Security

There was some discussion about possible attack vectors for checksum-only deduplication. However i don't think the proposed vectors are really feasible. The first attack tries to create data corruption by foiling deduplication into using a thoughtfully created block, with the same checksum but different data. Another, less discussed attack vector, is gaining knowledge of a block by using a thoughtfully created block to foil dedup to show you a different block than the one you have actually written, as the checksum-only variant didn't stored your block, but just created a pointer to data written beforehand.

This is a nice example, why those backscatter airport scanners are not the solution of all problems in airport security. The interesting part starts at 18:05 of this video available in the ZDF mediathek (an public broadcasting network in Germany). Despite being scanned they are not able to find the thermite the scientist is carrying. The guy demoing the scanner doesn't look amused as well as Mr. Bosbach, a german politician who thinks that we should use such scanners, if they are able to protect the privacy of the scanned peoples.

It turned out that the images of a story about "What a nude scanner" in germanys favorite gossip catapult and tabloid were faked: BildBlog - a watchblog dedicated to this tabloid - reports in "Kehraus 2009" that this newspaper just used a "Negative" plugin of their favorite photo alteration application to create such photos from a cd containing photos of a nude woman...

There is a lot of discussion about the backscatter scanners (or as the media calls them: "nude scanners") in Germany at the moment. Technically it's in discussion for a long time. I wrote about it in 2005 after Bruce Schneier wrote about it. My thought at this moment was "Okay, they will need an aircraft blown out of the sky to force this into the public".

Personally i think the this is lobby at work at the moment. It's a big business to implement backscatter at all airports in germany alone. Just think about the central security area in Hamburg.10 entries ... ka-ching .... and Hamburg is a relatively small airport.

At first: I have no problem with backscatter scanning. Technically the current metal detectors look through my clothing as well. So if a backscatter scanner makes no images and instead just make "boink" (as we all know, scientific progress goes "boink") and then get a TSA massage, i'm fine with that.

I'm not fine with high resolution nude photos of every one just want to fly, i'm not fine with spending millions for back scatter scanners, while the people at security can decide to flip burgers or searching people at almost the same wage, i'm not fine with dumbed down version of this scanners with software to protect the privacy as the bad-guys will find ways to use this dumbing-down to fool this device (i want just simple logic .. there is something else than your leather underpants or your latex bra under your clothing .... "boink" -> TSA massage). I'm not fine with with maximal invasive security counter measures, that just helps against past attacks, but not against future attacks.

The same politicians that force us into this back scatter scannings will be the first ones that will cry when the "Bild Zeitung" will publish the length of their private parts. Who prevents someone who can flip burgers for the same wage to get bribed for not seeing a bomb in his or her shift or for writing down interesting information about prominent people. In former times we used well-paid public servant for this task to reduce this risk ... but today.

And at the end those back scatter scanning is somehow futile anyways: Drug dealers found out that it's quite simple to hide drugs inside a person. Backscatter can't detect it, as it stops at the first layer of the skin. So what's the problem to substitute the cocaine with Semtex to create a not-so-intelligent bomb?

Gestern lief das Webseminar "Solaris 10 Security". Dieses möchte ich Euch nun als Video zur Verfügung stellen:


Ich hoffe es ist informativ für Euch. Der CC-Teil am Anfang ist etwas vereinfacht für Einsteiger in die Thematik. Ich möchte mich bei einem der Zuhörer für die freundliche Zurverfügungstellung der Aufzeichnung bedanken, nachdem das im Tool selber nicht funktionierte. Vielen Dank!

I'm really frustrated at the moment. My second webseminar "Solaris Security" was scheduled for today. We use WebEx for our presentations, so you use a java tool for the slides and use the ordinary telephone for the audio track of the presentation. Everything went well ... until some minutes into the presentation. I was thrown out of the telephone conference. I've noticed this situation 10 minutes later, so i've talked with the void for quite a while. I wasn't able to get back. I've tried with the fixed line, with my job cell phone, even with my private cell phone. But no chance. I wasn't able to get back into the call. At the end we stopped the call. In the hindsight the signs were on the wall, because there were significantly less users in the telephone conference than in related the WebEx tool session right from the start.

We have a new time for the call: 13.10.2009 from 14pm to 15pm. Sorry for any inconvenience. But this give others the chance to attend the meeting: So if you haven't been able to register for the event today, you can use the old form to register for the new date. Everyone else should already have the mail with the details for the next event.

PS: I've checked the Webex voice numbers a few minutes ago .. still broken ...

I've finalized the presentation i want to hold tomorrow. In a series of web seminars in german language i'm presenting on Solaris Security tomorrow afternoon. I don't think i will put the german version online at my own blog, but i'm thinking about an english version. I just integrated a short chapter about the Immutable Service Container. This is really an interesting concept introduced by Glen Brunette. But i have just an hour. So many topics and not enough time.

Whenever a friend asks me about a tip in regard of flying and getting rid of the fear of flying a give them some hints and at the end i make the joke "Oh, and then there are the people who ask you friendly to bend over while thy putting on a latex glove. Just relax". All muscles of the face just go south and the reactions are just to funny to leave out this joke. Just be sure, that you don't start to smile

The problem: I don't think that using a plane will be fun, when you think about the implications of the latest attack on a saudi prince: The assassin had the bomb inside of his body ... to be exact ... in his colon. That's looks to be the newest fashion in not-so-smart bomb technology. With George W. Bush i would be sure, that would lead to rectal probing for everyone. With Obama i have some hope, that they won't go this far. Perhaps we just see an increased rate of radiation induced cancer due to mandatory X-ray examinations at the airport, because the backscatter scanners (we call them "nude scanner" in Germany) are not capable to look into a body, just under the clothes.

