Headlines from the Computer Security Blogosphere

News and Notes for Information Security Buyers


May 16, 2008

Data isn’t ‘private’ if you put it on a social networking site

by @ 7:55 am. Filed under Privacy, privacy

Private: confined to particular persons or groups or providing privacy; “a private place”; “private discussions”; “private lessons”; “a private club” … i.e. something a social network isn’t.

I get annoyed with people who use the word ‘privacy’ when talking about their information on a social networking site; by definition, anything put on a Facebook or MySpace is there for sharing and is no longer private. If you want to keep your information private, don’t put it somewhere that’s specifically designed around the concept of blasting your info to as many people as possible in the first place!

We’ve got mashables and all the other technologies that are designed to share our information, or data portability as it’s called. People want to be able to take their information from one application to another as easily and transparently as possible. That’s great, it’s wonderful for sharing information. It’s also about as far away from ‘privacy’ as you can get.

There’s a big hubbub in the blogosphere because Facebook is blocking or limiting the amount of information other sites, like Google’s Friend Connect, can collect from the Facebook API. Facebook claims it’s about privacy; they believe users should have the right to control where their information goes and how it’s being used. I agree with that statement, but if someone is putting their personal information on Facebook, then they’ve made the choice of giving up that control, since any screen scraper or search engine can be used to pull down the information with very little effort. While I hate agreeing with Michael Arrington, he’s right; Facebook’s decision to limit what other social networks can pull from the FB API is about protecting Facebook’s business model and has nothing at all to do with their users’ privacy. Facebook wants to squeeze every possible cent from the value of your information before they let anyone else have it. I don’t blame them, I just don’t have to give them anything to work with.

Robert Scoble is wrong, privacy isn’t dead; people are just willing to give up privacy for the convenience of being part of a social network. If someone wants their data to be private, they shouldn’t be putting it online. Privacy isn’t dead, but you’ve made a decision to give up your privacy when you put it online. You have to weigh the value of having that social interaction versus what your information is worth to you. Most people make that decision without any conscious thought, which isn’t Facebook’s fault. Not everyone is a professional paranoid who spends a large amount of their time thinking about these issues, but everyone should at least be aware of what they’re putting online.

The Internet, and especially a social network, is designed around the concept of information sharing. Privacy is about controlling your information and controlling who has access to your information. If you put that information on Facebook, you’ve ceded that control to them, and even they don’t have that much control over who can access it. You can control where and when you put your information online, but once it’s there, privacy isn’t applicable. You’ve chosen to put it in a public forum, therefore your information obviously wasn’t something you wanted to keep private in the first place.


May 15, 2008

Links for 2008-05-15 [del.icio.us]

by @ 11:59 pm. Filed under Uncategorized

Strong Sense Critical Thinker

by @ 11:11 pm. Filed under Critical Thinking

I mentioned before that in Susan Wolcott’s Steps for Better Thinking Rubric (.pdf), skilled thinkers use general principles to interpret information, i.e. they use a model and they know which model they are using.

Since critical thinkers know which model they are using, they can easily question their model and adapt it to new facts and reality. They know the strengths and weaknesses of their model and know about many other models that could be used to interpret reality.

The Critical Thinking Community calls such a thinker a strong sense critical thinker:

strong sense critical thinker: One who is predominantly characterized by the following traits: 1) an ability to question deeply one’s own framework of thought, 2) an ability to reconstruct sympathetically and imaginatively the strongest versions of points of view and frameworks of thought opposed to one’s own, 3) an ability to reason dialectically (multilogically) in such a way as to determine when one’s own point of view is at its weakest and when an opposing point of view is at its strongest.

Strong sense critical thinkers are not routinely blinded by their own points of view. They know they have points of view and therefore recognize on what framework of assumptions and ideas their own thinking is based. They realize the necessity of putting their own assumptions and ideas to the test of the strongest objections that can be leveled against them.

xkcd: Security Holes

by @ 10:19 pm. Filed under Uncategorized

Not to be outdone by Dilbert, xkcd has its own Debian related humor today. Whoever thought that the words “encryption” and “humor” would apply to the same blog post?

Matt Asay again shows that he doesn’t know much about open source security

by @ 9:43 pm. Filed under open source, alan shimel, Tenable Network Security, ron gula, matt assay

I often comment or blog disagreeing with Matt Asay and his views on open source and security. Frankly, from the comments Matt leaves back, I think he views me as a pain in his butt and wonders why, if I don't agree with him, I read his blog. I read Matt's blog because I often do agree with him, but I also read it because I think it important that just because you don't agree with someone's views doesn't mean they have nothing to say. However, I also feel that I have the right to call BS when I see it. Matt's article yesterday on Tenable's new licensing is one of those times. Matt, you don't know what you are talking about on this one. If you are not going to take the time to dig in, then just stay out.

First a little background. Tenable announced the other day a change in their licensing of their NASL feed. For those who don't know, Tenable is the owner of the formerly open sourced Nessus vulnerability scanner. They also develop and publish a feed of NASL scripts which run in Nessus, which are likewise no longer and some say never were open sourced. I know Ron Gula pretty well and understand perfectly why Nessus is no longer under a GPL license for a few years now. I also understand the economics and reasons why they would charge for their NASL feed. I think it is good business and more power to Ron, Jack, Renaud and the rest of the Tenable gang. The change in their license is that now commercial customers will have to pay for the NASL feed, whereas before only people who resold the feed or otherwise profited from it would have to pay for the "registered feed". Now schools and charities can still get the feed for free, but others have to pay. Again, I don't have the slightest problem with this and wish them well.

Matt sticks his two cents in here and at the same time sticks his foot in his mouth. For some reason Matt has not realized that Nessus has not been open sourced since the release of the 3.x version some time ago. It is not like this is a secret; Tenable is very "open" about it and there has been much written about it. Because they are still open in Matt's eyes, they can do little wrong. Matt, this is just plain negligence on your part; go beyond the press release before writing! Matt talks about and links to Pierre Teilhard de Chardin's blog article about Tenable closing the source to Nessus and still doesn't take notice that it is no longer open source. Matt, did you read the article you linked to?

Matt then goes on to try and claim that it is OK for Tenable to charge for the NASL scripts because "the code is free, but the information that flows through it (Up-to-date vulnerability information, for example) is not". Matt, NASL scripts are scripts. I would think the word scripts in the name would be a dead giveaway. Don't you think that implies some code?

Yes, you can "drill your own wells" as Matt says and write your own NASL scripts. We do it at StillSecure for our own VAM vulnerability product. But we also use our own customized version of Nessus based off of the old 2.x open source code.

The fact is there is nothing open sourced about the current version of Nessus and NASL scripts, and Ron and company don't make any bones about it. Matt, your readers expect more from you. Do a little homework before you spout off!

More PHP Annoyances

by @ 2:21 pm. Filed under Uncategorized

PHP’s sort() function works pretty well. It does what you think it would do, i.e. sorting an array. However, its return value is not what I think it should be, i.e. an array… Now, while it’s nice that I don’t have to do:

$array = sort($array);

It is *highly* annoying that I can’t just:

print_r(sort($array));

The Debian random number generator

by @ 12:45 pm. Filed under Humor

http://img502.imageshack.us/img502/2996/pmeo9hcjp7aw9.jpg

Ouch! That hurts, and I don’t even run Debian. Thanks, Stepto.


Shrdlu on GRC FTW

by @ 12:03 pm. Filed under Security, compliance, information security, Risk Analysis, risk management, risk, GRC, information+security, information_security, risk+management, risk_management, Risk_Analysis

Shrdlu is entertaining and insightful and writes everything I wish I could have written on the Blogo-topic du jour, GRC.

Time to get a new set of keys

by @ 9:25 am. Filed under Encryption, Security Advisories, Debian, SSH, Ubuntu

If you’re using Debian or Ubuntu, it looks like you need to generate a new set of keys immediately, if not sooner! The SSH keys on those systems used the PID of the process as a seed for generating the old keys, which severely limits the randomness of the keys and has made it possible for a rainbow table of all possible keys to be generated.

There’s some debate about whether this vulnerability is related to an increase in SSH scanning on the Internet, but that’s really immaterial; it will cause a rise in SSH scans soon. Better to secure your system now and stay ahead of the curve than be one of the people unlucky enough to get compromised. As always, the real danger is not what’s happening today, but what happens in a few months when the awareness dies down and people who didn’t get the alerts leave their vulnerable machines on the Internet.

The Internet Storm Center thinks this is really important, so you probably should too.
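As an added example (not from the original post), here is a small Python audit of the kind a defender would run after this advisory: it walks authorized_keys-format lines, computes each key's fingerprint and flags any key whose fingerprint is on a blacklist of known-weak keys. The sample keys and the blacklist are constructed inline; in practice the blacklist would be loaded from a published list of fingerprints of keys the broken generator can produce.

```python
import base64
import hashlib
import struct

# OpenSSH public-key blob encoding (RFC 4253 "string" and "mpint").
def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _ssh_mpint(n: int) -> bytes:
    # (bit_length + 8) // 8 adds a leading 0x00 byte whenever the top bit is set
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def make_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Build an 'ssh-rsa <base64 blob> <comment>' line from raw (e, n). Constructed data only."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the form 'ssh-keygen -l' prints: SHA256:<base64, no padding>."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

# Constructed samples: toy moduli stand in for real keys (never use keys this small).
WEAK_KEY = make_rsa_pubkey_line(65537, 0xC0FFEE0000000000001, "weak@debian-host")
GOOD_KEY = make_rsa_pubkey_line(65537, 0xD15EA5E00000000000023, "fresh@rekeyed-host")

# Assumption: a real audit loads this set from a published blacklist of fingerprints of
# keys the broken PRNG can produce; here it is seeded from the constructed sample above.
WEAK_FINGERPRINTS = {fingerprint(WEAK_KEY.split()[1])}

def audit_authorized_keys(text: str) -> list:
    """Return the comment of every blacklisted key found in authorized_keys-format text."""
    flagged = []
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        # Skip any leading options (command="...", from="...") to reach the key type token.
        # Quoted options containing spaces get split too, which is fine for locating the key.
        idx = next((i for i, t in enumerate(parts) if t.startswith(("ssh-", "ecdsa-"))), None)
        if idx is None or len(parts) < idx + 2:
            continue
        if fingerprint(parts[idx + 1]) in WEAK_FINGERPRINTS:
            flagged.append(parts[idx + 2] if len(parts) > idx + 2 else "<no comment>")
    return flagged
```

Every flagged entry should be removed and its owner asked to generate a replacement with ssh-keygen on a patched system; host keys need the same treatment, since the advisory covers them too.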


Links for 2008-05-14 [del.icio.us]

by @ 12:59 am. Filed under Uncategorized
