Wednesday, November 29, 2006

Hans Reiser

According to this article in the San Francisco Chronicle Hans Reiser pled "not guilty" to the charge of murdering his wife. This isn't particularly exciting news as all previous indications were that he was going to do so.

However one noteworthy fact from the article is that they are setting up an education fund for his children. Regardless of whether Hans is convicted or not, his children will still be in a bad situation and in need of assistance. While there are plenty of other worthy charities needing donations, if you are considering donating towards a Linux related cause then you might want to consider the children of a kernel coder.

Monday, November 27, 2006

when you can't get along with other developers

Many years ago I was involved in a free software development project with write access to the source tree. For reasons that are not relevant to this post (and which I hope all the participants would regard as trivial after so much time has passed) I had a disagreement with one of the more senior developers. This disagreement continued to the stage where I was threatened with expulsion from the project.

At that time I was faced with a decision, I could have tried to fight the process, and I might have succeeded and kept my position in that project. But doing so would have wasted a lot of time from many people, and might have caused enough productivity loss for enough people to outweigh my contributions to the project for the immediate future. But this didn't seem very productive.

So I requested that my write access to the source tree be removed as I was going to leave the project and unused accounts are a security risk.

I never looked back, I worked on a number of other projects after that time (of which SE Linux is one) and the results of those projects were good for everyone. If I had stayed in the project where things weren't working out then it would have involved many flames, distraction from productive work for everyone, and generally not much good.

The reason I mention this now (after many years have passed) is because in another project I see someone else faced with the same choice I made who is making the wrong decision. The people who are on the same private mailing list as me will all know who I am referring to. The individual in question is appearently suffering health problems as a result of stress caused by their inability to deal with the situation where they can't get along with other people.

My advice to that person was to leave gracefully and find something else to work on. If you don't get along with people and make a big fuss about it then they will only be more glad when they finally get rid of you. Running flame-wars over a period of 6 months to try and get accepted by a team that you don't get along with will not do any good, but it will convince observers that removing you is a good idea.

Sunday, November 26, 2006

supporting an electrion campaign

Yesterday I handed out "how to vote" cards for the Greens at the state election. It did seem to be a significant waste to have so much paper produced. Slightly more than half the voters who visited my polling booth took cards from all parties, which was obviously of little use. There is some useful information to be gained from reading the cards from all parties, but nothing that you can analyse during the short period spent waiting in line. I expect that most people decide who to vote for before they get anywhere near the polling booth and just accept the cards because they feel that it may be rude to reject them. While ironically some people who didn't like the Greens refused to accept a card from me and told me that they didn't want it with the impression that they would offend me, I'd rather save the trees and not give cards to people who don't want to use them...

I spoke to a representative of the Family First party who tried to convince me that the Greens should be against homosexuality because the Greens are "against unnatural things", he also claimed that people who choose not to have children (being gay is apparently choosing not to have children) are selfish - unless of course they are a celibate priest. He also managed to offend a supporter of the ALP in two different ways which led to an amusing heated debate and then left before I could have any more fun. For the reference of other Family First people, I've pasted in the dictionary definitions of "homo" and "hetero", when used as prefixes those Greek derived words mean "like attracting like" and "opposites attract". An example of such usage is the term "homo-charged electrets" used in electronics.

From The Collaborative International Dictionary of English v.0.48 [gcide]:
Hetero- \Het"er*o-\ [Gr. "e`teros other.]
A combining form signifying other, other than usual,
different; as, heteroclite, heterodox, heterogamous.
[1913 Webster]

From The Collaborative International Dictionary of English v.0.48 [gcide]:
Homo- \Ho"mo-\
A combining form from Gr. "omo`s, one and the same, common,
[1913 Webster]

From Bouvier's Law Dictionary, Revised 6th Ed (1856) [bouvier]:
HOMO. This Latin word, in its most enlarged sense, includes both man and
woman. 2 Inst. 45. Vide Man.

The ALP (usually known as Labor) supporters had unfortunately believed the lies of their own apparatchiks. They were convinced that the Greens were directing preferences to the Liberal party, even though in most districts the Greens actually directed preferences to the ALP! The only exceptions were a small number of districts with split preferences (favoring neither Liberal nor ALP). It continually amazes me that while helping the ALP they were attacking us! Once I showed the ALP supporters the cards I was distributing they became quite friendly, as the Greens had a very low chance of winning the lower house in the districts for the polling place in question the preferences would go to the ALP.

