New “Secure Programmer” Article on Calling Components Safely
The latest article in my “Secure Programmer” series is now available! This series is a developerWorks series on secure development for Linux/Unix.
Article #7 is Secure programmer: Call Components Safely. The posted date is 16 December 2004, but it’s only been available since around 23 December 2004.
Here’s the abstract:
Application programs typically make calls to other components, such as the underlying operating system, database systems, reusable libraries, Internet services (like DNS), Web services, and so on. This article explains how to prevent attackers from exploiting those calls to other components by discussing the use of only secure components, passing only valid data, making sure the data will be correctly interpreted, checking return values and exceptions, and protecting data as it flows between applications and components.
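The abstract's checklist (pass only valid data, make sure the component interprets it as intended, check return values and exceptions) can be shown with one of the components it names, a database. The following is an added example written for this post, not code from the article or from developerWorks; the table, the user names and the allowlist rule are constructed for the demonstration.

```python
import sqlite3


def build_sample_db():
    """Constructed sample data: an in-memory SQLite table of users and roles."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def is_valid_name(name):
    """Allowlist for the data we are willing to pass on: short and alphanumeric.
    (Constructed rule; a real application uses whatever its names actually look like.)"""
    return 0 < len(name) <= 32 and name.isalnum()


def lookup_role_unsafe(conn, name):
    # The data is spliced into the command text, so the component cannot tell
    # where the query ends and the data begins: neither "passing only valid
    # data" nor "making sure the data will be correctly interpreted" holds.
    rows = conn.execute(f"SELECT role FROM users WHERE name = '{name}'").fetchall()
    return [r[0] for r in rows]


def lookup_role_safe(conn, name):
    # 1. Pass only valid data: reject anything outside the allowlist up front.
    if not is_valid_name(name):
        raise ValueError(f"invalid user name: {name!r}")
    # 2. Make sure it is interpreted as data: bind it through a placeholder,
    #    so the component never parses it as SQL text.
    try:
        rows = conn.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchall()
    except sqlite3.Error as exc:
        # 3. Check exceptions: surface a component failure instead of hiding it.
        raise RuntimeError("user lookup failed") from exc
    # 4. Check the return value: enforce the result shape the caller assumes.
    if len(rows) > 1:
        raise RuntimeError(f"expected at most one row for {name!r}, got {len(rows)}")
    return rows[0][0] if rows else None


if __name__ == "__main__":
    db = build_sample_db()
    print("alice ->", lookup_role_safe(db, "alice"))
    print("nobody ->", lookup_role_safe(db, "nobody"))
```

Running the two lookups with the same odd-looking input makes the difference concrete: the unsafe version lets the component reinterpret part of the data as query text and returns every row, while the safe version refuses the input before it ever reaches the database.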
path: /security | Current Weblog | permanent link to this entry
New paper on how to secure Microsoft Windows for home and small business users
As a security expert, I occasionally get asked by Microsoft Windows users questions like “I got this strange error message — do I have spyware?” or “How do I keep my [Windows] computer secure?” Large businesses employ people who secure computer systems as a full-time job, but that doesn’t help if you’re a home or small business user. “Small business” here includes small non-profits, too. So, I’ve posted on my website information on how to secure your Microsoft Windows system. It’s basically a checklist of things you can do to make things better.
Get it here: Securing Microsoft Windows (for Home and Small Business Users)
path: /security | Current Weblog | permanent link to this entry
Comments on Email Authentication for Countering Spam
The Federal Trade Commission (FTC) and National Institute of Standards and Technology (NIST) are considering their options for email authentication as a technique to partially counter spam. I recommend that they make two fundamental decisions. First, FTC and NIST should urge lawmakers to make spam illegal, so that technological measures will have legal standing. Authentication has little anti-spam value without it. Second, FTC and NIST should insist that any anti-spam technical standard must be implementable by all suppliers of email infrastructure, both proprietary and open source software.
This essay responded to a Federal Register request supporting the “Email Authentication Summit” of November 9-10, 2004. I sent the original version of this essay on September 27, 2004. Although it was publicly posted, and quoted in places such as Groklaw’s FTC Email Authentication Summit article, it had various formatting problems, a few minor grammatical mistakes, and it mentioned only NIST and not the FTC. This version is much easier to read since I converted it to HTML and had these minor problems fixed.
So, for those of you who wanted a nicer copy of this essay — enjoy!
It’s here, at:
Comments on Email Authentication for Countering Spam
path: /security | Current Weblog | permanent link to this entry
Software patents — keep protesting
Linus Torvalds (lead developer of the Linux kernel), Michael Widenius (lead for MySQL) and Rasmus Lerdorf (lead for PHP) have written an appeal to the EU Council against software patents in Europe. This letter is useful as yet another ray of sunlight into a sea of deceptive practices. Here’s what the letter reveals: “The draft directive in question is deceptive because it leads laymen, and even those legal professionals who are not familiar with the intricacies of patent law, to falsely believe that it would exclude software from patentability. However, it is actually a compilation of the entirety of the excuses with which the patent system has, for many years, been circumventing article 52 of the European Patent Convention in order to grant patents on software ideas.”
I think that the patented webshop in particular shows why patents have always been excluded from patenting in Europe (and were originally excluded everywhere, until big money bought the laws of some countries). You should also see this link to relevant excerpts from the U.S. Federal Trade Commission Report. For example:
Many panelists and participants expressed the view that software and Internet patents are impeding innovation. They stated that such patents are impairing follow-on incentives, increasing entry barriers, creating uncertainty that harms incentives to invest in innovation, and producing patent thickets. Panelists discussed how defensive patenting increases the complexity of patent thickets and forces companies to divert resources from R&D into obtaining patents. Commentators noted that patent thickets make it more difficult to commercialize new products and raise uncertainty and investment risks. Some panelists also noted that hold-up has become a problem that can result in higher prices being passed along to consumers.
Note that after discussing the various ways that patents are intended to spur innovation, “Commentators were generally skeptical about the benefits of the patent system in these [software and Internet] industries.”
You can see my patent blackout page, so you can get its information even when it’s not the front page of my site.
For more information on the problem, and how you can help stop this absurd notion, see NoSoftwarePatents.com and the FFII.
path: /misc | Current Weblog | permanent link to this entry
But I’ve also found something new: Arimaa. Arimaa is a fun board game that you can play using chess pieces, but it’s really a completely different game. Its rules are very simple, much simpler than chess — kids can learn the rules in a few minutes. Yet with those simple rules you end up with a very strategic and interesting game.
The official Arimaa web site has lots of great stuff - a fancy presentation on how to play, official rules, and ways to sit down and start playing both computers and humans right away. The Wikipedia entry on Arimaa has lots of good information, and Wikipedia also has information on Arimaa Tactics and Arimaa Strategy.
Arimaa was designed to be hard for computers to play (while being easy for humans), and there’s even a prize for a computer that can beat the best human Arimaa players. Which is an interesting angle, story-wise. Its creator hopes that by creating better computer players, we might learn more about computerizing strategy. If that turns out to happen, I’ll certainly be interested in those results. But either way, it’s a fun game to play, and that’s a useful thing in its own right.
path: /misc | Current Weblog | permanent link to this entry
New Edition: Countering Spam by Using Ham Passwords (Email Passwords)
I’ve released a new version of my article, Countering Spam by Using Ham Passwords (Email Passwords). In particular, I’ve christened the approach with a new name: “ham passwords”. I’ve found that ham passwords are a simple and effective technique for countering spam; I use it myself. A ham password is a special password you ask strangers, or senders in general, to include in email they send to you, typically in the subject line. If the sender wants the receiver to receive an email, then the sender should send the ham password to prove that they are authorized to send the email. This technique is excellent in countering the major weakness of spam filters: incorrectly labelling ham as spam. This approach is inexpensive, requires no changes to any software code, and is simple to understand. It especially works well when combined with other techniques that handle non-strangers.
path: /security | Current Weblog | permanent link to this entry
Firefox is coming November 9, 2004…
The official release of the Firefox web browser is coming soon, on November 9, 2004. Of course, “new” is misleading; much of the infrastructure of Firefox is based on Mozilla, which is based on Netscape Navigator’s original code. But Mozilla underwent a major redesign in 1998 to make its infrastructure design far better, and now the same is happening to the outer browser. The result - a very nice browser. It’s clean and simple, yet it’s easy to add extensions that do lots of extremely useful things. I really like it; if you haven’t checked it out, you need to.
Firefox has lots of useful capabilities. I love tabbed browsing, which it supports; I find it truly painful now to use a browser without tabbed browsing (such as Internet Explorer (IE)). Firefox’s built-in tabbed searching and finding is really nice. There’s much to like from a security point of view: it won’t load harmful ActiveX controls, it has a built-in pop-up blocker, and frankly it’s got a better security history to recommend it. Indeed, CERT’s taken the unusual step of suggesting that a good solution to IE’s endless woes is to switch browsers; eWEEK.com Senior Editor Steven J. Vaughan-Nichols recommends dumping IE as too dangerous.
But something very nice about Firefox - and not as clearly crowed by its developers - is that Firefox is far more standards-compliant. This isn’t just an idle claim; this detailed analysis of CSS support clearly shows how badly IE supports CSS, a key web standard. No browser is perfect; Firefox is based on Mozilla, and you’ll notice some weaknesses of Mozilla in that paper. But you want a browser that’s close and in the process of fixing any minor problems. Even though many web application developers have complained mightily to Microsoft for years for them to fix the many bugs and incomplete capabilities of Internet Explorer, Internet Explorer has continued to poorly implement the web standards for years, with little evidence they’ll be fixed soon.
There are lots of nice extras you can get. I like the “Google Cache” and “Internet Archive” extensions; they’re very handy for research.
Firefox also runs on just about anything: Windows, Mac, Linux, Unix. Notice that it runs on old versions of Windows (like Windows 98), too.
If you’re curious, download and try Firefox out - it’s free!
path: /oss | Current Weblog | permanent link to this entry
November 2004 release of “Why OSS/FS? Look at the Numbers!”
I’ve made a somewhat major re-release of my paper “Why Open Source Software / Free Software (OSS/FS)? Look at the Numbers!” I made many changes; here are some of the highlights:
path: /oss | Current Weblog | permanent link to this entry
Speaking October 27 at “Open Source Enterprise Solutions Conference” of the Tech Council of Maryland
On October 27 I’ll be speaking at the Open Source Enterprise Solutions Conference in Rockville, Maryland. This event is put on by the Tech Council of Maryland. My topic is security and open source software; those who’ve read my books and articles won’t be terribly surprised by the content. I debunk extreme views like “open source is always more secure” and “open source is never more secure,” for example.
One surprising thing is how many open source software / Free Software (OSS/FS) security-related companies and projects are based in Maryland. There are quite a number! They include:
path: /oss | Current Weblog | permanent link to this entry
Supreme Court Could Make Washington, DC Part of Maryland for Congressional Elections
As I’ve noted before, due to strange quirks of history, residents of the U.S. capital — Washington, DC — cannot vote in U.S. Congressional elections. I’m a big believer in democracy, and this is a quirk that needs fixing. I earlier wrote Treat Washington, DC as Part of Maryland for Congressional Elections to describe what I think is a solution that deserves more consideration. I’ve now added to that essay an important way that result could be obtained: the courts. This situation wasn’t established by the U.S. Constitution (as commonly thought), but by a later 1801 law; before that time, residents of the current DC land voted as Marylanders. So, DC residents could bring a suit to the courts, claiming that the disenfranchisement is unconstitutional. If the U.S. Supreme Court agrees, then voila — DC residents can suddenly vote in Congressional elections, as they did before 1801.
See my essay for more details.
path: /misc | Current Weblog | permanent link to this entry
New essay: “Linux Kernel 2.6: It’s Worth More!”
In response to a posting by Jeff V. Merkey, Ingo Molnar used my tool SLOCCount to estimate the effort it would take to redevelop Linux kernel version 2.6. Molnar’s rough estimate found it would cost $176M (US) to redevelop the Linux kernel using traditional proprietary approaches. I thought it was an interesting way to respond, but I knew that the defaults in SLOCCount are probably not the best for the Linux kernel itself. After all, an operating system kernel is much more complicated and difficult to implement than most programs, and although there are ways to account for that, SLOCCount by default doesn’t do so. By using a more detailed cost model and much more information about the Linux kernel, I created another effort estimate that refines Molnar’s work. Bottom line: I believe the current Linux kernel 2.6 would take closer to $612M (US) to redevelop.
For more information, including some comments on what it all means, see my essay Linux Kernel 2.6: It’s Worth More! Feel free to also look at my related paper More than a Gigabuck: Estimating GNU/Linux’s Size.
path: /oss | Current Weblog | permanent link to this entry
New Security Article on Race Conditions
Well, I’m happy to announce that another one of my developerWorks articles on secure development is now out for the public. Go take a look at Secure programmer: Preventing Race Conditions.
This was a trickier article to write, because race conditions are harder to describe in a simple way. No matter what, they always involve subtle timing interactions, and that makes them hard to describe. Even the conventional definitions are too complicated and don’t really help explain the issue. So, I ended up writing my own definition: A “race condition” occurs when a program doesn’t work as it’s supposed to because of an unexpected ordering of events that produces contention over the same resource. Notice that a race condition doesn’t need to involve contention between two parts of the same program; many security problems occur if an outside attacker can interfere with a program in unexpected ways.
And from there, it shows some of those big surprises. A whole bunch of race conditions have been found over the last few months, so this is certainly still a serious problem.
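One of the simplest instances of the definition above is a program that checks whether a file exists and then creates it as two separate steps: the resource is the file name, and the unexpected ordering is anything else touching that name between the check and the create. The following is an added example written for this post (not code from the article), showing the check-then-act pattern beside the atomic form in which the operating system performs check and creation as one step; the report file name and contents are constructed for the demonstration.

```python
import os
import tempfile


def create_report_unsafe(path, data):
    """Check-then-act: the exists() check and the open() are two separate events.
    Whatever else touches `path` between them (creating it, replacing it with a
    symbolic link) changes what open() actually does, which is exactly the
    'unexpected ordering of events' in the definition above."""
    if os.path.exists(path):
        raise FileExistsError(path)
    with open(path, "w") as f:
        f.write(data)


def create_report_safe(path, data):
    """Ask the kernel to check and create atomically: O_CREAT|O_EXCL fails with
    EEXIST (FileExistsError in Python) if anything already has that name, and
    O_NOFOLLOW refuses to follow a symbolic link sitting at `path`."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    flags |= getattr(os, "O_NOFOLLOW", 0)  # not defined on every platform
    fd = os.open(path, flags, 0o600)       # restrictive mode from the start
    with os.fdopen(fd, "w") as f:
        f.write(data)


def demo():
    """Create a report twice under the same constructed name; the second
    attempt must fail without touching the first file's contents."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "report.txt")
        create_report_safe(path, "first")
        try:
            create_report_safe(path, "second")
            clobbered = True
        except FileExistsError:
            clobbered = False
        with open(path) as f:
            content = f.read()
        return clobbered, content


if __name__ == "__main__":
    print(demo())
```

A single-process test cannot exercise the timing window in the unsafe version, which is the point: the window is invisible in ordinary testing and only the atomic form removes it.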
path: /security | Current Weblog | permanent link to this entry
End of September 2004 release of “Why OSS/FS? Look at the Numbers!”
I’ve made another release of my paper “Why Open Source Software / Free Software (OSS/FS)? Look at the Numbers!” Here are some highlights:
path: /oss | Current Weblog | permanent link to this entry
Sorry for the website unavailability…
For those of you who were trying to reach the website recently — sorry about that! The website was unavailable for a little while. The problem wasn’t on the website system itself, but on a communications link (at the ATM level) to the outside world. In any case, it’s obviously been fixed, and hopefully we won’t be having that kind of problem again…. at least for a very long time.
path: /website | Current Weblog | permanent link to this entry
New release of “Why OSS/FS? Look at the Numbers!”
I’ve made a new release of my paper “Why Open Source Software / Free Software (OSS/FS)? Look at the Numbers!” This is basically a minor release, with various small additions and improvements here and there. Here are some highlights:
path: /oss | Current Weblog | permanent link to this entry
The Cautionary Tale of XFree86
Well, it’s been many months, and the sad tale of XFree86 is now clear to all. At one time, if you used a Unix-like machine with a graphical user interface, it was very likely that you were using the results of the XFree86 project. But not now. Much of the code of the XFree86 project will live on in the X.org project, but the XFree86 project itself has now been abandoned by nearly all.
This is an important tale that needs recording, and telling. Cautionary tales about hubris, and ignoring both the people you lead and your customers, can sometimes help others to avoid the same mistakes. Hopefully, by recording such tales, there will be fewer similar tales to tell in the future. And in many ways this is a story of hope and triumph; it shows how developers and customers joined and revolted together against an extremely unpopular decision, and eventually got their needs met instead. In fact, customers ended up with a very simple transition path, one which is hard to imagine for a proprietary product. Rarely are “votes of no confidence” in the OSS/FS world so obvious and so powerful.
I’ve now documented XFree86’s demise in more detail as a new appendix on XFree86. The appendix is part of my essay about GPL compatibility. In short, the XFree86 leader decided that GPL compatibility was unimportant to customers and developers, ignoring all those who tried to explain otherwise. Customers and developers got fed up, established a competing fork, and switched en masse. In the end, the customers and developers got GPL compatibility, just as they demanded.
path: /oss | Current Weblog | permanent link to this entry
Countering Spam Using Email Passwords
I’ve been having a great deal of success countering spam using a simple technique that I call “email passwords”. It’s been mentioned on my website for a long time, but I thought it might be helpful to others if I gave a more detailed description of them and how they work.
As a result, I’ve just released a short essay titled “Countering Spam Using Email Passwords” which describes email passwords, including how they work and how to implement them. The idea is pretty simple: if a stranger wants to contact you, tell them to include an ‘email password’ in the subject line. Then provide the email password in a shrouded way on your website so that legitimate senders can get it, but so it’s a pain for a spammer to get. If a spammer gets the email password, you can simply change it. I also use a “reply indicator” text phrase in my replies, so that legitimate replies are also less likely to be labelled as spam. But simple isn’t necessarily bad! Combined with other anti-spam tricks (like whitelists, content filters, and blacklists), I get really useful results.
I suspect other people have done this too, but I haven’t seen anything written about email passwords before. Maybe it’s in many places and I just missed it; sorry if I have. Maybe some people will point me to prior work (I could update my essay to reference some). But since I’ve read about many anti-spam approaches without seeing a discussion of this approach, I suspect others haven’t heard of this either. It’s similar to challenge-response systems, but there’s no actual challenge. While it’s not perfect, it definitely helps.
In the long term, I believe that governments must step in and make spamming illegal, with serious legal teeth (including possible prison terms and financial bankruptcy) for the spammer and the people who fund them, as well as making spamming itself illegal (instead of just fraudulent headers and spamming after a “please stop” message). Spamming is a massive denial-of-service attack against people’s email accounts, and it’s basically a theft of service. After all, it doesn’t matter if you own an email account if you can’t use it. But the history of computer crime law shows that this takes time; it took a long time for laws to be written to criminalize computer crime, and it’s really still in process. Current laws are completely ineffective (especially the U.S. law), but that’s not surprising; lawmakers often try to make small steps in the hopes that they will solve the problem. Eventually laws with real teeth will have to be written, or email will be useless. Since legislatures like to use email, and have constituents who will throw them out if their email is taken away, in the long term this will be addressed.
But in the short term, we need to use email in spite of inadequate laws. Approaches like email passwords will hopefully make it possible to keep using our email until the legislatures around the world catch up to the technology.
If you’re curious, you can also see my essay on stopping spam and my paper on guarded email. I’ve also written several articles on other topics you may find interesting, including writing secure programs and quantitative reasons why you should consider open source software / Free Software when acquiring software. And of course, you can always visit my home page.
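The email password (later renamed ham password) technique described in this entry and in the “Countering Spam by Using Ham Passwords” entry above is a filtering rule, so it can be shown as one. The following is an added example written for this post, not the author's own implementation: it classifies an incoming message as ham if it comes from a known sender, carries the password in the subject line, or carries the reply indicator phrase, and otherwise leaves the decision to whatever content filter follows. The password value, the reply indicator, the known-sender list and the sample messages are all constructed for the demonstration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed values; a real deployment picks its own and rotates the password
# once spammers start using it, as the essay describes.
HAM_PASSWORD = "bluebird42"          # strangers put this in the subject line
REPLY_INDICATOR = "[re:dw]"          # phrase included in your own outgoing replies
KNOWN_SENDERS = {"friend@example.com"}  # non-strangers, handled by a whitelist


def classify(raw_message):
    """Return a label for one RFC 822 message given as a string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    subject = str(msg.get("Subject", ""))
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""

    if sender in KNOWN_SENDERS:
        return "ham (known sender)"
    # Case-insensitive: people retype passwords by hand.
    if HAM_PASSWORD.lower() in subject.lower():
        return "ham (password)"
    # A reply to something you sent quotes your reply indicator back at you.
    if REPLY_INDICATOR in subject or REPLY_INDICATOR in body:
        return "ham (reply indicator)"
    # Not proven ham; the content filter decides, as the essay's layered approach suggests.
    return "undecided (content filter)"


# Constructed sample messages, one per path through the filter.
SAMPLES = {
    "stranger_with_password": (
        "From: Pat Stranger <pat@example.org>\n"
        "Subject: BlueBird42 - question about your spam essay\n\n"
        "Hi, I read your page and have a question.\n"
    ),
    "reply_to_me": (
        "From: Lee <lee@example.net>\n"
        "Subject: Re: your message\n\n"
        "> [re:dw] Thanks for writing. Here's my answer...\n"
        "Great, that solved it.\n"
    ),
    "known_sender": (
        "From: friend@example.com\n"
        "Subject: lunch?\n\n"
        "Free on Friday?\n"
    ),
    "unknown_bulk": (
        "From: offers@example.biz\n"
        "Subject: Increase your bandwidth today\n\n"
        "Limited time offer.\n"
    ),
}


def classify_samples():
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, label in classify_samples().items():
        print(f"{name:24s} {label}")
```

The filter never says "spam" on its own: the essay's point is to stop ham from being mislabelled, so the password and reply indicator only ever add evidence for ham, and everything else is passed along to the blacklists and content filters the entry mentions.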
path: /misc | Current Weblog | permanent link to this entry
New release of “Why OSS/FS? Look at the Numbers!”
I’ve made a new release of my paper “Why Open Source Software / Free Software (OSS/FS)? Look at the Numbers!” It’s a tome, and getting even longer, as more stuff becomes available. This is basically a minor release, with various small additions and improvements here and there. Here are some highlights:
path: /oss | Current Weblog | permanent link to this entry
Apple should release Apple ][ code
I’d like to convince you, gentle reader, to add your voice to mine, and ask Apple Computer to release the code for the Apple ][ line.
Many years ago, the Apple ][ line was one of the most popular computer lines, but it’s now completely obsolete. You can see Apple history for more information. The Apple ][ (also spelled Apple II, later Apple //, and sometimes Apple 2) was an 8-bit computer first built in 1977, and ran at 1MHz with 4K to 64K of memory. The last of the Apple ][ line was the Apple //gs, announced in September 1986, and discontinued in December of 1992. It ran at 2.8 or 1 MHz (with upgrades up to 18MHz), and could expand to up to 8 MB of RAM. Compared to today’s machines that run at 1000 MHz and much more, and routinely come with 512MB and more of RAM, these machines are completely obsolete.
Still, there are hobbyists and nostalgia buffs who’d like to be able to run these old machines (either directly or by emulation).
So I ask Apple, as a gesture of goodwill, to release the code for the Apple ][ line, say to the public domain or under some sort of open source software license, so that hobbyists can keep these old systems running. That includes the Apple ][, ][+, //e, //c, and //gs ROMs, the disk ROMs, and the operating systems (at least DOS 3.2, DOS 3.3, and ProDOS). Apple may not be able to release the Applesoft BASIC stuff (I believe Microsoft owns that copyright), but Apple can at least release the rest of it, and we can ask Microsoft to release Applesoft BASIC separately. The original Apple ][ ROMs didn’t include Applesoft BASIC, and yet for many circumstances that ROM is enough to run many Apple ][ programs, so even without Applesoft such a grant would be very helpful.
Apple, you aren’t going to make money on these things. But current copyright law doesn’t acknowledge that obsolete things should be automatically released to the public. By releasing obsolete items that no longer have real market value, you allow others to maintain and use these old systems (through hardware or emulation) in future generations.
Others have released obsolete systems to the public. The Minix operating system, developed long after the Apple ][ line began, originally required a fee, but it’s since been released under a BSD license. CP/M binaries and source code have been released to the public at no charge, and that 8-bit operating system comes from the same timeframe.
path: /misc | Current Weblog | permanent link to this entry
Flawfinder version 1.26 released!
I’ve released yet another new version of flawfinder - now it’s version 1.26. Flawfinder is a simple program that examines C/C++ source code and reports on likely security flaws in the program, ranked by risk level. When I announced flawfinder version 1.25, people responded with a flurry of useful improvements, so I thought I’d incorporate those right away for all to enjoy.
You can view the Flawfinder ChangeLog for the details. Here are some of the highlights:
NOTE: Due to an error on my part, the tar file for version 1.25 on my website was for a short period (between 2004-06-05 and 2004-06-15) actually a functional equivalent of version 1.26 (without some stuff that only affects me), incorrectly labelled as 1.25. This wasn’t true for the RPM packages (the 1.25s stayed as 1.25), so suspicious people could look inside the RPM packages to see if the tar file within was correct. In some sense this wasn’t a serious problem - tar users got the latest version of flawfinder a little sooner than I intended. But I really want version numbers to mean what they say, and I know others do too; for those folks, my sincere apologies!! Please upgrade to 1.26, since that way you’ll be SURE to get the right version. If you want to check, here are the md5sums of various correct files:
dcdd0a7a5b9dc8d0ffc85c1a5833bc43 flawfinder-1.25-1.noarch.rpm
744f0cc317c583de6d295860db3c7cbe flawfinder-1.25-1.src.rpm
fa5b644e00aa4862de5b790f0e1a3ad7 flawfinder-1.25.tar.gz (the real 1.25)
530b11016c52d473ebb7bc9639d4338b flawfinder-1.26-1.noarch.rpm
cbc61513620bc7b17bcc29f8eb50fb9f flawfinder-1.26-1.src.rpm
242a90ecf2f21a709a2425c8771ef38e flawfinder-1.26.tar.gz
Here’s the md5sum of the file that was briefly labelled as flawfinder-1.25.tar.gz, but was actually a functional equivalent of 1.26:
e1fa5fcb540b91d27c3ae427595a182e flawfinder-1.25.tar.gz-actually1.26
Just go to the flawfinder home page to get the latest version.
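The check the entry invites (compare the md5sum of the file you have against the published list) is a small piece of code, so here it is as an added example written for this post, not part of flawfinder or of the author's site. It parses lines in the `md5sum` output format shown above and reports, per file, whether the digest matches, mismatches, or the file is missing; the files and digests in the demonstration are constructed in a temporary directory rather than downloaded.

```python
import hashlib
import os
import tempfile


def parse_manifest(text):
    """Parse md5sum-style lines ('<32 hex digits> <filename>') into {name: digest}.
    Blank lines and '#' comments are skipped; anything after the name, such as
    the '(the real 1.25)' remark in the listing above, is kept out of the name."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rest = line.partition(" ")
        name = rest.lstrip(" *").split(" ")[0]  # md5sum marks binary mode with '*'
        digest = digest.lower()
        if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed digest in line: {line!r}")
        expected[name] = digest
    return expected


def md5_of_file(path):
    """Hash the file in chunks so large tarballs are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(manifest_text, directory):
    """Return {name: 'ok' | 'MISMATCH' | 'missing'} for every manifest entry."""
    results = {}
    for name, digest in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif md5_of_file(path) == digest:
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


def demo():
    """Constructed scenario: one correct file, one relabelled file, one absent file."""
    with tempfile.TemporaryDirectory() as d:
        good = b"constructed contents standing in for the real tarball\n"
        with open(os.path.join(d, "good.tar.gz"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "relabelled.tar.gz"), "wb") as f:
            f.write(b"different contents under the expected name\n")
        manifest = (
            f"{hashlib.md5(good).hexdigest()}  good.tar.gz\n"
            f"{hashlib.md5(good).hexdigest()}  relabelled.tar.gz (should match good)\n"
            f"{'0' * 32}  absent.tar.gz\n"
        )
        return verify(manifest, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9s} {name}")
```

A mismatch report is exactly the situation the entry describes, a file whose contents do not correspond to its label. Note that this kind of check catches mislabelling and corrupted downloads; it is only as trustworthy as the channel the digest list itself came over, since MD5 is not collision resistant and anyone who can replace the file can usually replace an unprotected digest list too.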
path: /security | Current Weblog | permanent link to this entry
Democracy Requires Verified Voting
I’m a strong advocate of democracy, but democracy only works if a small group of people can’t rig the outcome. Sadly, that’s no longer true; many counties have unwisely begun installing computerized voting systems that cannot be verified, and in fact are untrustworthy.
That means a single person could determine who wins or loses a given election, by simply modifying the reports from unverifiable computers. By adding just a few lines of code to a voting program, or breaking into one (experts have generally reported them to be easy to break into), you could make an unverifiable voting system say whatever you wanted it to say. That’s nonsense.
The paperless electronic voting systems have already demonstrated that they can never be trusted; here are a few examples from CNN:
As noted in the article Gambling on Voting (NY Times, June 13, 2004), gambling equipment is far more trustworthy than voting machines. For example, the state has access to all gambling software (electronic voting machine makers say their software is a trade secret), and the machines are spot-checked to make sure that the software running is what’s registered.
What’s needed, as a bare minimum, is verified voting. The VerifiedVoting.org folks wisely advocate the use of voter-verified paper ballots (VVPBs) for all elections in the United States, so voters can inspect individual permanent records of their ballots before they are cast and so meaningful recounts may be conducted. They also insist that electronic voting equipment and software be open to public scrutiny and that random, surprise recounts be conducted on a regular basis to audit election equipment. Without these simple safeguards, we’ll all be forced to say that the computer ate my vote.
I urge anyone in a democratic country to ensure that these minimal requirements of verified voting (by paper ballot) are met.
path: /misc | Current Weblog | permanent link to this entry
UPDATE: Why OSS/FS? Look at the Numbers!
After about half a year, I’ve now made a big new release of my paper Why Open Source Software / Free Software (OSS/FS)? Look at the Numbers! This large paper lists various statistics I’ve found justifying why anyone should consider OSS/FS.
In theory, this shouldn’t be as needed, because much of the IT industry has figured that out already. Look at IBM’s Linux ads, the continuing dominance of Apache and bind in their markets, the take-up by many organizations of Mozilla and Open Office, and so on.
Yet I still encounter far too many software users who never consider their alternatives (even if the alternatives might be much better), and organizations that still create acquisition processes that unnecessarily exclude OSS/FS. These decisions aren’t good for the users and organizations; without considering their options, they’re unlikely to always make the best choices. But worse still, Adam Smith’s invisible hand cannot work without competition. If too many users fail to consider their alternatives, they can encourage vendors and projects to stop working to get better (since the users won’t change anyway).
There’s a certain large software vendor who has paid for a number of reports to “prove” that their proprietary stuff is better, with an implication that their proprietary products are always better. As I mentioned in my interview with NewsForge, you should consider suspect any study of a vendor that’s funded by that vendor. Organizations self-fund public studies to give them good press, not necessarily to give customers a full understanding. I’m actually not out to get the vendor, but it does bug me when people use vendor-funded studies as though they were really independent research. Yet if you don’t know about alternative analyses, it’s hard to respond to the vendor-funded analyses. My paper is a useful antidote.
So… what’s in the updated paper? A lot of little improvements and new references to studies. In market share, I’ve updated the Netcraft and Security Space surveys of web servers (Apache still dominates), and added a new DNS survey showing (in yet another way) OSS/FS’s massive dominance in that market. In security, I noted that SuSE and Red Hat have received Common Criteria evaluations, and noted some of the serious security problems that seem unique to proprietary operating systems (91% of broadband users have spyware; 80% of spam is now sent from infected Windows machines). For reliability, I’ve added the May 2004 Netcraft survey of reliable servers (80% of the top ten most reliable hosting providers are OSS/FS based), and an IBM study showing that Linux is quite reliable under continuous high stress for 30 and 60 days. For scalability, I added a reference to “Thunder”, the fastest computer in North America (it runs on Linux). I added a lot of text noting that OSS/FS isn’t just pirated source code (a new claim being heard occasionally, though so far only from people who appear to be paid to say it). I added much more text about SCO and ADTI, including some of Tanenbaum’s statements and a Minix/Linux code study refuting ADTI’s claims. In the discussion about forking, I noted the XFree86 vs. X.org fork to show that forking can be about licensing, not just about project speed. Various typos fixed, too; my thanks to the many who sent suggestions.
Overall, this should be an even better starting point for those of you who need specific quantitative data on OSS/FS, and don’t know where to start. It won’t prove OSS/FS is always better — I use proprietary software myself — but shows that OSS/FS needs to be considered.
path: /oss | Current Weblog | permanent link to this entry
Flawfinder version 1.25 released!
I’ve released a new version of flawfinder - version 1.25. Flawfinder is a simple program that examines C/C++ source code and reports on likely security flaws in the program, ranked by risk level. You can view the Flawfinder ChangeLog for the details. Here are some of the highlights:
Just go to the flawfinder home page to get the latest version.
path: /security | Current Weblog | permanent link to this entry
Added permanent location for patent protest
I can’t keep the protest page on patents up forever, but I certainly want people to be able to access it. So here’s the permanent location of the patent blackout page, so you can get its information even when it’s not the front page of my site.
I’ll occasionally place it back as the front page until this issue gets resolved more reasonably. In the meantime, I’ve added a link to relevant excerpts from the U.S. Federal Trade Commission Report. For example:
Many panelists and participants expressed the view that software and Internet patents are impeding innovation. They stated that such patents are impairing follow-on incentives, increasing entry barriers, creating uncertainty that harms incentives to invest in innovation, and producing patent thickets. Panelists discussed how defensive patenting increases the complexity of patent thickets and forces companies to divert resources from R&D into obtaining patents. Commentators noted that patent thickets make it more difficult to commercialize new products and raise uncertainty and investment risks. Some panelists also noted that hold-up has become a problem that can result in higher prices being passed along to consumers.
Note that after discussing the various ways that patents are intended to spur innovation, “Commentators were generally skeptical about the benefits of the patent system in these [software and Internet] industries.”
path: /misc | Current Weblog | permanent link to this entry
Version 2.24 introduces a few minor bugfixes and improvements. Now SLOCCount automatically tries to use several different MD5 programs, until it finds one that works - this is more flexible, and as a result, it now works out-of-the-box on Apple Mac OS X. SLOCCount now accepts “.” as the directory to analyze, it correctly identifies wrapper scripts left by libtool as automatically generated code, and it correctly identifies debian/rules files as makefiles. Also, installation documentation has improved. My thanks to Jesus M. Gonzalez-Barahona for telling me about the Debian bug reports and testing of candidate versions. My thanks to Koryn Grant, who told me what needed to be done to get SLOCCount running on Mac OS X (and for testing my change). This version resolves Debian Bug reports #173699, #159609, and #200348.
path: /oss | Current Weblog | permanent link to this entry
Counter EU Council of Ministers’ foolish patent decision
The FFII has learned that the EU Council of Ministers has decided to ignore the EU Parliament, and instead plans to establish a reckless “patent everything” approach to software and business models. This is an incredibly bad idea; US experience has shown uncontrolled patenting is an unmitigated disaster for commerce, and there’s no reason for Europe to import bad ideas. It’s also exposing some serious problems with EU governance; members of the European Parliament across the political spectrum are condemning this blatant disrespect for democracy in Europe.
See the FFII for more information, including a simple example of why patents are bad — they have a demo web page that would be illegal if these laws were passed, because Europe has already granted patents on the idea of a web store, etc. In the process of gathering information on software innovation it became quite clear to me that, while patents may be useful in the hardware fields they were intended for, patents actually impede innovation in software and business methods. That is why US law originally forbade them (until these laws were stealthily overturned by patent lawyers), and why most countries still forbid them.
I urge Europeans to get involved - see this FFII page for more information.
path: /misc | Current Weblog | permanent link to this entry
Updated my essay on Software Configuration Management Security
I’ve updated my essay on Software Configuration Management (SCM) Security. That essay is relatively new, and I’ve added more now. Today we use SCM tools to manage our complicated software, yet we’re not paying enough attention to those tools’ security requirements.
For example, few SCM tools think about the problem of handling malicious developers (who are trying to insert Trojan horses) or about countering people who gain root access on a centralized system being used as the SCM data repository… even though that’s already happening. There are ways to deal with those kinds of attacks… but you have to think about them to counter them.
One of the recent additions to the essay is based on an interesting email I received from Dr. Carsten Bormann of the University of Bremen. He mentioned a specialized attack that he terms the “encumbrance pollution attack”. In an encumbrance pollution attack, the attacker inserts material that cannot be legally included.
To understand it, first imagine an SCM with perfectly indestructible history. The attacker steals developer credentials, or is himself a malicious developer, and checks in a change that contains some encumbered material. “Encumbered” material is simply material which cannot be legally included. Examples include child pornography, slanderous/libelous statements, or code which has copyright or patent encumbrances. This could be very advantageous to the attacker; for example, a company might hire a malicious developer to insert that company’s code into a competing product, and then sue the competitor for copyright infringement, knowing that their SCM system “can’t” undo the problem. Or a lazy programmer might copy code that they have no right to copy (this is rare in open source software projects, because every line of code and who provided it is a matter of public record, but proprietary projects do have this risk).
Any SCM can record a change that essentially undoes a previous change, but if the history is indestructible and viewable by all, then you can’t get rid of the history. This makes your SCM archive irrevocably encumbered. This can especially be a problem if the SCM is indestructibly recording proposals by outsiders!
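As an added illustration (not code from the essay or from Dr. Bormann’s email), here is a toy content-addressed, append-only history in Python: reverting the encumbered check-in leaves the blob retrievable by anyone who can read history, and the only real remedy is a purge that rewrites every later commit id, which is exactly what an “indestructible history” design forbids. The repository model, method names and sample file contents are all constructed for this example.

```python
import hashlib

def sha(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def commit_id(parent, tree: tuple, message: str) -> str:
    # Identity covers parent, tree and message, so rewriting any ancestor
    # changes every descendant's id (the same property git has).
    return sha(f"{parent}|{tree}|{message}".encode())

class Repo:
    def __init__(self):
        self.blobs = {}    # blob id -> bytes; never dropped in append-only use
        self.commits = {}  # commit id -> (parent id, sorted tree, message)
        self.head = None
    def _commit(self, tree: dict, message: str) -> str:
        rec = (self.head, tuple(sorted(tree.items())), message)
        self.head = commit_id(*rec)
        self.commits[self.head] = rec
        return self.head
    def _tree(self) -> dict:
        return dict(self.commits[self.head][1]) if self.head else {}
    def checkin(self, files: dict, message: str) -> str:
        """Record new or changed files on top of the current head."""
        tree = self._tree()
        for name, data in files.items():
            self.blobs[sha(data)] = data
            tree[name] = sha(data)
        return self._commit(tree, message)
    def remove(self, name: str, message: str) -> str:
        """The ordinary 'undo': a new commit whose tree lacks the file."""
        tree = self._tree()
        del tree[name]
        return self._commit(tree, message)
    def history(self) -> list:
        out, cur = [], self.head
        while cur:
            out.append(cur)
            cur = self.commits[cur][0]
        return out
    def reachable_blobs(self) -> set:
        """Every blob anyone with read access to history can still retrieve."""
        return {b for c in self.history() for _, b in self.commits[c][1]}
    def purge(self, bad: str) -> dict:
        """Destroy history: rebuild each commit without `bad`, drop the blob.
        Returns old id -> new id; every id after the first affected one changes."""
        old = [self.commits[c] for c in reversed(self.history())]  # root first
        self.commits, self.head, renamed = {}, None, {}
        for parent, tree, message in old:
            renamed[commit_id(parent, tree, message)] = self._commit(
                {n: b for n, b in tree if b != bad}, message)
        self.blobs.pop(bad, None)
        return renamed

def demo() -> dict:
    """Constructed scenario: an encumbered check-in, a revert, then a purge."""
    repo = Repo()
    repo.checkin({"main.c": b"int main(void){return 0;}"}, "initial import")
    stolen = b"/* constructed stand-in for code the project may not use */"
    bad = sha(stolen)
    repo.checkin({"util.c": stolen}, "add helper")
    repo.remove("util.c", "revert helper")
    after_revert = bad in repo.reachable_blobs()  # True: a revert is not removal
    renamed = repo.purge(bad)
    return {"reachable_after_revert": after_revert,
            "reachable_after_purge": bad in repo.reachable_blobs(),
            "ids_changed": sum(o != n for o, n in renamed.items()),
            "commits": len(repo.history())}
```

Note that the purge changes the ids of the two later commits while the untouched root keeps its id, so anyone holding a copy of the old history can tell it was rewritten; that visibility is the price of being able to remove the material at all.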
Anyway, take a look at Software Configuration Management (SCM) Security.
path: /security | Current Weblog | permanent link to this entry
Treat Washington, DC as Part of Maryland for Congressional Elections
The U.S. has encouraged democracy abroad through the years. Yet due to strange quirks of history, residents of the U.S. capital — Washington, DC — cannot vote in U.S. Congressional elections. That is, simply put, absurd. I’m a big believer in democracy, and this is a quirk that needs fixing. Several solutions have been proposed, but I think one solution in particular stands above the rest and hasn’t gotten the attention it deserves. What’s that solution? Treat Washington, DC as Part of Maryland for Congressional Elections. See my essay for more details.
path: /misc | Current Weblog | permanent link to this entry
Stop European Software Patents
As you can tell, I’ve placed a protest on my front page about the push in Europe to permit software patents. Patent lawyers are trying to get laws passed to permit unlimited patenting of software, a foolish idea that the European Parliament has already rejected. The ffii.org and other groups have more information on the topic. Please get others to stop this thing.
path: /misc | Current Weblog | permanent link to this entry
NewsForge interviews me on Proprietary vs. OSS/FS TCO
NewsForge has just posted an interview of me, where I discuss the Microsoft-funded studies claiming that Microsoft’s proprietary products have a lower total cost of ownership (TCO) than Open Source Software/Free Software (OSS/FS).
My answers shouldn’t be surprising to those who’ve read my other writings. For example, I say that:
“TCO is extremely sensitive to a specific circumstance, so a TCO for one situation doesn’t usually apply to other cases. I’m sure that there are cases where Microsoft’s approach has a lower TCO than alternatives, so in those specific cases it’s true. However, there are also cases where open source software or Linux-based solutions have a lower TCO. You really have to consider all the costs for your specific situation, and your results may differ.”
I don’t have a lot of faith in Microsoft’s studies, because Microsoft funded almost all of them… a concern I discuss in the interview. As I say, “There may be useful information in the self-funded studies, but I don’t have any way to be confident with them.” There are just too many ways for a vendor to tweak studies they fund. Oh, and I’d say the same thing about a study funded by Red Hat or IBM or Apple or anyone else. You should give much more weight to independent studies.
Want more details? Take a peek at the interview.
path: /oss | Current Weblog | permanent link to this entry
Presentation at Open Source in Government Conference 2004
I just finished presenting at the Open Source in Government Conference 2004, aka “Unlocking Innovation for the Business of Government”. This was co-sponsored by the U.S. General Services Administration (GSA) and The Center of Open Source & Government. My presentation was about open source software and security, and I think it was received well. Those of you who have read my articles about open source software and writing secure programs won’t be surprised at what I said.
Dawn Meyerriecks (Defense Information Systems Agency (DISA)) gave a good presentation appealing for engineering reasoning rather than hype. I talked with another attendee who noted that in many places now, open source software is no longer the scary new concept, but instead it’s a workhorse that people have finally begun to understand.
A long presentation at the conference was a demonstration of “Workforce Connections”, a really good tool developed through government funding, and the first to my knowledge developed and released by the government as GPL software. (SELinux was released under the GPL, but it was a modification of an existing GPL’ed program.) It looks like a really good tool, and the presenter showed many charts detailing the extraordinary amount of money the government was saving by taking this approach. The Microsoft representative was taking notes, but I’m not sure if that was because he wanted to try to interfere with the project… or because he realized he could sell more Windows systems by supporting it (Workforce Connections can run on Windows as well as on Linux, and making sure it’s well-supported would give them additional sales opportunities). I also talked with an attorney, who had been involved in the licensing discussions. At one time, lawyers who understood (or had even heard about) the GPL and other such licenses were rare, but this lawyer flatly asserted that he understood the GPL and that they’d worked through the legal issues. That’s quite a change.
Indeed, it’s amazing how widespread the meme of open source software / Free software is. I mentioned speaking at an open source conference on the subway (on the way there), and the person next to me praised Mozilla Firebird for its tabbed browsing (note: she knew it was open source; I didn’t give a product name). I mentioned open source at the Ottawa airport, and the two people behind me said they were already using open source programs (in particular, Linux). I’m very pleased to see that people are now actively considering OSS/FS as an option, and then applying it where it makes sense to do so.
path: /oss | Current Weblog | permanent link to this entry
I speak March 11 at “You Paid What?” on evaluating OSS/FS
On March 11, 2004, I’ll be speaking at the conference You Paid What? A Workshop On Full Cost Accounting Methodology For Information Technology Projects In The Public Sector in Ottawa, Canada. My talk will be based on my paper, Evaluating OSS/FS Programs.
What’s Full Cost Accounting (FCA)? It’s the idea that instead of making information technology purchasing decisions on the basis of a single-project cash-flow, you should use a framework (FCA) to assess value-for-money from an enterprise perspective, and when appropriate, in consideration of the wider community (this particular conference is aimed at governments, which in the end exist to serve the wide community of their citizens).
path: /oss | Current Weblog | permanent link to this entry
Slashdot posts my review of David J. Agans’ “Debugging”
Today Slashdot posted my review of David J. Agans’ Debugging: The 9 Indispensable Rules for Finding Even the Most Elusive Software and Hardware Problems. The bottom line: it’s a really good book. Debugging explains the fundamentals of finding and fixing bugs (once a bug has been detected), rather than any particular technology. It’s best for developers who are novices or who are only moderately experienced, but even old pros will find helpful reminders of things they know they should do but forget in the rush of the moment.
path: /misc | Current Weblog | permanent link to this entry
New: Comments on Software Configuration Management (SCM) Systems
I’ve just posted a new essay, Comments on Software Configuration Management (SCM) Systems. It primarily compares CVS, Subversion, and GNU arch. If you need a way to manage software development, there’s lots of interesting stuff going on; take a look.
path: /oss | Current Weblog | permanent link to this entry
Modified “GPL-Compatible. Or Else” noting Apache and XFree86
I’ve just revised my paper Make Your Open Source Software GPL-Compatible. Or Else. Among other things, the new version notes the interesting events surrounding Apache and XFree86.
Apache has changed their license, claiming they’re now GPL-compatible; the FSF doesn’t agree that it’s compatible. Regardless of which version the courts will agree on, it’s clear that some people who deal with Apache’s license agree that GPL compatibility is important.
The XFree86 situation is even more muddled. David Dawes of XFree86 plans to change the XFree86 code license to be GPL-incompatible, and that’s started a firestorm.
I continue to use the original title, which only uses the term “Open Source Software” (OSS) instead of “OSS/FS”. The real reason for the original title is that when I submitted this to OsOpinion, they had strict size limits that I needed to adhere to. Although OsOpinion is no more (and only my copy survives), it’s still helpful for searchers to keep the same title. Besides, those who prefer the term “Free Software” don’t really need this explanation; people who use the term “Free Software” and intentionally use GPL-incompatible licenses are rare indeed, and almost always consider the ramifications of their decisions. This essay is aimed at those who have not fully considered the ramifications of choosing a GPL-incompatible license.
path: /oss | Current Weblog | permanent link to this entry
The main thing I’ve done is put the various links in multiple columns, so that more will fit on the screen or on paper. Also, I’ve added a way to quickly search this site for information (it uses Google).
I’m not done; I intend to soon add above the search capability a set of items like this:
My Blog | About Site | About Me | Contact Me
The home page is now automatically generated; I use a self-created XSLT script to extract the most recent blog entries (from /blog/index.rss), and use sed to update the front page with them.
path: /website | Current Weblog | permanent link to this entry
Security Article 4 - Buffer Overflows
Well, I’m happy to announce that my fourth developerWorks article on secure development is now out for the public. Go take a look at Secure programmer: Countering buffer overflows.
The world is littered with buffer overflow articles, but I didn’t feel I could really write a good series on writing secure software without covering the topic. My goal was to discuss well-trodden ground while keeping it interesting and trying to bring in new material; hopefully I’ve succeeded at both. I suspect that a lot of developers know vaguely about buffer overflows, but haven’t heard about some of the interesting research to counter them that is finally getting out to the field. If you’re one of those people, you’ll still probably find it interesting.
My goal in all this is to get developers to understand how to write secure programs. If at least some developers learn from this stuff, and avoid some old problems, I’ll have succeeded.
path: /security | Current Weblog | permanent link to this entry
New presentation on Government and OSS/FS (LinuxWorld 2004, eGov)
I’ve just posted a new presentation, What Should Governments Examine in Acquiring COTS Open Source Software (OSS)? This is the presentation I gave at LinuxWorld on January 22, 2004 (with a few tweaks). LinuxWorld was in New York City’s Javits center, and many U.S. government folks weren’t there. So, I’m also going to be giving the same presentation on February 3, 2004, at the Web-enabled Government conference in Washington, DC (at the Ronald Reagan building). In both cases this presentation is part of a set of short presentations by panel members, followed by a panel question and answer period. If you’re curious, the other panelists include Tony Stanco (George Washington University), Terry Bollinger (MITRE), and Peter Gallagher (devIS). If you’re not curious, I can’t help you.
This presentation is pretty short; it has to be, since each of us has only 10 minutes to give our initial presentation. So much information had to be kept out to fit in 10 minutes’ time!! Still, I think this presentation would be useful for those who are thinking about the relationship between governments and open source software / Free Software (OSS/FS). I talk about in what way OSS/FS is the same as proprietary software, how OSS/FS is different in terms of its implications, challenges in employing OSS/FS, and closing remarks. I think the challenges in particular need more thinking about. For example, acquisition processes were designed before OSS/FS was common; it’s easy to unintentionally exclude perfectly good OSS/FS options from consideration.
This presentation is yet another example of a minor terminology problem. I normally use “OSS/FS” in my writing, as a broad term covering the definitions of both open source software (as defined by OSI) and Free Software (as defined by the FSF). However, “OSS/FS” is a complicated thing to say. In this briefing, I just use the term “OSS”; for this audience, that works reasonably well. However, some seem to think that this term excludes “Free Software” (I don’t mean to), and for some government types this term is slightly confusing (since “open source” in governmentese means “available to the public”). I’m thinking about starting to use the term “FLOSS” (Free-Libre / Open Source Software), since FLOSS is easier to say and deals with the problem that to many, “free software” means “free of cost” and not the intended “freedoms provided”. F/OSS (Free / Open Source Software) is also easy to say, but that phrase leaves the second problem untouched. It’d be far too much of a hassle to change my current documents, though. Since FLOSS has “open source software” embedded in it, people searching for “open source software” could at least still find it.
One last-minute addition to the presentation is a set of web sites that might be of special interest to someone examining the issue of government and open source software. I’ve listed as interesting papers my own Why OSS/FS? Look at the Numbers! paper, the MITRE “Use of Free and Open Source Software in the US Dept. of Defense”, the President’s Information Technology Advisory Committee (PITAC) - Panel on Open Source Software for High End Computing, and the DoD policy memo “Open Source Software (OSS) in the DoD” signed by John P. Stenbit (DoD Chief Information Officer) on May 28, 2003. Interesting sites include the Center of Open Source and Government (eGovOS), OpenSector.org, and the Open Source and Industry Alliance. And of course, the Open Source Initiative (OSI) and Free Software Foundation (FSF). Obviously there are many other potentially interesting sites and papers; a longer list is in my list of OSS/FS references.
Note that, as with all things on my personal site, this presentation is not formally endorsed by my employer, government, or guinea pig. I’ll work on the guinea pig.
path: /oss | Current Weblog | permanent link to this entry
I’m not supporting community discussions. I don’t have the disk space, it’s not clear I have the bandwidth, and most importantly, that is much more complicated to secure.
path: | Current Weblog | permanent link to this entry