Wayne

Tags: knownGood

In this article I am just going to use GPL to refer to the GNU GPL version 2. The main articles leading up to this post are here, here and here.

The discussion is primarily around people being confused with the GPL and what is allowed under the license. The GPL is a license which states what is expected up front, if you comply with those terms then you do not need to contact the author for permission.

If you want to do something that is not authorized by the GPL a separate license is required from the author. This way the author is not bothered with people asking to use their software for pre-approved uses.

So what use is approved by default? Everything.

The GPL does not restrict how you use the software, the restrictions only take place when you want to distribute the software. This is the first area where people new to Open Source may get confused, usually a license tries to limit what you can do with the software once it is in your possession.

The second area of confusion is on what we call linking. The Free Software Foundation has a good FAQ page on this point, but I believe this is confusing if people lack a programming background. As an aside, the Free Software Foundation is the organization which maintains the GPL and holds license over a large body of GPL code.

Why does a programming background matter? The GPL was written in a time when C and C++ ruled the roost, it was also written mostly by a programmer (with the help of a lawyer).

If a person has programmed in C or C++ then the term linking has a specific meaning. However if you have only known higher level languages such as Ruby, Python or Perl, which do not have an explicit linking process, the term may seem more ambiguous. The GPL FAQ says in part:

If the modules are included in the same executable file, they are definitely combined in one program. If modules are designed to run linked together in a shared address space, that almost surely means combining them into one program.

By contrast, pipes, sockets and command-line arguments are communication mechanisms normally used between two separate programs. So when they are used for communication, the modules normally are separate programs. But if the semantics of the communication are intimate enough, exchanging complex internal data structures, that too could be a basis to consider the two parts as combined into a larger program.

Why does this matter? If, under the GPL, you link two programs together they must have compatible licenses. If one of them is GPL then the other must either be GPL or under a license that allows the same freedoms as the GPL, if it is ever distributed.

This is the cost of using GPL software. If the cost is too high, then you need to find some other software to build upon.

It is important to remember that this is only if you distribute the software outside your organization. If the software is used internally then the source code never has to be shared. However if you provide a copy to anyone outside your organization you must also make available the source code and they have the same rights as you do.

They can turn around and post that source code on the Internet if they desire, including your changes. They can also charge money for it, but they cannot use a trademark of yours. For example, I can download all of the code that comprises Red Hat Linux, but I can’t sell my version of that code as Red Hat Linux. I can re-brand the code and sell it under a different name though.

You also can’t add restrictions to the GPL, it wouldn’t be the GPL anymore. The GPL FAQ says in part:

You can use the GPL terms (possibly modified) in another license provided that you call your license by another name and do not include the GPL preamble, and provided you modify the instructions-for-use at the end enough to make it clearly different in wording and not mention GNU (though the actual procedure you describe may be similar).

The biggest problem I have seen with people being confused about the GPL is that they expect it to be more complex. Remember the GPL is a distribution license, it does not restrict how code can be used only the terms under which it can be distributed.

The main GPL FAQ answers a lot of questions and includes a quiz if you want to test your understanding of the GPL.

If I can clarify anything or you have questions please let me know.

TTFN,

Wayne

Tags: knownGood, GPL

This post was edited to clean up some spelling errors.

I was thinking to use OpenID as the authentication back end, then build the encryption layer on top of that. I am not sure how well this will work with GnuPG, since the ID will not be an email address but this seems like the best approach.

Permalink Tags: Programming, knownGood

Wayne

My money is on the startups.  In particular Telsa because of their choice to use technology that is already in wide production rather than create their own.  The main case where I have hard of this is the use of computer style batteries rather than typical car batteries.

While the big companies work to develop and control everything possible, smart startups are using the development and demand curve of other industries to lower costs.  This has the advantage of saving startups R&D on the basics, let anyone but Sony build the batteries, and Telsa can focus on other aspects of the electric cars.

This compounds a company like Telsa’s advantage, they do not have to worry about building, designing or manufacturing the commodity parts.  Instead they focus on taking those parts and creating something unique.

Now if only I could afford a Telsa…

Wayne

Permalink Tags: TerraPass Electric+Cars

The first applications we will talk about are firewalls, anti-virus, intrusion detection systems and malware scanners.

Firewalls

When talking about how firewalls work, I like to use a Traffic Officer as an example. Traffic Officers are there to enforce certain rules, they do not get to make up the rules but do have some flexibility with the how rules are enforced and interpreted. Some Traffic Officers watch from one direction, while others watch from multiple directions; if you violate the rules they will stop you and either write a ticket or provide a warning. It is possible to get a ticket and still continue on, but breaking some rules will get you arrested.

