
Linux and Security Blog
Thoughts from Time to Time on Linux and Security
I have written a number of courses for Learning Tree International, a training company, in the areas of Linux, networking, and cybersecurity. I have written a course on Linux servers which is still running. Other courses I have written for them have been retired, as they could no longer make enough sales. I suspect this is because those courses were too advanced for their primary market, U.S. government employees and contractors in the Washington, D.C. area. Those courses were in Linux network services, Linux/UNIX security, and Linux/UNIX troubleshooting and performance tuning.
They more recently asked me to develop a course on cloud security, and after I completed that, to write a weekly blog for them. In 2014, that started to shift to content about Linux and security in general. Here are links to the blog postings I have written. I have listed them here by month, with each month's essays in order (more or less, to keep some multi-part series together).
I try to keep this page updated, but it can take them a surprisingly long time to do whatever SEO fiddling they want to do before posting these to their site. I wait until they have a full month's done before updating this page of links. In April 2017 they still hadn't published one I uploaded on schedule in early October 2016. This list may be several months behind at times.
October 2016
Clean Up Your Writing With Linux Utilities
How to quickly put together a shell script to find doubled words within text. I make that error a lot...
Our Continuously Connected Lives: Benefits and Risks
A piece commissioned for a DHS week-by-week cybersecurity month of October.
How to Build Resilience in Critical Infrastructure
A piece commissioned for a DHS week-by-week cybersecurity month of October.
September 2016
Asimov Created Three Laws of Robotics, So How About Cyber Security?
I got it down to five:
- People, especially sysadmins, must know what they're doing.
- Patch.
- Validate all user input.
- Handle logic correctly.
- Handle errors gracefully.
How To Add Virus Scanning to Linux
Anti-virus for Linux desktops is sort of like dragon repellent, a solution in search of a problem. There is some, if you need it to satisfy a policy. But most anti-malware is for servers, scanning files and e-mail messages.
3 Ways Lists Can Help You Prepare For the CompTIA Security+ Exam
Other CompTIA Security+ Advice
The main point is that you should make the crib sheet you would like to take into the testing room. The process of creating that sheet makes you memorize what's needed. Here is some background on that process, and suggestions for the horrible table of TCP/UDP port numbers.
What's Happening To The CompTIA Security+ Exam?
The CompTIA Security+ exam is poorly designed and getting worse. Here's what's been happening, and my guesses as to where it's going.
August 2016
How Can We Create Secure Passwords?
A thought experiment about how you might generate usefully strong pass phrases with a Linux script, using /dev/urandom to select strings from /usr/share/dict/words. Spoiler alert: it isn't very practical; a far better solution is in the next one...
How To Manage Your Passwords With KeePass
How to install and use the KeePass password generation and storage tool on Linux, OpenBSD, and Android.
We Need Something Better Than Passwords, And We Already Have It
How repeated hashing works, providing secure authentication.
Making the High Security of Repeated Hashing Practical
The S/KEY standard defined in RFC 2289, and practical tools like OTPDroid.
July 2016
Are You Absolutely Certain That You Have The Real Source Code?
How to check digital signatures to make sure that your Linux kernel source is the real thing and not a Trojan Horse.
Linux Tutorial: Finding Duplicates
Designing and writing a script to find duplicates in a large collection of video files.
Internet Safety and Protecting Your Cookies
A suggestion for compartmentalizing your Internet access and protecting authentication cookies by using multiple browsers.
Cyber Security Requires Cautious Logic
You must carefully distinguish between necessary and sufficient when analyzing security risks. For example, you can say "If you could factor a 300-digit number into its prime factors, you could derive an RSA private key from the corresponding public key." But that doesn't mean that you must solve that factoring problem to get the key!
June 2016
Confidentiality, Integrity, and Availability are the three standard concerns of information security. The problem is that when you work to improve one of them in isolation, you usually make one or both of the others worse.
Set Up SSH Keys For Easier And More Secure Authentication Without Passwords
Set Up An SSH Key Agent For Convenient Yet Secure Authentication
Easily Maintain Multiple Websites With SSH
These were based on my more detailed SSH pages; see those for the real story. The actual blog posts are here, here, and here.
