security

Sep 23 20:14

Some people just don't get it

I mean, we are heading towards 2010, some of us have been using Open Source for decades, the Open Source vs Free Software discussion was like last millennium, and we've been doing open source consultancy for over a decade, yet today companies still think their customers are stupid.

Fancy this story on ZDNet today.. there's actually companies out there claiming that "Bind", because of its FreeWare nature, yes that's right, you've read FREEWARE (hadn't heard that word for over 5 years..), is less secure than their proprietary offering in the Cloud. So the very nature of their Secure product is offering Security by Obscurity in an insecure environment.

The sad part is that they probably get customers that believe their story, after all it's hosted in the Cloud.. so it must be good, not?

Oh well... James McGovern had a nice comment on that earlier today:

"The goal of the security market is to make money, not to ensure the customer's security"

I'll keep my security infrastructure Open, thank you very much.

But after all, everything is a fine DNS problem...

May 15 19:16

Fun with Google Docs Urls

I'm not a big user of docs.google.com, but occasionally I use it to share a public document to work on with friends or colleagues.

So we have this spreadsheet we're sharing with some family and friends to swap Disney stickers. Google Docs has the option to publish that document publicly as html for others to view.

So I tried, and it generated me a very nice URL:

http://spreadsheets.google.com/pub?key=rtlvf2-JSU1Pw-oPtuIZBPg&output=ht...

My sleepy eye caught the A1:C300 ending part.. which was generated by the friendly popup that asked me if I wanted to show all sheets, or just a range of the page.

Dare I paste that URL into another browser and change the range? Like changing the range from A1:C300 to A1:D300?

Surprise, surprise.. that worked! I could perfectly see the content of the other cells.

Apart from pointing to the Google API, the popup doesn't really mention that publishing only a range won't restrict the actual viewing of the other data.

I can imagine some less technically savvy people expect the rest of their data to be secure... Well, it obviously is not!
Not sure if Google does this on purpose, or by accident.

If it stops working next week it was by accident :)
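
The behaviour described above, as an added illustration (not Google's code): a toy export handler that trusts the range in the URL, next to one that checks the request against the range the owner actually published. The key, the sheet contents and all function names are constructed for this example.

```python
import re

# Constructed example data (hypothetical): the range the owner chose to publish,
# stored server side, and a sheet with one extra column outside that range.
PUBLISHED_RANGES = {"demo-key": "A1:C300"}
SHEET = {"A1": "sticker", "B1": "owner", "C1": "count", "D1": "phone-number"}

_CELL = re.compile(r"^([A-Z]+)([1-9][0-9]*)$")


def col_index(col):
    """Convert a column label like 'A' or 'AB' to a 1-based column number."""
    n = 0
    for ch in col:
        n = n * 26 + (ord(ch) - ord("A") + 1)
    return n


def parse_range(rng):
    """Parse an A1-style range such as 'A1:D300' into (col1, row1, col2, row2)."""
    start, sep, end = rng.partition(":")
    m1, m2 = _CELL.match(start), _CELL.match(end)
    if not (sep and m1 and m2):
        raise ValueError(f"bad range: {rng!r}")
    c1, r1 = col_index(m1.group(1)), int(m1.group(2))
    c2, r2 = col_index(m2.group(1)), int(m2.group(2))
    if c1 > c2 or r1 > r2:
        raise ValueError(f"bad range: {rng!r}")
    return c1, r1, c2, r2


def cell_in_range(cell, rng):
    """True if a single cell address lies inside the given range."""
    m = _CELL.match(cell)
    c, r = col_index(m.group(1)), int(m.group(2))
    c1, r1, c2, r2 = parse_range(rng)
    return c1 <= c <= c2 and r1 <= r <= r2


def export_vulnerable(key, rng):
    """The behaviour the post describes: the URL's range parameter is trusted."""
    if key not in PUBLISHED_RANGES:
        return None
    return {c: v for c, v in SHEET.items() if cell_in_range(c, rng)}


def export_hardened(key, rng):
    """Serve a range only if it lies entirely inside what was published."""
    published = PUBLISHED_RANGES.get(key)
    try:
        rc1, rr1, rc2, rr2 = parse_range(rng)
        pc1, pr1, pc2, pr2 = parse_range(published or "")
    except ValueError:
        return None  # unknown key or malformed range: refuse, do not guess
    if not (pc1 <= rc1 and rc2 <= pc2 and pr1 <= rr1 and rr2 <= pr2):
        return None  # requested cells fall outside the published range
    return {c: v for c, v in SHEET.items() if cell_in_range(c, rng)}
```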

Mar 16 2009

Security in Belgium

With reports about Belgium being the 3rd most insecure country in the world, only being beaten by Russia and China, and our nice country featuring in Wired with what could be the plot for Oceans 17...

Maybe it's time to refocus my career a bit more on security again ...

Just maybe ...

Mar 01 2009

Conference Time

Grab your calendars and mark the following dates :

  • T-Dose 2009 will be held on 3 and 4 October in Eindhoven again.

    Last year we had a nice Drupal track, some great MySQL talks, a great unplanned Cloud talk, and different other interesting talks, so this year promises to be very interesting as well.
    (PS. Drupal themers.. you might want to propose a new theme for the T-Dose site, who knows, you might even win something)

  • For the first time, 2009 will be the year that Belgium will have its own Security Conference. BruCon has just announced Christofer Hoff as a keynote speaker; BruCon will take place on 18 and 19 September... obviously in Brussels ;)
  • While we mention VirtSec, I obviously should plug my own upcoming VirtSec talk at the LSec Secure Virtualization seminar next Friday the 13th.

Feb 11 2009

Codebreakers

@fredegre sent me a mail to tell me about the L-SEC Codebreakers and Enigmas Special Event; given the lineup I couldn't resist registering for the event..

Security heroes like Bruce Schneier, Adi Shamir, Ron Rivest and of course our local experts...

Should be interesting.

Cya there ..

Jan 18 2009

How to suck at Security

There is this great post over at sans.org, Teaching people how to suck at Security (actually a reprint of this post).

Especially the remarks about security tools..
On how not to implement them, or how to neglect configuring them, after all the default values must be secure enough.

However, my favorite:

Hire somebody just because he or she has a lot of certifications.

I'd write Vendor Certifications however.. as independent certifications might have some use.. but if I'm looking for a security guy and he starts talking to me about his product certifications, something is wrong..

Remember, security is a lifestyle, not a product you can buy..

Jul 10 2008

Major DNS Update

A lot of discussion is going on around yesterday's major DNS upgrade push.
Is it needed, is it overkill, are we fixing a new hot flaw or just reiterating over a 4 year old RFC?

Yes, Dan from djbdns already told us ages ago.. but Dan isn't the most loved person on the planet. Now as long as he doesn't head in the direction of that other unpopular filesystem guy :)

Anyhow.. CVE information is here and you can read up on some more background at Securosis.

Add to that the fresh release of Unbound, and security is back in style, just like Chris Hoff said during the VirtSec debate:

“To me, security is like bell bottoms, every 10-15 years or so, it comes back into style.”

Jun 05 2008

VirtSec, a real problem, or surfing on the hype?

Yesterday I took part in an interesting conf call with different Virtualization Security industry leaders and analysts.

I'll be processing the conf call logs and publish them over at Virtualization.com.

May 28 2008

OpenID

I'm getting second thoughts about OpenID.

Here's why.

Feb 25 2008

Do you trust your current DNS server?

Darkreading has a report on the next big DNS threat according to Paul Mockapetris: DNS corruption. When a user connects to his ISP, or to a WiFi port, certainly a free one, he has absolutely no idea about the state of the DNS server.

So a user working off a public WiFi port, for example, is at the mercy of the DNS servers it uses, which "could easily be malicious."

Indeed, it might be hacked, it might be modified on purpose, pointing your browser to some site totally different than the one you want.. while you're not expecting it.

Anyway

  [sdog@mine ~]$ cat /etc/resolv.conf
  nameserver 127.0.0.1