It was interesting to talk to a Liberal supporter, he supports the workplace reforms implemented by the Federal government (Liberal) because he was hired for his current job because his employer can easily get rid of him if the business has a down-turn. It is hard to argue with someone who has only got a job because of the policy in question, but I did point out that continuity of employment is a major factor when applying for a mortgage. I recently bought a house and had a significant amount of hassle from the banks due to the fact that I work as a contractor. I had previously enquired about borrowing twice as much money while at my last permanent position and had much fewer problems from the banks.

I mentioned some of the other bad things the Liberal government has done (such as invading Iraq for no good cause), but the Liberal supporter was too sensible to comment on any of the issues where he would only lose. This however left him with not very much to say.

Most of the work of handing out the cards was quite boring and very tiring. Fortunately a friend decided to visit and help out so there were three people handing out Greens cards instead of the scheduled two which made it easier work. The ALP apparently had four people which seems to be an optimal number as there were voters arriving from two directions and no matter where they came from at least two ALP supporters would be able to intercept them.

Surprisingly the work was easier at the most busy times. When the queue stretched out into the street I could stoll along the queue and give the cards to the voters. When the queue disappeared later in the day the voters were walking past at high speed and I had to move quickly to get to them.

Now it's time to start planning for the next Federal election.

Thursday, November 23, 2006

Linux support by politicians

In two days time we are having a state election in Victoria (Australia). For this election there is only one party with policies that are positive towards free software, that is the Australian Greens. The policy documents include an IT policy (note that the IT policy is on a link that may change while the policy documents is a permanent link).

The Greens IT policy has three sections under the goals, one of those is about open standards (ensuring that government data is in documented file formats for use by all with no need to purchase software) and another is about Open Source which directly advocates the use of free software by government agencies. The principles part of the document is also very positive towards free software and explains why it's beneficial for Australia.

Any Greens representatives that are elected on the weekend have to abide by the party policy, that means that they must advocate the use of open standards and Open Source in government use and vote accordingly when any legislation related to computers is being considered!

Some of the members of the Greens are also members of the free software community, we were able to explain to the other party members the benefits for Australia and for social justice in the use of free software, and thus we reached an agreement about on a policy that suits people who use free software - not to benefit such people, but because of the benefits to society of the use of free software.

I think it would be good if members of the free software community in other countries would also join their local Green party and promote similar policies. While there is no direct connection between the Green parties in different countries the aims are very similar and therefore the arguments that persuaded Green members in Australia can be expected to work reasonably well in other countries (I am happy to provide advise in this regard via private mail if requested).

Also it would be good if other parties could be persuaded to have similar policies. If you want to help the free software community but for some reason you don't support the Greens then please join a party that matches your views and advocate an IT policy that promotes free software.

Currently people who want to vote for free software in the Victorian election have no option other than to vote for the Greens. As a member of the Greens I am happy to document this as a reason to vote Green. But as a member of the free software community I would like to see other parties adopt policies that promote free software.

The Greens adoption of a policy that promotes free software was largely driven by the issue of social justice. We believe that every Australian citizen has the right to access all public government data. If government data is available in proprietary formats then access is only granted to people who can afford the latest software ($800 for a full copy of MS Office) and hardware to run it ($600 at least). We believe that unemployed people who receive free Linux computers from Computerbank should be able to access government data. We also believe that when FOI laws apply in 30 years time all current data should be accessible, there's no chance that whatever version of Office is being sold in 30 years time will read current MS file formats, and there's no guarantee that MS will even be in business then. File formats for which there are authoritative open-source programs written to use them will be accessible in 30 years time and more.

Wednesday, November 22, 2006

nuclear power in Australia

From Crikey: If a government wanted to figure out how best to defend the country, it wouldn’t hold an inquiry into the air force. It would hold an inquiry into … defence. So if a government wanted to figure out how to plan for responsible energy consumption in an age of climate change you’d assume it would hold an inquiry into energy consumption. Instead, the Australian government holds an inquiry into … nuclear energy.

The above really says it all. The Liberal government has decided that they want to get nuclear reactors regardless of what the citizens want. Surprisingly the Switkowski report was not very positive towards nuclear power. It concluded that producing 1/3 of Australia's electricity requirements would require 25 nuclear power plants, and that they would have to be built close to population centers, and mainly on the east cost. I guess that means about 8 reactors for Melbourne and about 10 for Sydney! It has been suggested that the federal government could force nuclear power on the states even if the state governments don't want it!