A firewall is just a computer Traffic Officer and operates the same way. Every firewall has a policy or set of rules that are to be enforced, the enforcement options will depend on the type of firewall:

Some firewalls only monitor network traffic originating outside your computer and attempting to get in. This is currently the default type of firewall for Microsoft Windows XP™.

Some firewalls monitor traffic originating at your computer and going out to the Internet in addition to traffic originating outside your computer attempting to get in. This is how Zone Alarm™ functions.

Some firewalls monitor your behavior in an attempt to warn you if they detect anomalous behavior. These firewalls attempt to learn from your past actions.

Depending on the type of firewall any attempt to access your computer from the Internet or for your computer to access the Internet will be checked against the current policy. Depending on what the rules are this attempt will either be allowed or blocked, a log entry may also be created for later reference.

The main purpose of a firewall is to block everything and only allow what you explicitly say is good. This approach works to protect you since the number of acceptable things you might do is easier to manage than all of the potential bad things that might be attempted against your computer.

This approach is the exact opposite of how an anti-virus program works.

Anti-Virus

The best analogy for an anti-virus program that I can think of is a warrant for someone’s arrest. Warrants are entered into a national database that anyone can search, if a match is found the individual is investigated and potentially locked up.

The national database of warrants only works if people keep the information accurate and current. The approach of having a database of “known bad” items which is constantly updated is how an anti-virus works.

There are two main types of anti-virus programs heuristic and non-heuristic.

Heuristic programs attempt to learn from your behavior. These programs will try to block based upon behavior and a database of known bad signatures. By scanning for behavior they hope to block new attacks before a specific signature is released.

Non-Heuristic programs only block based upon a matching signature. Signatures are excerpts that the anti-virus program looks for; if these are found they presume the virus is present.

Not all anti-virus programs support heuristic behavior and heuristic programs are not a guarantee of protection. Just like the database with warrants, an anti-virus program must be maintained. Most anti-virus programs have an option to automatically download new updates and this is usually turned on automatically.

The problem with non-heuristic anti-virus programs is that you can only know about a new virus after it has been released. The reason anti-virus programs must work this way is that all of the potential malicious code is smaller than all of the potential good documents and programs.

Malware

The term malware is commonly used to describe several different types of undesirable categories. The more common of these are spyware, adware, trojan horses, root kits, worms and virii.

Spyware is a software application that monitors behavior, the information collected is then sent to a remote location. The most common spyware applications do this to support advertising; by watching where you go on the Internet they can target better advertisements.

Adware is a term used to describe software that displays advertisements, usually pop-ups. Adware and Spyware will normally be found on the same system, working together to collect data and then show advertisements based upon the data collected.

Trojan horses are programs that attach to another program. The second program remains hidden and is typically not desired by the person installing the first program. By attaching the trojan to a trusted program the attacker hopes to slip it past your defenses.

Root kits are programs that fundamentally change how an operating system, like Microsoft Windows™ operate. For example, in November of 2005 Sony™ placed software on CDs of their clients. This software was automatically installed when the CD was inserted, changing how Microsoft Windows™ responded to certain files and inserting a security issue that a malicious person could use to completely take over the machine.

The root kit hid any file beginning with $sys$ from a user, this was done by re-writing portions of Microsoft Windows™ at a very low level.

Incidetially, this is why I will no longer purchase anything made by any division of Sony™, they can no longer be trusted.

Worms are programs that self replicate. A worm is similar to a virus with the exception that a worm does not need user interaction to spread. Because of this worms are harder to write and less common than a virus.

Virii is the plural form of virus. A virus is an executable program that often requires you to click on something to execute. Once the program is clicked on the program can do anything that you as a user could do. Typically these will either email everyone it can find, steal data from your computer or attempt to install a trojan or root kit on your system.

Intrusion Detection System

When thinking of an Intrusion Detection System (“IDS”) I like to reference guard dogs. Guard dogs are trained to respond to a specific set of circumstances and can respond in different ways. Sometimes they may just bark while other times they may attack or chase after someone.

It is important to train the guard dog well, or you might have a high rate of false positives or false negatives.

False positives are when an alarm is raised accidentally. If a smoke detector goes off but there really is no fire, this is false positive.

False negatives are when no alarm is raised, but there should have been one raised. If a smoke detector does not go off but there is a fire, this is a false negative.

An IDS is a program with a database of patterns to match, just like a non-heuristic anti-virus program. When the IDS detects one of these patterns it takes a specified action, sometimes it makes a log entry and other times it may take action to block the connection.

If an IDS has the ability to filter out traffic that is known to be bad it is often called an Intrusion Prevention System. The only difference between an IDS and an IPS is whether the application can filter out the attacks before they have a chance to take effect. The idea is that if you know something is bad, do not let it pass. The risk is that you might mistakenly block something legitimate because it looks bad to the program; a false positve.

