Posts Tagged ‘Links’

Slow Week

February 5, 2008

It’s kind of a slow week in security. Of course there’re new vulnerabilities, but no new interesting vectors of attack or anything like that.

So to give a sign of life, I at least updated my blogroll. There are some really great and interesting blogs among them. Here in order of how much I like them:

  • Heise Security: I like them because they compile lists like full disclosure or bugtraq for me. I’ve long since canceled my subscriptions to the mailing lists themselves. The flamewars (especially on FD) are simply unbearable.
  • GNUCITIZEN: Currently one of the best security research blogs. The guys at GNUCITIZEN really know what they are doing and found a couple of high profile vulnerabilities recently. (Hey, if someone from GNUCITIZEN is reading this: Please use better pictures to illustrate your postings 😉)
  • Michael Howard’s Web Log: Michael over at Microsoft writes about the security aspects in software development (on Windows platforms). While I’m not a developer, it’s still good to be kept up-to-date.
  • SecurityBuddha: Everyone in security knows Mark Curphey. He’s one of the grandfathers of the OWASP Guide for example. Apart from being dreadfully funny, he raises lots of valid points.
  • RiskAnalys.is: Amazingly, there are not only technical blogs, but also some about the management aspects of security. RiskAnalys.is is all about risk management. It’s written by the guy who invented the FAIR risk analysis approach, btw.
  • Ivan Ristic’s Blog: Ivan is the original author and developer of ModSecurity. While you know my opinion on Web Application Firewalls, it’s always good to have an eye on your enemy competition fellow combatants 😉
  • HiredHacker: One of the newer entries in my RSS reader. I stumbled across the blog when I read about the Firefox vulnerability that was discovered by this guy.
  • Security on Digg: This is mostly not very relevant to information security, but from time to time there’re some funny stories.

If nothing more interesting comes up, I’ll post a list of the funny entries in my RSS reader too…

Picture of snail on mouse pad by zenera

Video Recordings of 24C3

January 4, 2008

After missing the 24th CCC hacker conference (24C3) I’m glad to see that the video recorded talks are available now. Their wiki has a page that lists all sources from where they can be downloaded. That’s over 9 gig of video material and 4 days worth of security talks (each day having three parallel tracks). Find the schedule of the conference here.

Don’t expect me to post to this page for the next couple of days. I’ll be watching videos 🙂

Photo of crowd at 24C3 by bicyclemark

Google Hosts Your Mail Server

January 3, 2008

Yesterday I was exploring the possibilities of Blogger (I’m pretty new to this whole blogging thing, remember?) and from there inevitably stumbled across the many Google applications available. I also noticed something that is not brand new, but wasn’t known to me: Google hosts your mail server.

If you sign up for Google Apps, they’ll take care of handling the email service for your domain. You can get practically unlimited users, each with a quota of (currently) about 6GB (if you have a spare $50/user/year, you can raise it to 25gig). This is great especially with the IMAP support that is available since last year. To my knowledge, Google is the only company who provides this service for free. The features are amazing too. They include the possibility to add multiple domains, aliases for users and email lists.

I operate a mail server of my own and my biggest problem is reliability. I can’t put two servers in two locations just for my private email. I used to use rollernet.us as free backup MX, but they are now enforcing the limits for free accounts too. Google has a solid infrastructure and provides what seem to be 7 different MX servers. The chance that one of them is up is (hopefully) rather good.

The only thing that speaks against using this service is privacy. Technically Google is of course able to read all your emails. In their Gmail Terms of Use they state that they will monitor and disclose all information (including the contents of your emails) if “required to do so in order to comply with any valid legal process or governmental request”. Good thing is, as you can use any mail client via POP or IMAP, you can also use S/MIME or PGP/GPG encryption.

Currently Google Apps email service seems to be in beta stage, but let’s just hope it’s here to stay.

Picture of abandoned mailbox by cindy47452

Another year over again – WTF?!

December 31, 2007

Yet another year is over. Today, I’d like to share a link to a page I read basically every day in the past year. It’s one of the things that make me tick during work. Ever heard of The Daily WTF? Every (work)day, they publish a curious perversion in information technology. Most WTFs are developer centered, but there are a lot of them that have a security impact. It’s a great read.
So, I wish you (all of my zero readers) a Happy New Year! I’ll be celebrating at home with a couple of friends. I just had a look out of the window and it’s snowing hard. As in “can’t see your hand in front of your face” hard. We didn’t have a white Christmas, but at least now everything is white outside. I think I’ll have to pick up my camera and take a couple of pictures. See you next year!

Picture of WTF Coffee Cup by bitzcelt