The slides are now available: The Frugal CSO: IT Security Tools for Tough Times (pdf).

This presentation was to raise  awareness of the availability and quality of some of the leading free / open source and low cost security software.

Unlike the U.S. and European governments, the Canadian federal government has never officially blessed the use of open source.  There are a ton of deployments, but they tend to be isolated, small and kept really quiet.

There are many outstanding open source and low cost security products out there, and there are few, if any, valid reasons to exclude them from consideration when evaluating products.

No related posts.

Lately I’ve been helping a group transition from a legacy HP/UX environment to Linux. Being an Oracle shop, they’re tempted to use Oracle Enterprise Linux (OEL) instead of Red Hat Enterprise Linux (RHEL) to run the Oracle DBMS on.

You may recall Oracle released a recompiled Red Hat back in 2006. Since Red Hat is GPL, anyone is free to compile the source code and release their own knock-off of Red Hat. The are a few groups who do this, with the excellent CentOS distribution being the most popular.

CentOS is fantastic for those need Red Hat compatibility but don’t need or can’t afford the mandatory Red Hat support licenses. CentOS has near-perfect binary compatibility so commercial products that only support Red hat are almost certain to run.

Oracle Linux is similar… they compile the Red hat sources and release it under their own brand. However, unlike CentOS, Oracle certifies their products will run without issue on their imitation Red Hat. Other products? Maybe, maybe not.Like CentOS, very few commercial vendors certify or support their products running on OEL. However, unlike CentOS, who try not to modify the Red Hat sources, Oracle admits to monkeying around. For example:

• Adding their own patches and device drivers
• Replacing the GFS file system with their competing OCFS2
• Replacing Red Hat Cluster Suite with Oracle Clusterware

Oracle Linux may be suitable for running Oracle products, but given these changes and lack of certification and support, is it a trustworthy platform for other commercial apps?

Also unlike CentOS (and despite claims to the contrary), OEL is not free. Yes, you can download and install the ISOs, but getting online updates via Yum requires a support license.

If you’re a Red Hat shop, it doesn’t make much make sense to use OEL for Oracle servers and RHEL for everything else. Just standardize on RHEL. Oracle is fully supported on Red Hat, as are nearly every other commercial products.

The real deal breaker for OEL, however, is VMware support. VMware lists both RHEL and OEL as compatible guest OSs. Red Hat also fully supports RHEL deployment on VMware ESX. But get this: OEL deployments on VMware may or  may not be supported by Oracle. There seems to be no technical reason for this… OEL runs fine as you would expect. No, it appears Oracle has taken this stance to drive customers to their competing virtualization solution, (a fork of Xen) and to drive sales of Oracle RAC over VMware’s less expensive HA solution.

Deploy Oracle on RHEL on VMware and problem solved: you’re fully supported by all players. RHEL also offers a substantial price break for VMware deployments. Oracle doesn’t.

On the security side, SELinux is available in both RHEL and OEL. Both RHEL and OEL have EAL4+ validations under the Common Criteria. RHEL also has FIPS 140-2 validation for the NSS crypto modules, but OEL does not. For government users, that could be a deal breaker.

So again I’m left wondering… what is the advantage of Oracle Linux? If your only deploying Oracle products, theoretically using OEL under Oracle VM would remove the potential for vendor finger pointing when things go wrong. But that’s putting a lot of faith in Oracle Support’s knowledge of Linux and Xen.

Related posts:

• Linux software vs hardware RAID
• Disabling the NX bit for specific apps

These days Perl is most often thought of as the first “web programming” language. Back in 1994 or so when public access to the Internet first took off, just about every web application was a Perl CGI script.

Perl has fallen out of favor lately, but it was revolutionary. Perl combined elements of C, awk, sed, and Bourne shell already familiar to every Unix sysadmin into one fast executing, consistent and (later) highly extensible language.

Perl was (and still is) an extremely productive language… the Perl concept of “there’s more than one way to do it” makes it easy to whip up a working programs quickly to solve problems at hand.

Of course, that concept and Perl’s syntax horrifies language purists who criticise it as a mess and denigrate it as a “write only language.” Perl’s author Larry Wall agrees: Perl is a mess. In fact he once compared it to the mess that is the English language:

English is useful because it’s a mess. Since English is a mess, it maps well onto the problem space, which is also a mess, which we call reality. Similarly, Perl was designed to be a mess (though in the nicest of possible ways).

Larry is a funny guy.

Despite criticisms, Perl remains the “duct tape of the Internet”. You can do wonders with just a few lines of Perl, especially when you know about Perl’s secret weapon: the CPAN archive . No matter what data format you need to parse or API you need to talk to, chances are a Perl library for it already exists in CPAN.

Happy birthday, Perl. You may be ugly but you sure get the job done.

No related posts.

(You may recall ElcomSoft from 2001 when an employee was arrested during Defcon. He was eventually acquitted. The case was an early test of the U.S.’s disastrous DMCA law.)

According to the press release, ElcomSoft’s technique of using a GPU is “patent pending” but I can’t see how… using the high performance of GPUs for non-graphical processing is nothing new.

Last February nVidia launched their CUDA C compiler and libraries for both Linux and Windows developers that lets anyone use GPUs for processing intensive tasks, and ATI AMD announced something similar last November with their “Close to metal ” product.

nVidia is also just about to release their Tesla “Deskside Supercomputers” which looks like just a bunch of nVidia GPUs (JBOGs?) conveniently boxed up for use in high performance computing.

Fast password and hash cracking (and factoring RSA ) is a whole lot less expensive than it used to be. There’s been speculation for a while now that government organizations have the horsepower to decrypt SSL communications in real time. Now with gigaflops of processing power cheap and accessible through off the shelf graphics cards, that kind of capability could be available to almost everyone.

Also, for those who prefer to brew their own crackers, there are projects like NSA@home

No related posts.

Sourcefire , the little company behind the open source Snort intrusion prevention has just acquired the open source ClamAV anti-virus project:

“Sourcefire has acquired the ClamAV project and related trademarks, as well as the source code copyrights held by the five principal members of the ClamAV team. Sourcefire will also assume control of the ClamAV project including: the ClamAV.org domain, web site and web site content; and the ClamAV Sourceforge project page.”

Congratulations to the ClamAV team! They’ve been building the product as a volunteer effort since 2002.

According to the announcement , the product will continue to be open source and licensed under the GPL. More importantly, they promise to keep the malware signature database database open as well.

However, when Sourcefire was created to take Snort commercial they changed access to the IDS signatures from free for all to a tiered structure : $500 per year for real-time updates, and free-but-registration required access to the same rules after a five day delay. The urge to monetize the widely used ClamAV beyond just selling support services for it will be irresistible, and Sourcefire will probably do so in a very similar way to Snort.

Related posts:

• Snort vendor sourcefire files for IPO
• Open source ClamAV beats McAfee and Norton

Marcus is generally credited with creating the first commercial firewall and IDS but is better known for his straight thinking and straight talk about security. The podcast covers familiar ground… the deplorable state of Internet security in general, digs about statistics, penetration testing, software complexity and vendor B.S.

It’s 37 minutes well worth listening to.

No related posts.