Upgrade, CARP, etc.
Posted by Norbert on Mon Mar 28 09:21 PHT 2005
From the "they called it bsd, and open because it's always free!" section
The holy week celebration is over, so it means vacation is over. Yay! I decided to upgrade our webserver and firewall box today. Thanks to the CARP protocol for giving me zero downtime while I'm in the process of upgrading. This neat protocol's really handy in times like this.
While upgrading, I also watched some HITBSecCon 2004 presentation videos. Some OpenBSD folks like Theo de Raadt and Jose Nazario are on the video.
By the way, I'm very tempted to pre-order the new Puffy wireframe t-shirt. It's a nice t-shirt.
NetBSD code on PSP
Posted by Norbert on Fri Mar 18 05:23 PHT 2005
From the "of course, it runs netbsd!" section
I got this information from Feyrer's NetBSD blog:
"Logix pointed me at the license of the Sony Playstation Portable
(PSP), which looks like a bunch of NetBSD code was used. Fun."
Looking at the license:
http://www.scei.co.jp/psp-license/pspnet.txt
It seems that the NetBSD networking code was used on the Sony Playstation Portable.
BSD Certification
Posted by Norbert on Wed Mar 16 19:23 PHT 2005
From the "bsd - powering the free and open net" section
I've just received an email from Irvin, thru the Philippine BSD Group mailing list, regarding the BSD Certification initiative. Its mission is to bring a BSD certification program that will be recognized as the industry standard for administering BSD systems. More information at:
http://www.bsdcertification.org
Although some people may disagree with this certification effort, I still want to see the progress of this project so I decided to subscribe to their mailing list :-)
Nvidia dlloader support
Posted by Norbert on Sat Mar 12 05:01 PHT 2005
From the "lin-lin-lin-linux" section
It's good to know that the new Nvidia driver for Linux now supports X.Org's dlloader.
So why do I need to use dlloader instead of the default elfloader in X.Org? I'm currently using the Hardened Gentoo profile on my Linux desktop which transparently enables SSP (a stack-smashing protection formerly known as ProPolice) and PIE (Position Independent Executable) on the compiler. PIE is needed to take advantage of the application base address randomization offered by PaX, without the ET_EXEC performance hit.
Unfortunately PIE breaks X.Org's elfloader since it does not resolve some relocatable symbols that are generated by the PIE enabled compiler. Aside from that, the elfloader also does not support GOTs (Global Offset Tables) which are used as data references of PIC (Position Independent Code) objects. As we can see, compiling X.Org with SSP/PIE is a PITA. Fortunately, there's the glibc loader, the dynamic loader which is available in almost any Linux distribution. And the dlloader is the interface to the glibc loader. However, some 3rd party drivers like Nvidia did not support dlloader, so I was forced to use X.Org's generic nv driver (which was slower - no other complaints :-).
But now, Nvidia has it. I can now use the official Nvidia driver on my Linux desktop with dlloader (though IMHO it's better for Nvidia to open up their drivers so that operating system developers and other interested developers can further improve and audit the driver code for potential bugs and security holes, and can possibly make the driver run on other architectures too :-).
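The ET_EXEC versus PIE distinction described in this post is recorded in a binary's ELF header and can be checked from there. The following is an added example, not part of the original post: `classify_elf` and `sample_elf` are hypothetical names, the sample images are constructed, and treating PT_INTERP as the mark of a PIE program is a heuristic.

```python
import struct

ET_EXEC, ET_DYN = 2, 3   # e_type values from the ELF specification
PT_INTERP = 3            # program header naming the dynamic loader


def classify_elf(data: bytes) -> str:
    """Classify a little-endian ELF image by how its load address is chosen."""
    if data[:4] != b"\x7fELF" or data[5] != 1:
        raise ValueError("not a little-endian ELF image")
    is64 = data[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    (e_type,) = struct.unpack_from("<H", data, 16)
    if is64:
        (e_phoff,) = struct.unpack_from("<Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    else:
        (e_phoff,) = struct.unpack_from("<I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)
    # p_type is the first 32-bit field of a program header in both classes.
    has_interp = any(
        struct.unpack_from("<I", data, e_phoff + i * e_phentsize)[0] == PT_INTERP
        for i in range(e_phnum)
    )
    if e_type == ET_EXEC:
        return "ET_EXEC: fixed base address"
    if e_type == ET_DYN:
        # Heuristic: an ET_DYN object that requests a loader is a PIE program;
        # without PT_INTERP it is normally a shared library.
        return "ET_DYN: PIE executable" if has_interp else "ET_DYN: shared object"
    return "other"


def sample_elf(e_type: int, phdr_types: list, is64: bool = True) -> bytes:
    """Constructed sample: a bare ELF header plus empty program headers."""
    ident = b"\x7fELF" + bytes([2 if is64 else 1, 1, 1]) + bytes(9)
    n = len(phdr_types)
    if is64:
        hdr = struct.pack("<16sHHIQQQIHHHHHH", ident, e_type, 62, 1, 0, 64, 0, 0, 64, 56, n, 0, 0, 0)
        return hdr + b"".join(struct.pack("<I52x", t) for t in phdr_types)
    hdr = struct.pack("<16sHHIIIIIHHHHHH", ident, e_type, 3, 1, 0, 52, 0, 0, 52, 32, n, 0, 0, 0)
    return hdr + b"".join(struct.pack("<I28x", t) for t in phdr_types)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, "->", classify_elf(f.read()))
```

Run as a script with one or more file paths to classify binaries on disk; only ET_DYN images can be relocated to a randomized base.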
OpenSSH 4.0 released
Posted by Norbert on Wed March 9 17:50 PHT 2005
From the "they decided to release it" section
I have just received this announcement on the OpenBSD announce@ list.
OpenSSH 4.0 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.
...
I have also noticed the new OpenSSH banner :-)
For more information, visit the OpenSSH website.
OpenBSD goes 3.7-beta
Posted by Norbert on Mon Mar 7 05:07 PHT 2005
From the "they called it bsd, and open because it's always free!" section
OpenBSD goes 3.7-beta, as the CVS log states:
CVSROOT: /cvs
Module name: src
Changes by: deraadt@cvs.openbsd.org 2005/03/06 17:06:00
Modified files:
sys/sys : param.h
distrib/miniroot: install.sub
etc/root : root.mail
share/mk : sys.mk
share/tmac/mdoc: doc-common
sys/arch/macppc/stand/tbxidata: bsd.tbxi
sys/conf : newvers.sh
Log message:
move to 3.7-beta
Another OpenBSD release is coming to town soon :-)
Is Windows really insecure?
Posted by Norbert on Wed Mar 2 06:31 PHT 2005
From the "misc. rants" section
I have read different comments, articles, and blogs regarding the poor security design of Windows compared to Linux, Mac OS X, or BSD. This may be true, maybe at least in the "default" setup, but let us also think why Windows users suffer from great security disasters like viruses, worms and spyware. Surely, some unknown zealots might say, "It's because Windows' design is not as secure as Linux, Mac OS X or BSD". But I have to ask them, "Is this really the fault of the operating system or the fault or ignorance of the user itself?"
In Unix, the user "root" is commonly used only to perform system specific administration and maintenance. Unprivileged accounts can always be added when needed. In contrast, Windows XP's default user has administrative privileges, just like running as "root" in a Unix system, which can surely put the account at risk when used for browsing, chatting with IRC friends, and other online activities. This is the main reason, in my opinion, why Windows is more prone to security disasters than any Unix-like operating system and this is what I meant when I mentioned the "default" setup earlier.
But let's take a look at it: we can always create a least privileged account on Windows that can be used for browsing and chatting, right? It's just like creating a normal account on any Unix-like operating system. In that sense, the security threat could be limited. Viruses can't simply infect the core system files and libraries, spyware can't simply write core registry values, etc. In fact, Internet Explorer also has a good security option called Zones, which can be used to block certain malicious scripts and permit only the known trusted sites. Windows XP also features a built-in firewall, which can be used to block unwanted traffic. And recently Microsoft released an anti-spyware tool, which (according to my friend, Teejay), effectively detects and eliminates known spyware.
You'll notice that upon installation of Windows XP Service Pack 2, you'll be reminded if you have no firewall, no anti-virus, etc. And although I haven't tested it yet, the 64-bit edition of Windows XP Service Pack 2 comes with a feature which takes advantage of AMD64's NX (No eXecute) bit. This is a proactive approach to security and I can't find this same kind of feature on some major Linux distributions (except of course if you're familiar with PaX).
To make the story short and to make your Windows browsing experience more secure, do not use accounts with administrative privileges when that account is not really needed. Anyone may argue with me that some applications require administrative privileges to run properly. Well, Windows has a feature called "RunAs" that almost works like "sudo" in the Unix world.
Instead of blaming Windows users when they're infected with viruses, trojans, and spyware because they're not using Linux, the more proper thing to do is to educate them. For example, we can tell them that surfing the web, chatting, downloading, etc. with administrative privileges is dangerous.
And NO! I am not advocating Microsoft! :-)