Information Security News
Wednesday's bombshell advisory declaring TrueCrypt unsafe to use touched off a tsunami of comments on Ars, Twitter, and elsewhere. At times, the armchair pundits sounded like characters in Oliver Stone's 1991 movie JFK, as they speculated wildly—and contradictorily—about what was behind a notice that left so many more questions than answers. Here are some of the more common theories, along with facts that either support or challenge their accuracy.
Theory: Borrowing a page from the Lavabit crypto service that former NSA contractor Edward Snowden used, Wednesday's advisory was what legal practitioners call a "canary," intended to signal receipt of a confidential demand from a law-enforcement or national security entity. Since National Security Letters (NSLs) can impose draconian penalties on those who make the demands known, this theory goes, the TrueCrypt developers issued a thinly veiled warning to users that they should no longer count on the program to prevent snooping by the US government.
Pros: Several elements of the advisory left many readers with the vague sense that the writers' tongues were planted firmly in their cheeks. Most obvious was the advice that TrueCrypt fans—a mish-mash of privacy-loving Linux, Mac, and Windows users—should abandon the cross-platform app for BitLocker, Microsoft's proprietary encryption program that runs only on selected versions of Windows. With much less prominent mention of FileVault or LUKS—the rough Mac and Linux equivalents of BitLocker, respectively—some people regarded the advice as so absurd as to be a wink and a nudge signaling that something much more serious was going on.
by Jon Brodkin
A Linux Foundation project inspired by the Heartbleed security flaw announced that it will fund a security audit for the OpenSSL code base and the salaries of two full-time developers.
The Heartbleed flaw shone a spotlight on how poorly funded the OpenSSL cryptographic software library is despite being used by many of the world's richest technology companies. The Linux Foundation, with support from those tech companies, created the Core Infrastructure Initiative (CII) to boost the security of OpenSSL and other open source projects in need of help.
Today, the foundation announced that the first projects to get funding will be OpenSSL, OpenSSH, and Network Time Protocol.
This keeps happening over and over, and we aren't really covering this as much as we should: Readers finally heed our advice and look at their logs! Now this should make us proud and glad. But then the bad thing happens: They have no idea what they are looking at, and the logs look scary. So the conclusion is "I am hacked!". People stop working and their only goal is to get back a clean system, which they find impossible to achieve. For some people, this even results in them becoming unemployed, or worse: They become security professionals.
With this introduction, I have a challenge for you: Take a system that you reasonably believe to be "clean". Find some logs that make you think otherwise, and try to explain them. To get started, here are some from my iMac desktop, which I use to type this diary:
May 29 10:04:37 iMac.local com.apple.authd: Succeeded authorizing right 'com.apple.ServiceManagement.daemons.modify' by client '/usr/libexec/UserEventAgent'  for authorization created by '/usr/libexec/UserEventAgent'  (12,0)
Even after a full 5 minutes with Google, I am kind of at a loss as to what this means. In my opinion it is nothing to worry about, but then again, that is just my "impression".
May 29 10:46:16 iMac.local sandboxd (): com.apple.WebKit(7255) deny file-read-data /Library/Preferences/com.apple.security-common.plist
Seems like a coding bug in Safari to me. Why? Well, WebKit is the rendering engine behind Safari, and Safari runs inside a sandbox on OS X. But why does it try to read "com.apple.security-common.plist"? Looks bad. Maybe I have just been doing this too long to still care about some of these messages. It sure looks dangerous to someone who still does care.
So what are your favorite non-events? How do you figure out what is a problem and what isn't? Do we need a database of log messages with translations?
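One way to start on the "database of log messages with translations" the diary asks about is a small triage script: parse each syslog-style line into timestamp, host, process and message, match the message against a list of rules that carry a human explanation, and flag anything no rule covers as "unknown" so it gets explained rather than assumed to be an intrusion. The following is an added example, not code from the ISC diary or from Apple; the two rules and their notes are constructed annotations that paraphrase the diary's own assessment of its two lines, and the third sample line is made up to exercise the unknown path.

```python
"""Triage macOS syslog-style lines against a small 'known message' database.

Added example (not part of the ISC diary): every rule and explanation here is
a constructed annotation paraphrasing the diary's assessment of its two lines;
it is not an Apple-documented catalogue of log messages.
"""
import re
from dataclasses import dataclass

# Constructed sample: the two lines quoted in the diary plus one made-up line
# that no rule covers, so the 'unknown' verdict is exercised as well.
SAMPLE_LOG = """\
May 29 10:04:37 iMac.local com.apple.authd: Succeeded authorizing right 'com.apple.ServiceManagement.daemons.modify' by client '/usr/libexec/UserEventAgent'  for authorization created by '/usr/libexec/UserEventAgent'  (12,0)
May 29 10:46:16 iMac.local sandboxd (): com.apple.WebKit(7255) deny file-read-data /Library/Preferences/com.apple.security-common.plist
May 29 11:02:03 iMac.local example.helper: something nobody has explained yet
"""

# syslog-style prefix: "<Mon> <day> <HH:MM:SS> <host> <process>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$"
)


@dataclass
class Rule:
    key: str
    proc: str            # bare process name, e.g. "com.apple.authd"
    pattern: re.Pattern  # applied to the message; named groups become fields
    verdict: str         # "explained" (known benign) or "review" (worth a look)
    note: str            # the human "translation" of the message


RULES = [
    Rule(
        key="authd-right-granted",
        proc="com.apple.authd",
        pattern=re.compile(
            r"Succeeded authorizing right '(?P<right>[^']+)' by client '(?P<client>[^']+)'"),
        verdict="explained",
        note="Authorization framework granted a right to a client; "
             "diary's assessment: nothing to worry about.",
    ),
    Rule(
        key="sandbox-deny",
        proc="sandboxd",
        pattern=re.compile(r"(?P<app>[\w.]+)\((?P<pid>\d+)\) deny (?P<op>\S+) (?P<path>\S+)"),
        verdict="review",
        note="App sandbox blocked an operation, i.e. containment doing its job; "
             "diary's read: most likely a WebKit/Safari bug, not an intrusion.",
    ),
]


def parse_line(line):
    """Split one syslog line into fields; return None if the prefix does not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # "sandboxd ()" carries a (pid) after the name; keep only the bare process name
    d["proc"] = d["proc"].split(" ")[0].split("(")[0]
    return d


def triage_line(line):
    """Match one line against RULES and return a dict with the verdict and extracted fields."""
    parsed = parse_line(line)
    if parsed is None:
        return {"verdict": "unparsed", "key": None, "fields": {}, "proc": None,
                "note": "Line does not look like a syslog record.", "line": line}
    for rule in RULES:
        if parsed["proc"] != rule.proc:
            continue
        m = rule.pattern.search(parsed["msg"])
        if m:
            return {"verdict": rule.verdict, "key": rule.key, "fields": m.groupdict(),
                    "proc": parsed["proc"], "note": rule.note, "line": line}
    return {"verdict": "unknown", "key": None, "fields": {}, "proc": parsed["proc"],
            "note": "No rule covers this message; explain it before deciding it is a problem.",
            "line": line}


def triage(text):
    """Triage every non-empty line of a log excerpt."""
    return [triage_line(l) for l in text.splitlines() if l.strip()]


def summarize(results):
    """Count results per verdict, e.g. {'explained': 1, 'review': 1, 'unknown': 1}."""
    counts = {}
    for r in results:
        counts[r["verdict"]] = counts.get(r["verdict"], 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for r in results:
        print(f"[{r['verdict']:9}] {r['proc']}: {r['key'] or '-'} {r['fields']}")
        print(f"            {r['note']}")
    print(summarize(results))
```

The point of the "unknown" verdict is that it is the only category that should cost anyone sleep: a line that matches a rule already has an explanation attached, and a clean baseline is exactly a rule set in which every line from a trusted system lands in "explained" or "review".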
"Just because you're paranoid doesn't mean they aren't after you" (Joseph Heller, Catch-22).