I was stoked when Patrick Gray took up my suggestion to ask Marcus Ranum to reflect on "The Six Dumbest Ideas in Computer Security". I encourage you to listen to the interview for yourself, but my summary of it is that Marcus was mostly discouraged that very little progress has been made in computer security, while Patrick was of the opinion that a number of good lessons had been learned in certain key areas.
Patrick pointed particularly to Apple's iOS as a commercially-successful example of default-deny execution policy. Whilst iOS, Windows Vista and later, and even Android (to a lesser extent) have implemented varying levels of default-deny when it comes to execution of programs, I think default-permit policy is still the dominant mindset in our industry. As I was listening to the interview, a few areas came to mind where it still seems to be true:
- Outbound connections from client devices. Despite the fact that client-based exploits have become the dominant method of compromising organisations (the so-called "Advanced Persistent Threat" which compromised RSA was started with a phishing campaign and an Excel-delivered Flash exploit) and security practitioners generally assume that client devices (whether PCs or phones) are routinely compromised, many (most?) networks allow outbound connections from client devices by default, often to any destination and sometimes on any protocol. This is exacerbated by the appalling lack of proxy server support in most iOS and Android applications, which means that administrators of BYOD networks rarely have any choice in the matter if they want to provide a functional service.
- Compounding the problem is the fact that generally when users browse or client-side apps make connections, all web sites are allowed. In this area, enumerating badness (Marcus' stupid idea #2) is still dominant; many (most?) web filtering solutions which attempt to protect clients from malware use a blacklist of known-bad sites.
I've worked in K-12 school IT management, support, and consulting for a number of years, and every now and then the suggestion of whitelisting web sites comes up. That's usually all that happens. Other fields (perhaps banking, industrial control systems, or medical applications?) might also consider it, but I suspect that they end up with similar conclusions (i.e. that it's impractical to implement). (I'd love to hear from anyone who has actually tried this in a real network.)
- Scripting languages are a common exception to the default-deny execution policies of operating systems. To my knowledge, Windows PowerShell is the only common scripting system which allows for script signing policies. However, scripts can request that Windows simply turn this feature off, which defeats the purpose. To my knowledge, no signing system or default deny policy has ever been implemented for Unix/Linux systems (other than the default protection provided by Mandatory Access Control systems like SELinux and AppArmor).
- The Android application permissions system is one of my pet peeves. Android applications must inform the Google Play store about which security- and privacy-related features they intend to use. This is good; however, permissions are approved when the application is installed, and users only have the choice of installing or not installing. Many applications require permissions that are not obviously critical to their operation, but because users typically try to install an application because they want to use it, an informed evaluation of an application's permissions is rarely performed at installation time. Most applications are installed regardless of what permissions they request. So effectively, this becomes a default-permit situation. (Moxie Marlinspike's WhisperSystems seemed to be making progress on this before they were acquired by Twitter, and I hope that Open WhisperSystems takes up this work again in the near future.)
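The two web-filtering mindsets above, put side by side as an added example (not code from the original post): constructed proxy log lines are evaluated once against a blacklist of known-bad sites (enumerating badness) and once against a whitelist of approved sites (default deny). Every hostname, client address and rule here is made up for the illustration.

```python
"""Default-permit (blacklist) vs default-deny (whitelist) web filtering."""
from urllib.parse import urlsplit

# Constructed proxy log, one request per line: "client method target".
# The CONNECT line is a TLS tunnel to a bare IP, as a proxy would log it.
PROXY_LOG = """\
10.1.2.10 GET https://docs.example-school.edu/timetable
10.1.2.10 GET http://cdn.example-school.edu/js/app.js
10.1.2.11 GET https://ads.example-tracker.invalid/pixel.gif
10.1.2.11 GET https://brand-new-host.invalid/update.exe
10.1.2.12 CONNECT 203.0.113.7:443
"""

# Enumerating badness: sites someone has already found to be bad.
BLACKLIST = {"example-tracker.invalid"}
# Default deny: the sites the organisation has decided it needs.
ALLOWLIST = {"example-school.edu", "example-lms.invalid"}


def host_of(target: str) -> str:
    """Hostname from a URL, or from a CONNECT host:port target."""
    if "://" in target:
        return (urlsplit(target).hostname or "").lower()
    return target.rsplit(":", 1)[0].lower()


def matches(host: str, rules: set[str]) -> bool:
    """True if host equals a rule or is a subdomain of one (label-wise suffix)."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in rules for i in range(len(labels)))


def decide(host: str, default_deny: bool) -> str:
    """Verdict for one host under the chosen policy."""
    if default_deny:
        return "allow" if matches(host, ALLOWLIST) else "deny"
    return "deny" if matches(host, BLACKLIST) else "allow"


def evaluate(log: str = PROXY_LOG) -> list[tuple[str, str, str, str]]:
    """Return (client, host, blacklist_verdict, allowlist_verdict) per request."""
    results = []
    for line in log.splitlines():
        client, _method, target = line.split(None, 2)
        host = host_of(target)
        results.append((client, host, decide(host, False), decide(host, True)))
    return results


if __name__ == "__main__":
    for client, host, bl, al in evaluate():
        print(f"{client:<11} {host:<30} blacklist={bl:<5} allowlist={al}")
```

The never-before-seen host and the bare IP tunnel sail through the blacklist but are denied by the whitelist, which is the gap the post is describing.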
All of this says to me that we're still living very much in a default-permit world, and there's a lot of work to be done before we can confidently say that progress has been made in this department.
- Coalition celebrates a religious Easter: 8 of 19 cabinet members are Catholic http://t.co/N6lRBMFdwa #auspol 18:27:06, 2014-04-20
- Copycat: Sydney is slowly turning into Melbourne http://t.co/KHUM3Wa0WJ 18:27:04, 2014-04-16
- Even more astounding than O’Farrell’s resignation is Abbott’s praise for his corruption http://t.co/uKNn3l3CSX #auspol 16:33:04, 2014-04-16
- Study reports that 4m Australians are vitamin D deficient. Darker-skinned people are most at risk. http://t.co/v3KW0X2Tfc 14:19:02, 2014-04-16
- Market failures stifling Australian startups: StartupAUS http://t.co/DrhtidMC67 14:19:00, 2014-04-15
- Australian graduates contribute $188b/year to the economy & pay $32b tax. Let’s keep Australia clever! http://t.co/CzF7DfDd5Z #keepitclever 20:32:12, 2014-04-14
I've always been a big fan of Shelfari, a book management/tracking website owned by Amazon. It's been very useful over the years for keeping track of what books I want to read, what's coming next in the series that I enjoy, and setting reading goals for the year. In fact, a little over a year ago I even posted that I still prefer Shelfari after the Amazon acquisition of Goodreads was announced.
A year later and Shelfari hasn't changed. It's still slow, it's still buggy, 'Amanda' the liaison between users and developers has disappeared, and edits I requested to some books are still pending 7 months later. Contrast that with the new features in Goodreads (such as Kindle integration), and it's clear that Amazon is spending all their resources on Goodreads. It wouldn't surprise me if they bought Shelfari, tried to convince users to switch from Goodreads with little success, and then gave up and simply bought the competition as well.
What do I do now?
The big features in Shelfari that I used were the ability to keep track of books I want to read, and check what is coming next in the series that I like - so I can read the next book when it's released.
These are mostly covered by my Kindle directly and Luzme, a Kindle price-watching and alerts website. I download samples of books I want to read onto my Kindle and make heavy use of a "To Read" collection, and Luzme keeps me informed when authors I like have a new book out. I don't use it so much for the price as for the alerts of new books.
Given that I've been neglecting Shelfari for the past couple of months and only really using these options for a while now, I don't see myself missing Shelfari too much.
What about keeping track of what you've read?
Ok, yes, I do like to keep track of the books I've read. It's not critical to me, but it's important and useful to look back over the year. For this I'm going to give Goodreads a try, to see if it's still badly designed and clunky, or whether it can capture my interest and do what I want.
And the "next in series" feature?
Shelfari's killer feature, in my opinion, is the ability to list books coming next in the series you've read. It uses its extensive database of book series to easily figure it out. This is something Goodreads desperately needs - but unless it's quite new, they still don't support it. It may drag me back into Shelfari, although with the lack of approvals for edits, their information is going to get very outdated very quickly. We shall see...
I'll report back when I've decided if it's going to work or not. I'm very interested in the Kindle integration, but that will have to wait until I upgrade my old Kindle Touch to a new model with support for it.
- Can Open Source Infrastructure Move the Education Market? http://t.co/n8CGxnKnBV #EduTech 14:19:14, 2014-04-11
- If you believe that higher education is important to Australia, sign the petition http://t.co/4t21IqYKsf 14:19:00, 2014-04-10
- Why Sydney is on course to lose its status as Australia’s biggest city http://t.co/S7nJqGecQ5 14:19:01, 2014-04-09