The following security patches are available for SCO UNIX (3.2v4.2) and Open Desktop (3.0):
* uod368b -- passwd
* oda377a -- xterm, scoterm, scosession, clean_screen
These can be downloaded from ftp.sco.com:/SLS. First get the file "info"
which lists the actual filenames and descriptions of the supplements.
8LGM reported security problems in the following SCO programs:
* at(C)
* login(M)
* prwarn(C)
* sadc(ADM)
* pt_chmod
These programs allowed an ordinary local user to become the superuser (root). The problems
affect the following SCO products:
* SCO Unix System V/386 Release 3.2 Versions 4.2, 4.1, and 4.0
* SCO Open Desktop Lite Release 3.0
* SCO Open Desktop Release 3.0 and 2.0
* SCO Open Server Network System Release 3.0
* SCO Open Server Enterprise System Release 3.0
You need the following patches, which are available at ftp.sco.com:/SSE:
Binary       Patch
------       ------
at(C)        sse001
login(M)     sse002
prwarn(C)    sse003
sadc(ADM)    sse004
pt_chmod     sse005
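Added example, not part of the SCO notice: a small POSIX shell inventory of setuid binaries. The notice does not say how the listed programs reach root; the assumption here is that they are setuid-root utilities, so the practical post-patch check is to confirm that the setuid inventory matches an allowlist and that nothing stray has appeared. The directory tree, the file locations (including /usr/lib/sa/sadc) and the allowlist are constructed for the demonstration and are not taken from a real SCO system.

```shell
#!/bin/sh
# Added example, not part of the SCO notice above. Assumption: the five programs named
# (at, login, prwarn, sadc, pt_chmod) are setuid-root binaries, which is how a local user
# can reach root through a bug in them. After applying sse001-sse005 a practitioner wants
# to confirm that nothing else setuid has appeared and that the inventory is stable.
# Everything below runs against a constructed directory tree, not a real SCO system.

# list_setuid DIR: regular files under DIR with the setuid bit, relative to DIR, sorted.
list_setuid() {
    find "$1" -type f -perm -4000 | sed "s|^$1/||" | sort
}

# count_setuid DIR: how many setuid files live under DIR.
count_setuid() {
    list_setuid "$1" | wc -l | tr -d ' '
}

# unexpected_setuid DIR ALLOWLIST: setuid files under DIR that are not in ALLOWLIST
# (one relative path per line). Any output is a finding to investigate.
unexpected_setuid() {
    list_setuid "$1" | grep -v -x -F -f "$2" || true
}

# make_demo_tree: build a constructed miniature root with the patched SCO binaries marked
# setuid, plus a planted stray setuid copy of vi. Prints the tree's path.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/usr/lib/sa"
    for f in usr/bin/at usr/bin/login usr/bin/prwarn usr/lib/sa/sadc \
             usr/bin/pt_chmod usr/bin/ls usr/bin/vi; do
        : > "$root/$f"
        chmod 755 "$root/$f"
    done
    for f in usr/bin/at usr/bin/login usr/bin/prwarn usr/lib/sa/sadc \
             usr/bin/pt_chmod usr/bin/vi; do
        chmod u+s "$root/$f"
    done
    printf '%s\n' "$root"
}

# make_allowlist: the setuid inventory we expect after patching (constructed). Prints path.
make_allowlist() {
    list=$(mktemp)
    printf '%s\n' usr/bin/at usr/bin/login usr/bin/prwarn usr/lib/sa/sadc usr/bin/pt_chmod > "$list"
    printf '%s\n' "$list"
}

# Stand-alone run: report the inventory and anything not on the allowlist.
demo_root=$(make_demo_tree)
demo_list=$(make_allowlist)
echo "setuid files: $(count_setuid "$demo_root")"
echo "not on allowlist:"
unexpected_setuid "$demo_root" "$demo_list"
rm -rf "$demo_root" "$demo_list"
```

Run it against `/` on a real host (as root, so `find` can stat everything) with an allowlist captured right after patching; the diff over time is what matters, since a newly setuid file is exactly the kind of change a local privilege-escalation bug in one of these utilities would leave behind.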
Open source security
patches, unix
As important as security is, keeping up with every development is hard, and evaluating possible vulnerabilities across a network can be quite a chore. You need a way to both automate tests and make sure you are running the most appropriate and up-to-date ones. Open Vulnerability Assessment System (OpenVAS) is a network security scanner made up of a central server and a graphical front end. The server runs network vulnerability tests (NVTs) written in the Nessus Attack Scripting Language (NASL); the OpenVAS project updates the set of NVTs frequently.
OpenVAS (Open Vulnerability Assessment System) is free, open source vulnerability assessment software released under the GNU GPL. It is a fork of the Nessus vulnerability scanner. Like the plugin sets in Nessus, OpenVAS ships its Network Vulnerability Tests as freely available plugins that can be updated regularly.
OpenVAS needs four components installed on the server side, namely:
OpenVAS-Server: Core component of OpenVAS, which contains the functionality used for scanning a large number of target servers at a high speed.
OpenVAS-Libraries: This module contains functionality used by OpenVAS-Server.
OpenVAS-LibNASL: The NVTs are written in the “Nessus Attack Scripting Language” (NASL). This module contains the functionality needed by OpenVAS-Server to interface with NASL.
OpenVAS-Plugins: This module contains a base set of NVTs.
and then there is an OpenVAS-Client, which connects to the OpenVAS server to configure and run the scans.
The latest versions of OpenVAS have no packages for any Linux distribution. However, the previous versions of all the above components have RPMs for openSUSE 10.2. I had to build the latest versions from source to install OpenVAS on my openSUSE 11.0.
Open source security
openvas, scanner, Vulnerabilities
Microsoft stated that open source software is dangerous. Congressman Villanueva aptly pointed out that Microsoft gives no specifics on the dangers of open source software. Mr. Villanueva takes the stance that open source software is by its nature generally more secure than proprietary software. He bases his argument on the notion that, since the source code of proprietary software cannot be examined, its security cannot be assessed.
In my opinion, he has a valid point. Just consider the number of security flaws being constantly uncovered in Microsoft’s proprietary software. Security through obscurity can, and often does, lead to sloppy practices and lax security.
Microsoft states that the proposed Peruvian government policies supporting free open source software are anti-competitive and will cause a loss of jobs and corporate revenues. Microsoft also points out that open software is not truly free and actually will cost the government more in training and support.
The congressman counters by noting that Microsoft contradicts itself in indicating that open source software involves more costs than proprietary software. Mr. Villanueva also clarified that, while they believe they will save money, that is not the motivation behind backing open source software. The primary goals are better security and better accessibility of public information. He also takes a stinging jab at Microsoft by highlighting the irony of a business with monopolistic practices trying to say that supporting open source software is anti-competitive.
Mr. Villanueva's clarification has two points: on one hand he discusses the security issue and supports open source applications, while on the other his conclusion is based on economic results, where he discourages open source support. Let me clarify for him that supply creates its own demand. The more popular open source software becomes, the more demand it will create, and thus there will be a positive impact on the economy. Free software does not mean it will be free for its whole life. The Peruvian government may adopt this policy to encourage this segment of the IT industry so that the existing commercial software companies become more competitive, which can result in lower software prices.
Open source security
free open source software, open source applications, open source software, software-security
Reviews of source code by developers other than the author are a good way to catch errors the original developer overlooked. Source code audits range from informal reviews with little structure to formal code inspections or walkthroughs. In an informal review the developer typically sends the reviewers the source code, or a description of the software, and asks for feedback on bugs or design issues. A walkthrough is a detailed examination of the source code in question by one or more reviewers. An inspection is a formal process in which a detailed examination of the source code is directed by reviewers acting in defined roles: a code inspection is directed by a "moderator", the source code is read by a "reader", and issues are documented by a "scribe".
Open source security
code-audit, Open source security, open-source-security, walkthrough
When performing experiments to confirm a hypothesis about the effect of a particular variable on an event or observable occurrence, it is common practice to use control groups. In an attempt to establish cause and effect in such experiments, one tries to hold constant all variables that may affect the outcome except the variable the experiment is interested in. Comparisons of the security of software created by open source processes and software produced in a proprietary manner have typically involved several variables besides development methodology.
Read article at http://www.developer.com/open/article.php/990711
Open source security
Business security, Open source security, open-source-security
I was about to be a big ball ‘o negativity, but I managed to stop myself. After not being nice about the whole Foleo thing earlier, I was going to go right off ranting about the whole Mobile AJAX thing, prompted by reading over the Mobile AJAX FAQ. But then I realized that’s wrong, I shouldn’t just rant all the time. Most of the time perhaps, but not all the time. Instead, I took a deep breath, calmed down, and examined why it is exactly that the mere mention of mobile AJAX normally makes the bile rise in my throat.
I don’t want to rail at Ajit and the other folks working on the FAQ, I know they’re trying to do something positive. So instead I’m trying to find a constructive way to contribute to the conversation. Why is it that I think the discussions about mobile AJAX are just too premature? Why do I consider them ‘dangerous’ even?
Way back in the deep dark depths of time I worked on a DHTML and Javascript project in a faraway galaxy called Rochester NY. I honestly don’t remember when it was, but I have to guess probably 1997. Long enough ago that there was a version of a browser that AOL was distributing that was different enough from whatever its original form was that it was considered a distinct browser. And it was important to pay attention to cause almost everyone was still getting online via AOL disks mailed to them. Very much pre-history. I don’t remember any giant lizards roaming around, but there may have been.
What we were working on was evaluating whether the company could replace its desktop-based, relatively thin installed client application with the genuine thin client of a browser plus web app. The problem being that they [...]
Read more at miker
Open source security
Charles Stross, my new favorite scifi author, has just weighed in on the Palm Foleo. W00t!! I love it when worlds collide like this, things get all plasmic. And you know my dislike for standing on solid ground for too long.
I was going to hold off on commenting about the Foleo. But I’m highly caffeinated and talkative. It’s a Saturday so almost no one will be at work, Mario caught whatever bug it was that knocked me out last week and is asleep on the couch, and Russ is watching Alex today. That’s pretty much everyone I know in the real world… so I’ll use my blog for what God intended them to be used for, wild speculation and useless blathering.
First of all, what do I love about the Foleo? Linux, first and of course. Not just running Linux, but running Linux and meant to be an open platform. Personally I think that gets right to the heart of what makes Palm interesting. When I got my first Palm 1000 I got it for exactly one reason: there was a GCC based toolkit that I could use to build apps for it myself. If I couldn’t make apps for it myself I would not have gotten it. If the tools weren’t open source I wouldn’t have gotten it. If it were some random set of tools outside the established project of GCC I wouldn’t have gotten it.
It was something that was just right about the initial Palm platform. However, it also wasn't something that I think Palm did intentionally. If I remember correctly there were a few commercial toolkits for the platform, but then someone in the outside community realized that support for the processor instruction set was already in GCC; the architecture just needed to be supported by [...]
Read more at miker
Computer security technology, Open source security
Tut-tut. Tis Thursday’s IT Blogwatch: in which Digg melts down over the HD-DVD "processing key". Not to mention what every geek will be wearing this summer…
Heather Havenstein reports:
Digg.com, the popular site where users determine the placement of new stories by voting, yesterday found itself in the center of what some are calling a test case for the power of user-generated content on social networking sites.
The brouhaha erupted when executives at Digg began removing posts that contained a [master] key needed to crack the encryption used to limit copying of HD-DVD … discs. Digg, which began removing the posts after it got a cease-and-desist letter from another company asserting that the posts violated its intellectual property rights, also began deleting user accounts of those posting the key.
That move outraged many Digg users, who repeatedly posted the key until founder Kevin Rose relented last night and stopped the deletions. Stories about the key received tens of thousands of "Diggs," or online approvals from the community and by this afternoon, Digg’s top two stories — both about the keys and user response to them — had received approximately 35,000 Diggs.
Read more at ivanr
Open source security
Open source security, Storage