Tag Security

Algorithmic passwords - Memorable, high entropy, and unique

Background: Passwords… ugh. I would wager that passwords rank among many people's least favorite topics, but they are an integral part of life and therefore warrant discussion. Back in 2003 NIST published authentication guidelines for the US Federal government. Those requirements are largely responsible for password requirements for the last 15 years. In typical NIST fashion, the document is comprehensive and includes threat models, mitigations, and detailed requirements. For their purposes a password is referred to as a “Memorized Secret Token” and the relevant threats and mitigations are:

Stackoverflow.com and the SELinux poll

So, stackoverflow.com was released to public beta pretty recently and I must say I’m impressed. It looks like a great place to go to get tough programming (and other) questions answered. So, in order to give it a spin I posted the question “Do you disable SELinux?” It didn’t get nearly as many answers as “What’s your favorite ‘programmer’ cartoon” but I did get mostly good feedback. It seems like the audience on stackoverflow, in general, has seen the positive progress of SELinux, and many have chosen to keep it enabled (or even write policies and make it work for them).

SELinux on Ubuntu (part 1)

I’m in the process of moving my server from an ancient decrepit Gentoo install to a shiny new Ubuntu Hardy install with SELinux enabled.

Web browsers, security and Google Chrome

Securing web browsers has always been a little tricky. With so many web applications available today, including corporate intranet sites, email and so on, with confidential or proprietary information, it is always a bit troublesome that web browsers essentially run in one security domain. The last thing I want is for a teller at my bank to go to some site that ends up getting bank info from another tab.

Secure doesn't mean anything.

No, seriously. I’m not trying to be ironic because the title of my blog is “Brindle on Security”, which I should probably change to something more creative anyway.

During my tenure at Gentoo, running the Hardened Gentoo project, the most common question by far was “How do I secure my system?” Warning, this article may contain some flamebait, avoid it if you can’t resist flaming back ;) .

Eventually we gave up and just pointed people to websites, perhaps this post can serve as that page. The answer was “What do you mean ‘secure’ your system?” Security isn’t, and can’t be, a goal by itself. You need to know what exactly you are trying to protect yourself against, your threat model, as it were.

Why Blu-Ray scares me

Now that Blu-Ray has all but won the HD format war I guess it’s a little late to post this but oh well, I’ll do it anyway.

Disclaimer: I am an HDDVD owner but this post is not a result of bitterness about my chosen format losing. The reason I’m posting here about (among others) is the actual reason I chose HDDVD. I also don’t want to talk about the pros and cons of DRM or whether the DRM has been cracked and is accessible via other means. I am going to talk about the intentions of the format producers and what it means to consumers.

Misunderstanding UNIX security

I just got a comment on my post about path based access control that was fairly startling to me. The more I thought about it, though, the more I thought maybe others shared the beliefs so I’m going to respond to it here. inode-based security has analogous problems to path-based security. Software opens paths, not inodes, so it very much matters what the permissions are for the file at /etc/shadow or /var/data/mydb, regardless of what the inode happens to be.

Don't disable SELinux!

A while back I wrote a post on companies telling their customers to disable SELinux in order to get applications running and why this is a very bad thing. While I don’t see the situation getting better in the near term, I did see a blog posting today from an SAP employee about using SELinux with SAP. This made me happy. Since I don’t think his blog software uses trackbacks I’ll be contacting him to suggest some changes.

SELinux training

My employer, Tresys Technology, occasionally hosts an SELinux training class, many of which I’ve been the teacher for. The course outline and slides are available for free at http://tresys.com/selinux/selinux-course-outline.html but that isn’t what this post is about. I’ve been asked if I think many people would pay to take an online shorter version of the class if it were around $500. I wasn’t sure how to answer so I decided to ask the people that read my blog what they think.

The Future of SELinux (or how we are going to take over the world)

I’ve been talking to a few people about what SELinux might look like in a few years and the conversations have been fairly stimulating so I’m going to share some of the ideas here.

As you (hopefully) know, in my day job I work on the SELinux policy server, which, as far as I know, is the most forward-looking SELinux project around. Granted, all those forward-looking goals aren’t published on the site; hopefully we can remedy that at some point. So a lot of this is going to be centered around the policy server; other parts are just on my wishlist. Without further ado, let’s get started…