, in the areas of Linux, networking, and cybersecurity. I have written a course on Linux servers which is still running. Other courses I have written for them have been retired, as they could no longer make enough sales. I suspect this is because those courses were too advanced for their primary market, U.S. government employees and contractors in the Washington, D.C. area. Those courses were in Linux network services, Linux/UNIX security, and Linux/UNIX troubleshooting and performance tuning.
They more recently asked me to develop a course on cloud security, and after I completed that, to write a weekly blog for them. In 2014, that started to shift to content about Linux and security in general. Here are links to the blog postings I have written. I have listed them here by month, with each month's essays in order (more or less, to keep some multi-part series together).
I try to keep this page updated, but it can take them a surprisingly long time to do whatever SEO fiddling they want to do before posting these to their site. I wait until they have a full month's done before updating this page of links, so this list may be a few months behind at times.
How Can We Create Secure Passwords?
A thought experiment about how you might generate
usefully strong pass phrases with a Linux script,
/dev/urandom to select strings
Spoiler alert: it isn't very practical, a far better
solution is in the next one...
How To Manage Your Passwords With KeePassX
How to install and use the KeePassX password generation and storage tool on Linux, OpenBSD, and Android.
We Need Something Better Than Passwords, And We Already Have It
How repeated hashing works, providing secure authentication.
Making the High Security of Repeated Hashing Practical
The S/KEY standard defined in RFC 2289, and practical tools like OTPDroid.
Are You Absolutely Certain That You Have The Real Source Code?
How to check digital signatures to make sure that your Linux kernel source is the real thing and not a Trojan Horse.
Linux Tutorial: Finding Duplicates
Designing and writing a script to find duplicates in a large collection of video files.
Internet Safety and Protecting Your Cookies
A suggestion for compartmentalizing your Internet access and protecting authentication cookies by using multiple browsers.
Cyber Security Requires Cautious Logic
You must carefully distinguish between necessary and sufficient when analyzing security risks. For example, you can say "If you could factor a 300-digit number into its prime factors, you could derive an RSA private key from the corresponding public key." But that doesn't mean that you must solve that factoring problem to get the key!
Cyber Security Tradeoffs
Confidentiality, Integrity, and Availability are the three standard concerns of information security. The problem is that when you work to improve one of them in isolation, you usually make one or both of the others worse.
Set Up SSH Keys For Easier And More Secure Authentication Without Passwords Set Up An SSH Key Agent For Convenient Yet Secure Authentication Easily Maintain Multiple Websites With SSH
These were based on my more detailed SSH pages, see those for the real story. The actual blog posts are here, here, and here.
PolicyKit Authentication Framework: From Authentication to Authorization PolicyKit Authentication Framework: Creating Your Own Rules
PAM is Pluggable Authentication Modules,
but a lot of authorization had been stirred in.
Authentication is the first step, authorization is an
entirely different later step.
The PolicyKit Authentication Framework
polkit) handles authorization.
With the move from Red Hat/CentOS 6 to 7 some of the
authorization inappropriately in PAM in version 6
has been moved to PolicyKit.
Here's what all that is about and how to work with it.
Using Linux Containers and Docker for Reliable Service
Convert your legacy architecture into a container-based model. Split functions into lightweight modules. Improve your availability.
Keep Your Secure Shell Functional and Secure
Some web hosting providers, including GoDaddy, only support some rather old SSH authentication methods. Once you upgrade to OpenSSH 7.0, your SSH client will no longer try the deprecated DSA algorithm.
Additionally, CVE-2016-0777 warns of a vulnerability in the experimental support for roaming, or resuming SSH connections.
Here's how to both provide exceptions for specific servers needing DSA authentication and work around that vulnerability.
Encrypting with vim
vim editor supports encryption.
It has supported a very weak method based on
gzip for a long time.
More recently, they added Blowfish encryption.
For reasons I can't figure out, most Linux systems only
support a significantly weaker method of (mis)using
the Blowfish cipher.
If you want the best file-by-file confidentiality,
you will have to build
vim from source,
or else use OpenBSD.
Skeptical Looks at Cryptography
There have been some nice papers in the past few years carefully and skeptically examining the current state of the art and of practice in the area of cryptography. Here's a guide to some of them.
Are Consumer Crypto Systems Too Hard To Use?
Some very capable cryptography is available, but it is rendered mostly useless by horrible user interfaces. Everything from e-mail plugins to (potentially) secure phones are made far less secure in practice because of awkward, misleading, and vague user interfaces.
Make Meaningful Measurements
Just because a thing can happen doesn't mean that it will happen. You must make many observations or measurements before you can honestly say anything that isn't vague about the likelihood of success, or of any supposed improvement in performance tuning.
What Could Possibly Go Wrong With Backdoors? Backdoor DisastersThe Problem With
These two are based on my more complete and updated page on the dangers of backdoors.
What's the Current State of Software-Defined Networking?
Software-Defined Networking or SDN is a hot topic, but right now it's for the telco carriers and builders of seriously large cloud infrastructure. If you're saying "We have virtualized servers" or "We're planning to build a cloud" then you're not nearly ready yet.
File System Encryption: When Is It Worthwhile?
Short answer: On laptops, portable media, or other easily stolen or misplaced hardware. Not on servers.
There's no point in encrypting the operating system,
the user data is what matters.
When it is appropriate,
you can put something together with PAM and
LUKS and dm-crypt.
Efficient Storage for Linux Virtualization
How copy-on-write makes storage much more efficient, and how it is qcow2 or "QEMU Copy-on-Write v2" in Linux QEMU/KVM virtualization.
Performance Tuning on Virtual Machines
Provisioning and tuning for the best storage performance on Linux QEMU/KVM virtual machines.
Should We Worry About Virtual Disk Fragmentation?
No, at least not the fragmentation reported for compressed qcow2 disks as it isn't what you probably think it is. Here are some techniques for testing fragmentation within the virtual machine and from its host OS.
Avoid Graphical Slowdowns
Do not use a graphical console tool like
virt-viewer on top of the Gnome desktop,
especially if you're doing that on the host operating
Gnome is amazingly resource-hungry.
It will fully saturate 1.5 to 2 CPUs, while the hypervisor
running the entire guest OS uses maybe 0.5.
New Year's Resolution: Back Up Your Data New Year's Resolution: How to Back Up Your Data
You must make backups of your personal data. The good news is that it's cheap and fairly easy with Amazon's Glacier cloud service. Here's what Glacier is about, and how to use it.
Cryptography Developments: Elliptic Curves — Part 1 Cryptography Developments: Elliptic Curves — Part 2
Background of the NSA's surprising announcement in August, 2015, saying that Elliptic Curve Cryptography wasn't the hoped-for defense against quantum computers. Here is some analysis of what that announcement probably means.
☚ Older blog entries