News

Is there any chance that the U.S. Government will relax its stance on the export of encryption technologies? In 1998, heavy lobbying by many industries resulted in the relaxation of controls on some weaker forms of encryption, but most of the relaxation affected only commercial entities and had little benefit for the end user. An article entitled Data Scrambling Fight Continues, by Aaron Pressman, examines the political climate in the U.S. and sums up our chances for change. The bad news is that lobbying from commercial entities is likely to decrease, releasing some of the pressure on lawmakers. However, there is good news, based on an increase in support in political circles and the absence of at least one key opponent. Legislation to remove bars to the use and export of encryption will be reintroduced, so there is hope, but because of the absence of lobbying from industry, the result is definitely in doubt. We strongly urge you to contact your own representatives and voice your opinion. Voter opinion can sway this vote.
Security Reports

An rpcbind Security Advisory has been issued. The advisory reports a vulnerability found by Martin Rosa where a remote attacker can insert and delete entries by spoofing a source address. It can be prevented via proper firewall hygiene.
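The firewall hygiene the advisory refers to, shown as an added example that is not part of the advisory or of this page: a small POSIX shell generator for packet-filter rules that drop packets arriving on the untrusted interface with a local or internal source address and that keep the portmapper port closed to the outside. The use of iptables (the tool of the day would have been ipchains), the interface name eth0 and the 192.168.1.0/24 range are assumptions for illustration.

```shell
# Constructed example: emit (dry run) or apply iptables rules covering the two
# points behind the advisory's "firewall hygiene": anti-spoofing on the external
# interface and no outside access to rpcbind/portmapper (TCP and UDP port 111).
# The interface and address ranges are assumptions; adjust them to the host.

rpcbind_rules() {
    iface="$1"      # untrusted (external) interface, e.g. eth0
    internal="$2"   # address range of the protected network, e.g. 192.168.1.0/24
    # Anti-spoofing: a packet on the external interface must never claim an
    # internal or loopback source; forged registration requests rely on that.
    echo "iptables -A INPUT -i $iface -s $internal -j DROP"
    echo "iptables -A INPUT -i $iface -s 127.0.0.0/8 -j DROP"
    # Portmapper: nothing outside the trusted network should reach rpcbind.
    echo "iptables -A INPUT -i $iface -p tcp --dport 111 -j DROP"
    echo "iptables -A INPUT -i $iface -p udp --dport 111 -j DROP"
}

# Sanity check helper: number of DROP rules the generator emits.
count_drop_rules() {
    rpcbind_rules "$1" "$2" | grep -c -- '-j DROP'
}

# Dry run by default (rules are printed, not executed); pass "apply" as the
# third argument to run them, which requires root.
if [ "$3" = "apply" ]; then
    rpcbind_rules "$1" "$2" | sh
else
    rpcbind_rules "${1:-eth0}" "${2:-192.168.1.0/24}"
fi
```

Review the printed rules against the host's existing chains before applying them; the rules only append to INPUT and assume no earlier ACCEPT rule already matches port 111.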
Marc Schaefer has pulled together information on potential modem denial-of-service attacks. His note explains the potential problems and offers work-arounds. In response, Steve Bellovin provided a pointer to an article on problems with tty access, and a possible strong solution, that he wrote over 10 years ago.
Chris Evans, of the security audit project, has put out some updated RPMs with security fixes. Hopefully as a result, we'll soon see some updated RPMs from the Linux distributions for lpr, bootpd, nmh and inn.
Updates

On the topic of uses for a serial number built into the CPU (covered in last week's Security Column), Bill Henning wrote to us to mention his article on the subject. While concurring that using the ID numbers for tracking stolen CPUs is one likelihood, he suggests that the more prevalent use will be for copy protection. His argument is highly plausible, especially given Microsoft's obsession with software piracy over the past year.
It is interesting to note, therefore, that Intel will offer software to disable the processor serial number in their upcoming Pentium III chips, in response to concerns about customer privacy. The next question is, of course, whether or not you'll still be able to install new software if you've chosen to disable the processor serial number.
Eric Smith sent us a note with comments on last week's SSH thread. His comments are in reference to the quote we pulled out of an administrative note from Aleph One and focus on how PAM can be used to implement security policies for ssh in an external and extensible manner. In fairness to Aleph One, if you examine his actual posting, he also discusses how PAM can be used to address these issues, slightly below the paragraph we pulled out for a quote.
Last week's HERT Advisory included a pointer to auditd. This note from HERT mentions that auditd is still in beta and contains an overflow that could cause a kernel panic. Downloads of auditd on hert.org have been disabled and a new version will be made available shortly.
Nessus 990201 has been released. Nessus is a client/server security scanner, available under the GPL. The new version includes GTK 1.1 compatibility, a new ciphered layer between the client and server and over 180 security checks.
Events

Networking '99 is a conference jointly sponsored by USENIX and SAGE which plans to bring together network administrators to share expertise and strategies for managing complex networks. Check their announcement for more details.
The Call-for-Papers for the Fourth ACM Workshop on Role-Based Access Control has been released. "The driving motivation for RBAC is to simplify security policy administration while facilitating the definition of flexible, customized policies."
February 4, 1999