I’ve just recently returned from REcon 2012 and while I heard a couple people express that they had “heard” that some people were more disappointed with this year’s conference compared to prior ones, I personally really enjoyed it and felt it was the best one yet. I saw and enjoyed more of the lectures this year than I have in the past and seemed to have better interactions with the other conference attendees, better conversations, and generally enjoyed myself more than years past. Perhaps it was because this year Montreal wasn’t in the middle of a heat wave with no air conditioning in the hotel and the conference hotel didn’t catch fire (:
Archive for the ‘software’ Category
A number of years ago, Microsoft led the charge by moving away from a dynamic patch release schedule to a monthly patch release schedule, essentially creating an imposed monthly patch cycle for their customers. Since then, many other vendors have followed suit. There are opinions and arguments supporting both a release schedule philosophy as well as a release upon completion philosophy, and today I’m going to outline where I stand on the issue.
It’s been quite a while since I wrote or updated DFW, the I)ruidic FireWall. Included with that utility is a default iptables firewall policy which the user can use directly, tweak to their liking, or completely throw away and start over from scratch. NetFilter (iptables) has come a long way since I was actively working in the firewall space and regularly maintaining the DFW utility, so I thought it high time that I update the firewall policies on my servers to take advantage of some of it’s newer features, and in doing so update DFW’s default policy with some extra bells and whistles. The primary goal I wanted to accomplish was to significantly clean up my firewall logs, as the Internet is an extremely dirty and hostile place to connect a computer to. Regularly my logs would be full of default drop log entries for entire port-scans, the same worm-infected hosts connecting to the same closed ports over and over and over again, and other general random connection attempts.
Today, Bruce Schneier posted an essay to his blog arguing the case for full disclosure of software vulnerabilities, which I am also in favor of. It’s apparently a side-bar to an article in CSOOnline entitled “The Chilling Effect” which is about some of the growing issues surrounding vulnerability research in web software. There’s also two other side-bars arguing the case for keeping vulnerability information secret or only telling the software vendors as well as the hybrid option that has sprung up in the last few years termed “responsible disclosure.”