For those reactors to be economically viable
a carbon tax is required (this means taxing all energy sources on the amount of carbon that they release into the atmosphere). The Liberal government has been opposing such a tax but now the report they commissioned recommends it.

The Victorian branch of the Liberal party seems to support such things. I have been walking past the office of Ted Baillieu (the leader of the Victorian Liberal party) on my way to work. He has a sign in his office window opposing wind power so I guess he'll be supporting nuclear power.

It's something to keep in mind at the election on Saturday. I'll be handing out how to vote cards for the Greens.

Thursday, November 16, 2006

biometrics and passwords

In a comment on my post more about securing an office someone suggested using biometrics. The positive aspect of biometrics is that they can't be lost, no-one is accidentally going to leave a finger or an eye in their car while they go to a party while other authentication devices are regularly lost in such a manner.

The down-side is that having your finger or eye stolen would be a lot less pleasant than having a USB device, swipe-card, key, or other security device stolen. I think that it's good to have an option of surrendering your key when under threat (for the person who might be attacked at least).

Rumor has it that some biometric sensors look for signs of life (EG temperature and pulse), but I believe that these could be faked with a suitable amount of effort. A finger attached to a mini heart/lung machine should make it possible to pass the temperature and pulse checks (although I don't think that I have access to any data that is important enough to justify such effort on the part of an attacker).

One thing that biometrics could be useful for is screen-blankers. It would be good to be able to have a screen-blanker for your computer that operates when you go to get a coffee. For a period of 10 minutes after leaving a biometric method could be used to re-enable access. After that time a different method would ave to be used. This gives the convenience of biometrics for when you need it most (the many short trips away from your computer that you make during the day) but removes the benefit for an attacker who might consider removing part of your body. Also I am not convinced in the general security of biometrics. There are claims that you can make a finger based on a fingerprint which can fool a biometric sensor. If those claims are correct then a biometric sensor would still work for a coffee break (presumably you are not far away and will be back soon, and other people are in the area). The coffee break security is usually to prevent casual snooping such as colleagues who want to see what was on your screen but not actually do anything invasive to get it. Another benefit of biometrics for a screen saver is that although I trust people in the same office as me (whichever office that may be) not to try anything when they might get caught I still don't want them shoulder-surfing my password. Replacing the trivial authentication cases with a fingerprint reader would prevent that.

In the KDE 1.x days I had a shell script launched when the lid closed on my laptop which would lock the screen (the screen-saver ran in the background and a signal could make it lock the screen). This meant that I could merely close the lid of my laptop to lock the screen, this is fast and easy and also is not immediately recognised as locking the screen. Some people get offended if you lock your laptop screen when in their presence as they think that you should trust them enough to leave your most secret data open to them (generally people who aren't serious about computers - I'm sure that the same people would happily lock their diary if I was ever in the same room as it). Being able to lock the screen in a non-obvious way is a security benefit.

Regarding the comment about using a USB device to store passwords, there are two problems with this, one is that all passwords will be available all the time, this means a program that is permitted to access password A would also be given access to password B. The other is that the passwords can be accessed easily. The ideal solution is to have an encryption device that uses public key cryptography and stores the private keys on the device with no way of removing them. It would also permit the user to authorise each transaction.

I would like to see a USB device that stores multiple GPG keys and implements the GPG algorithm (with no way for anyone with less resources than the NSA to extract the keys). The device would have a display and a couple of buttons. When it is accessed it would display messages such as "signing attempt on key 1" and allow me to press a button to authorise or reject that operation.

This means that if I insert the key to sign an email I won't have a background trojan start issuing sign and decrypt commands. The only viable attack that would be permitted is the case where I want to sign a message and my message is sent to /dev/null and a message from an attacker is signed again. The non-arrival of my original message would hopefully alert me to this problem. I am not aware of any hardware which supports these functions.

Also I have just received a couple of RSA SecurID tokens as a sample. An RSA representative phoned me to ask about my use of the tokens, I said that I am an independent consultant and I have been having trouble getting my clients to accept my recommendations to use such devices and that I want to implement them on a test network so that I can give more detailed advice to my clients and hopefully get them to improve their security. For some reason the RSA rep found that funny, but I got my sample hardware so it's fine.