May 2016
PolicyKit Authentication Framework: From Authentication to Authorization
PolicyKit Authentication Framework: Creating Your Own Rules
PAM is Pluggable Authentication Modules, but a lot of authorization had been stirred in. Authentication is the first step; authorization is an entirely different later step. The PolicyKit Authentication Framework (or simply polkit) handles authorization. With the move from Red Hat/CentOS 6 to 7, some of the authorization that was inappropriately in PAM in version 6 has been moved to PolicyKit. Here's what all that is about and how to work with it.
Using Linux Containers and Docker for Reliable Service
Convert your legacy architecture into a container-based model. Split functions into lightweight modules. Improve your availability.
Keep Your Secure Shell Functional and Secure
Some web hosting providers, including GoDaddy, only support some rather old SSH authentication methods. Once you upgrade to OpenSSH 7.0, your SSH client will no longer try the deprecated DSA algorithm.
Additionally, CVE-2016-0777 warns of a vulnerability in the experimental support for roaming, or resuming SSH connections.
Here's how to both provide exceptions for specific servers needing DSA authentication and work around that vulnerability.
April 2016
The vim editor supports encryption. It has supported a very weak method based on gzip for a long time. More recently, they added Blowfish encryption. For reasons I can't figure out, most Linux systems only support a significantly weaker method of (mis)using the Blowfish cipher. If you want the best file-by-file confidentiality, you will have to build vim from source, or else use OpenBSD.
Skeptical Looks at Cryptography
There have been some nice papers in the past few years carefully and skeptically examining the current state of the art and of practice in the area of cryptography. Here's a guide to some of them.
Are Consumer Crypto Systems Too Hard To Use?
Yes.
Some very capable cryptography is available, but it is rendered mostly useless by horrible user interfaces. Everything from e-mail plugins to (potentially) secure phones is made far less secure in practice because of awkward, misleading, and vague user interfaces.
Just because a thing can happen doesn't mean that it will happen. You must make many observations or measurements before you can honestly say anything that isn't vague about the likelihood of success, or of any supposed improvement in performance tuning.
March 2016
What Could Possibly Go Wrong With Backdoors? Backdoor Disasters
The Problem With Government-Imposed Backdoors
These two are based on my more complete and updated page on the dangers of backdoors.
What's the Current State of Software-Defined Networking?
Software-Defined Networking or SDN is a hot topic, but right now it's for the telco carriers and builders of seriously large cloud infrastructure. If you're saying "We have virtualized servers" or "We're planning to build a cloud" then you're not nearly ready yet.
File System Encryption: When Is It Worthwhile?
Short answer: On laptops, portable media, or other easily stolen or misplaced hardware. Not on servers.
There's no point in encrypting the operating system; the user data is what matters. When it is appropriate, you can put something together with PAM and pam_mount.so, automounting, LUKS and dm-crypt.
February 2016
Efficient Storage for Linux Virtualization
How copy-on-write makes storage much more efficient, and how it is qcow2 or "QEMU Copy-on-Write v2" in Linux QEMU/KVM virtualization.
Performance Tuning on Virtual Machines
Provisioning and tuning for the best storage performance on Linux QEMU/KVM virtual machines.
Should We Worry About Virtual Disk Fragmentation?
No, at least not the fragmentation reported for compressed qcow2 disks, as it isn't what you probably think it is. Here are some techniques for testing fragmentation within the virtual machine and from its host OS.
Do not use a graphical console tool like virt-viewer on top of the Gnome desktop, especially if you're doing that on the host operating system! Gnome is amazingly resource-hungry. It will fully saturate 1.5 to 2 CPUs, while the hypervisor running the entire guest OS uses maybe 0.5.
January 2016
New Year's Resolution: Back Up Your Data
New Year's Resolution: How to Back Up Your Data
You must make backups of your personal data. The good news is that it's cheap and fairly easy with Amazon's Glacier cloud service. Here's what Glacier is about, and how to use it.
Cryptography Developments: Elliptic Curves — Part 1
Cryptography Developments: Elliptic Curves — Part 2
Background of the NSA's surprising announcement in August 2015, saying that Elliptic Curve Cryptography wasn't the hoped-for defense against quantum computers. Here is some analysis of what that announcement probably means.