Archive for July, 2004

RE: Integrating Linux and Windows with Samba

Tuesday, July 27th, 2004

Jason Brooks of eWeek offers a primer for integrating Linux and Windows on the network using Samba and Fedora Core. Brooks says that by integrating Linux clients among the Windows desktops, users can use Microsoft’s Active Directory to administer Linux desktops. But he warns that it does not come easily.

Armed with the Samba HowTO, Google searches, and John Terpstra’s Samba By Example, here is how you too can do it.

[Via DesktopLinux.com]

Book Review: High Performance MySQL

Tuesday, July 27th, 2004

27 Jul 2004: “In the first chapters, the authors briefly review some basics of MySQL. The concepts they discuss are pertinent to database performance. Chapter 1 explains the configuration file my.cnf and how it can be set to improve a MySQL server. The authors also discuss the results of the SHOW VARIABLES statement and the SHOW PROCESSLIST statement so that an administrator can determine where the MySQL service is being slowed because of inefficiencies.” Story

[Via RootPrompt — Nothing but Unix]

RE: Thoughts on secure operating systems

Tuesday, July 27th, 2004

25 Jul 2004: “There is no assurance that any software development effort is free from people who have bad intent or who just write lousy software. The US government’s highest security agencies have discovered spies working at the most trusted levels - does anyone realistically expect that software companies will adopt more rigorous screening than the CIA? In any case, it’s not clear that it is easier to get code into Linux than it is to get code into other operating systems. In fact, because Linux code

[Via RootPrompt — Nothing but Unix]

RE: Linux command line tips and tricks

Monday, July 26th, 2004

25 Jul 2004: I’ve been collecting command line tips and tricks over the last while, based on questions from work colleagues and from my local LUG. Others have found them useful so I hope you do too.

[Via RootPrompt — Nothing but Unix]

RE: Collaboration in a Secure Development Process

Thursday, July 22nd, 2004

In the June issue of the Information Security Bulletin there is an article examining specific ways that the security and development teams can collaborate while software is being designed and developed as opposed to only patching software once it has been deployed. The article explores how software is extremely malleable in the design and development phase; once the architectural layers, tiers and distribution models are set and the application is deployed, the cost and complexity of making changes rises dramatically.

My favorite part of the article is the clarity it gives in a table of the Software Development Activities and Artifacts. It clearly relates development processes and security-specific artifacts. Basically it looks something like this:

| Phase Activity | Standard Software Development Process Artifact | Security-specific artifact |
|---|---|---|
| Analysis | Use Case | Misuse Case |
| | Functional and non-functional requirements | |
| | Glossary | |
| Design | Object modeling | Threat Modeling |
| | Design Patterns | Data Classification |
| | | Security Integration Design |
| Coding | Unit Tests | Unit Hacks |
| | Code Development | Countermeasure and detection development |
| Deployment | Build and configuration | Security Baseline |
| | Operational processes | Response processes |
| | | Integration to Overall Security Architecture |

Table 1 - Software Development Activities and Artifacts

Anyways, this was part one of a series on the topic. Will be interesting to read the next installment. If you are into secure programming, this article might be an interesting read to pass along to your dev team partners.

[Via Dana Epp’s ramblings at the Sanctuary ]

RE: Network security at risk from “user’s negligence” says report

Tuesday, July 20th, 2004

Evans Data Corporation’s just-published Security Development Survey found that one in four developers believe that the biggest hurdle to computing security is end users who refuse to adhere to, or circumvent, policies.

In the study, Evans found that “a quarter of developers found social engineering and lack of adherence to policies to be the biggest problem, while another 15% cite lack of qualified personnel.” At the same time, just 11% of the developers surveyed reported that solutions were too complex or difficult for users.

“As with any other security concern, the best technology in the world can be undone by untrained or inattentive end users, the same holds true for the development of secure computing applications and projects,” said Glenn MacEwen, an analyst with Evans Data.

Other findings from the Summer 2004 survey of more than 400 Database developers and IT managers included:

  • Developers are split down the middle on which libraries and APIs to use when building security applications. Seventeen percent use Java security APIs and seventeen percent use Microsoft Web Services Extension (WSE). OpenSSL is a strong second choice at 15%.

  • Twenty five percent of developers believe that the Linux operating system has the best innate security. Windows 2003 is a close second at 19%.

  • IBM was viewed as the leader in security tools and infrastructure.