Wednesday, November 15, 2006

economics of a computer store (why they don't stock what you want)

In some mailing list discussions recently some people demonstrated a lack of knowledge of the economics of a shop. Having run a shop for a few years (an Internet Cafe) I have some practical knowledge of this. I will focus on small businesses in this article, but the same economic principles apply to large corporations too.

When running a shop the main problem you have is in managing stock. There are two ways of getting stock, one is to have wholesalers give it to you for a period in which you can try to sell it and you pay for it when it's sold, this is probably quite rare (I don't know of an example of it being done - and probably no retailer wants to talk about it in case they lose it). Often retailers consider themselves to be privileged if they are permitted to pay for hardware one month after they receive it! The more common way of getting stock is simply to buy it and hope you can sell it in a reasonable period of time (often the wholesaler will offer to buy the stock back at a 10% discount if you can't sell it).

To buy stock you need money, this can come from money that has accrued in the business account (if things are going really well) or from a mortgage taken out by the business owner if things aren't going so well. For small businesses things usually don't go so well so the money used to buy stock is borrowed at an interest rate of about 7% or 8% (I'm using numbers based on the current economic conditions in Australia, different numbers apply to different countries and different times but the same principles apply). The ideal situation is when there is money in the company bank account to cover the purchase of all stock, this means that the cost of owning stock is that you miss out on the 5.5% interest that the money will get in a term deposit.

Almost all stock has a use-by date of some form. Some items have a very short expiry (EG milk used to make hot chocolate in an Internet cafe, some have a moderate expiry date (computer systems become almost unsellable in about 18 months and lose value steadily month after month), but in the computer industry nothing has a long expiry date.

Let's assume for the sake of discussion that you want to run a small computer store that is open to passing trade (this means that you must have stock for an immediate sale). Let's assume that all items of computer hardware lose half their value over the period of 20 months at a steady rate of 2.5% of the original price per month (I think that most computer hardware loses value faster than that, but it's just an assumption to illustrate the point).

The next major issue is the profit margin on each sale. If you can make a 20% profit on a sale then an item that has lost 10% of it's value while gathering dust in your store will still be profitable. However the profit margins on computer sales are very small due to having a small number of major manufacturers (Intel, AMD, nVidia, ATI, Seagate, and WD) that have almost cartel positions in their markets and there being little to differentiate the stores apart from price. I have been told that 3% profit is typical for retail computer hardware sales by the small companies nowadays! Now if the stock will lose 2.5% of it's value per month, you pay 0.5% interest per month and you make a 3% profit then if an item remains in stock for a month then you lose money. So on average (by value) you need to have stock spending significantly less than a month in your store. Cheap items such as low-quality cases and PSUs can stay in stock for a while. More expensive items such as new CPUs and the motherboards to house them must be moved quickly.

What's the first thing that you do to reduce stock? You can keep stocks low, but there is a limit to how low you can go without losing sales. The next thing to do is to not stock items that customers won't often buy or items where there is a similar item that you can stock as a substitute. The classic example of this is hard drives, a customer will want a certain capacity for a certain price - if their preferred brand is not in stock they will almost always take a different brand if it has the same capacity at the same price. Stores often advertise prices on multiple brands of hard drive in each capacity, but often only try to keep one brand in stock.

Of course this is a problem for the more fussy buyer. If you want to buy two identical parts from the same store on different days you might discover that they don't have the stock on the second day and that they instead offer you something equivalent. Not only do retailers have issues with managing their investment in stock but wholesalers have the same problem. So if a retailer runs out of WD drives and discovers that their preferred wholesaler has also run out of WD drives then they just buy a different brand - most customers don't care anyway.

There are some companies I deal with that have a business model based on services. One of them sells hardware to customers at cost, but charges them for the time spend assembling them, transporting them, etc. The potential for a 3% profit on the hardware isn't worth persuing, they prefer to just charge for work and also save themselves the sales effort. Another company I know operates almost exclusively on the basis of ordering parts when customers request them (but still make a small profit margin on the sales), this means that the customer can be invoiced as soon as the hardware arrives. The down-side to this is that wholesalers have the same stock issues and they sometimes have excessive delays before the wholesaler can deliver the hardware.

