Category: InfoSec and IT Page 1 of 28

Over/Under

Today’s post is over at Safer Computing, about over- and under-estimating risk.

Orange Book

I did a talk today about the Orange Book. The Orange Book lays out some very well-structured, very stringent principles for the construction of truly secure systems. The audience for it was DoD and other government procurement officers who needed to buy reliably secure systems for classified processing.

This turns out to be a very personal topic for me. Around the time the Orange Book came out, I was working on a Multics system doing database work for a pharmaceutical company. Multics became one of the first systems to successfully be evaluated under the Orange Book criteria — at level B2. Honeywell, the maker of Multics, was quite pleased!

They gave these buttons away to all and sundry, and I got one.

I found the fact of a framework capable of assuring a secure computer system fascinating. It has always inspired me to find ways to make systems simpler and so more secure. Vendors to the commercial market today will insist that there’s no way to make systems both secure and affordable. Since the primary method of improving a product in its evaluation for an Orange Book rating is to make it simpler, I smell a rat.

One can probably say that my Multics experience in the 1980s inclined me toward getting my CISSP in 2005, and the whole progression of my career since then.

Stupid Jeopardy! Category

The category of Final Jeopardy! for the last game of the All-Stars team tournament was “Constitutional Amendment Math”. I had a foreboding when I saw this, and it was right.

The clue asked the contestants to add the numbers of the Amendments banning state-sponsored religion, ending slavery and repealing Prohibition. The answer is 35, “cleverly” arranged so as to be a tribute to Jeopardy!’s 35-year run. (In its current incarnation, that is; the older Art Fleming version is typically “forgotten” by Trebek’s crew.)

Well, here’s why this set my teeth on edge. The numbers of the Amendments are not really quantities. We don’t do arithmetic with them, any more than we do with zip codes or phone numbers. They are just labels that happen to be numeric. If we’re making a spot for them in the memory of a program, or in a database, we should allocate text strings, not numbers.

This is a very important principle: I have seen a lot of application errors that originated because labels were stored as numbers and then, later, unintended consequences arose. For example, if we store all phone numbers as numbers, what happens if a future change causes them to be rounded? 9165551309 is not much more interesting or useful as a number than, say, 9.166 billion. But as a phone number, a label to a communication channel, its usefulness has been completely destroyed.

Deliberately doing arithmetic with these values just because all of them happen to be made up of digits? That is exactly the sort of basic design error illustrated above with phone numbers.
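To make the labels-versus-numbers point concrete, here is an added example (not code from the original post) that round-trips labels through common numeric storage types and reports which ones come back damaged. The phone number is the one used above; the zip code and the function names are constructed for illustration.

```python
import struct

def as_bigint(label):
    # Arbitrary-precision integer column: no overflow, but leading zeros vanish.
    return str(int(label))

def as_int32(label):
    # Signed 32-bit field; wraps on overflow the way a C int would.
    raw = struct.pack("<I", int(label) & 0xFFFFFFFF)
    return str(struct.unpack("<i", raw)[0])

def as_float32(label):
    # Single-precision float: only 24 significant bits, so large values round.
    return str(int(struct.unpack("<f", struct.pack("<f", float(label)))[0]))

def as_text(label):
    # Text column: the label is stored and returned byte for byte.
    return label

STORAGE = {"bigint": as_bigint, "int32": as_int32,
           "float32": as_float32, "text": as_text}

def audit(labels):
    """Map each label to the storage types that fail to return it unchanged."""
    report = {}
    for label in labels:
        read_back = {name: store(label) for name, store in STORAGE.items()}
        report[label] = {n: v for n, v in read_back.items() if v != label}
    return report

# Constructed samples: the phone number from the post, a zip code with a
# leading zero, and an Amendment number small enough to survive anything.
SAMPLES = ["9165551309", "02134", "18"]

if __name__ == "__main__":
    for label, damage in audit(SAMPLES).items():
        print(label, "->", damage or "intact in every storage type")
```

Only the text column returns every label intact; the small Amendment number survives by luck, which is how this class of bug stays hidden until the data changes.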

Getting Ready for BSides

BSides Rochester is tomorrow. The preparations are in their frantic final day.

Plus, today is a training day on CTF Basics, presented by The Hackerground.

Get a ticket to BSides if you don’t already have one, and be there tomorrow!

Free Stuff I Like

UptimeRobot is a free service for monitoring online properties: networks, websites, etc.  I use it for this blog and some others, and for my home network.  Tell it the website URL or network IP address / DNS name you want to monitor and it’s set up.  You can get notified by text message, email, RSS or a public web page that will be created for you.

A paid option is available that removes some limits (such as only 50 monitors) and adds features such as predefined maintenance windows or more frequent checking. For my use, the free option is fine so far: I have a grand total of six monitors active.

Speaking of monitoring your home network, there’s an important difference between most home networks and most commercial ones. Home networks typically have dynamic IP addresses, as opposed to the static IP addresses that are allocated to businesses. “Dynamic” means that the provider can change the IP address at their convenience, and with no notification. For many home uses it doesn’t matter because your IP address is not usually a destination, only a starting point. Netflix and Google can find you to provide the content you requested because they just send it back to where the request came from.

However, if you want to do something like monitoring your own home network, or hosting a web site from your own computer, now you have to be able to be a destination, just like microsoft.com. That means you need to claim an entry in DNS, the Internet’s “phone book”. But if your IP address can change without notice, it’s a problem: DNS entries always need an immutable destination address.

Enter Dynamic DNS. The principle is, a DNS entry is created for a location that has a dynamic IP address, and the location updates the DNS server with a new address whenever it changes. Most home routers have built-in support for this; you just have to choose a provider that supports one of the common methods of keeping updated. I use afraid.org because it’s easy to set up (step-by-step instructions for everything) and has proven 100% reliable. And the basic service is, of course, free. You select a domain from a long list (VERY long – see illustration), and then make up a new subdomain name for it. That subdomain becomes your very own DNS name, and you can give that out without worrying what happens when Comcast changes your IP address.
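The update principle described above, sketched as an added example (not afraid.org's client or API, and not code from the original post): the client publishes an address only when it has changed, refuses anything that is not a valid IP address, and retries if the provider did not accept the update. The hostname, class and callback names are hypothetical, and the addresses are constructed from documentation ranges.

```python
import ipaddress

class DynamicDnsClient:
    """Keeps one DNS name pointed at whatever address the location has now."""

    def __init__(self, hostname, lookup_public_ip, send_update):
        self.hostname = hostname
        self._lookup = lookup_public_ip   # callable returning the current address
        self._send = send_update          # callable(hostname, ip) -> bool
        self.published = None             # last address the provider accepted

    def poll(self):
        """Run one check; returns 'updated', 'unchanged', 'invalid' or 'failed'."""
        try:
            current = str(ipaddress.ip_address(self._lookup().strip()))
        except ValueError:
            return "invalid"      # e.g. an error page; never publish garbage
        if current == self.published:
            return "unchanged"    # nothing to tell the DNS provider
        if not self._send(self.hostname, current):
            return "failed"       # leave 'published' alone so the next poll retries
        self.published = current
        return "updated"

def simulate():
    """Replay a constructed sequence: stable, bad lookup, change, failed update."""
    observed = iter(["203.0.113.10", "203.0.113.10", "<html>error</html>",
                     "198.51.100.77", "198.51.100.77"])
    provider_accepts = iter([True, False, True])
    dns_records = {}              # stands in for the provider's zone

    def send_update(hostname, ip):
        accepted = next(provider_accepts)
        if accepted:
            dns_records[hostname] = ip
        return accepted

    client = DynamicDnsClient("home.example.test", lambda: next(observed),
                              send_update)
    return [client.poll() for _ in range(5)], dns_records

if __name__ == "__main__":
    outcomes, records = simulate()
    print(outcomes, records)
```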

I’m going to do another post soon about some more free things I like: pfSense, Plex and Ubuntu. Meanwhile, check out Gizmo’s Freeware where you will find lots of free stuff for all your geekery needs.
