Security

News and editorials

Open source encryption software in Denmark. This article on the Skåne Sjælland Linux User Group's site covers a hearing held by the Danish Ministry of Research concerning the use of encryption software to enable Danish citizens to protect themselves from Echelon and other surveillance activities. Thanks in part to SSLUG's efforts, open source software was well represented at this hearing. "Even more interesting was the 'how do you prevent back-doors in your product?'. Most companies stated that third-party reviewers could be allowed to check the source code given that they conform to an NDA (non-disclosure agreement). The representatives for GnuPG and PGP had an easy task here. Roger Needham from Microsoft managed to make the whole audience laugh by stating that 'If our product contains a back-door, we simply don't know anything about it....'" (Thanks to Hans Schou).

More details on "NSA Linux". More information on exactly what work Secure Computing will be doing on Linux for the NSA, and how the results will be handled, came out this week in this note posted to the securedistros mailing list by Tom Haigh, CTO of Secure Computing. "We will open source all the modifications to the kernel as well as deliver a general-purpose security policy engine...Separately, we will use Linux and develop Linux policy engines for our own products, such as Sidewinder. These policy engines will remain proprietary to Secure Computing." If you are interested in the code origins of the planned "Type Enforced Linux" from Secure Computing, check out Jay Lepreau's comments and Tom Haigh's response from recent conversations on the securedistros list.

Security Reports

New FreeBSD update for procfs. Previous fixes for problems with procfs under FreeBSD have been found to be incomplete. Upgrading to the latest patch is strongly recommended, since the remaining problems could allow a local root compromise.

Cobalt RAQ server vulnerabilities.
The RAQ1, RAQ2 and RAQ3 servers from Cobalt contain vulnerabilities that may allow the site administrator password to be trivially acquired. Cobalt has issued an advisory covering the issues, with information on where to acquire patches that resolve the problems. Applying the patches as soon as possible is highly recommended.

Updates

Debian advisory: symlink problem in apcd package. Debian has issued an advisory regarding a /tmp symlink vulnerability in the apcd package. As with any /tmp symlink problem, a local user who can plant a symlink at the path the daemon uses can redirect its file access to a file of the attacker's choosing, with whatever privileges the daemon runs under. If you have this package installed, an upgrade is strongly recommended.

Resources

SARA Security Auditor. SARA, which stands for "Security Auditor's Research Assistant", is based on the original SATAN scanner but offers quick response to today's problems and a real-time report writer. It has been field-tested and is now being made available as free software, with a commercial product, SARA Pro, apparently on the way.

Instructor 1.0 is a "32 bit instruction set auditor" announced by its author, David Goldsmith.

Section Editor: Liz Coolbaugh
February 3, 2000
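The /tmp symlink class of bug behind the apcd advisory above, shown as an added example; this is not apcd's code or Debian's fix, and the file names (daemon.log, victim.conf) and the mkdtemp scratch directory standing in for /tmp are assumptions made for the demonstration. The vulnerable pattern opens a predictable path with O_CREAT but no O_EXCL, so open() happily follows a link an attacker planted there; the hardened pattern adds O_EXCL and O_NOFOLLOW and is refused with EEXIST (or ELOOP) instead.

```c
/* Added example: /tmp symlink attack vs. hardened open, in a private
 * scratch directory. Not apcd's own code; names below are illustrative. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Vulnerable pattern: O_CREAT without O_EXCL. If `path` is already a
 * symlink, open() follows it and the write lands wherever it points.
 * Returns 0 on success, -1 on failure. */
static int unsafe_write(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Hardened pattern: O_EXCL fails if anything already exists at `path`
 * (a symlink included, whatever it points to); O_NOFOLLOW additionally
 * refuses a symlink as the final component. Returns fd or -1 with errno. */
static int safe_create(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Read up to cap-1 bytes of `path` into buf, NUL-terminated. */
static ssize_t read_file(const char *path, char *buf, size_t cap)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, cap - 1);
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}

/* Plays both attacker and daemon in a fresh mkdtemp directory (a stand-in
 * for /tmp). *unsafe_clobbered = 1 if the unsafe write overwrote the victim
 * through the planted link; *safe_refused = 1 if the hardened open rejected
 * the same planted path. Returns 1 if both held, 0 if not, -1 on setup error. */
int demo_symlink_attack(int *unsafe_clobbered, int *safe_refused)
{
    char dir[] = "/tmp/symlink-demo-XXXXXX";   /* hypothetical scratch dir */
    char victim[256], planted[256], buf[64];
    int fd = -1;

    *unsafe_clobbered = 0;
    *safe_refused = 0;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim.conf", dir);
    snprintf(planted, sizeof planted, "%s/daemon.log", dir); /* predictable name */

    /* A file the daemon must never touch (constructed sample content). */
    if (unsafe_write(victim, "original\n") != 0)
        goto out;
    /* Attacker: plant a symlink at the predictable path, aimed at the victim. */
    if (symlink(victim, planted) != 0)
        goto out;

    /* Daemon, vulnerable way: the "log" write is redirected into victim. */
    unsafe_write(planted, "clobbered\n");
    if (read_file(victim, buf, sizeof buf) > 0 && strcmp(buf, "clobbered\n") == 0)
        *unsafe_clobbered = 1;

    /* Daemon, hardened way: the planted link is refused outright. */
    fd = safe_create(planted);
    if (fd < 0 && (errno == EEXIST || errno == ELOOP))
        *safe_refused = 1;
    if (fd >= 0)
        close(fd);

out:
    unlink(planted);
    unlink(victim);
    rmdir(dir);
    return (*unsafe_clobbered && *safe_refused) ? 1 : 0;
}

int main(void)
{
    int clobbered, refused;
    int ok = demo_symlink_attack(&clobbered, &refused);
    printf("unsafe open followed the planted symlink: %s\n", clobbered ? "yes" : "no");
    printf("O_EXCL|O_NOFOLLOW open refused it:        %s\n", refused ? "yes" : "no");
    return ok == 1 ? 0 : 1;
}
```

The demo uses a private directory rather than /tmp itself so that it exercises only the open() flags: on Linux kernels with fs.protected_symlinks enabled, following another user's symlink inside a world-writable sticky directory such as /tmp is already blocked by the kernel, which would mask the unsafe pattern without making the code correct. In real daemons the fix is the same as safe_create above, or simply mkstemp(), which applies O_CREAT|O_EXCL with an unpredictable name.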