Gilles Gravier's rants about things in general... security, open source, privacy, java, music... in particular.
Evil maids attacking? Nothing new. Really!
So, I've been reading Bruce Schneier's blog on the Evil Maid Attack. He's falling into one of the behaviors he usually criticizes: a new Hollywood-style plot for something not really new, not really changing the world.
The thing is... the assumption is that the attacker has access to your laptop.
Which has always been an issue. Insert a keylogger into your hardware (keyboard cable on a desktop, or a bit more subtle on a laptop, but nothing beyond the capabilities of your typical spooks) and you get the same access to all keystrokes, including those for the passwords to the encrypted disks, Firefox datastores, and pretty much anything else.
So apart from having a fancy name... nothing new.
It's like Java... If you let an attacker change your bytecode loader / verifier... yeah, they break your system. But then again... it's not really running Java anymore at this point.
Same here... if you let an attacker change the behavior of your machine (hardware or software) then you're not really running your machine anymore at this point either.
Sure, multi-factor authentication is the solution. But "Evil Maid Attack" is just a fancy name for something not really new.
Posted at 06:37PM Oct 23, 2009 by gravax in Security | Comments[0]
2020 FLOSS Roadmap version 2009 is out!
So the new version was published and announced about 2 weeks ago, right after the Open World Forum in Paris (quite an impressive event, with a very interesting speech from Mark Shuttleworth). Check out the new (2009) edition of the 2020 FLOSS Roadmap! Very interesting reading!
Gilles.
Posted at 03:42PM Oct 22, 2009 by gravax in Opensource | Comments[0]
You know you've been using OpenSolaris too much when...
... when you start typing "pfexec" in Linux instead of "sudo" and wondering why it doesn't work.
Time to "alias pfexec sudo" for me.
Posted at 08:25PM Oct 16, 2009 by gravax in Opensource | Comments[2]
Oracle Beehive and IRM
Just out of the session at Oracle Open World on Beehive and IRM. I think these 2 products make a fantastic combination. The capability of sharing extremely sensitive documents between users has been known for a long time. My friends at Cyber-Ark Software have been doing it for quite a few years now.
The issue I have with this Oracle combination is that it is Windows-targeted. The IRM client/plugin for the desktop, which provides great functions like preventing copy/paste, printing, and re-saving of the documents, only runs on Windows...
In Europe, where many (if not all) of the governments are progressively moving to open source (Linux desktops, OpenOffice.org productivity suite...), this basically locks them out of that market.
Posted at 08:51PM Oct 15, 2009 by gravax in Oracle | Comments[2]
Last day at Oracle Open World
The first session I listened to today was about security coding best practices. It was interesting to learn that Oracle finds 87% of their security bugs internally, 10% through customers finding them, and 3% from external non-customer sources...
I can't help but wonder how many more, and how much faster, they would find, were they to open source the software. 
Our history at Sun has shown us that open sourcing our OpenSolaris operating system definitely increased the code quality by helping us find, and correct bugs (including security ones) much faster.
Posted at 07:17PM Oct 15, 2009 by gravax in Oracle | Comments[0]
Second day at Oracle Open World - Exhibition floor and public sector
So today's my second day on the conference. So far, it's enlightening.
The exhibition floor opened today. It's huge. It's in Moscone South AND Moscone West. Will the conference still fit in Moscone next year? 
On the floor, I saw my friends from Cyber-Ark Software. Pity Udi Mokady, their CEO, wasn't there. It's always a great opportunity for an interesting discussion when we meet. These guys have a great solution for sharing information with extreme security between people / entities.
I also attended a general session on Oracle in Public Sector. I and several other people left in the middle. Comments I heard (and share totally) included "this is useless, it's only focused on North America". Pity for a session that was not labeled as being focused only on the North American market (1/3rd of the world market)... The speaker then detailed the multiple tracks focused on public sector... and they were all US-centric. Oh well... I DO know Oracle has a global public sector team. They just don't give that impression here at Oracle Open World.
On a side note, I'm playing with a social networking tool called Aka-Aki... run it on your mobile. It tells you who's around... and you can chat, hook up. You post your status there, it updates Twitter, which updates Facebook, which updates Plaxo... you get the picture. It's very popular in Europe... but for some reason, I seem to be the only user in San Francisco city most of the time. The only user the system has identified in the region is in Fremont... not really walking distance. Pity, as it would have been fun to meet other users. There have to be at least a few geeks at Oracle Open World. Come on, geeks of the bay... Try Aka-Aki! Find me there as "ggravier".
Posted at 12:24AM Oct 13, 2009 by gravax in Oracle | Comments[0]
My first day at Oracle Open World
OK... And officially my first Oracle related post. 
So, today was the first day of Oracle Open World. I'm rather impressed!
First, this morning, at the SaaS / Cloud computing session of the partners' track, I learned that Oracle has a new SaaS-focused sales model where you pay as you grow. It lets SaaS providers buy licenses (for a limited number of Oracle products) in volumes that grow with their business. They can buy small, when they have small numbers of customers... and then, when they grow their business, they can increase the number of licenses... This is a great step in the right direction, and probably a response to the open source "pay at the point of value" model where you don't pay at all to begin with... but only pay for support when what you have becomes mission critical and you need to be sure that it works... Let's see how far Oracle pushes that model... but I like the beginning.
Next, this evening, was the general keynote session. What a blast! It felt like the good old days of Sun Microsystems. The whole keynote was done by Scott McNealy except a small part by Larry Ellison. Scott even did 2 of his top-10 lists. Lots of laughs in the room. Many serious points. Great review of Sun's track record at innovation... and James Gosling even came on stage. Then Larry stepped up and talked about his plans for the future, more investment in Sun's key technologies (SPARC, Solaris, MySQL) and how the combination Sun + Oracle is a fantastic opportunity for changing the IT world. We're going to kick serious ass. In particular IBM's, which seems to be very (legitimately) afraid. Competition is going to get very fun. In particular given the performance numbers we're announcing when we put our strengths together.
I'm impatient to see how this will all evolve, and I have to say, I'm paying very close attention to what Oracle's strategy for pushing (or just using) open source will be. Sun's a big advocate of open source. I hope Oracle will be just as active an activist! I'm optimistic!
Let's go kick some big iron ass in the IT world!
Posted at 05:09AM Oct 12, 2009 by gravax in Oracle | Comments[1]