The Rise of “Worse is Better”
by Richard Gabriel
software development, security, opinion
Counterpane Internet Security, Inc. – Crypto-Gram — March 15, 2001.
Notable in this issue:
Security based on patches is inherently fragile. Any large network is going to have hundreds of vulnerabilities. If there’s a vulnerability in your system, you can be attacked successfully and there’s nothing you can do about it. Even if you manage to install every patch you know about, what about the vulnerabilities that haven’t been patched yet? (That same alert service listed 10 new vulnerabilities for which there is no defense.) Or the vulnerabilities discovered but not reported yet? Or the ones still undiscovered?
Good security is resilient. It’s resilient to user errors. It’s resilient to network changes. And it’s resilient to administrators not installing every patch. For the past two years I have been championing monitoring as a way to provide this resilient security. If there are enough motion sensors, electric eyes, and pressure plates in your house, you’ll catch the burglar regardless of how he got in. If you are monitoring your network carefully enough, you’ll catch a hacker regardless of what vulnerability he exploited to gain access. Monitoring makes a network less dependent on keeping patches up to date; it’s a process that provides security even in the face of ever-present vulnerabilities, uninstalled patches, and imperfect products.
CVS-based Software Release Steps.
For my main project on SourceForge, Redfoot, I’ve developed a set of steps to follow to do a release. I’ve started using them on all my CVS-based projects. I’d be interested in getting feedback on the steps and what steps others follow. [Advogato]
CNET NEWS.COM – ICQ logs spark corporate nightmare.
Thousands of confidential messages between the CEO of an Internet company and top executives have been posted on the Web, stirring up a hornet’s nest of corporate intrigue and providing a rare glimpse into a dot-com as it struggled to cope with a brutal shakeout.
Last week, hundreds of pages of the ICQ instant messaging logs were posted on the Web and copied onto various sites, creating the kind of information security breach that has become one of the worst corporate nightmares of the digital age. The logs, which were apparently snatched from a PC used by Sam Jain, CEO of eFront, have nearly paralyzed his company and created a personal nightmare for Jain.
Linux-HA 0.4.9 (Stable). Heartbeat subsystem for High-Availability Linux project [freshmeat.net]
MindTerm 1.99pre5 (Default). SSH-client in pure Java, includes stand-alone ssh- and terminal(vt100)-packages [freshmeat.net]
Palm PDA threat to network security [via Security Focus]:
Palm’s debugging program can be exploited by anyone ready to read the Palm OS developer’s manual online and hitch up a PC to a Palm. The program is installed on all devices, and is designed to be used only by application developers and technical support.
The program allows anyone to type in commands such as ‘coldboot’ to wipe all data from the device, or ‘export’ to copy everything onto another computer. The program can also be used to access a user’s Palm password.
An attacker could copy the contents of the average Palm in about five minutes and decrypt a password in a few seconds.
Besides the fact that network managers tend to put commercially sensitive data in their PDAs, Palm devices, which can exchange data with a network, could also be used to crack into a classified network.
“It is not possible to employ a secure application on top of an insecure foundation,” said Wysopal. “Because the Palm OS is inherently insecure, methods to completely secure data are moot. A Palm device should not be left unattended, or loaned to a potentially untrustworthy colleague,” Wysopal added.
@Stake recommends Palm users glue a piece of plastic over the Palm’s serial port connector, leaving the infra-red port as the only method of synching, or disable the Palm’s port by opening the case and cutting the specific RS232 lines.
Electronic Signatures: