Open source Monitoring framework

I found an interesting product called GroundWork.
However what was more interesting to me was the adverts they're using to attract customers, which are actively promoting the product's open source background.
"no proprietary hassles" and "open source flexibility" are 2 of the phrases from the ads.
I'd be interested to know how that approach works out for them, 'cause it's fairly opposed to what a lot of the research firms seem to say about open source, which is that big business finds the open source nature of the software a turn off...

More on Passwords/passphrases

The Great Debates: Pass Phrases vs. Passwords. Part 1 of 3: Security Management - October 2004
Another interesting article on passwords v passphrases

Interesting Blog Entry on passwords v passphrases

Password vs. Passphrase redux
Interesting article covering passwords and passphrases. I must say that personally I'm not too fond of trying to remember passphrases (I tend to forget how I punctuated them when I originally set them)...
One of the more interesting ways I've heard of for setting passwords was a friend of mine who uses the second letter of each word of song lyrics which he's written himself ;op

Now this doesn't sound like a good idea

The story over at Wired covers the news that American passports are going to get RFID chips...
As is mentioned in the story, I don't really understand why they don't just use chips that require contact, thus considerably reducing the risk that the chip is read by unauthorised persons...
Also I can see the sales of passport holders that block RFID signals going through the roof!! (hmm wonder if I could patent that sharpish ;op)

bootable USB OS

There's a story over at Slashdot, covering the idea of a bootable USB based operating environment based on Damn Small Linux.
I could see this kind of thing as quite handy if you wanted to use cybercafes or other untrusted computers, without the risk of, software, spyware. Of course whether the cybercafe owners would be too happy with you booting one of their PCs off a USB memory stick is another matter.....

Post from Bruce Schneier on SIMS and outsourcing

There's an interesting post over at Schneier on Security: Security Information Management Systems (SIMS).
This post touches on 2 current security issues, firstly managing the ever growing amounts of security-related log information and secondly the outsourcing of security related tasks.
On the subject of the use of outsourcers for security monitoring, I must say that I'm not wholly convinced that passing the information to a 3rd party is the best way to handle it. My reservations centre around the fact that someone who doesn't work for an organisation has a lot less information on which to base decisions relating to the information being analysed.
For example an internal log monitoring team will likely have more information about projects occurring within the company, and the location and roles of IT and other departments, which would help them decide whether a pattern of information in a log is an attack or just the result of a new service that's being tested.
In the large organisations I've seen it can be enough of a challenge for someone working for the company to know what's going on on the network; for an outsider it can be next to impossible.....

Vulnerabilities in Multiple browsers

An interesting advisory from Secunia - Multiple Browsers Dialog Box Spoofing Test, and another one here.
Goes to show that there are still vulnerabilities to be found, and also it's not just IE that has security issues...

Reducing Attack Surface

There's a link to a very interesting posting over at Michael Howard's blog commenting that the Security issue of MSDN is out today.
The article linked from the posting is very interesting as well in that it talks about reducing attack surface.
On the whole, I'm really happy that this is getting focus from a company like Microsoft, because if anyone can make developers sit up and listen it's Microsoft (commercial ones 'cause they're all involved with Microsoft somehow, and Open Source ones 'cause if nothing else they'll be out to try and prove that they do it better than Microsoft ;op)
However that said I think that there's something missing from Microsoft's definitions of how to reduce attack surface. In the article they mention 3 ways of helping to reduce attack surface:
* Reduce the amount of code executing by default
* Reduce the volume of code that is accessible to untrusted users by default
* Limit the damage if the code is exploited
However I think there should be a fourth; although it primarily relates to operating systems, it could also apply to other software.
* Reduce the amount of code installed.
This is important especially on operating systems: the more code that is installed, the higher the likelihood that some of it will have security vulnerabilities (especially if you follow the oft-quoted truism that there will be 1 security related problem in every 1000 lines of code).
I think this is important at the moment as you see both Microsoft and the Linux distribution vendors shipping more and more code with their operating systems and the default install sizes going up and up. Well if nothing else that just causes a nasty patch management problem, as the more code you have deployed the more you have to patch..
I could follow on to a rant about the relative ease of removing unneeded software from servers (cough cough web browser cough cough), but I think I'll leave that for another day...

And now I'm back....

Well it's taken far longer than it should have to get this up and running again, but I've had some issues getting everything set up at the new house (and indeed this is still running through a bit of a hack, using Dynamic DNS, some redirection and some port forwarding).....
But t'was getting annoying not having this here, so I thought it better to get it up and running in this way rather than wait for the complete solution. As a result the domain name's not the same as was, so it'll be a little while before it's all working properly....

Interruptions to blogging.....

The blog's been a bit erratic over the last couple of weeks as I've been out of town and we've had the odd power problem (good excuse for buying a UPS!!)
Anyway I'm moving house this week so unless I get a chance to move the DNS temporarily and put the blog on a hosted site somewhere I'll be out for a couple more weeks while I get access set up at the new house........