Monthly Archives: January 2013

My web of trust

Web of Trust built on 26 Jan 2013


I created my web of trust graphic (select the graphic to zoom in to see detail) this morning showing the additions from the key-signing event at FUDCon Lawrence.  I’m also working on building the Fedora web of trust and I may do one for Red Hat as well.

If you’d like to create your own web of trust graphic you can follow the instructions on Aaron Toponce’s website.

Closed-source security solutions

A dark door.

by cthoyes (Flickr) – CC BY-NC-ND

The recent report of someone finding backdoors in Barracuda Networks’ firewall and VPN products didn’t surprise me much.  What else do you expect from a closed-source solution?  I mean really, when are people going to stop trusting black-box solutions?  Security is always a trust issue no matter what aspect you are looking at.  Why would you trust something with your security without knowing exactly what it does and how it works?

Open source solutions are completely different.  You can look inside, see how things work, make changes if you like, and trust the solution works the way you expect it to.  You aren’t trusting the company that is selling it to you but rather you are trusting yourself or your own people.  Why would you want it any other way?

How to get involved in Open Source

I was asked a very difficult question tonight on IRC.  Someone I’ve never met before asked how they could get involved in open source.  At that exact time I was actually writing about open source cartography, which really opened my mind to the question of how one gets involved in open source.  What is open source, exactly?  Perhaps to many, open source is software.  It’s Linux or it’s LibreOffice or it’s Firefox.  Or maybe open source is much bigger than that.  It’s data, it’s books, and yes, it’s code.  Is it also a mindset?

So I ask my readers: what is open source and how can I become a part of it?  Please leave your answers as a comment.

Petition to add more open source software to US schools

Earlier this morning I took a quick look on identi.ca to see what I had been missing.  I was a bit surprised to see that someone had started a petition on the Whitehouse.gov website asking for more open source, specifically GPL-licensed, software to be included in our public schools.  I had not seen this petition and it appears that it won’t be active for too much longer.  I encourage everyone to sign the petition as this is an easy way to get the White House to recognize the goodness that is open source software.

Not a new PGP key

Earlier I announced a new PGP key.  The decision was made based on my inability to correctly revoke certain uids on my key.  I finally figured out my problem and have revoked many of the uids on my key that were no longer valid or were no longer being used.  So I hope no one wrote off my old key just yet.  I’ve had it for a while and I kinda like it.  You may want to update it from either my website (see top of the page on this site) or via one of the many keyservers.  Sorry for the noise.

Link

A bad (as in it’s a 10) Java vulnerability has been discovered.  Affecting Java 7 Update 10 and prior versions, this vulnerability can allow an untrusted Java applet to escalate its privileges without requiring code signing.

Currently, the only defense against this vulnerability is to disable Java in your browser.  Additional information is provided by US-CERT.

Update at 20:18 UTC 11 Jan

A good resource to follow this story is krebsonsecurity.com.

Update at 22:05 UTC 14 Jan

The US-CERT has released the following bulletin:

US-CERT Current Activity
Oracle Releases Out-of-Band Patch to Address Java 7 Vulnerability

Original release date: January 14, 2013
Last revised: January 14, 2013

Oracle has released an out-of-band patch to address the recently
announced vulnerability in Java Runtime Environment (JRE) 7. US-CERT
encourages users and administrators to review the bulletin and follow
best-practice security policies to determine which updates should be
applied.

Relevant URL(s):
<http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html>

<http://www.us-cert.gov/current/#us_cert_releases_oracle_java>