[Via DesktopLinux.com]

Neowin guide to Removing Spyware

Tuesday, July 20th, 2004

Neowin guide to Removing Spyware

[via Neowin.net]

MySQL Tools

Tuesday, July 20th, 2004

Here are some MySQL tools:

  • MyTop - a top clone for MySQL

Best Practices Analyzer Tool for Microsoft SQL Server 2000 1.0

Tuesday, July 20th, 2004

How to Make Your Web Site Work with Windows XP Service Pack 2

If you:

  • manage a website

  • manage a company to manage / develop your website for you

  • are involved in building, coding, design, QAing, PMing, architecting, anythinging <?> websites

  • write, maintain website id / UI guidelines & code

  • are responsible for accessibility & usability of websites

Then:

Make sure you have reviewed this article ‘How to Make Your Web Site Work with Windows XP Service Pack 2’ and plan accordingly.

  • If you know anyone in the webdev & online marketing industry, pass the link on.

  • If you want to know the ‘what’ and ‘why’ (non-technical) of Windows XP SP2 go here.

Thanks to Kent Sharkey for the reminder!

posted on Saturday, May 29, 2004 11:45 AM

[via Alex Barnett]

Infocus: Malware Analysis for Administrators

Tuesday, July 20th, 2004

Infocus: Malware Analysis for Administrators The purpose of this article is to help administrators and power users use behavioral analysis to determine if a binary is harmful malware, by analyzing it in a lab environment without the use of anti-virus software, debuggers, or code disassembly.

[via SecurityFocus News]

RE: Session Hijacking article

Tuesday, July 20th, 2004

Jeff Prosise has an article posted this month in MSDN Magazine on “Foiling Session Hijacking Attempts”.  I was talking about this issue with a friend last week, so this is very timely.  If you want to protect against session cookie information being stolen from your ASP.NET website, give Jeff’s solution a try.

[Via Weblogs @ ASP.NET]

RE: Desktop Linux making strides in financial services sector

Tuesday, July 20th, 2004

When Ireland’s leading bank, Allied Irish Bank (AIB), last month disclosed that it was disposing of the Windows PCs that its tellers used on their desktops in favor of Linux-based terminals, experts said it demonstrated that an IT insurgency is emerging in the financial services sector. Linux is finally proving itself on the desktop in the financial industry, where cost-conscious executives want powerful performance at an affordable price.

[Via IT Manager’s Journal: ]

RE: How to harden GNU/Linux against local intrusions

Tuesday, July 20th, 2004

So, you’ve set up parental filtering, only to discover that an overachieving teenager has Googled a way around it. You’ve just been the victim of a local intrusion. Preventing such an occurrence on GNU/Linux requires a little knowledge and even less …

[Via Linux.com]

Infocus: Packet Crafting for Firewall & IDS Audits (Part 2 of 2)

Tuesday, July 20th, 2004

Infocus: Packet Crafting for Firewall & IDS Audits (Part 2 of 2) This article is the second of a two-part series that will discuss various methods to test the integrity of your firewall and IDS using low-level TCP/IP packet crafting tools and techniques.

[via SecurityFocus News]

Infocus: Metasploit Framework (Part 2 of 3)

Tuesday, July 20th, 2004

Infocus: Metasploit Framework (Part 2 of 3) This article provides an elaborate insight into the Open Source exploit framework, the Metasploit Framework, which is meant to change the future of penetration testing once and for all. Part two of three.

[via SecurityFocus News]

PHP 5.0 Goes For Microsoft’s ASP-dot-Net

Monday, July 19th, 2004

PHP 5.0 Goes For Microsoft’s ASP-dot-Net


Dozix007 writes “Uberhacker.Com reports: Zend Technologies quietly announced last week the final release of the open source PHP version 5. An interesting article reports the different strengths and weaknesses of ASP vs. PHP, and it becomes quite clear that with the release of PHP5, Zend has taken a shot at ASP’s heart. The differences from PHP4 to 5 have created a clear advantage for the new preprocessor over Microsoft’s proprietary ASP.”

Wrangle digital photos with imgSeek

Monday, July 19th, 2004

Wrangle digital photos with imgSeek

[via NewsForge: ]

Customizing GNOME

Monday, July 19th, 2004

Customizing GNOME 18 Jul 2004: “In this article we’re going to discuss GNOME 2.6, but many of the tips that you’ll learn can be used in versions of GNOME back to 2.0. While some distributions modify GNOME a bit, everything you read here should work in any edition of GNU/Linux, Free/Open/NetBSD, Solaris, and any other operating system that offers GNOME support. The only exception is Red Hat and all Red Hat derivatives such as Fedora Core and White Box Linux, which have some of the menu editing tricks disabled in some vers

[via RootPrompt — Nothing but Unix]

Infocus: Metasploit Framework (Part Two)

Friday, July 16th, 2004

Infocus: Metasploit Framework (Part Two) This article provides an elaborate insight into the Open Source exploit framework, the Metasploit Framework, which is meant to change the future of penetration testing once and for all. Part two of three.

[via SecurityFocus News]

The downlow on Mono

Friday, July 16th, 2004

The downlow on Mono

[via NewsForge: ]