Dell is the real winner out of this. As they operate by mail-order they don't need to have the stock immediately available, they have a few days to deliver it which gets them time to arrange the supply. They can also have a central warehouse per region which reduces the stock requirements again. A 3% profit on items that rapidly decrease in value makes it almost impossible to sustain a small business. But an organization such as Dell can sustain a successful business at that level.

Of course the down-side for the end-user is that Dell doesn't want to have too many models as that just makes it more complex for the sales channel. Also they have deals with major suppliers which presumably give them deep discounts in exchange for not selling rival products (this is why some brands of parts are conspicuously absent from Dell systems).

10 years ago there used to be a small computer store in every shopping area. Now in Australia there are a few large stores (which often only have a small section devoted to computers) and mail-order. There seems to be much less choice in computer hardware than there was, but it is much cheaper.

PS I've attached a picture of day 39 of the beard.

Saturday, November 11, 2006

more about securing an office

My post about securing an office received many comments, so many that I had to write another blog entry to respond to them and also add some other things I didn't think of before.

One suggestion was to use pam_usb to store passwords on a USB device. It sounds like it's worth considering, but really we need public key encryption. I don't want to have a USB device full of keys, I want a USB device that runs GPG and can decrypt data on demand - the data it decrypts could be a key to unlock an entire filesystem. One thing to note is that USB 2.0 has a bandwidth of 30MB/s while the IDE hard drive in my Thinkpad can sustain 38MB/s reads (at the start - it would be slower near the end). This means that I would approximately halve the throughput on large IOs by sending all the data to a USB device for encryption or decryption. Given that such bulk IO is rare this is feasible. There are a number of devices on the market that support public-key encryption, I would be surprised if any of them can deliver the performance required to encrypt all the data on a hard drive. But this will happen eventually.

Bill made a really good point about firewire. I had considered mentioning it in my post but refrained due to a lack of knowledge of the technology (it's something that I would disable on my own machines but in the past I couldn't recommend that others disable without more information). Could someone please describe precisely which 1394 (AKA Firewire) modules should be disabled for a secure system? If you don't need Firewire then it's probably best to just disable it entirely.

To enable encryption in Fedora Core 6 you need something like the following in /etc/crypttab:

home_crypt /dev/hdaX /path/to/key
swap /dev/hdaX /dev/random swap
Debian uses the same format for /etc/crypttab.

The Peregrine blog entry in response to my entry made some really good points. I wasn't aware of what SUSE had done as I haven't done much with SUSE in the past. I'm currently being paid to do some SUSE work so I will learn more about what SUSE offers, but given the SUSE/MS deal I'm unlikely to use it when I don't have to. Before anyone asks, I don't work for SUSE and given what they have just done I will have to reject any offer of employment that might come from them.

I had forgotten about rsh and telnet. Surely those protocols are dead now? I use telnet as a convenient TCP server test tool (netcat isn't installed on all machines) and never use rsh. But Lamont was correct to mention them as there may be some people still doing such things.

The Peregrine blog made an interesting point about Kerberised NFS being encrypted, I wasn't aware of this and I will have to investigate it. I haven't used Kerberos in the past because most networks I work on don't have a central list of accounts, and often there is no one trusted host.

I strongly disagree with the comment about iSCSI and AoE "Neither protocol provides security mechanisms, which is a good thing. If they did, the additional overhead would affect their performance". Lack of security mechanisms allows replay attacks. For example if an attacker compromises a non-root account on a machine that uses such a protocol for it's root filesystem, the victim might change their password but the attacker could change the data back to it's original values even it if was encrypted. Encryption needs to have sequence numbers embedded to be effective, this is well known - the current dmcrypt code (used by cryptsetup) encrypts each block with the block ID number so that blocks can not be re-arranged by someone who can't decrypt them (a weakness of some earlier disk encryption systems). When block encryption is extended to a network storage system I believe that the block ID number needs to be used as well as a sequence ID number to prevent reordering of requests. CPU performance has been increasing more rapidly than hard drive performance for a long time. Some fairly expensive SAN hardware is limited to 40MB/s (I won't name the vendor here but please note that it's not a company that I have worked for), while there is faster SAN hardware out there I think it's reasonable to consider 40MB/s as adequate IO performance. A quick test indicates that the 1.7GHz Pentium-M CPU in my Thinkpad can decrypt data at a rate of 23MB/s. So to get reasonable speed with encryption from a SAN you might require a CPU which is twice as fast as in my Thinkpad for every client (which means most desktop machines sold for the last two years and probably all new laptops now other than the OLPC machine). You would also require a significant amount of CPU power at the server if multiple clients were to sustain such speeds. This might be justification for making encryption optional or for having faster (and therefore less effective) algorithms as an option.

