Web of Trust – 26 Jan 2013
I created my web of trust graphic (select the graphic to zoom in to see detail) this morning showing the additions from the key-signing event at FUDCon Lawrence. I’m also working on building the Fedora web of trust and I may do one for Red Hat as well.
If you’d like to create your own web of trust graphic you can follow the instructions on Aaron Toponce’s website.
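An added example, not code from this post or from Aaron Toponce's instructions, of the core step behind such a graphic: turning `gpg --list-sigs --with-colons` output into signer-to-key edges, rendering them as Graphviz DOT, and checking which keys are reachable from a given key through chains of signatures. The keyring listing is constructed sample data; field positions follow gpg's colon format (field 5 is the signing key ID, field 10 the signer's user ID).

```python
# Constructed sample of gpg's colon-separated listing. In 'sig' records field 5
# is the signing key ID, field 10 the signer's user ID, field 11 the sig class.
SAMPLE = """\
pub:f:4096:1:1111111111111111:1356998400:::u:::scESC::::::23::0:
uid:f::::1356998400::DEADBEEF::Alice <alice@example.org>::::::::::0:
sig:::1:1111111111111111:1356998400::::Alice <alice@example.org>:13x:::::::::
sig:::1:2222222222222222:1358985600::::Bob <bob@example.org>:13x:::::::::
sig:::1:3333333333333333:1358985600::::Carol <carol@example.org>:10x:::::::::
pub:f:4096:1:2222222222222222:1356998400:::u:::scESC::::::23::0:
uid:f::::1356998400::CAFEBABE::Bob <bob@example.org>::::::::::0:
sig:::1:2222222222222222:1356998400::::Bob <bob@example.org>:13x:::::::::
sig:::1:1111111111111111:1358985600::::Alice <alice@example.org>:13x:::::::::
rev:::1:4444444444444444:1358985600::::Dave <dave@example.org>:30x:::::::::
"""

def parse_wot(text):
    """Return (names, edges): key ID -> user ID, and (signer, signee) pairs."""
    names, edges, current = {}, set(), None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = f[4]  # the key that the following uid/sig records belong to
        elif f[0] == "uid" and current and current not in names:
            names[current] = f[9]
        elif f[0] == "sig" and current and f[4] != current:
            # Self-signatures are skipped; 'rev' (revoked certification) records never match.
            names.setdefault(f[4], f[9])
            edges.add((f[4], current))
    return names, edges

def to_dot(names, edges):
    """Render the signature graph as Graphviz DOT, one arrow per certification."""
    out = ["digraph wot {"]
    for kid, name in sorted(names.items()):
        out.append('  "%s" [label="%s"];' % (kid, name.replace('"', '\\"')))
    for signer, signee in sorted(edges):
        out.append('  "%s" -> "%s";' % (signer, signee))
    return "\n".join(out + ["}"])

def reachable(edges, start):
    """Key IDs reachable from `start` by following certification edges."""
    seen, frontier = set(), {start}
    while frontier:
        frontier = {t for s, t in edges if s in frontier} - seen
        seen |= frontier
    return seen - {start}

def mutual(edges):
    """Pairs of keys that certified each other, as a key-signing party produces."""
    return {tuple(sorted(e)) for e in edges if e[::-1] in edges}
```

Pipe the DOT output through `dot -Tpng` to get the picture; keys with no path from your own key are the ones your signatures do not yet vouch for.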
by cthoyes (Flickr) – CC BY-NC-ND
The recent report of someone finding backdoors in Barracuda Networks’ firewall and VPN products didn’t surprise me much. What else do you expect from a closed-source solution? I mean really, when are people going to stop trusting black-box solutions? Security is always a trust issue no matter what aspect you are looking at. Why would you trust something with your security without knowing exactly what it does and how it works?
Open source solutions are completely different. You can look inside, see how things work, make changes if you like, and trust the solution works the way you expect it to. You aren’t trusting the company that is selling it to you but rather you are trusting yourself or your own people. Why would you want it any other way?
I had a very difficult question get asked of me tonight on IRC. Someone I’ve never met before asked how they could get involved in open source. At that exact time I was actually writing about open source cartography which really opened my mind to the question of how one gets involved in open source. What is open source, exactly? Perhaps to many, open source is software. It’s Linux or it’s LibreOffice or it’s Firefox. Or maybe open source is much bigger than that. It’s data, it’s books, and yes, it’s code. Is it also a mindset?
So I ask my readers: what is open source and how can I become a part of it? Please leave your answers as a comment.
Earlier this morning I took a quick look on identi.ca to see what I had been missing. I was a bit surprised to see that someone had started a petition on the Whitehouse.gov website asking for more open source, specifically GPL-licensed, software to be included in our public schools. I had not seen this petition and it appears that it won’t be active for too much longer. I encourage everyone to sign the petition as this is an easy way to get the Whitehouse to recognize the goodness that is open source software.
Earlier I announced a new PGP key. The decision was made based on my inability to correctly revoke certain uids on my key. I finally figured out my problem and have revoked many of the uids on my key that are no longer valid or were no longer being used. So I hope no one wrote off my old key just yet. I’ve had it for a while and I kinda like it. You may want to update it from either my website (see top of the page on this site) or via one of the many keyservers. Sorry for the noise.
I’ve created a new OpenPGP key (0x08CC129D) to replace the one I’ve used for the past few years (0x024BB3D1). Please update your keyrings as necessary.

Nope, I’ve decided to keep my old key and just clean it up a bit.
A bad (as in it’s a 10) Java vulnerability has been discovered. Affecting Java 7 Update 10 and prior versions, this vulnerability can allow an untrusted Java applet to escalate its privileges without requiring code signing.
Currently, the only defense to this vulnerability is to disable Java in your browser. Additional information is provided by US-CERT.
Update at 20:18 UTC 11 Jan
A good resource to follow this story is krebsonsecurity.com.
Update at 22:05 UTC 14 Jan
The US-CERT has released the following bulletin:
US-CERT Current Activity
Oracle Releases Out-of-Band Patch to Address Java 7 Vulnerability
Original release date: January 14, 2013
Last revised: January 14, 2013
Oracle has released an out-of-band patch to address the recently
announced vulnerability in Java Runtime Environment (JRE) 7. US-CERT
encourages users and administrators to review the bulletin and follow
best-practice security policies to determine which updates should be