2010-06-01

SOA-style security for linux

news.addn/security/soa for linux:

5.6:
OpenVZ is container-based virtualization for Linux .
. this is what could make linux
more secure than mac ?
5.13:
. another layer of security wouldn't hurt,
but openVZ is just the open engine for
a closed product from Parallels .
. Qubes has a complete open betaware isolation solution .

5.13: web:
Qubes is an open source operating system
designed to provide strong security for desktop computing.
Qubes is based on Xen, X Window System, and Linux,
and can run most Linux applications
and utilize most of the Linux drivers.
qubes-os.org/trac/wiki/SourceCode
qubes-os.org/gitweb/
qubes-os.org/trac/wiki/InstallationGuide
In the future it might also run Windows apps.
. critique at threatpost.com .

5.13:
Secure Virtualization Using SELinux (sVirt):
"(Crackers have already broken through the xen hypervisor,
as I documented in one of my previous blogs.

Adventures with a certain Xen vulnerability (pdf)
was just published which contains a Xen vulnerability
which allows a process in a virtual machine
to attack the host machine,
and SELinux is pretty much a speed bump in his way.
3.4
What actions are available for an uid 0 process
running in the system_u:system_r:xend_t:s0 context?
It turns out that default SELinux policy allows very few.
For instance, we cannot write to system configuration files,
nor load kernel modules.
However, qemu-dm processes also implement
virtual block devices for HVM guests,
and these devices can be backed by raw disk partitions.
In order to make it possible,
the default SELinux policy grants the xend_t domain
read-write access to all disk partitions.
The relevant lines in the SELinux reference policy
(from the default selinux-policy-3.0.8-44.fc8.src.rpm)
are:
storage_raw_read_fixed_disk(xend_t)
storage_raw_write_fixed_disk(xend_t)
Particularly, qemu-dm (so, the shell executed from it as well)
can write to the blocks on the root filesystem.
Through the use of the fixed disk, the attacker
is able to trick the host operating system
into loading kernel modules that can take over the machine.
If we had forced the users to label the physical disk partitions,
this vulnerability would not have been exploitable.
Lesson learned.
When it comes to virtualization going forward,
I plan on forcing the user to apply the correct labeling.
KVM/QEMU have nice process separation
and make confinement easier.
virt_manager and libvirt are being built with SELinux
understanding in them.
virt_manager will setup the labeling correctly
when virtual images are installed
and libvirt will make sure they run in the correct domain
when they are launched.
In the future we want to protect not only the host machine
from the virtual machines,
but the virtual machines from each other.
Watch for information on this in the future.

In conclusion,
as we move towards more widespread use of virtualization,
we should avoid making compromises in security
for the sake of usability,
but work toward making security usable.) .
Want to know how to make Linux really secure?
http://www.linuxsecurity.com/content/blogcategory/171/167/
Security Enhanced Linux (SE Linux),
a system of security policies developed by the NSA,
lets you secure Linux at every level from the kernel up.
Find out how EnGarde Secure Linux and others
build and maintain a truly secure server environment.

secure virtualization with MAC
selinuxproject.org/page/SVirt

2010-05-31

ubuntu lucid saves a fujitsu laptop

rev.addn/xuw/why linux on xpw didn't work:
5.10:
. I had linux on this laptop once before;
so, what were the problems that had me switching back?
. I couldn't get screen brightness down;
then I crippled the wifi trying to network with mac .
5.11:
. there are ubuntu pages for my new wifi card,
but that wasn't a problem if I didn't mess with networking .
http://ubuntuforums.org/showthread.php?t=1387483
http://www.backports.ubuntuforums.org/showthread.php?t=1353044

5.31: summary:

. ubuntu 10.04 (lucid) did find my laptop's wifi
and even the brightness -- a feat mac can't do
even with its own monitors! (imac 24") .

. I first tried the netbook version
and couldn't figure out why the menu's icons were so huge .
huge icons are great on an ipod touch,
but they were making me scroll
through a tiny menu!
. I got obsessive about rearranging the submenus
so that none of them would need scrolling .
. along the way I deleted any icons I didn't need;
duh, it was as if I'd actually deleted apps .
. after that I lost control of the gui
and couldn't even find a way to reach a terminal!

. I finally got back in there
after installing a 2nd ubuntu
(trying the desktop version this time);
when I went back in rescue mode
it would add a lightweight gui
where I could backup my bookmarks etc .

. the desktop edition with gnome windows
is really working well .
. there are several niceties that expect gnome:
mercurial distributed version control,
and a default login that was auto-starting my wifi
-- I lost the auto-start after switching
from gnome to xfce4 .
. the reason I switched is that when you do ctrl-tab
to switch between windows,
gnome does the huge flashy act
that gives me epileptic fits !
. I like the {mac, pc} style of just showing
an array of icons, not flipping through every window .
. but I'm definitely going back
for mercurial integration .

ubuntu's WYSIWYG web editors

web.addn/free html editors:
5.31: web:

>> Ubuntu >> Packages >> lucid >> web:

KompoZer WYSIWYG web page editing.
a complete Web Authoring System
that combines web file management
KompoZer is designed to be extremely easy to use,
making it ideal for non-technical computer users
who want to create an attractive, professional-looking web site
without needing to know HTML or web coding .

web based HTML WYSIWYG editor
TinyMCE is a platform independent web based
Javascript and HTML WYSIWYG editor control
released as Open Source under LGPL
by Moxiecode Systems AB.
It has the ability to convert HTML TEXTAREA fields
or other HTML elements to editor instances.
TinyMCE is very easy to integrate into
other Content Management Systems.
* Easy to integrate, takes only two lines of code.
* Customizable through themes and plugins.
* Customizable XHTML 1.0 output.
* Block invalid elements and force attributes.
* International language support (Language packs)
* Multiple browser support, Mozilla, MSIE, FireFox, Opera and Safari
. version 2 of tinymce is the older version .
the google web app way -- openware:
www.openwebware.com/
. a free cross-browser WYSIWYG editor
that's packed with every rich-text editing feature
you need to make your content management system
that much better.

Setting up openWYSIWYG is so easy,
you can quickly turn any html`textarea
into a powerful WYSIWYG editor
with just a few simple lines of code.

Packed with every rich text editing feature you need,
openWYSIWYG gives you total control over formatting your text.
The ultimate html`textarea replacement
for your content management system.
Coded Entirely in JavaScript
Regardless of what language you use to code your web applications,
openWYSIWYG will work.
openWYSIWYG is coded entirely in client side JavaScript,
so it will work with any web programming language .
other tools

Text-to-HTML conversion tool
Markdown is a text-to-HTML conversion tool for web writers. It allows you to write using an easy-to-read, easy-to-write plain text format, then convert it to structurally valid XHTML (or HTML).

Macro processor for HTML documents
Mp4h is a core component of the Website Meta Language (WML).
Mp4h is a macro processor for HTML documents,
with powerful programming features.
It allows definition and expansion of new tags
with a syntax familiar to HTML authors.

off-line HTML generation toolkit
WML (Website META Language) is a
free and extensible Webdesigner's off-line
HTML generation toolkit for Unix.
WML consists of a control frontend
driving up to nine backends
in a sequential pass-oriented filtering scheme.
Each backend provides one particular core language.
For maximum power WML additionally ships with
a well-suited set of include files
which provide higher-level features
built on top of the backends' core languages.
While not trivial and idiot proof
WML provides most of the core features
real hackers always wanted for HTML generation.
Homepage: www.thewml.org/

Content management platform to maintain complex web sites
WebGUI is a content management platform based on
Apache, mod_perl and MySQL,
built to allow average business users
to build and maintain complex web sites.
It is modular, pluggable, and platform independent.
. get some detail$ . no mention of wysiwyg .

pretty print html
hindent

error-tolerant HTML parser for Python
The BeautifulSoup class turns arbitrarily bad HTML
into a tree-like nested tag-soup list of Tag objects
and text snippets.
A Tag object corresponds to an HTML tag.
It knows about the HTML tag's attributes,
and contains a representation of everything contained
between the original tag and its closing tag (if any).
It's easy to extract Tags that meet certain criteria.

HTML syntax checker and reformatter
Corrects markup in a way compliant with the latest standards,
and optimal for the popular browsers.
It has a comprehensive knowledge of the attributes
defined in the HTML 4.0 recommendation from W3C,
and understands the US ASCII, ISO Latin-1, UTF-8
and the ISO 2022 family of 7-bit encodings.
In the output:
* HTML entity names for characters are used when appropriate.
* Missing attribute quotes are added, and mismatched quotes found.
* Tags lacking a terminating '>' are spotted.
* Proprietary elements are recognized and reported as such.
* The page is reformatted, from a choice of indentation styles.
Tidy is a product of the World Wide Web Consortium.

check websites and HTML documents for broken links
linkchecker-gui

Makes an HTML site map from meta tags from other HTML pages
This Python script reads the META DESCRIPTION tags
from all HTML files under a directory
and generates a site map from them.
It can be easily configured with a simple dotfile.

5.21: about.com's take:

Aptana Studio Community edition:
"( Instead of focusing on the HTML,
Aptana focuses on the JavaScript
and other elements that allow you to create Rich Internet Applications.
One of the things I really like
is the outline view that makes it really easy to visualize the DOM.
This makes for easier CSS and JavaScript development.
If you are a developer creating Web 2.0 applications,
Aptana Studio is a good choice.)
5.31: not easy to find:
. for linux as app or eclipse plugin;
but not installable by ubuntu .

Screem:
"( Screem is a versatile text Web page editor and XML editor.
It recognizes the Doctype you're using
and validates and completes tags based on that.)
5.31: Screem ubuntu lucid download is missing:
--. for hardy but not lucid (the current release)
"(Unlike most other web site / HTML editors
SCREEM does not provide a WYSIWYG display of pages.)

linux vs bsd security

5.20: web.addn/laptop`os selection:

. win'xp is just too bogged down with security issues,
so I'm going for a more secure os,
one that doesn't rely on disruptive anti-malware,
and won't run my laptop's fan so hard .
. as long as I'm making the move for security,
is bsd better than linux ?
review freebsd, vs openbsd, vs TrustedBSD .

. gui for openbsd?
openbsdsupport.org/desktopOBSD.html

. wiki for sec'focused os .
Security-focused_operating_system

. TrustedBSD -- cap'based sec
en.wikipedia.org/wiki/TrustedBSD
TrustedBSD is a sub-project of FreeBSD designed to add
trusted operating system extensions, targeting the
Common Criteria for Information Technology Security Evaluation
(see also Orange Book ).
fine-grained capabilities .
-- access control lists are known to be confronted with
the confused deputy problem,
capabilities are a different way to avoid this issue.
. ported the NSA's FLASK/TE implementation from SELinux
. OpenBSM, an open source implementation of Sun's
Basic Security Module (BSM) API and audit log file format,
supports an extensive security audit system.
While most components of the TrustedBSD project
are eventually folded into the main sources for FreeBSD,
many features, once fully matured,
find their way into other operating systems.
For example, OpenPAM and UFS2
have been adopted by NetBSD .
. the TrustedBSD MAC Framework
has been adopted by Apple for Mac OS X .
Much of this work was sponsored by DARPA .

Ubuntu security
Ubuntu is the most popular Linux distribution,
and is built with security and protection in mind.
While the desktop version of Ubuntu provides a GUI,
the server version avoids that
added security vulnerability.
[todo: what's the diff?]
Ubuntu developers made a deliberate decision
to disable the administrative root account:
it has been given a password which
matches no possible encrypted value,
so it cannot log in directly by itself.
This makes the system very secure,
as the only way to get root privilege
is to use the "sudo" command.
Moreover, AppArmor is installed and loaded by default.
It uses profiles of an application
to determine what files and permissions
the application requires.
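The "password that matches no possible encrypted value" claim above is a check a practitioner can make on any host. As an added example, not Ubuntu's own tooling, the Python below classifies each shadow entry's password field as locked, hashed or empty and reports whether root could be logged into directly; the shadow lines are constructed samples, and the crypt prefixes ($1$, $5$, $6$, $y$, $2a/b/y$) are assumed to be the standard ones.

```python
"""Classify /etc/shadow password fields; added example, not Ubuntu's code."""
import re

# Values that lock an account outright ('!' and '*' are the common ones).
LOCK_MARKERS = {"!", "*", "!!", "*LK*"}
# Shape check only: "$id$..." with a known crypt identifier (MD5, SHA-256,
# SHA-512, yescrypt, bcrypt). Anything else cannot equal crypt() output.
VALID_HASH = re.compile(r"^\$(1|5|6|y|2[aby])\$.+")

# Constructed sample shadow file: root locked as the paragraph describes,
# alice with a usable hash, bob locked with passwd -l (hash kept behind '!'),
# svc with a yescrypt hash, and an account with an empty password field.
SAMPLE_SHADOW = """\
root:!:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
alice:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUV:18000:0:99999:7:::
bob:!$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUV:18000:0:99999:7:::
svc:$y$j9T$saltsalt$hashhashhashhashhashhashhashhash:18000:0:99999:7:::
empty::18000:0:99999:7:::
"""

def classify(password_field):
    """Return 'locked', 'hashed', 'empty' or 'unknown' for one password field."""
    if password_field == "":
        return "empty"      # no password set: the riskiest state, may allow login without one
    if password_field in LOCK_MARKERS or password_field.startswith("!"):
        return "locked"     # a leading '!' keeps the old hash but can never match
    if VALID_HASH.match(password_field):
        return "hashed"     # a real hash: direct password login is possible
    return "unknown"        # not crypt() output, so effectively locked; worth a look

def audit_shadow(text):
    """Map account name -> classification for every non-blank shadow line."""
    result = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        result[fields[0]] = classify(fields[1])
    return result

def root_can_login_directly(text):
    """True if root's field is a usable hash or empty, i.e. not disabled."""
    return audit_shadow(text).get("root") in ("hashed", "empty")

if __name__ == "__main__":
    for user, state in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{user:8} {state}")
    print("root direct login possible:", root_can_login_directly(SAMPLE_SHADOW))
```

To run it against a live system, read `/etc/shadow` (root-only) and pass its text to `audit_shadow`.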

an openbsd server admin goes to Ubuntu's
JeOS
(Just Enough Operating System):
. linux was more of a security threat back then .
"( Ubuntu JeOS is a version of Ubuntu that has
an optimized VMWare kernel. (50MB or so)
. the packaging system didn't require me to install
X11, TCL, Ruby, PHP, or MySQL for my server setup.
I was able to get just the tools I needed.) .

2010-05-18

ms' xp malware prevention is worse than malware!

4.15: mis.addn/xpw.security essentials/so slow and rude!:
. annoyed at speed hit,
consider removing sec'essentials real-time process monitoring .

4.27: mis.add/xpw/lcd is slow to light up:
. lcd is slow to light up;
a coincidence with this problem was that
skype had to check for msg's
and found one to download .
. this may have given the anti-virus
a lot to think about .

4.30: mis.addn/xpw/ms'worse than the virus:
. the xpw is just wildly ignoring me
.. to run my hd into the ground!?
then it takes so long
and something I asked it to start 5min ago
it uses that request to surprise-interrupt my editor's input!
. ms is stupid or abused
-- what a nut house they are!

5.18:
. I keep recalling ms`ceo on the stage
jumping up and down, ranting:
"(developers, developers, developers!)
. ms was forced to throw security into the gutter
trying to remain backwards compatible
even for developers who
flagrantly cheated the interfaces -- the
boundaries that could have defended security .

komodo editor NoneType object has no attribute textLength

mis.addn/xpw.komodo/
shawn-cook's mindware) for dev.unix`security
4.10:. I was transferring a section of text
from a log-file to a subj-file,
-- see co.net/knol/
shawn-cook's mindware for dev.unix`security
below -- then komodo editor said
it could not save the subj-file:
error saving 'co.net 1004.txt'
it gave the following error report
for sending as bug report,
and then all the other open files
were starting to be listed as unknown .
5.18:
. I wonder if this could be caused by my buggy keyboard
injecting a random null or control code into a string?
AttributeError: 'NoneType' object has no attribute 'textLength'
Exception: AttributeError: 'NoneType' object has no attribute 'textLength'

Traceback:
save@vieweditor:957
anonymous@chrome://komodo/content/views.js:2014
anonymous@chrome://xtk/content/controller.js:91
anonymous@chrome://komodo/content/views.js:1385
[anonymous]@null:0
command_doCommand@chrome://komodo/content/library/commands.js:280
command_doCommandAsync@chrome://komodo/content/library/commands.js:234
anonymous@chrome://komodo/content/keybindings/keybindings.js:2068
anonymous@chrome://komodo/content/keybindings/keybindings.js:2068
anonymous@chrome://komodo/content/keybindings/keybindings.js:2224
anonymous@chrome://komodo/content/keybindings/keybindings.js:2122

Komodo Edit, version 5.2.3, build 4312.
Built on Wed Nov 18 19:49:30 2009.

bugs.activestate.com
komodo-feedback@activestate.com
4.10: aq.addn/activestate.com`komodo/
[AttributeError: 'NoneType' object has no attribute 'textLength']:
summary:
[AttributeError: 'NoneType' object has no attribute 'textLength']
description:
[!] '10.4.10: mis.addn/xpw.komodo/shawn-cook's mindware for dev.unix`security

Bug 86587 has been added to the database
Email sent to:
EricP@ActiveState.com, dev-komodo@activestate.com
Excluding:
dr.addn@gmail.com
http://bugs.activestate.com/post_bug.cgi
4.8: co.net/knol/shawn-cook's mindware for dev.unix`security:
(//knol.google.com/k/shawn-cook/
the-atomic-panacea/2bikvz4o16j7f/2#)

date Thu, Apr 8, 2010 at 6:08 PM
subject Shawn Cook has submitted a knol to the
moderated collection: dev.unix`security

Shawn Cook has submitted THE ATOMIC PANACEA
to the collection: dev.unix`security.
You can review some or all of the pending changes here:
. that knol is?

THE ATOMIC PANACEA SCRIPTING LANGUAGE
This is MINDWARE for serious programmers
THE ATOMIC PANACEA
Programming Language
Infinite anything. Super creative. Awesome forces. Prove miracles.
Cure anyone. Process logic. Atomic brain. Hero powers. Future
charts. Hack root ip. Smart science. Into mystery. Paragon crunch.
Actual truth. Trudge muck. Real dreams. Draw embryo. Cosmic anchor.
Realize dots. Learn words. Invent symbols. Self onslaught.

name: #attempt
usage: #attempt x
desc: try your very best to achieve x
desc: do all you can to solve x and hope it is enough
div: best try/important goal=optimal attempt
whois?
Programming, analog/digital electronics, writing text files,
recording music, artwork, making tutorials, science,
developing the panacea.
other knols?
SCARLET PANACEA
COMBAT SCRIPTING
The Scarlet Panacea Combat Scripting is a premium
programming language designed to shine a new light
on the mind and its reasoning potential. When
we use our mind as a computer it may unleash
experiences and perceptions beyond understanding.
When we make programs for the great and mysterious
mind we are creating MINDWARE.


wrestling with facebook apps

4.2: proj.addn/net.facebook.familylink
mom and ellen:

. part of facebook is an app familylink
-- so I can link to fam wo calling them friends!
send familylin.com relative request to
any facebook friends that are also family .
. familylink does some completely monstrous scripting!
it has a dialog window that keeps minimizing
so I can't respond to it! ??
ask chrome to do it !!
ok .
. try to get more contacts;
strangely its search for facebook users
only works if they're already signed up to familylink
or if you give their email ? don't do that .

. maybe I should tell all my relatives
that it's available;
then I would need to waste time
seeing if it worked in their browser too (safari) .
. I got 2 of them linked up,
maybe they can help move the idea .

using links it knows:
. going back to clagget's page
where I first saw the family app,
I notice one facebook friend is using the service
and from there I can see
that if you know the person,
then their fam list acts like a friends list,
but it's unstable:
sometimes it takes you to their facebook page,
and other times -- even for the same person --
it just takes you to your own fam page .

gathering links:
. requested familylink additions by
familylinks related to a facebook friend
who are also my family: heidi, art .
. added familylinks to any family I could reach
via facebook {family, friends} of friends:
maya, monet, eliot, maria, edie, sarah,
and marge herself .
-- prev'ly done are: ellen, mom .

4.3: mis: what a clunker!:
. every fam member is listed as I suggested
except mom, now I don't see any way to
identify her relation;
it prefers to wait for her confirmation?
it accepted ellen's labeling as cousin .
. added dad as divorced to mom
but not as linked into facebook .
. when you add a relation by drag,
then if the gui stops working (cursor disappears),
then up at menu of page, try switching view;
then the redraw recoordinates everything .
. all the facebooks in familylink are treed now
adding some nodes that are not in facebook:
sally, mom's parents, art french .
[5.18: art french is on facebook a while now]

4.3: mis: gui mystery:
. how do I get a family-link box
on the side of my facebook page?
easy to remove most boxes ... .

4.3: proj: gathering links/miles french:
. added mom`miles french as cousin once removed .
4.3: proj: gathering links/megan strand:
. is there any way to update ellen's relation?
[her familylink shows no relation until she ok's it;
but she ignored the invite .]
. added mom`sister`megan strand as cousin once removed .

4.2: proj.addn/net.facebook.circlefriends:

Welcome to Circle of Friends! To: New Users! Thanks for signing up for Circle of Friends,
the best way to organize your friends based on
why they're important to you.
To help you get started,
we've created two ways to organize your friends.
Try them both and see which one works best for you.
Create a New Circle is pretty straightforward...
it lets you name a circle
and put your friends in it.
Suggested Circles searches through your friends' profiles
to find people with similar interests or backgrounds.
Browse through them to find the circles that are right for you!
To allow for easy access to your circles,
when you go back to your profile,
find the application and drag it
to the top of your profile page.
Enjoy!
Mike, Ephraim, and Ben
The Circle of Friends Team
If you like the application, click here to become a fan. It is easy!
If you have any suggestions on
how we can improve the application
(like what you want to add to each circle page
or things you would like to share with different circles),
feel free to start a discussion on it.

start a discussion#is this betaware?:
. some of the time when you choose an icon
the selection is ignored;
and other times it doesn't stick,
instead being replaced by the generic close-friends icon .
. I'm using chrome on mac .

I con icons!:
. used circle of friends app to org friends into contexts:
Magruder High School 1978
Norbeck Meadows, Rockville, Md, USA
Wash.DC, USA 1970's
Torrance-Winter family
. getting this circlefriends app to work was such a pain!
. half the time the icons weren't as expected,
then you understand why when it warns you that what you upload
should be owned by you
and, not be a copy of trademarks like simpson cartoons .
. they're showing you a bunch of
what they already know is owned!
5.18:
. the stupidest thing about that app
is that the face icons look just like facebook friends
but they are not hyperlinked to a popup
that would introduce the face's public info .

4.2: mis.addn/net.facebook/comments do stick:
. not sure why my comment to allen's didn't stick,
but I reposted it directly on his page .
. oh, now I'm seeing both posted on my page,
so, I'm deleting the first one,
since it had a syntax error .

4.3: mis.addn/facebook`profile.tab/
sidebar's [create a profilebadge
]

. I was hoping a "(profile badge)
would let me move my friends.tab to a sidebar box;
but it did offer a pleasant surprise:
it let me add a facebook splash to my blogger.com sites .

2010-03-28

Jon Justice sneers at sure justice

3.24: news.pol/jon justice sneers at sure justice:
. ironic how Jon Justice radio show
sneers at sure justice:
speeder-catching cams are
"(the gov't watching you!)
. but perhaps the real point is that
speed limits are an obnoxious democracy
imposed where consensus could have worked:
e.g., consensus would be where
your taxes pay for the roads with
the speed*mass you want:
. the most practical way is to
restructure our city planning
as gated communities that minimize commuting
by use of work-based residences .
. everything you need can be biked to
or trucked in with an internet sale .
. the shop docks are at the wall to minimize truck traffic,
the walls are composed of doughnut strip malls .
. then people can drive between these gated communities
at any speed they want .