I believe that the lack of built-in security in the AoE and iSCSI protocols gives a significant weakness to the security of the system which can't be fully addressed. The CPU requirements for such encryption can be met with current hardware even when using a strong algorithm such as AES. There are iSCSI accellerator cards being developed, such cards could also have built in encryption if there was a standard algorithm. This would allow good performance on both the client and the server without requiring the main CPU.

Finally the Peregrine blog entry recommended Counterpane. Bruce Schneier is possibly the most widely respected computer security expert. Everything he does is good. I didn't mention his company in my previous post because it was aimed at people who are on a strict budget. I didn't bother mentioning any item that requires much money, and I don't expect Counterpane to be cheap.

Simon noted that developing a clear threat model is the first step. This is absolutely correct, however most organizations don't have any real idea. When advising such organizations I usually just invent a few possible ways that someone with the same resources and knowledge as I might attack them and ask whether such threats seem reasonable, generally they agree that such things should be prevented and I give further advice based on that. It's not ideal, but advising clients who don't know what they want will never give an ideal result.

One thing that I forgot to mention is the fact that good security relies on something you have as well as something you know. For logging in it's ideal to use a hardware security token. RSA sells tokens that display a pseudo-random number every minute, the server knows the algorithm used to generate the numbers and can verify that the number entered was generated in the last minute or two. Such tokens are sold at low prices to large corporations (I can't quote prices, but one of my clients had prices that made them affordable for securing home networks), I will have to discover what their prices are to small companies and individuals (I have applied to evaluate the RSA hardware). Another option is a GPG smart-card, I already have a GPG card and just need to get a reader (this has been on my to-do list for a while). The GPG card has the advantage of being based on free software.

One thing I have believed for some time is that Debian should issue such tokens to all developers, I'm sure that purchasing ~1200 tokens would get a good price for Debian and the security benefits are worth it. The use of such tokens might have prevented the Debian server crack of 2003 or the Debian server crack of 2006. The Free Software Foundation Fellowship of Europe issues GPG cards to it's members, incidentally the FSFE is a worthy organisation that I am considering joining.

Friday, November 10, 2006

flash for main storage

I was in a discussion about flash on a closed mailing list, so I'll post my comments here.

I believe that flash will soon be suitable for main storage on most desktop and laptop machines (which means replacing the vast majority of the hard drive market). Flash survives mechanical wear much better than hard drives (flash storage in a camera will usually survive the destruction of the camera), it produces less heat and less noise, and it has better seek times. It is more expensive, although the price is coming down and the main problem now is the number of writes that can be made.

Flash is widely regarded as being slow for bulk IO (benchmark results I have seen approach 10MB/s - while 60MB/s is common for cheap desktop IDE disks). I am not sure how much of this is inherent to flash technology and how much is due to the interface used to access the flash. I often work with Gig-E networks, but for my home use I only have 100baseT, so I have little need for more than 10MB/s IO rates at home.

It is generally regarded that a sector of flash storage wears out at between 10,000 and 1,000,000 writes depending on how recent the hardware is and who you talk to (some vendors are more optimistic than others regarding the usable life of their devices).

Let's assume that you have a 32G flash module running JFFS2 with an average of 2G free (30G of long-term data that doesn't change and 2G of space that is used for new files). Let's assume that the most pessimistic prediction for flash reliability of 10,000 writes happens to be correct. So if 10,000 writes are to be made to that 2G of space that means 20T of data written! If we assume that the machine will be obsolete in 5 years then that allows us an average of just over 10G of data written per day (20,000/365/5=10.9). On my laptop iostat reports the following after 5 days of uptime:

Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtn
hda 1.94 9.94 20.33 4614118 9439808
I believe that this means an average of 20 blocks were written per second over the last 5 days with a block size of 4K (page size), this means 6.6G per day. Clearly something is wrong with my laptop as there should not be so many writes, but even so I wouldn't expect it to wear out within 5 years if I used only flash storage. Incidentally I do a lot of travelling and generally find that I'm lucky if a laptop hard drive lasts three years. So I could expect flash to last longer than a hard drive for my laptop use.