PS: I don't know what Mr. Schaeuble will do in regard of this.

The cryptographic algorithm AES is everywhere. You find it in your router, you find in your OS. Your WiFi network use it. And probably the three-letter agency in your country,too . But how does it works? Jeff Moser wrote (well, it's more a comic) the "Stick Figure Guide to the Advanced Encryption Standard (AES)". A really great explanation of AES.

The Apache Foundation had a security breach a few days ago (no, not on the Solaris 10 system ), that led to the compromitation of their services. A nice information was the role that ZFS played in the recovery of this situation. The Infastructure Team wrote in their article about the recovery:

aurora.apache.org runs Solaris 10, and we were able to restore the box to a known-good configuration by cloning and promoting a ZFS snapshot from a day before the CGI scripts were synced over. Doing so enabled us to bring the EU server back online, and to rapidly restore our main websites. Thereafter, we continued to analyze the cause of the breach, the method of access, and which, if any, other machines had been compromised.

Perhaps that's interesting for people needing a highly secure tape storage. As reported by eWeek the StorageTek T10000B tape drive got the FIPS 140-2 certification:

Nonetheless, Sun revealed Aug. 19 that it has become the first enterprise tape drive maker to be granted a prestigious federal security qualification: the FIPS 140-2 Certification at Security Level 2 for its Sun StorageTek T10000B tape drive.

The T10000B drive has the integrated capability to encrypt the data before writing it to the tape. Thus it contains components to do this encryption. The FIPS certification states that a hardware device complies to the standards set by the FIPS 140-2 document, which is headlined "Security Requirements for Cryptographic Modules". A level 2 FIPS certification means (copied from the Wikipedia article):

Security Level 2 improves upon the physical security mechanisms of a Security Level 1 cryptographic module by requiring features that show evidence of tampering, including tamper-evident coatings or seals that must be broken to attain physical access to the plaintext cryptographic keys and critical security parameters (CSPs) within the module, or pick-resistant locks on covers or doors to protect against unauthorized physical access.

Thus you can't get the key without leaving traces. BTW: I'm sure the messages in "Mission: Impossible" are FIPS140-2 Level 5 certified ... "This tape will self-destruct in five seconds"

The T10000B is the first tape-drive with this level of certification. If you are interested in this matter, the certification of the T10000B is available the nist.gov website. The FIPS140-12 document itself is available for download at NIST, too.

A reader that wants to be anonymous (thus he use such a pseudo in his comments) asked an interesting question: How do you do secure deletion in ZFS? The standard mechanism to it, is to overwrite data with zeros, ones or a data pattern to ensure that the data is deleted as normal delete would only delete the metadata and not the data itself. This is a little bit hard with ZFS. Why? ZFS is a copy-on-write filesystem, thus the zeros are written somewhere else, as active data is never overwritten by ZFS. There are hacks to solve this problems: For example overwriting all sectors on the free list. Or you can implement code to overwrite the data directly in a kind of secure delete. But from my point of view this wouldn´t really help.

Ich hatte ja schon vor einigen Tagen angekündigt, das es bald wieder ein neues Webseminar von mir geben wird: Ich werde in diesem Seminar auf die ganzen Sicherheitsfeatures in Solaris eingehen. Also wie gehe ich mit Least Privileges um, was hat es mit den signed Binaries auf sich, was bedeutet eigentlich EAL und Common Criteria, wie können mir die Trusted Extensions weiterhelfen, was ist die Solaris Fingerprint Database und vieles mehr. Stattfinden wird dieses Webseminar Seminar am 30 September 2009 von 14:00 bis 15:00 Uhr. Für dieses kann man sich nunmehr auch anmelden. Das Anmeldeformular findet Ihr hier.

Bei dieser Gelegenheit möchte ich gleich noch auf drei weitere Webseminare hinweisen: Am 26. August wird Volker Wetter (Technical Architect Systems Pratice) zum Thema "10 Gründe, Ihre Applikation auf Solaris zu betreiben" sprechen. Für den 16. September ist dann ein Vortrag zum Thema "Sun Unified Storage in der Praxis" geplant. Dieser wird von Karlheinz Vogel, seines Zeichens Senior Storage Consultant vorgetragen. Der Holodoc, sorry ... Dr. Stefan Schneider, Chief Technologist, wird sich dann am 22. September mit dem Thema "Start smart. Scale hard! Warum Web-Startups mit Ihrer IT skalieren müssen" befassen. Weitere Informationen findet Ihr dazu auf der Webseite der deutschen Sun Webseminare.

PS: Entschuldigt bitte den Text bei der Beschreibung meines Seminars. Is vom Produktmarketing. Der Vortrag ist marketingfrei

Even the Register reports about Deduplication in ZFS. I´m asking myself, if the people at the Register read my blog, as i´ve talked about that a few days ago.

Fun aside: Synchronous Dedupe is the only sensible way to do dedupe data as you would need to provide the storage for undeduped data otherwise until the system gets to the point where the data gets deduplicated. Dependent on the frequency of dedupe runs, this could be a vast amount of storage. On the other side, synchronous dedupe is dependent of a fast mechanism to detect duplicates. The checksumming feature of ZFS looks like a good way to do this, as it capable to use various hashing algorithms. When the probability of collision is less than the probability of reading wrong data from disks it should suffice just to check the checksums instead of checking the complete block.

Soviel zum Thema Kompetenz zum Thema Computersicherheit: Herr Schünemann sitzt vor einem Rechner des LKA. Achtet mal auf den Monitor. Ich vermute das ist ein DemoPC, aber trotzdem: Sowas macht man nicht ...