Over the next few articles that follow we will begin talking about trust and a concept called transitive trust. After talking abut trust we will begin looking at applications and sites, how they can be used securely and the implied trust when using them.

I would really like to hear from any readers: Was this article helpful? Would you like more detail on a particular area? Is there any topic you want me to address in a future article?

-Wayne

Permalink Tags: Information+Assurance, Training, Security

Update: I fixed the tags.

The next article should be up in a couple of days.

-Wayne

Permalink Tags: knownGood

For many people computer security is all about programs that are running on your computer to prevent bad things from happening. What many people do not realize is that security is about processes not programs. A computer application is only as good as the person who wrote the program, the person who maintains the program or the person who implemented the program. The term information assurance is the same as computer security, it is a matter of preference.

If you consider a home alarm system it is important to have a trusted brand, someone install the alarms properly and turn on the alarm when you are not home. You may also want a periodic review of your alarm and procedures to follow in the event of a break-in, malfunction or suspicious activity. Why not take the same approach to computer security?

Before we can effectively talk about securing parts of the computer we need to establish some terminology, discuss how certain types of programs are supposed to work and why they are supposed to work that way. The terms we are going to talk about initially are risk, threat, risk assessment, CIA+2, firewall, anti-virus, malware and intrusion detection system. There are many more we will eventually talk about, but this will serve as a good starting point.

Risk and threat are related concepts, a risk is a potential problem inside your system and a threat is a potential problem outside your system. An example may help to clarify this concept.

If you are using a computer that is missing a patch, which can be taken advantage of, the missing patch is a risk. Not having the patch is something you can control and is inside your area of influence. If there is an individual on the Internet who attempts to use this missing patch to their advantage they are a threat, they are outside your control and area of influence.

Since nobody has an infinite supply of time or resources, which is more important to address, risks or threats?

In truth there is no easy answer, a good security program requires watching and mitigating both. This is the role different computer applications will perform, but these applications must be used properly for them to work properly. One of the worst things you could do with a security application is set it and forget it. Every application that you are trusting for protection should be monitored and when necessary replaced if it no longer provides the level of protection necessary.

So how do you determine what level of protection is necessary? This is where the term CIA+2 comes into play.

When we talk about CIA+2, this has nothing to do with the government agency, but with a series of concepts that are the key to information assurance and risk assessment. Originally CIA stood for confidentiality, integrity and availability at some point two additional concepts were added: non-repudiation and authentication.

Confidentiality

Confidentiality is about restricting who has access to something. Your medical records should be a confidential matter between you and your doctor. If anyone else has access to the information without your consent, you confidentiality has been broken.

Integrity

Integrity is about the condition of something. To continue the previous example, if your medical record has been altered by someone without authorization it no longer has integrity.

Availability

Availability is a matter of ensuring the data or services are present when needed.

Authentication

Authentication is when you need to prove who you claim to be, for example withdrawing money from a bank account. Once you have proven to the teller who you are they will withdraw money based upon your authorization. Authorization is the process of determining what you are allowed to do, once you have proven your identity.

Non-repudiation

I like to think of non-repudiation as a way to ensure accountability. There are ways I can put a digital signature on my email, from this point forward I cannot claim that the message was sent by someone else; it has my digital signature. This also works in the reverse, if I receive a message from someone with a digital signature; I know it came from them and will generally trust the message more. We will discuss digital signatures at a later time when we talk about encryption.

Knowing what CIA+2 represents, which of the concepts is most important?

The only honest answer is: “it depends, what are you attempting to protect?” This is where a risk assessment is used to determine what you are protecting, what value it has to you, and what the cost would be if it were altered, lost or copied. After thinking about these topics and having an understanding of the tools available to help, you will be better equipped to make a decision.

In the next article we will cover some of the more common programs designed to help with information assurance. We will not be covering specific products at this time, just the functionality and why these programs work a certain way. We will cover the tools first, then we will talk about different ways to apply these tools.

If you would like me to clarify anything or expand on a particular topic above please let me know.

-Wayne

Permalink

Tags: Information Assurance, Training, Security

Initially I was thinking to cover some basic terminology, best practices and then freely available applications like Firefox with security-related plug-ins. A big part of what I want to do is not to only talk about what should be done, but why it should be done.

I plan to start working on the first article tonight, if you have any suggestions on topics, Firefox extensions or other applications to cover please let me know either in the comments or via email. I have already decided that the first extension I cover for Firefox will be No Script and then probably Dr. Web.

-Wayne

Permalink

Technocrati Links: Information Assurance, Training, Firefox, Security

I plan to talk about a bit more than that this time, especially since I’m still in the desert. I usually travel quite a bit over here, but can’t write too much about my travels so there may be times when this place is a ghost town.

I’ll be working on the template for a little while to match the main site, things will almost certainly break.

-Wayne