When flash fails I believe that only a small part of the data will be lost, which is better than the hard drive failure condition which is often to lose everything!

Also there is nothing preventing you from creating a RAID-1 of flash devices. Last time I checked the JFFS2 kernel code didn't support such things but that could be fixed if there was suitable hardware.

Note that JFFS2 is vastly preferable to using Ext3 or similar filesystems on a flash device. Flash needs wear-levelling (spreading the write load over all parts of the disk) for sane operation. JFFS2 has this built in to the filesystem, while Ext3 etc are designed to repeatedly write the same parts of the disk. This means that to use Ext3 you need a mapping layer that does wear-levelling which causes inefficiency. Also JFFS2 has compression built in (same method as gzip). This is good for smaller flash devices (EG the 32M storage that was common in iPaQs), and also reduces the wear on larger storage.

The biggest problem for me in using flash at the moment is the lack of support for XATTRs (needed for SE Linux) in JFFS2. KaiGai Kohei has been working on this, it's been a while since I checked on the progress so I'm not sure if it's got into the repository yet.

Another problem with flash is that it is totally unsuitable for use as a swap device. This means that you need to have so much RAM that swap is not needed. Fortunately desktop machines with 2G of RAM are becoming common.

Thursday, November 09, 2006

a good security design for an office

One issue that is rarely considered is how to deal with office break-ins for the purpose of espionage. I believe that this issue has been solved reasonably well for military systems, but many of the military solutions do not apply well to civilian systems - particularly the use of scary dudes with guns. Also most office environments don't have the budget for any serious security, so we want to improve things a bit without extra cost. Finally the police aren't interested in crimes where an office is burgled for small amounts of cash and items of minor value, it gets lost in the noise of junky burglaries, so prevention is the only option.

Having heard more information about such break-ins than I can report, I'll note a few things that can be done to improve the situation - some of which I've implemented in production.

The most obvious threat model is theft of hard drives. The solution to this is to encrypt all data on the drives. The first level of this is to simply encrypt the partitions used for data, support for this is available in Fedora Core 6 and has been in Debian for some time. The more difficult feature is encrypting the root filesystem, encrypting root means that important system files such as /etc/shadow are encrypted. Also if the root filesystem is encrypted then an attacker can't trivially subvert the system by replacing binaries. An unencrypted root filesystem on a machine that is left turned off overnight (or for which an unexpected reboot won't be treated seriously) allows an attacker to remove the drive, replace important system files and then re-install it. If the machine is booted from removable media (EG USB key) which contains the kernel and the key for decrypting the root filesystem then such attacks are not possible. Debian/unstable supports an encrypted root filesystem, but last time I tried the installer there did not appear to be any good support for booting from USB (but given the flexibility of the installer I think it's within the range of the available configuration options). I have run Fedora systems with an encrypted root filesystem for a few years, but I had to do some gross hacks that were not of a quality that would be accepted. With the recent addition of support for encrypted filesystems in Fedora it seems likely that some such patches could be accepted - I would be happy to share my work with anyone who wants to do the extra work to make it acceptable for Fedora.

Once the data is encrypted on disk the next thing you want to do is to make the machines as secure as possible. This means keeping up to date with security patches even on internal networks. I think that a viable attack method is to install a small VIA based system in the switch cabinet (no-one looks for new equipment appearing without explanation) that sniffs an internal (and therefore trusted) network and proxies it to a public network. This isn't just an issue of securing applications, it also means avoiding insecure protocols such as NFS and AoE for data that is important for your secrecy or system integrity.

An option for using NFS is to encrypt it with IPSEC or similar technology. AoE can be encrypted with cryptsetup in the same way as you encrypt hard drive partitions, it doesn't use IP so IPSEC won't work but it is a regular block device so anything that encrypts block devices will work. I have been wondering about how well replay attacks might work on an encrypted AoE or iSCSI device.

Security technologies such as SE Linux are good to have as well. An attacker who knows that a server has encrypted hard drives might try cracking it instead. A thief who has stolen a laptop and knows that it has an encrypted drive can keep it running until future vulnerabilities are discovered in any daemons that accept data from the network (of course if you have enough technology you could sniff the necessary data from the system bus and from RAM while it's running - but most attackers won't have such resources). I have considered running a program on my laptop that would shut it down if for a period of 48 hours I didn't login or un-blank the screen, that would mean that if it was stolen then the thief would have 48 hours to try and crack it.

