2004

SSL in depth

I host Web sites, but we’ve only recently [2004] had to start implementing SSL, the Secure Sockets Layer, which turns http into https. I’ve been on the lookout for a good overview of SSL that explains why it is implemented as it is, and I think I’ve finally found one: Chris Shiflett: HTTP Developer’s Handbook: 18. Secure Sockets Layer is a chapter from Shiflett’s book posted on his web site, and boy it is good.

SSL has dramatically changed the way people use the Web, and it provides a very good solution to many of the Web’s shortcomings, most importantly:

  • Data integrity – SSL can help ensure that data (HTTP messages) cannot be changed while in transit.
  • Data confidentiality – SSL provides strong cryptographic techniques used to encrypt HTTP messages.
  • Identification – SSL can offer reasonable assurance as to the identity of a Web server. It can also be used to validate the identity of a client, but this is less common.

Shiflett is a clear technical writer, and if this chapter is any indication, the rest of his book may be worth buying.

Crack Windows passwords in seconds

This is an oldie but still a goodie – or a baddie, if you use or depend on Windows. Back in 2003, researchers released tools that enable the cracking of Windows passwords in an average of 13.6 seconds. Not bad, not bad at all. CNET has a nice writeup titled Cracking Windows passwords in seconds, which explains that the best way to guard against the attack is to create passwords that use more than just alphanumeric items. In other words, read my SecurityFocus column from May 2004, Pass the Chocolate, which contains this advice: “… you should use a mix of at least three of these four things: small letters, capital letters, numbers, and symbols. If you can use all four, great, but at least use three of them.”

If you want to download and test the security of your Windows passwords, you can grab the software at Ophcrack. You can get source, as well as binaries for Windows and Linux. There’s even an online demo of the software, in which you can paste a hash of the password you’d like to crack and get back the actual password. Nice!
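As an added example (not from the post, the column, or the Ophcrack project), a small Python checker for the three-of-four character-class rule quoted above; the sample passwords are constructed, not real credentials:

```python
"""Audit passwords against the rule from the post: use at least three of the
four character classes (small letters, capital letters, numbers, symbols),
all four if possible. Added example, not code from the post or Ophcrack."""


def classify(ch: str) -> str:
    """Map one character to its class; anything that is not a letter or
    digit (punctuation, space, non-ASCII) counts as a symbol."""
    if ch.islower():
        return "lower"
    if ch.isupper():
        return "upper"
    if ch.isdigit():
        return "digit"
    return "symbol"


def classes_used(password: str) -> set[str]:
    """Return the set of class names present in the password."""
    return {classify(ch) for ch in password}


def meets_rule(password: str, minimum: int = 3) -> bool:
    """True when at least `minimum` of the four classes are present."""
    return len(classes_used(password)) >= minimum


def audit(passwords):
    """Return {password: (sorted classes, passes)} for a batch of samples."""
    return {p: (sorted(classes_used(p)), meets_rule(p)) for p in passwords}


if __name__ == "__main__":
    # Constructed samples: two that fail the rule, two that pass it.
    samples = ["password", "12345678", "Password1", "Pa55w0rd!"]
    for pw, (used, ok) in audit(samples).items():
        print(f"{pw!r}: {used} -> {'ok' if ok else 'weak'}")
```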

Mozilla fixes a bug … fast

One of the arguments anti-open sourcers often try to advance is that open source has just as many security holes as closed source software. On top of that one, the anti-OSS folks then go on to say that once open source software is as widely used as their closed source equivalents, they’ll suffer just as many attacks. Now, I’ve argued before that this is a wrong-headed attitude, at least as far as email viruses are concerned, and I think the fact that Apache is the most-widely used Web server in the world, yet sees only a fraction of the constant stream of security disasters that IIS does, pretty much belies the argument.

Now a blogger named sacarny has created a timeline detailing a vulnerability that was found in Mozilla and the time it took to fix it. It starts on July 7, at 13:46 GMT, and ends on July 8, at 21:57 GMT – in other words, it took a little over 24 hours for the Mozilla developers to fix a serious hole. And best of all, the whole process was open and documented. Sure, open source has bugs – all software does – but it tends to get fixed. Fast.

BSD vs. Linux

As a Linux user, I don’t have a lot of daily experience using BSD. Oh sure, I use it on a couple of servers that I rent, but I certainly have never used it on the desktop. And while I certainly understand the concepts, history, and ideas behind Linux very well (although there’s always more to learn), I don’t really know that much about BSD. So it was a delight to read BSD vs. Linux.

“It’s been my impression that the BSD communit{y,ies}, in general, understand Linux far better than the Linux communit{y,ies} understand BSD. I have a few theories on why that is, but that’s not really relevant. I think a lot of Linux people get turned off BSD because they don’t really understand how and why it’s put together. Thus, this rant; as a BSD person, I want to try to explain how BSD works in a way that Linux people can absorb.”

In particular, I thought the contrast between the non-unified nature of Linux and the unified nature of BSD was pretty darn fascinating. As the author points out, this is not to criticize Linux – it’s just the way it is. It’s not a value judgment. Here’s the author on BSD:

“By contrast, BSD has always had a centralized development model. There’s always been an entity that’s “in charge” of the system. BSD doesn’t use GNU ls or GNU libc, it uses BSD’s ls and BSD’s libc, which are direct descendants of the ls and libc that were in the CSRG-distributed BSD releases. They’ve never been developed or packaged independently. You can’t go ‘download BSD libc’ somewhere, because in the BSD world, libc by itself is meaningless. ls by itself is meaningless. The kernel by itself is meaningless. The system as a whole is one piece, not a bunch of little pieces.”

11 pages of really interesting, well-explained analysis. If you’re a Linux user, go read it. You’ll learn about the other great open source OS.