Posts for March, 2001

CLIQ on Security

From the CLIQ 2001 conference: Kevin Fenzi (tummy.com, creator of KRUD) led the Security BOF @ CLIQ. This was a pretty informal session, and Kevin is a pretty informal guy. I grabbed a copy of KRUD to install on my servers and test workstation and I'm totally sold on it. In addition to having a solid security profile, I'm just overall happier with it on a usability level than I am with Mandrake (my prior favorite distro).

We started with a brief conversation on current viruses, the Winux virus (I'm not too worried about legions of script kiddies starting to write assembly viruses, and the only way it can really hurt you is if you check your mail as root and execute a binary from someone), and how dumb it is to run things as root (see above).

Some nice tips for those of you who want to be more secure:

Get updates from the legitimate source.
Make sure you set up GnuPG for root so that it only checks against the official Red Hat/Mandrake/etc. keys.
Verify, verify, verify.
Use limits.conf to limit processes, etc. per user.
PAM is your friend; use it.
Firewalls in general can give a false sense of security; set them up carefully.
Use the new kernel (its packet filtering is stateful).
netfilter is very, very useful.
Proxies and toolkits are sometimes useful, not always.
netfilter provides full NAT, as opposed to just masquerading. Check the NAT, IP fundamentals, and iptables HOWTOs.
Port 137 is the WINS server port; all Win95 boxes send requests to a host any time they request anything (e.g. they send port 137 queries to web servers when they view a web page), so don't worry about port 137 queries unless you're running a service there (and if there's a service there that you didn't know was there, worry).
Run nmap and Nessus, and SAINT (in place of SATAN), against your systems from outside.
LIDS - check it out (not ludes, LIDS).
FreeS/WAN is very, very hard to set up, but it works with IPSec.
VPND or PPP over SSH are your best secure connection approaches.
Use Postfix. Sendmail bad. Postfix good.
chroot is fine, but don't let it give you a false sense of security, as it's not that hard to break out of.
Make sure EVERYTHING is up to date, and turn off anything you aren't using.
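The port 137 advice above boils down to a triage rule: a hit on a port nobody is listening on is noise, a hit on a service you meant to run is expected, and a hit on a listener you did not know about is the thing to worry about. As an added example (not from the BOF or from KRUD), the script below applies that rule to constructed iptables LOG lines; the host, log lines and the bound/intended port sets are all made up for the demonstration.

```python
import re

# Constructed sample lines in iptables LOG-target format (not from the post).
# Two Win9x-style NetBIOS queries to UDP 137, one web hit, one probe at TCP 6000.
SAMPLE_LOG = """\
Mar 30 10:01:02 gw kernel: IN=eth0 OUT= SRC=10.1.2.3 DST=192.0.2.10 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 30 10:01:05 gw kernel: IN=eth0 OUT= SRC=10.1.2.7 DST=192.0.2.10 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 30 10:02:11 gw kernel: IN=eth0 OUT= SRC=10.9.9.9 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=80 LEN=60
Mar 30 10:02:40 gw kernel: IN=eth0 OUT= SRC=10.9.9.9 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=6000 LEN=60
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) .*PROTO=(?P<proto>\w+) .*DPT=(?P<dport>\d+)")

def parse_hits(log_text):
    """Yield (proto, dport, src) for every line that looks like a LOG entry."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("proto"), int(m.group("dport")), m.group("src")

def triage(log_text, listening, expected):
    """Classify each (proto, dport) seen in the log.

    listening: ports actually bound on the host (what netstat/nmap show)
    expected:  ports you know about and mean to run
    Returns {(proto, dport): (verdict, hit_count)}.
    """
    counts = {}
    for proto, dport, _src in parse_hits(log_text):
        counts[(proto, dport)] = counts.get((proto, dport), 0) + 1
    verdicts = {}
    for key, n in counts.items():
        if key not in listening:
            verdict = "background noise"      # nothing answers; port 137 chatter lands here
        elif key in expected:
            verdict = "known service"
        else:
            verdict = "UNEXPECTED LISTENER"   # a service you didn't know was there: worry
        verdicts[key] = (verdict, n)
    return verdicts

if __name__ == "__main__":
    # Hypothetical host: web server intended, X11 (TCP 6000) left listening by accident.
    bound = {("TCP", 80), ("TCP", 6000)}
    intended = {("TCP", 80)}
    for (proto, port), (verdict, n) in sorted(triage(SAMPLE_LOG, bound, intended).items()):
        print(f"{proto}/{port}: {n} hit(s) -> {verdict}")
```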

All common sense stuff, but I really enjoyed hearing different opinions on issues and the 30 minute melee over RPM security, and I made some great contacts.


Posted on March 30, 2001.



CLIQ on Zope

From the CLIQ 2001 conference: Paul Everitt (CEO of Digital Creations) headed up the Zope BOF as well as giving a speech on Zope; really a great set of presentations. Some of the high points he hit on:

Zope has a steep learning curve (I disagree with this and told him so) and they are trying to make it a bit easier. They are working towards componentizing more so you can really focus on learning one piece at a time.

They use UML modeling, which has been (as he put it) extremely interesting. The stability of UML apps is less than ideal.

Activestate is working on Perl embedded in Python to make Perl native in Zope. I've no idea why you'd want to use Perl once you've used Python.

Side note: Zope is good for caching; PHP/Perl/JSP are not. Anything with a question mark (a query string) in the URL is not cacheable as per the HTTP spec; Zope doesn't use them much, PHP/Perl/JSP do. Web services with XML protocols do not work with question marking (because XML uses question marks and you can't double question mark).
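The HTTP rule behind that side note, as an added example that is not part of the post: RFC 2616 section 13.9 says a cache must not treat the response for a URL containing "?" as fresh unless the server gives an explicit expiration time, whereas a plain path URL may be cached heuristically (for example from Last-Modified). The function below is a constructed, simplified check of that rule for a shared cache, not a full cache implementation; the URLs and headers are made up.

```python
from urllib.parse import urlsplit

def _directives(cache_control):
    """Split 'public, max-age=60' into the set {'public', 'max-age'}."""
    return {d.strip().split("=", 1)[0].lower()
            for d in cache_control.split(",") if d.strip()}

def may_cache_without_revalidation(url, headers):
    """Can a shared cache reuse this GET response without asking the origin again?

    headers: response headers as a dict (names matched case-insensitively).
    Query-string rule (RFC 2616 section 13.9): a response for a URL containing
    '?' must not be treated as fresh unless the server supplies an explicit
    expiration (Expires, or Cache-Control max-age / s-maxage). Other URLs may
    additionally be cached heuristically, e.g. from Last-Modified.
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = _directives(h.get("cache-control", ""))
    if cc & {"no-store", "no-cache", "private"}:
        return False                      # server forbids shared caching outright
    explicit_expiry = "expires" in h or bool(cc & {"max-age", "s-maxage"})
    if urlsplit(url).query:
        return explicit_expiry            # '?' URLs: explicit expiry or nothing
    return explicit_expiry or "last-modified" in h

if __name__ == "__main__":
    # Constructed examples: a Zope-style path URL versus a PHP-style query URL.
    samples = [
        ("http://www.example.com/news/2001/03/30", {"Last-Modified": "Fri, 30 Mar 2001 12:00:00 GMT"}),
        ("http://www.example.com/news.php?id=30", {"Last-Modified": "Fri, 30 Mar 2001 12:00:00 GMT"}),
        ("http://www.example.com/news.php?id=30", {"Cache-Control": "public, max-age=300"}),
        ("http://www.example.com/login", {"Cache-Control": "no-store"}),
    ]
    for url, hdrs in samples:
        verdict = "cacheable" if may_cache_without_revalidation(url, hdrs) else "not cacheable"
        print(url, "->", verdict)
```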

Zope uses a built-in object database (transactional, tunable cache, hierarchical, distributable, etc.) written in Python with C extensions. It doesn't suck. Relational databases = stupid databases; object databases = smart databases. What will a relational DB do with an arbitrarily structured XML doc? Puke. In creating Zope, they wanted to create a data model that matched the web. Content managers can't think in terms of relational algebra; they think in terms of Windows Explorer. I realize that the previous sentence seems a contradiction in terms, but we are talking about content managers after all. The object database is extensible (create a product for expense reports, for example). A text index is integrated with the database; on add or undo it updates the index.

So who is Zope targeting? Users (or potential users) of Interwoven, Broadvision, Storyserver, etc. They are working on a project with BEA right now, front ending the system.

Hot new tool: ParsedXML - as you traverse the doc it converts each component into a persistent object to keep memory under control.

Coming up in Zope:

Documentation - New Riders book due this summer (Zope for content managers; this was going to be the O'Reilly book, but the project manager at ORA totally misunderstood the proper target audience and it ended up not being the type of book ORA does). Zope Dev Guide in progress.
Architecture streamlining - more formal component model; make developers the target audience rather than content managers, and let the devs sell the content managers.
Raise visibility (enterprise Zope).
Ease the learning curve.
Implement an inverted index (more efficient cache management).
Replace file storage with a Berkeley DB3 system (transaction & journaling engine).
ZEO (distributed cache, etc.).
In a big coup for Zope, CBS News (all their websites, national and local) are moving from Storyserver/Solaris to Zope/VA Linux.
Python Labs is taking over the ZEO engine to make it more elegant and working on ...


Posted on March 30, 2001.



CLIQ on Jabber

From the CLIQ 2001 conference
Peter from Jabber.com / Jabber.org gave a great BOF on Jabber, which really opened my eyes to the potential of the technology. I hadn't played with Jabber at all, so I was under the impression that it was Just Another Instant Messenger. Not the case. Jabber is a general XML routing technology; instant messaging is simply the first application (the proof of concept piece).

The people @ jabber.com are working on Jabber As Middleware (JAM), to let disparate systems talk via XML. This has obvious advantages in e-com as companies are trying to tie cutting edge web junk to legacy back end crap. And those are technical terms.

Also, independent developers are working on Jabber extensions to proxy your Jabber client to a pager, cell, AIM, ICQ, MSN, IRC, Yahoo (sort of a functional, stable version of Everybuddy, but better). You can also have your own Jabber client route incoming messages based on where they are coming from (work people get routed to pager/cell, spam routes to /dev/null, etc.).
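The sender-based routing just described, as an added example that is not from the BOF or from any Jabber client: it parses a constructed stream of <message/> stanzas, strips the /resource part of the sender's JID, looks the bare JID up in a hypothetical roster, and sends work contacts to the pager, unknown senders to /dev/null and everyone else to the normal client. Stanzas, roster and group names are all made up; the jabber:client stream namespace is left out to keep the sample short.

```python
import xml.etree.ElementTree as ET

# Constructed sample stream (not from the post): three <message/> stanzas as a
# client would receive them. The jabber:client namespace is omitted for brevity.
SAMPLE_STREAM = """\
<stream>
<message from='alice@work.example/desk' to='me@home.example' type='chat'><body>server is down</body></message>
<message from='nobody@spam.example' to='me@home.example' type='chat'><body>BUY NOW</body></message>
<message from='bob@friends.example/laptop' to='me@home.example' type='chat'><body>beer?</body></message>
</stream>
"""

# Hypothetical roster: bare JID -> group, the way a client's roster groups contacts.
ROSTER = {"alice@work.example": "work", "bob@friends.example": "friends"}

def bare_jid(jid):
    """Drop the /resource suffix: alice@work.example/desk -> alice@work.example."""
    return jid.split("/", 1)[0]

def route(message, roster=ROSTER):
    """Pick a destination for one <message/> element based on who sent it."""
    sender = bare_jid(message.get("from", ""))
    body = message.findtext("body", default="")
    group = roster.get(sender)
    if group is None:
        return ("/dev/null", sender, body)  # not on the roster at all: drop as spam
    if group == "work":
        return ("pager", sender, body)      # work people reach the pager/cell
    return ("client", sender, body)         # friends land in the normal client window

def route_stream(xml_text, roster=ROSTER):
    """Parse a whole stream and route every message in it."""
    root = ET.fromstring(xml_text)
    return [route(m, roster) for m in root.iter("message")]

if __name__ == "__main__":
    for dest, sender, body in route_stream(SAMPLE_STREAM):
        print(f"{sender:24} -> {dest:9} {body}")
```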

Resources (such as contact info, URL, profile info, etc.) use the concept of ACLs so you can control who sees your resources (IM, weblog, URL, calendar, phone number, etc.). The basic premise with Jabber is that everything should be built around the user, tying in XML-RPC, SOAP, etc.

Jabber works well as a highly configurable, secure messaging platform (only allow particular IPs, etc.).

Upcoming in Jabber:

Moving from pth to pthreads will be in the 2.0 release.
Someone is working on ODBC/LDAP connectivity for Jabber.
Lots of companies are using jabber.com to develop voice over IP or wireless solutions.
Also working on a web client (Jabber uses port 5222 ("jabb" on your phone), which can't get through firewalls and the like).
JAM will make extensive use of agents (another area I'm looking at right now with great interest).
Jabber's roster (your info/friends/etc.) lives on the server as /var/spool//username.xml; each time you log in from anyplace, it downloads the file to your client so you can have all your info no matter where you are.

And to top it off, Peter was just very cool.


Posted on March 30, 2001.