Prevent access to some hardware that you don't need. If you allow the system to load all USB drivers then maybe a bug in such a driver could be exploited to crack it. Remember that in a default configuration USB drivers will be loaded when a device is inserted (which is under control of an attacker) and the device will use data from the attacker's hardware (data of low integrity being accessed by code that has ultimate privilege). Turning off all USB access is an option that I have implemented in the past. I have not figured out a convenient way of disabling all USB modules other than the few that I need, I have considered writing a shell script to delete the unwanted modules that I can run after upgrading my kernel package.

Once these things have been done the next issue is securing hardware. Devices to monitor keyboard presses have been used to steal passwords. The only solution I can imagine for this is to use laptops on people's desks and then store them in a safe overnight, unfortunately laptops are still quite a bit more expensive than desktop machines and consequently they are mostly used as status symbols in offices. Please let me know if you have a better idea for solving the key-logging problem.

For servers there is also a problem with keyboard sniffing. Maybe storing the server's keyboard in a safe would be a good idea.

Security monitoring systems are a good idea, unfortunately they can be extremely expensive. There has already been at least one recorded case of a webcam being used to catch a burglar. I believe that this has a lot of potential. Get a webcam server setup with some USB hubs and cameras and you can monitor a small office from all angles. When the office is empty you can have it GPG encrypt pictures and send them off-site for review in the case of burglary. You could also brick the server into a wall (or make it extremely physically secure in other ways) so that the full photo record would be available in the case of damaged phone lines, and to give more pictures than the upload bandwidth of an ADSL link would allow (512Kb/s doesn't allow uploading many pictures - no-where near the capacity of a few high-resolution web-cams).

This is just a few random thoughts, some things I've done, some things I plan to do, and some that just sound like fun. I expect comments telling me that I have missed some things. I may end up writing a series of articles on this topic.

PS I've uploaded day 32 of the beard (which was taken yesterday). Last night at a LUV meeting I was asked to stand in front of the audience to show them my beard. I had imagined that they might have seen it enough through my blog, but apparently not.

Monday, November 06, 2006

the death penalty

I have just read the news about Saddam finally receiving the death penalty (it did not seem likely that his case would have any other outcome) and have been thinking about the death penalty in general.

Firstly I think that in a jury based system every jury member should have a hand in the execution. If they vote for the death penalty (if you use a jury then it should decide whether the death penalty is acceptable) then they should all be involved in carrying out the sentence. It would be quite easy to fit a room with a dozen switches that control an electric chair. If the jury members are unable to pull the switch then that should result in the sentence being commuted. I am against people voting for actions which they lack the courage to perform themselves.

One problem I have with the death penalty is the poor quality of justice in most courts. The US is a good example of this where poor people are the ones who get the death sentence. A pre-requisite of having penalties such as the death penalty should be that there is a reasonable chance of convicting the person who committed the crime!

In the case of someone like Saddam Hussein there is an additional problem of creating a martyr. I think that a solution to this would be to give him a life sentence and put him on TV on shows based on the Jerry Springer Show. Show him for what he is and let the audience pass judgement on him, I'm sure that he would not do well on such a show.

Another possibility is to have a glass prison where the lights are always on and web-cams show everything he does (including the toilet and shower). That might fall into the category of cruel and unusual punishment, but really the cruel and unusual stuff is what happens in Abu Ghraib (under the command of Saddam Hussein and more recently under the command of George Bush).

Sunday, November 05, 2006

Sell a Band has an interesting business model. If you want to make money from your band you can sign up to their site and create a web site with some sample tracks. Then wait for 5,000 believers to each pay $10 for a share which grants the band a recording contract. The $10 gets them a share of advertising royalties (which seems extremely unlikely to recover the $50,000) and also a first-edition CD from the band ($10 is cheap for a CD). If there is an unpublished band you like then all you need to do is to find 5,000 people who can each spare $10.

The main advantage of the site seems to be as a central advertising point. Sure it would be better to record your own CD and sell it for $10 per copy (which is not difficult to do with little expense nowadays), but finding the 5,000 people who want to pay will be difficult.

It's a pity that sellaband relies extensively on Flash, so I can't use their site. Maybe someone else will copy the idea and use standard web pages that display in all browsers.

PS I've attached a picture of day 29 of the beard.