A new firewall product for Windows laptops would generally be greeted with yawns from the Linux community, but the newly announced Yoggie Pico has some features that may be of interest. The Pico is a device that contains a 'security processor' running Linux and a whole slew of free and open source security applications in a USB 'key' form factor. The intent is to give a laptop user on the road the same level of security they would have behind the corporate firewall.
At its core, the Pico has an Intel CPU, some RAM and two separate banks of flash. At boot time, it copies the read-only version of the software from one bank to the other and runs from the copy, so that even if the Pico is successfully compromised, a reboot restores a clean image. A driver installed on the laptop snags all network traffic just above the link layer and sends it off to the Pico for filtering; this allows traffic from all of the laptop's network interfaces to be intercepted.
The Pico provides firewall protection and Network Address Translation (NAT) via iptables and runs Snort for intrusion detection and prevention. It also does content filtering of several internet protocols (HTTP, FTP, POP3 and SMTP) to stop viruses, spyware, phishing and spam. It has three proprietary, patent-pending modules that in some unspecified way correlate the information gathered by the other security software to detect and thwart previously unknown threats.
If you can believe everything said on the website, the Pico will protect a laptop from any known or unknown threat immediately upon plugging it in. One suspects the reality falls somewhat short of the hype. Statements like 'simply plug it to your laptop and you are completely secure' are at best exaggerated, at worst deceptive; security is a process and a set of tradeoffs, not a destination. How those tradeoffs are administered is glossed over as well: too much configurability can be error-prone, while too little can lead to unusable rigidity.
There certainly is a niche for this kind of protection; laptop security is often the Achilles' heel of a company's network security. The Pico driver gives administrators a means to disallow network traffic when the Pico is not present, which may help keep laptops from bringing home various ills. As a separate hardware device that relies on little from the host OS, the Pico could be a nice laptop security device; it remains to be seen whether its $180-200 price point is attractive.
Yoggie plans to release a driver for Linux (as well as Mac OS X and Windows Vista) sometime soon, but because it is relatively easy to run the same applications on the laptop itself, it may not be a big seller in that (already small) market. Depending on how hackable the device is, there might be a rather larger market for a USB-attached computer that can run Linux. It will be interesting to see whether Yoggie stands in the way of, or actively assists, anyone interested in modifying their Pico for purposes other than what the company had in mind. And if Linux hackers can figure out how to 'mod' it and talk to it, with or without Yoggie's help, some very interesting applications could result.
Some rumblings about GPL compliance have been heard in the community (for example, see the comments on the LWN announcement). No links to source code could be found on the website; it is possible that the code is shipped with the device, though there are indications that is not happening either. From the website, it would appear that the company has been shipping a similar Gatekeeper device with a different form factor and connectivity. It appears to have substantially the same software, and one would have hoped that any GPL compliance issues would have been resolved then. An answer to an inquiry about the code is pending; stay tuned.
Brief items

A news report describes a vulnerability in a number of Firefox extensions. "Unlike almost all of the extensions hosted at Mozilla, the foundation that created the open-source Firefox browser, these commercial extensions check for updates from servers controlled by their respective corporate overlords. And they fail to check for extensions from servers with SSL certificates, which most users know as sites that start with https://. That means that users who open their browsers when using an open wireless connection are vulnerable to a hacker being able to intercept these third-party extensions' checks for updates at a plain http:// site and then pretend to be the update server."
Update: here's the disclosure of the vulnerability from Christopher Soghoian, the researcher who found it.
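The failure described in that report is easy to model. The following is an added illustration, not code from the report, from Mozilla or from any of the affected extensions: a crude model of an open wireless network on which the attacker can answer any plain-http request, an update client that behaves as the vulnerable extensions did (manifest and package both fetched over http, nothing verified), and a hardened client that fetches the manifest over https only and accepts the package only if its SHA-256 matches the digest pinned in that manifest. Hostnames, file names, the JSON manifest format and the payload bytes are all constructed for the example; the model also assumes the https client actually verifies the server certificate, which is what keeps the attacker out of that path.

```python
"""Added illustration of the extension update-check MITM; not vendor code."""
import hashlib
import json
from urllib.parse import urlsplit

# Constructed fixtures; hostnames, file names and payloads are invented.
GOOD_XPI = b"PK\x03\x04 genuine extension build 1.2.3"
EVIL_XPI = b"PK\x03\x04 attacker's build with a backdoor"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The vendor's update manifest: names the package and pins its digest.
VENDOR_MANIFEST = {
    "version": "1.2.3",
    "updateLink": "http://updates.example.com/ext-1.2.3.xpi",
    "updateHash": "sha256:" + sha256_hex(GOOD_XPI),
}

VULNERABLE_CHECK_URL = "http://updates.example.com/update.json"
HARDENED_CHECK_URL = "https://updates.example.com/update.json"


class OpenWifi:
    """Model of the network. With an attacker present, every plain-http request
    is answered by the attacker (ARP or DNS spoofing on an open AP makes that
    trivial). HTTPS requests reach the real host: the attacker has no valid
    certificate for it, so a certificate-verifying client would refuse him."""

    def __init__(self, attacker_present: bool):
        self.attacker_present = attacker_present
        manifest = json.dumps(VENDOR_MANIFEST).encode()
        self.vendor = {
            "http://updates.example.com/update.json": manifest,
            "https://updates.example.com/update.json": manifest,
            "http://updates.example.com/ext-1.2.3.xpi": GOOD_XPI,
        }

    def fetch(self, url: str) -> bytes:
        if self.attacker_present and urlsplit(url).scheme == "http":
            return self._attacker(url)
        return self.vendor[url]  # KeyError models a 404

    @staticmethod
    def _attacker(url: str) -> bytes:
        """Impersonate the update server: advertise a newer version whose
        manifest points at, and 'pins', the attacker's own package."""
        if url.endswith("update.json"):
            evil = dict(VENDOR_MANIFEST, version="9.9.9",
                        updateLink="http://updates.example.com/ext-9.9.9.xpi",
                        updateHash="sha256:" + sha256_hex(EVIL_XPI))
            return json.dumps(evil).encode()
        return EVIL_XPI


def vulnerable_update(net: OpenWifi) -> bytes:
    """The pattern the report describes: manifest over http, package over http,
    nothing verified. Returns whatever ends up 'installed'."""
    manifest = json.loads(net.fetch(VULNERABLE_CHECK_URL))
    return net.fetch(manifest["updateLink"])


class UpdateRejected(Exception):
    pass


def manifest_url_allowed(url: str) -> bool:
    """The manifest must come over TLS; anything else is refused outright."""
    return urlsplit(url).scheme == "https"


def hardened_update(net: OpenWifi, manifest_url: str = HARDENED_CHECK_URL) -> bytes:
    """Manifest over https only. The package may still travel over plain http,
    but it is accepted only if its SHA-256 matches the digest pinned in the
    manifest, so a package rewritten in transit is detected and dropped."""
    if not manifest_url_allowed(manifest_url):
        raise UpdateRejected("update manifest must be fetched over https")
    manifest = json.loads(net.fetch(manifest_url))
    algo, _, expected = manifest["updateHash"].partition(":")
    if algo != "sha256" or len(expected) != 64:
        raise UpdateRejected("manifest carries no usable package digest")
    package = net.fetch(manifest["updateLink"])
    if sha256_hex(package) != expected:
        raise UpdateRejected("package digest mismatch: tampered or wrong file")
    return package


if __name__ == "__main__":
    print("vulnerable, hostile network:", vulnerable_update(OpenWifi(True)))
    try:
        hardened_update(OpenWifi(True))
    except UpdateRejected as why:
        print("hardened, hostile network: rejected:", why)
```

The digest pin only helps because the manifest that carries it arrived over a channel the attacker cannot forge; pinning a hash in a manifest fetched over plain http, as `_attacker` shows, just lets the attacker pin his own package. Signing the manifest with a vendor key held by the client is the other way to get that property, and would also cover the case where the vendor's https host is itself compromised; the model above leaves that out.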
Created: May 24, 2007. Updated: June 1, 2010.
Description: The FreeType font rendering library, versions 2.3.4 and earlier, has an integer sign error. Remote attackers may be able to create a specially crafted TrueType font file with a negative n_points value that causes an integer overflow and a heap-based buffer overflow, allowing the execution of arbitrary code.
Created: May 24, 2007. Updated: May 30, 2007.
Description: The CVS browsing interface of the GForge collaborative development tool does not properly escape URLs. This can be used by an attacker to execute arbitrary shell commands with the privileges of the www-data user.
Created: May 25, 2007. Updated: June 6, 2007.
Description: From this Secunia advisory: "Some vulnerabilities have been reported in MadWifi, which can be exploited by malicious, local users and malicious people to cause a DoS (Denial of Service)."
Created: May 30, 2007. Updated: March 7, 2008.
Description: From the Red Hat advisory: "Versions of mod_jk before 1.2.23 decoded request URLs by default inside Apache httpd and forwarded the encoded URL to Tomcat, which itself did a second decoding. If Tomcat was used behind mod_jk and configured to only proxy some contexts, an attacker could construct a carefully crafted HTTP request to work around the context restriction and potentially access non-proxied content."
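The mod_jk problem above is an instance of a general proxy failure: the front end decodes the URL once to decide whether the request falls under a proxied mount, then hands the back end a form that the back end decodes again, so the two servers route on different paths. The following is an added model of that mismatch, not mod_jk's or Tomcat's code; the mount point (/app/), the restricted context (/manager/) and the request paths are constructed. The "re-encode before forwarding" mode stands in for the fixed behaviour the advisory refers to (mod_jk exposes it as the ForwardURIProxy option), in which the back end's single decode reproduces the front end's view of the path.

```python
"""Added model of double decoding across a proxy; not mod_jk or Tomcat code."""
import posixpath
from urllib.parse import quote, unquote

# Constructed configuration: only /app/* is proxied to the servlet container;
# /manager/* is a context that must never be reachable through the front end.
PROXIED_PREFIXES = ("/app/",)


def normalize(path: str) -> str:
    """Collapse '.' and '..' segments the way a server does before routing.
    posixpath.normpath never climbs above '/', so '/a/../../b' -> '/b'."""
    normalized = posixpath.normpath(path)
    if path.endswith("/") and not normalized.endswith("/"):
        normalized += "/"
    return normalized


def front_end_route(raw_path: str):
    """The httpd side: decode the request URI once, normalize it, and decide
    whether it falls under a proxied mount. Returns the decoded path, or None
    when the request is handled (or refused) locally and never forwarded."""
    decoded = normalize(unquote(raw_path))
    return decoded if decoded.startswith(PROXIED_PREFIXES) else None


def forward_uri(decoded_path: str, reencode: bool) -> str:
    """What is written into the request sent to the back end. reencode=False
    models forwarding the already-decoded path (the pre-1.2.23 behaviour);
    reencode=True models re-encoding it so that the back end's own decode
    yields exactly the path the front end routed on."""
    return quote(decoded_path, safe="/") if reencode else decoded_path


def back_end_resolve(forwarded_path: str) -> str:
    """The servlet container decodes (again) and normalizes before mapping the
    request to a context."""
    return normalize(unquote(forwarded_path))


def proxied_request(raw_path: str, reencode: bool):
    """End to end: the path the back end finally maps, or None if the front end
    never forwarded the request."""
    decoded = front_end_route(raw_path)
    if decoded is None:
        return None
    return back_end_resolve(forward_uri(decoded, reencode))


def escapes_mount(raw_path: str, reencode: bool) -> bool:
    """True when a request accepted under a proxied mount lands outside it."""
    resolved = proxied_request(raw_path, reencode)
    return resolved is not None and not resolved.startswith(PROXIED_PREFIXES)


if __name__ == "__main__":
    # Single encoding is caught: httpd sees /app/../manager/html, normalizes it
    # to /manager/html, and the mount does not match.
    print(proxied_request("/app/%2e%2e/manager/html", reencode=False))
    # Double encoding: httpd sees the literal /app/%2e%2e/manager/html, which
    # matches; the back end decodes once more and ends up in /manager/.
    for mode in (False, True):
        path = "/app/%252e%252e/manager/html"
        print(mode, proxied_request(path, mode), escapes_mount(path, mode))
```

The same check that `escapes_mount` performs is worth running at the proxy on real deployments: whatever the forwarding mode, the front end can refuse any request whose fully decoded and normalized path falls outside the mount it matched, which closes the bypass even when the back end's decoding rules change.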
Created: May 30, 2007. Updated: June 8, 2007.
Description: The otrs2 ticket request system fails to properly sanitize input data, allowing the injection of arbitrary code.
Created: May 30, 2007. Updated: March 10, 2008.
Description: The PulseAudio network code suffers from a denial of service vulnerability exploitable by an unauthenticated attacker.
Page editor: Jonathan Corbet
Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds