FOSS Week in Review
Java is the target for half of all exploits
We’ve been saying for a couple of years now that Java isn’t safe and have been urging everyone who will listen to disable Java in the browser. As we’ve been saying this, comments to our articles on Java security have filled with folks wagging a finger and “reminding” us that Java is only a threat in the browser, that otherwise Java is safe.
That is wrong. The only time Java is safe is when it’s in a cup. According to an article published on IT World, researchers say that Java is now responsible for fully half of the exploits discovered in December.
“A blog post from Trusteer explains why Java is so highly targeted by malware developers: ‘Java is a high risk application that exposes organizations to advanced attacks. It has numerous vulnerabilities that can be exploited to deliver malware and compromise users’ machines. Once on the endpoint, it is extremely difficult to prevent its malicious execution.’”
It’s beginning to appear to us as if Oracle has absolutely no idea how to deal with the security issues posed by Java. This should come as no surprise to anyone, especially given the fact that the company has been unable to deliver a working website, albeit a highly complex one, even after burning through $100 million of Oregon’s money.
Do you need further proof of Oracle’s incompetence, especially when it comes to security? Right here at FOSS Week in Review, we passed this tidbit from Reuters on to you on February 1:
“David Litchfield, an established security expert and frequent speaker at top hacking conferences, disagreed with Ellison’s comments and said he regularly sees Oracle systems being compromised.
“‘Of all of the commercial databases, Oracle is the least secure,’ he told Reuters by email.”
If Oracle can’t keep its own highly expensive proprietary database secure, what makes you think it’ll do any better with Java?
Judge gives NSA a thumbs down
The NSA has been in and out of court for the last week or so and it’s beginning to look like an episode from “The Good Wife.”
We told you on March 1 that the NSA was trying to convince the spy court that it should be able to keep some of its collected data longer than the legal five-year limit, just in case it might need it to defend itself in a number of lawsuits that are already pending. Last Friday we learned from Ars Technica that Judge Reggie Walton of the FISC had turned them down.
On Monday things changed when US District Court judge Jeffrey Wright ruled that the NSA absolutely had to hold on to all data collected that might be relevant to the ongoing legal cases. By Thursday, FISC Judge Reggie Walton had changed his mind and issued a ruling in agreement with Wright’s.
Meanwhile, for those of you who see no harm in having your data stored on an NSA computer somewhere as long as it’s never opened, security expert and blogger Bruce Schneier explains why you should be afraid — very afraid.
“Of course, any time we’re judged by algorithms, there’s the potential for false positives. You are already familiar with this; just think of all the irrelevant advertisements you’ve been shown on the Internet, based on some algorithm misinterpreting your interests. In advertising, that’s okay. It’s annoying, but there’s little actual harm, and you were busy reading your email anyway, right? But that harm increases as the accompanying judgments become more important: our credit ratings depend on algorithms; how we’re treated at airport security does, too. And most alarming of all, drone targeting is partly based on algorithmic surveillance.”
Schneier explains that in NSA-speak, data isn’t “collected” when it’s taken and placed on one of their servers. It’s not even “collected” when their robots and programs sniff all through the data looking for red flags. According to the NSA, the data isn’t collected until it’s actually looked at by human eyes. In other words, the data isn’t collected until the NSA says it’s collected.
To paraphrase Bill Clinton: “That depends on what your definition of ‘collected’ is.”
We also learned this week that government spooks aren’t just spying on individuals, companies and foreign governments, they’re spying on Congress too. This has Senator Dianne Feinstein in a snit. Although she wholeheartedly supports the NSA and the CIA spying on everyday people, Congress is another matter entirely.
On Tuesday, Gizmodo reported that the Congressional spying concerned some documents the CIA had shared with legislators. It seems the intelligence agency had a change of heart and wanted to take them back.
“According to Feinstein, the dustup centers around the full CIA internal review document concerning the ‘enhanced interrogation’ tactics used by the CIA on detainees. As part of an agreement during the investigation, the CIA had granted access to Senate staffers to a partial copy of the report at a secure CIA location on CIA computers. Later, though, it turns out the CIA got cold feet about some of what it had allowed the Senate to see, and importantly, to transport off the premises.”
The next day, the Huffington Post called Feinstein on her hypocrisy.
“When former contractor Edward Snowden revealed last year that the National Security Agency was secretly collecting phone and electronic records from millions of ordinary Americans, the response in Congress was far more muted. Top senators insisted the surveillance was critical to U.S. counterterrorism activities.
“‘It’s called protecting America,’ Feinstein said then. Graham said he was glad Verizon was turning over customer records to the government to ensure that his phone was not linked to any terrorist activity.
“It was not until reports that the NSA had spied on foreign leaders and allies, such as German Chancellor Angela Merkel, that Feinstein offered criticism of the agency’s surveillance.
“Snowden said Tuesday it was hypocritical for some lawmakers to finally express anger when the privacy of elected officials was breached.”
But wait, there’s more…
We also learned this week, via Snowden docs, that the NSA has a superduper Internet attack tool called QUANTUM. On Thursday, Wired gave us a glimpse of the system’s capabilities.
“Today QUANTUM packs a suite of attack tools, including both DNS injection (upgrading the man-on-the-side to a man-in-the-middle, allowing bogus certificates and similar routines to break SSL) and HTTP injection. That’s reasonable enough. But it also includes gadgets like a plug-in to inject into MySQL connections, allowing the NSA to quietly mess with the contents of a third-party’s database. (This also surprisingly suggests that unencrypted MySQL on the internet is common enough to attract NSA attention.)
“And it allows the NSA to hijack both IRC and HTTP-based criminal botnets, and also includes routines which use packet-injection to create phantom servers, and even attempting (poorly) to use this for defense.”
Back in the 1960s there was a song with the lyrics “nowhere to run, nowhere to hide.” Of course, in those days there were plenty of places to which to run and all sorts of places where one could hide. Not anymore, or so it seems.
Now you can get a minor in open source
The Rochester Institute of Technology in New York state has announced that beginning this fall it’ll be offering an “interdisciplinary minor in free and open source software and free culture” through its School of Interactive Games and Media. The offering will be the first of its kind in the United States.
“‘As students progress through the minor, they acquire domain knowledge, hands-on experience and community interaction skills,’ said Stephen Jacobs, professor of interactive games and media and associate director of RIT’s Center for Media, Arts, Games, Interaction and Creativity (MAGIC). ‘Students can use their new skills to become leaders, as well as contributors.’
“While proprietary software—such as Microsoft Office—is developed, controlled and restricted by organizations, free open source software—such as Libre Office—gives users the right and ability to freely use, modify and share the software itself. The free culture movement, exemplified by Creative Commons, allows for the same type of flexible use rights for creative works, such as music or graphics. When companies want to take advantage of the opportunities to modify and/or redistribute FOSS software, which is often more reliable, secure and less expensive, they turn to experts in FOSS culture, process and licenses.”
That last paragraph seems to us to be particularly enlightened for academia, as U.S. educational institutions are infamous for their adherence to the Microsoft gospel. We’re keeping our fingers crossed and hoping this program is a success that will spread to other colleges and universities.
Open source devs find and remove Galaxy back door
On Wednesday, the Free Software Foundation reported that a back door was found in the Samsung Galaxy.
“While working on Replicant, a fully free/libre version of Android, we discovered that the proprietary program running on the applications processor in charge of handling the communication protocol with the modem actually implements a backdoor that lets the modem perform remote file I/O operations on the file system. This program is shipped with the Samsung Galaxy devices and makes it possible for the modem to read, write, and delete files on the phone’s storage. On several phone models, this program runs with sufficient rights to access and modify the user’s personal data. A technical description of the issue, as well as the list of known affected devices is available at the Replicant wiki.”
Atlanta gets ready for Great Wide Open
We’d like to remind you that Great Wide Open, an open source conference focusing on the enterprise, is less than three weeks away. The conference will be held at the 200 Peachtree Special Events & Conference Center in downtown Atlanta on April 2 and 3. This conference features a super lineup of great speakers, so if you’re going to be in the Atlanta area on those dates, we suggest you attend.
If you’re planning on going, you might want to go ahead and register now. As we explained last week, the people putting on the event are offering FOSS Force visitors 50% off the early bird price, meaning you can attend both days for $75 or one day for $50. All that’s necessary to take advantage of this offer is to type “fossforce” (without the quotes) into the promotional code box when you register on their website. This offer ends on March 19th.
Well, that does it. We’ve flushed away another week. We’re finally experiencing some springlike temps around here, but guess what? They’re predicting snow and ice on Monday. We think the weather folks need to buy another crystal ball. Anyway, until next time, may the FOSS be with you…