Security practices: experts vs non-experts

Google recently published the results of a survey of computer users to see what security practices they follow. The paper splits the users into two groups — security experts (people who deal with computer security for a living as part of their job, like me), and non-expert users. For each of the two groups, Google assembled a list of the top five security practices followed. You probably won’t be surprised to learn that the two groups had almost completely different lists.…

The other end of the POODLE

I’ve written about how to front-end your Domino servers with Apache to provide TLS up to TLS 1.2 and block SSLv3. But what about the other side of the problem? You might not be able to upgrade your Java runtime easily, particularly if you’re using IBM XPages. Well, fortunately life is easier on the consumer side of Web Services. There are some system properties which let you enable TLS on earlier Java runtimes where it’s disabled by default.…

Playing Domino without a POODLE

If you run any kind of Internet server, you’ve hopefully heard about the POODLE vulnerability in SSL 3. If you run a Domino server, you need to worry about this, because Firefox plan to turn off SSLv3 support in their next release in a couple of weeks and remove the code in the release after that — and Chrome will follow soon after. SSLv3 is the only secure connection supported in Domino out of the box, so that could leave you with no HTTPS support.…

In the wake of shellshock

So, shellshock. It’s big. I think it’s bigger than heartbleed, because the bug has been in the code for 22 years, so there are an awful lot of systems out there with a vulnerable shell installed and nobody maintaining them properly. One misconception I’ve seen posted across the web is that you’re not in trouble if you don’t use bash as your shell, or that you’re safe if you have dash as /bin/sh.…

Learning from Apple's goto fail

I’ve seen multiple posts drawing lessons from Apple’s goto fail. However, they’ve all focused on one or two issues that led to the error. I think there were a good half a dozen problems that led to the error, so here’s my summary.

Problem 1: Braces

The first problem, and the one most people pick up on, is the use of statements outside of code blocks in control flow statements.…

Setting up DB2 on Linux

This is a quick sketch of the typical process for setting up individual user IDs to access a DB2 database on a Linux-based DB2 server — basically, the bare essential things to do which aren’t covered by the DB2 installation guide. Before attempting the DB2 install, install the necessary additional packages:

apt-get install libxrender1 libxft2 libxtst6 libxi6 libaio1 ksh libstdc++6-4.4-dev libstdc++6-4.4-pic libstdc++5 rpm

Install DB2, and check licensing is set up correctly via db2licm -l.

Sometimes old technology is the best option

A while back, I had an interesting problem to solve. We have a set of servers on their own TCP/IP network, with addresses in the 10.0.0.0/8 private IPv4 space; it’s colloquially referred to as “the 10 network”. It’s cut off from the main corporate network; you generally need to use a VPN client to access it. It’s possible to get SSH connections enabled by special request, but only from the corporate network to the private network, only to unprivileged IDs, only between static IP addresses, and definitely not for any non-SSH protocol.…

Adjusting ulimit -n

The first time you run IBM Lotus Domino server on a new Red Hat Enterprise Linux (RHEL) box, you get the following message:

WARNING: the maximum number of file handles (ulimit -n) allowed for Domino is 1024. See Release Notes and set the allowable maximum to 20000.

This message is less than ideal for a couple of reasons. Firstly, it doesn’t tell you how you’re supposed to change ulimit, and secondly it hints at the wrong way of doing it.…

OpenSSH flaw: workaround

A flaw in the SSH protocol is starting to get more widespread attention. It appears that a workaround is available: disabling CBC ciphers in favor of CTR. To do so, edit /etc/ssh/sshd_config and add the following:

Ciphers arcfour128,arcfour256,arcfour,aes128-ctr,aes192-ctr,aes256-ctr

That’s the default list of SSH ciphers, minus the CBC ones.…
