Rerouting spam or viruses with postfix and SpamAssassin

Go to /etc/mail/spamassassin/
Add or change this line. You can change THIS_IS_SPAM to any constant; just remember to use exactly the same string in the Postfix header check as well. Spelling counts, double check it. SpamAssassin prepends it to the Subject of anything it flags as spam, so the header becomes "Subject: THIS_IS_SPAM <original subject>".

# Change the subject of suspected spam
rewrite_header subject THIS_IS_SPAM

Go to /etc/postfix/
Add the following. header_checks are applied by cleanup(8) to every message that enters the queue, whether it arrived over SMTP, was submitted with sendmail(1) or was re-injected by a content filter, so a sloppy pattern hits the entire server. Don’t use this for trivial activities.

# Spam
header_checks = regexp:/etc/postfix/header_checks

Go to /etc/postfix/header_checks
Put this at the end. REDIRECT replaces the entire recipient list of the message, so anything SA flagged goes to the catch-all spam mailbox and the original recipients never see it (the To: and Cc: headers are left as they were). It only fires if SpamAssassin rewrote the Subject before cleanup(8) saw the message, i.e. when spamc runs as a content_filter and the result is re-injected.

/^Subject: THIS_IS_SPAM/ REDIRECT spam@yourdomain.tld

Under ideal circumstances, you really don’t want to rely on this at all. You want to reject as much spam as possible BEFORE your mail server accepts it, at SMTP time: invalid or forged HELO, clients impersonating your own server (by IP or host name), non-RFC 2821 compliant behaviour, etc. DNS blacklists are… problematic at times, but shouldn’t be ignored.

This is, however, handy if a) your users don’t have or use mail clients with built-in filters (like a BlackBerry not tied to a BES) or b) your users fetch their mail over low-bandwidth links.

Additionally, you can add more filtering to header_checks, such as attachment filtering. Lots of folks block .EXE and .VBS. To do so, add a rule like the following to /etc/postfix/header_checks. The regular expression that goes in front of the action is the one shown in header_checks(5): it matches the name= or filename= parameter of a Content-Type or Content-Disposition header and captures the file name as $2. Because mime_header_checks defaults to $header_checks, the headers of every MIME part are checked, not only the top-level headers, which is what makes this catch attachments at all.

REJECT Bad attachment file name extension: $2
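The two rules above (REDIRECT on the SpamAssassin-tagged Subject, REJECT on executable attachment names) as an added example, not code from the original post or from Postfix: a small Python model of how cleanup(8) evaluates a regexp: header_checks table, run over three constructed messages. The table, the attachment pattern (modelled on the example in header_checks(5)) and the sample messages are assumptions made for the demonstration.

```python
"""Simplified model of how Postfix applies a regexp: header_checks table.

Added example; not code from the post or from Postfix. It follows
regexp_table(5) and header_checks(5) for the parts that matter here: each
logical (unfolded) header line is tested against the rules in order and the
first matching rule decides for that header; matching is case-insensitive
unless the 'i' flag toggles it off; $N in the action text is replaced by the
Nth capture group; REJECT is terminal, REDIRECT replaces every recipient.
MIME part headers are included because mime_header_checks defaults to
$header_checks. The table, the attachment pattern and the three messages
below are constructed.
"""
import email
import re

HEADER_CHECKS = r'''
# What SpamAssassin's "rewrite_header subject THIS_IS_SPAM" produces
/^Subject: THIS_IS_SPAM/ REDIRECT spam@yourdomain.tld
# Executable attachments: $2 is the file name captured by the second group
/^Content-(Disposition|Type):.*name\s*=\s*"?([^"\s;]+\.(exe|vbs))"?/ REJECT Bad attachment file name extension: $2
'''

# [!]/pattern/flags ACTION text   (a leading ! negates the match)
RULE_RE = re.compile(r'^(!?)/((?:\\.|[^/\\])*)/([A-Za-z]*)\s+(\S+)(?:\s+(.*))?$')


def parse_table(text):
    """Parse a regexp: table into (negate, compiled pattern, ACTION, text) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f'unparsable rule: {line!r}')
        negate, pattern, flags, action, arg = m.groups()
        re_flags = 0 if 'i' in flags else re.IGNORECASE   # Postfix default is case-insensitive
        if 'x' in flags:
            re_flags |= re.VERBOSE
        rules.append((negate == '!', re.compile(pattern, re_flags), action.upper(), arg or ''))
    return rules


def substitute(text, match):
    """Expand $N, ${N} and $(N) in the action text from the match's groups."""
    def group(m):
        n = int(next(g for g in m.groups() if g is not None))
        return match.group(n) or ''
    return re.sub(r'\$(?:(\d+)|\{(\d+)\}|\((\d+)\))', group, text)


def logical_headers(raw_message):
    """Yield unfolded 'Name: value' lines from the top-level headers and every MIME part."""
    msg = email.message_from_string(raw_message)
    for part in msg.walk():
        for name, value in part.items():
            yield f'{name}: ' + re.sub(r'\r?\n', '', str(value))


def check_message(rules, raw_message, recipients):
    """Return (decision, recipients, detail) for one message.

    decision is DUNNO (deliver as is), REDIRECT (recipients replaced) or REJECT.
    """
    decision, rcpts, detail = 'DUNNO', list(recipients), ''
    for header in logical_headers(raw_message):
        for negate, regex, action, text in rules:
            m = regex.search(header)
            if bool(m) == negate:            # rule does not apply to this header
                continue
            arg = substitute(text, m) if m else text
            if action == 'REJECT':           # terminal: the sender gets a 5xx with this text
                return 'REJECT', [], arg
            if action == 'REDIRECT':         # all original recipients are replaced
                decision, rcpts, detail = 'REDIRECT', [arg], header
            break                            # first matching rule wins for this header
    return decision, rcpts, detail


RULES = parse_table(HEADER_CHECKS)

# Constructed sample messages.
SPAM = ('From: seller@example.net\nTo: alice@yourdomain.tld\n'
        'Subject: THIS_IS_SPAM Cheap pills\n\nbody\n')
EXE = ('From: hr@example.net\nTo: alice@yourdomain.tld\nSubject: invoice\n'
       'Content-Type: multipart/mixed; boundary="XX"\n\n'
       '--XX\nContent-Type: text/plain\n\nsee attached\n'
       '--XX\nContent-Type: application/octet-stream; name="Invoice.EXE"\n'
       'Content-Disposition: attachment;\n filename="Invoice.EXE"\n\nMZ...\n--XX--\n')
CLEAN = 'From: bob@example.net\nTo: alice@yourdomain.tld\nSubject: lunch\n\nnoon?\n'

if __name__ == '__main__':
    for label, raw in (('spam', SPAM), ('exe', EXE), ('clean', CLEAN)):
        print(label, check_message(RULES, raw, ['alice@yourdomain.tld']))
```

Two things the run makes visible that the rules alone do not: the REDIRECT hits even though the original To: still names alice, because Postfix rewrites the envelope and not the headers, and the attachment rule fires on the Content-Type header of the nested part (including the upper-case .EXE), which is why the check must cover MIME part headers.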

Some folks use a plain Linux box running postfix as solely a cheap virus/spam/etc filter for their Exchange environment. It’s not a bad idea, especially if you load balance between two or three very thin Linux boxes. Theoretically, you could also use it for cheap mail retention for DR purposes.

If you are not using virtual users/domains, you probably want to use procmail and an individual template .procmailrc (per user).


Postfix, Dovecot, PostfixAdmin, Spamassassin on MySQL and CentOS 5.5

First, let’s handle the boring dependencies. Make sure you’re running as root.

# yum install httpd mysql php php-mysql wget

Set up SQL. The init script on CentOS is mysqld, and mysql_secure_installation needs a running server, so start it before securing it.

# mysql_install_db --user=mysql
# service mysqld start
# mysql_secure_installation
# mysql -u root -p

You should now be staring at an SQL prompt. The following should be all of the necessary SQL commands for the entire HOWTO. Always spell out the host part of an account: GRANT … TO postfix with no @host means ‘postfix’@’%’, which MySQL 5.0 silently creates as a second, passwordless account (unless NO_AUTO_CREATE_USER is in sql_mode), while ‘postfix’@’localhost’, the account Postfix actually connects as, would get no privileges at all.

mysql> CREATE DATABASE postfix;
mysql> CREATE USER 'postfix'@'localhost' IDENTIFIED BY 'your_password';
mysql> GRANT ALL PRIVILEGES ON postfix.* TO 'postfix'@'localhost';
mysql> GRANT SELECT ON postfix.* TO 'dovecot'@'localhost' IDENTIFIED BY 'dovecot_password';
mysql> GRANT SELECT, RELOAD, LOCK TABLES ON *.* TO 'backup'@'localhost' IDENTIFIED BY 'backup_password';
mysql> FLUSH PRIVILEGES;
mysql> exit

Use real passwords for all three accounts; the backup account in particular can read every database on the server, so it must not have a password equal to its user name.

I’d really recommend writing a SQL backup script, and tossing it in your crontab. It’s optional, but a bloody good idea.

# env EDITOR=nano crontab -e

You might want to tune your Apache HTTPD configuration.

# nano /etc/httpd/conf/httpd.conf
# service httpd restart

Grab a copy of PostfixAdmin

# wget
# tar -zxvf postfixadmin-2.3.3.tar.gz
# mv postfixadmin-2.3.3 postfixadmin
# mv postfixadmin /var/www/html/
# cd /var/www/html/postfixadmin
# nano

Follow the steps in it to complete configuration. Basically, you’ll need to fill in some database information and create a password for adding administrators to PostfixAdmin. You want to point your web browser at http://www.yourdomain.tld/postfixadmin/setup.php. Don’t leave setup.php exposed once you are done: it is the page that creates admin accounts, so remove it or restrict access to it in Apache.

It’ll display a checklist. Make sure all of your checks are good and it should make the necessary structure changes to the SQL database. Be sure to log in PostfixAdmin and make sure everything is happy. Otherwise you will be sad. Toss in some info, test email addresses and whatnot.

Enable CentOS Plus repo, then install postfix. The standard CentOS 5.5 repo doesn’t include the version of Postfix with SQL support. Why, I have no bloody clue. You want postfix 2.3.x. Be sure to exclude postfix from the updates and regular base repo. I snagged the version of PHP5 from the CentOS Testing repo as well, lot of webapps want it. I configured both additional repositories to only snag the packages I want.

Run postconf to see what is being supported.

# postconf -m
# postconf -a

If it doesn’t list mysql on the first command and dovecot on the second, you have the wrong version of postfix. You probably messed up your repo hacking. Let’s ignore postfix for a moment, and move on into the realm of insanity. Here there be dragons.

Now, to snag dovecot. This is going to be ugly.

# rpm -Uvh
( or for x86_64, use )
# rpm --import
# yum install dovecot

You should have gotten dovecot 1.0.13. Recheck your repo config if you didn’t. For the love of the odd gods, do NOT use the standard CentOS repository for dovecot, which would be 1.0.7 or whatnot. It’s broken. Yes, do not ask me why anyone would keep a royally screwed up version in the main repository of a distribution known for testing and stability. I have no bloody clue.

# mkdir -p /var/vmail
# chmod 770 /var/vmail
# useradd -r -u 101 -g mail -d /var/vmail -s /sbin/nologin -c "Virtual mailbox" vmail
# chown vmail:mail /var/vmail
# cd /etc
# cp dovecot.conf dovecot.conf.original
# echo "" > dovecot.conf
# nano dovecot.conf

# ————————————
# ————————————
mail_location = maildir:/var/vmail/%d/%u
first_valid_uid = 101
last_valid_uid = 101
maildir_copy_with_hardlinks = yes
protocol imap {
  mail_plugins = quota imap_quota
  imap_client_workarounds = outlook-idle delay-newmail
}
protocol pop3 {
  mail_plugins = quota
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}
protocol lda {
  postmaster_address =
  mail_plugins = quota
  log_path = /var/log/dovecot-deliver.log
  info_log_path = /var/log/dovecot-deliver.log
}
auth default {
  # Offering "login" as well as "plain" makes sure Outlook can use this socket for SMTP AUTH too
  mechanisms = plain login
  passdb sql {
    args = /etc/dovecot/sql.conf
  }
  # userdbs are tried in the order listed; prefetch reuses the userdb_* columns
  # that password_query already returned
  userdb sql {
    args = /etc/dovecot/sql.conf
  }
  userdb prefetch {
  }
  user = nobody
  socket listen {
    master {
      path = /var/run/dovecot/auth-master
      mode = 0660
      user = vmail
      group = mail
    }
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = mail
    }
  }
}
dict {
}
plugin {
  # quota = maildir:storage=10240:messages=1000
  # acl = vfile:/etc/dovecot/acls
  trash = /etc/dovecot/trash.conf
}

Save it and get back to the command prompt. We still need to connect up to the SQL database that PostfixAdmin set up for us. Remember the dovecot password from that MySQL query earlier?

# nano /etc/dovecot/sql.conf

driver = mysql
connect = host=localhost dbname=postfix user=dovecot password=DOVECOT_SQL_password
user_query = SELECT concat('/var/vmail/', maildir) as home, concat('maildir:/var/vmail/', maildir) as mail, 101 AS uid, 12 AS gid, concat('maildir:storage=', quota) AS quota FROM mailbox WHERE username = '%u' AND active = '1'
password_query = SELECT username as user, password, concat('/var/vmail/', maildir) as userdb_home, concat('maildir:/var/vmail/', maildir) as userdb_mail, 101 as userdb_uid, 12 as userdb_gid FROM mailbox WHERE username = '%u' AND active = '1'

# Config Notes:
# Note, query needs to be on ONE line
# Your web browser and paste will wrap it.

# nano /etc/dovecot/trash.conf

Paste in the folders you want created automatically

1 Spam
2 Trash

# cd /etc/postfix
# nano

Paste the following (yes, the third line is indented; master.cf treats an indented line as a continuation of the service above it)

# Dovecot LDA
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:mail argv=/usr/libexec/dovecot/deliver -d ${recipient}

# cp
# echo “” >
# nano

Paste all of the following into

# Local Settings
# Change this, dude. (Keep notes on their own line: main.cf has no trailing comments,
# a # only starts a comment at the beginning of a line, otherwise it becomes part of the value.)
myhostname = mail.example.tld
inet_interfaces = localhost, $myhostname
mynetworks = $config_directory/mynetworks
mydestination = localhost.$mydomain, localhost, $myhostname
#uncomment if you need relay_domains… do not list domains in both relay and virtual
#relay_domains = proxy:mysql:$config_directory/
# Virtual domain start
virtual_mailbox_domains = proxy:mysql:$config_directory/
virtual_mailbox_base = /var/vmail
virtual_mailbox_maps = proxy:mysql:$config_directory/
virtual_alias_maps = proxy:mysql:$config_directory/
virtual_mailbox_limit_maps = proxy:mysql:/etc/postfix/
virtual_minimum_uid = 101
virtual_uid_maps = static:101
virtual_gid_maps = static:12
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

Save. Restart dovecot and postfix. Attempt to send mail back and forth. If it doesn’t work, go to /var/log/maillog and start reading.

If it works, and only once it works, we start on spamassassin.

# yum install spamassassin
# sa-update
# spamassassin --lint

If you get an error, then do the following:

# rpm -q perl-Net-DNS perl-NetAddr-IP perl perl-IO-Socket-INET6
# rpm -qi perl-IO-Socket-INET6
# yum remove perl-IO-Socket-INET6
# spamassassin --lint

If you didn’t get an error, start back here.

# adduser spamfilter -s /sbin/nologin
# nano /etc/postfix/

Add to bottom:

spamfilter unix -       n       n       -       -       pipe
  flags=Rq user=spamfilter argv=/usr/local/bin/spamfilter -f ${sender} -- ${recipient}

Change the smtp entry near the top so that it reads as follows (the -o line must be indented, or master.cf reads it as a new service):

smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=spamfilter:dummy

# nano /usr/local/bin/spamfilter

Paste in the following. Because content_filter is set only on the smtp service, mail that the script re-injects through sendmail(1) and pickup(8) does not go through the filter a second time, so there is no loop.

#!/bin/sh
# Hand the message to spamd via spamc and re-inject the result with the Postfix sendmail.
# -i: a line with a single "." is not end of input. Never use -t here: the recipients
# come from Postfix on the command line ("$@" is: -f sender -- recipient...).
/usr/bin/spamc | /usr/sbin/sendmail.postfix -i "$@"

# The pipeline's status is sendmail's, so a failed re-injection is reported back to pipe(8)
exit $?

# chmod 755 /usr/local/bin/spamfilter
# postfix reload

Leave the script owned by root: it only has to be readable and executable by the spamfilter user. If you chown it to spamfilter, a compromise of that unprivileged account (say through a spamc or spamd bug) lets the attacker edit a script that every inbound message runs through.

You can generate a SpamAssassin config file with the SA Configuration Generator. The output goes to /etc/mail/spamassassin/

The remaining files are the mysql: map files that main.cf points at, one file per map. Each of them holds the database credentials, so keep them readable only by root and the postfix group (chgrp postfix, chmod 640); with the proxy: prefix in main.cf it is proxymap(8) that opens them, not the unprivileged smtpd. The placeholders are the postfix SQL user and password from the CREATE USER step and the database name postfix. Which file serves which map is visible from its query.

# relay_domains (only needed when you relay for backup MX domains)
user            = #SQL user
password        = #SQL password
hosts           = localhost
dbname          = # database name
query           = SELECT domain FROM domain WHERE domain='%s' AND backupmx = '1'

# virtual_alias_maps
user            = #SQL user
password        = #SQL password
hosts           = localhost
dbname          = # database name
query           = SELECT goto FROM alias WHERE address='%s' AND active = '1'

# virtual_mailbox_domains
user            = #SQL user
password        = #SQL password
hosts           = localhost
dbname          = # database name
query           = SELECT domain FROM domain WHERE domain='%s'
#optional query to use when relaying for backup MX (a domain must not be in both relay_domains and virtual_mailbox_domains)
#query           = SELECT domain FROM domain WHERE domain='%s' AND backupmx = '0' AND active = '1'

# virtual_mailbox_limit_maps
user            = #SQL user
password        = #SQL password
hosts           = localhost
dbname          = # database name
query           = SELECT quota FROM mailbox WHERE username='%s' AND active = '1'

# virtual_mailbox_maps
user            = #SQL user
password        = #SQL password
hosts           = localhost
dbname          = # database name
#query          = SELECT CONCAT(domain,'/',maildir) FROM mailbox WHERE username='%s' AND active = '1'
query           = SELECT maildir FROM mailbox WHERE username='%s' AND active = '1'
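How Postfix and Dovecot actually use these queries, as an added example that is not part of the HOWTO: a Python walk-through of recipient resolution against the PostfixAdmin tables, with sqlite3 standing in for MySQL. The schema is the minimal subset of PostfixAdmin's tables that the queries above touch, the rows are constructed, MySQL's %s placeholder is written as sqlite's ?, concat() is written with the || operator, and the domain query is the page's commented-out backupmx = '0' variant so that backup-MX domains fall through to relay_domains. The lookup order is the one virtual(5) documents.

```python
"""Recipient resolution through the PostfixAdmin tables, the way Postfix does
it with the mysql: maps from this HOWTO.

Added example, not part of the post: sqlite3 stands in for MySQL, the schema is
the minimal subset of PostfixAdmin's tables that the page's queries touch, and
the rows are constructed. Lookup order follows virtual(5): the recipient domain
must be in virtual_mailbox_domains (or, failing that, relay_domains), then
virtual_alias_maps is consulted for user@domain and then @domain (catch-all)
and the result is expanded recursively, then each final address is looked up
in virtual_mailbox_maps.
"""
import sqlite3

VMAIL = '/var/vmail'                       # virtual_mailbox_base

SCHEMA = """
CREATE TABLE domain  (domain TEXT PRIMARY KEY, backupmx INTEGER DEFAULT 0, active INTEGER DEFAULT 1);
CREATE TABLE alias   (address TEXT PRIMARY KEY, goto TEXT, active INTEGER DEFAULT 1);
CREATE TABLE mailbox (username TEXT PRIMARY KEY, password TEXT, maildir TEXT,
                      quota INTEGER, active INTEGER DEFAULT 1);
INSERT INTO domain VALUES ('yourdomain.tld', 0, 1), ('other.tld', 0, 1), ('backup.tld', 1, 1);
INSERT INTO mailbox VALUES
  ('alice@yourdomain.tld', '{CRYPT}x', 'yourdomain.tld/alice/', 10240, 1),
  ('bob@yourdomain.tld',   '{CRYPT}x', 'yourdomain.tld/bob/',   10240, 0),   -- disabled account
  ('dave@other.tld',       '{CRYPT}x', 'other.tld/dave/',       0,     1);
INSERT INTO alias VALUES
  ('alice@yourdomain.tld', 'alice@yourdomain.tld', 1),   -- PostfixAdmin adds a self-alias per mailbox
  ('bob@yourdomain.tld',   'bob@yourdomain.tld',   1),
  ('dave@other.tld',       'dave@other.tld',       1),
  ('sales@yourdomain.tld', 'alice@yourdomain.tld,carol@example.net', 1),
  ('@other.tld',           'dave@other.tld',       1);   -- catch-all for other.tld
"""

# The page's map queries with MySQL's %s placeholder written as sqlite's ?.
Q_DOMAIN  = "SELECT domain FROM domain WHERE domain=? AND backupmx = '0' AND active = '1'"
Q_RELAY   = "SELECT domain FROM domain WHERE domain=? AND backupmx = '1'"
Q_ALIAS   = "SELECT goto FROM alias WHERE address=? AND active = '1'"
Q_MAILBOX = "SELECT maildir FROM mailbox WHERE username=? AND active = '1'"
# Dovecot's user_query from sql.conf; MySQL's concat() written with sqlite's || operator.
Q_USERDB = ("SELECT '/var/vmail/' || maildir AS home, 'maildir:/var/vmail/' || maildir AS mail, "
            "101 AS uid, 12 AS gid, 'maildir:storage=' || quota AS quota "
            "FROM mailbox WHERE username = ? AND active = '1'")


def open_db():
    conn = sqlite3.connect(':memory:')
    conn.executescript(SCHEMA)
    return conn


def lookup(conn, query, key):
    row = conn.execute(query, (key,)).fetchone()
    return row[0] if row else None


def expand_aliases(conn, addr, seen=frozenset()):
    """virtual_alias_maps expansion: user@domain first, then @domain; recurse on the result."""
    if addr in seen:                        # self-alias (or a loop): stop expanding
        return [addr]
    goto = lookup(conn, Q_ALIAS, addr)
    if goto is None:
        goto = lookup(conn, Q_ALIAS, '@' + addr.split('@', 1)[1])
    if goto is None:
        return [addr]
    targets = []
    for target in (t.strip() for t in goto.split(',')):
        targets.extend(expand_aliases(conn, target, seen | {addr}))
    return targets


def resolve(conn, rcpt):
    """What Postfix does with one envelope recipient, as a dict."""
    domain = rcpt.split('@', 1)[1]
    if lookup(conn, Q_DOMAIN, domain) is None:
        if lookup(conn, Q_RELAY, domain):
            return {'action': 'relay', 'to': [rcpt]}           # backup MX: queue for the primary
        return {'action': 'reject', 'reason': 'Relay access denied'}
    maildirs, forwards = [], []
    for addr in expand_aliases(conn, rcpt):
        maildir = lookup(conn, Q_MAILBOX, addr)
        if maildir:
            maildirs.append(f'{VMAIL}/{maildir}')              # handed to the dovecot transport
        elif lookup(conn, Q_DOMAIN, addr.split('@', 1)[1]) is None:
            forwards.append(addr)                              # not ours: goes out via smtp
        else:
            return {'action': 'reject', 'reason': f'User unknown in virtual mailbox table: {addr}'}
    return {'action': 'deliver', 'maildirs': maildirs, 'forward': forwards}


def dovecot_userdb(conn, user):
    """What Dovecot's userdb sql lookup returns for a login name (None = unknown or inactive)."""
    cur = conn.execute(Q_USERDB, (user,))
    row = cur.fetchone()
    return dict(zip([d[0] for d in cur.description], row)) if row else None


if __name__ == '__main__':
    db = open_db()
    for r in ('alice@yourdomain.tld', 'sales@yourdomain.tld', 'bob@yourdomain.tld',
              'ghost@yourdomain.tld', 'anyone@other.tld', 'x@backup.tld', 'x@elsewhere.net'):
        print(r, '->', resolve(db, r))
    print(dovecot_userdb(db, 'alice@yourdomain.tld'))
```

The cases worth noting when you run it: the disabled mailbox bob is rejected as an unknown user even though its alias row is still active, because the active = '1' filter in the mailbox query is what actually turns an account off; and the @other.tld catch-all swallows every unknown local part for that domain, so a catch-all combined with a disabled account silently redirects that account's mail to the catch-all target.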


Making wine

Making wine hasn’t exactly changed very much in the last thousand years. Crush any type of fruit or other edible plant to produce juice, sterilize it as best as possible, add yeast, keep air out but vent the CO2, and wait a while. Obviously modern technology has simplified things greatly. Advances in bioscience have made it possible for labs to grow high purity yeast strains at low cost. Virtually any packet of yeast is well under a dollar. Advances in chemistry have trivialized sterilization, with some minor cost reduction. I pay about $18 for a sterilizing concentrate that’s mostly phosphoric acid, which probably lasts about ten batches or so. Aside from the invention of plastic, the rest is pretty similar. Wine is typically stored in a glass carboy during fermentation. This was introduced in Europe in the 1400s, from Persia where it was invented quite a bit earlier. On a commercial level, the wine is aged in a metal or wood cask before being put in a glass container sealed with a stopper, typically cork. This is also unchanged over the last several hundred years.

Basically the only major change is that some wineries are using plastic corks now, which has mixed reviews. You don’t want to use synthetic corks for red wines in general. Plastic corks also prevent aging. Synthetic corks are complete oxygen barriers, natural cork allows a very small amount of oxygen. The day you open your wine will basically be chemically the same as the day you bottled it.

Anyways, down to “how to make wine”

Grab a food grade bucket, clean and then use a no-rinse sterilizer. Most folks call the food grade bucket a “primary fermenter”. You use a bucket because this is the stage where you’re adding and mixing the majority of ingredients. Buckets are a lot easier to work with than a carboy, because they have a much larger opening. You could use a glass carboy and a funnel, but it doesn’t have that many advantages. Don’t forget to sterilize the cap as well. Drain. Should take roughly 3-6 minutes, filling with water taking the most time. I clean and sterilize all of my equipment before and immediately after using. Makes it significantly easier. If you don’t, or forget, you’ll have to be a lot more diligent in cleaning/sterilizing before the next use. Cleaning carboys with dried out crud can be very problematic, so be very diligent in cleaning them after use.

Add bentonite and some water for removing excessive amounts of protein from white wines and aiding clarifying for red and white wines. Mix well. Pour in grape juice. Top off with water to reach 6 gallons. It might be overkill, but I’d use filtered or bottled water. I’ve used tap water, and it has turned out fine. You want to take a sample with a hydrometer at this point, so that you can determine the relative alcohol content when you are finished. All in all, should take maybe 10 minutes. I try to go slowly so I don’t dump juice, water or implements on unsterilized surfaces. If I do drop a sterilized piece of equipment, I resterilize before use.

Gently sprinkle yeast on the top. I most often use Red Star Premier Cuvee, which come in sealed packets. I try to more or less evenly distribute the yeast on the surface of the grape juice, but it’s not that important. Don’t mix in the yeast. Should take maybe 30 seconds.

Install air lock into the bucket cap. Check the O-ring in the cap to make sure it’s well and uniformly seated. Put cap on bucket. Again, I’m overly paranoid, but I add a very small amount of sterilizing concentrate to the water in the airlock. I’ve heard of people using bleach or vodka. Both would work fine, but I’ll stick with the sterilizing concentrate that is made specifically for homebrewing. Should take a minute or two.

Wait a week. Look at the airlock and if it’s bubbling more often than once every roughly 20 seconds, wait a bit longer. Rack. Racking is transferring the liquid to another sterilized vessel without transferring the sediment along with it. At the first rack, I transfer from my primary fermenter to a glass carboy.

Easiest way to rack is to elevate the container with the liquid and run a sterilized plastic tube between the two. Some people suck start the tube, which I personally don’t. I fill the tube with water prior to connecting everything up, and use a plastic squeeze valve (it just clinches the plastic tube) to keep the water from leaking out. Once I have everything nicely rigged up, I release the squeeze valve and gravity takes care of the rest. You want the hose to be near the bottom of the empty container, mixing oxygen into the wine isn’t good. Pay attention to your primary fermenter once the wine is flowing nicely. You want to get as much wine out of the primary fermenter as possible without disturbing the sediment that has collected at the bottom. I’m conservative, and try to stay half an inch from the sediment. But that’s less wine that could be drunk later. Everyone makes their tradeoffs. This does take a while, roughly 30 to 40 minutes total.

Wait 14 days. You could rack to another glass carboy at the 7-day mark, but for kit wines follow the directions. Use your own judgment and experiment with smaller batches if you’re making wine from scratch. You should only see roughly one bubble from the airlock every minute. If it’s not that slow, let it ferment longer. Whenever you decide it’s finished, stop the fermentation with metabisulphite and sorbate. Stir vigorously to drive out CO2 for at least two minutes. I use a metal stir rod attached to a drill, and that is a highly recommended practice. Add isinglass clarifier. Top off. I don’t rack at this stage on most wines.

Wait 14 days. Keep an eye on the airlock, and make sure everything is properly sealed. If you’re keeping tabs on it (and you should), the wine will start to clear at the top and gradually work its way down the carboy. At the end of 14 days, give it a good look. If it’s still not clear, wait until it is. Should be a max of 7 additional days.

Take a sample of the finished wine at this point. Use a sterilized wine thief, or sterilized turkey baster. Run it through the hydrometer again to calculate the alcohol content. I usually then consume the sample to verify the wine is actually drinkable. It’ll be a bit rough, but you’ll know in short order if it came out fine or not. If you spew the sample everywhere and immediately start scrubbing out your mouth, your airlock is broken or you messed up on sterilization. No point in bottling a bad batch. Dump it down the drain, try not to cry too much, start over. Pay closer attention next time. If it tastes fine, move on.


Your wine is going to spend the majority of its life in said bottles, so this stage is very critical. If you’re buying new bottles, you just need to give them a quick rinse with sterilizing solution within a couple minutes prior to bottling. If you’re reusing bottles, clean them. A lot. I let the bottles soak in extremely hot soapy water (helps take off the label too) for a bit, drain, rinse, toss in some baking soda and some water, drain, rinse, and then use a sterilizing solution approximately 2-3 minutes prior to bottling. This is kinda annoying and can take a while, but is absolutely critical. If you let your wine sit for a year in a badly sterilized bottle, it’s going to taste very bad. Small mistakes can be very costly. I also dunk my corks in the sterilizing solution prior to corking the bottles.

I sterilize perhaps five or six bottles, line them up, shake out any leftover sterilizing solution just prior to filling. I’m working on a rig to hold the bottles inverted (opening down). After I have one, I’d be a lot more comfy sterilizing all of my bottles and doing them in one go. I’m trying to minimize the time period between sterilization and contact with the open air.

To bottle, spend the extra couple bucks and buy a bottle filling wand. It’s a section of hard plastic tubing with a valve on the end. When it is pressed against something (the bottom of the bottle), it flows. When it is not pressed against something, it doesn’t. Bring the wand straight up and down out of the bottle. If you’re not paying attention, you’ll hit the wand on the lips of the bottle and spill the wine all over the floor. Yea, I still do that on occasion… That’s why I lay down paper towels in advance. You could use a squeeze valve to control the flow, but it’s annoying. I use a squeeze valve as a backup, and clinch it when I’m preparing a new set of bottles.

Once you’ve filled your segment of bottles, use your corker. Repeat until you’ve emptied the carboy. You again want to stop just short of disturbing the sediment. This whole bottling process is the most strenuous part and will take a couple hours. Goes a lot faster if you sucker a buddy into helping and get specialized equipment (stuff for cleaning the bottles (buy the squeezy thing for shooting sterilizing solution into an upside-down wine bottle, trust me the guys at the brewing store will know what you mean), a bottle tree for holding said bottles, etc etc). Don’t buy all the extra “helper” stuff the first batch, except for the squeezy thing. See how it works doing it by hand, and buy equipment for anything that is extremely annoying/hard.

Leave the bottles standing up for a couple days so the cork can fully expand and create a good seal. After that, turn them on their side so the cork stays moist. If you don’t want to buy specialized wine bottle holders, just put them back into a cardboard wine case, and tape it closed. Wait 30 days (theoretically), drink.


Beer can stove

I’ve heard of multiple versions of this concept. You can theoretically make it out of any cans. Soda cans, beer cans, soup cans, etc. I went with beer cans because they have thicker metal than soda cans and are the approximate size I wanted. The 12 oz Heineken can is appealing because of the bands around the can.

Making and assembling the stove is very simple and quick.

Take three cans.

Cut in half.

First can – Burner, cut approximately half an inch from the bottom.
Second can – Cover, cut to the bottom of the lower band (0.75 inch).
Third can – Fuel holder, cut to the top of the lower band (1.25 inch).

It is recommended to mark your holes with a Sharpie prior to drilling, but you can eyeball it and probably be fine.

Take the first section (0.50 inch). If your Heineken 12 oz can has stamped numbers on the bottom, try to sand it out as much as possible. Take a penny and put it in the center of the section (it should be acting as a bowl to center the penny). Hit it with any hard object. It should leave a slight indentation. Mark three or four holes within the indentation (ie covered by the penny), and drill them out with a 1/16th drill bit.

Drill six equally distanced holes just outside the ring at the very bottom of the can. The drill holes should be touching the outside base of the ring. Again, use a 1/16th inch drill bit. Once you complete the drilling, remove the bit and insert it into each hole, bending each one towards the center of the can section.

Make 12 crimps on upper part of the first section (where you made your cut to section the can). Make them roughly equal, approximately three quarters the depth of the section. Drill a 1/16th hole in each crimp. Placement does not need to be exact.

Now sandpaper all locations that you made cuts. You want smooth edges. You want to avoid being cut, and you also want crisp fitting.

Insert the first section (the burner) into the third section (fuel holder). See picture if you can’t figure out the proper orientation.

How to test:

Pour denatured alcohol into center of the interior ring. Let completely drain. Cover intake holes with penny. Refill the interior ring until it reaches the very top of the ring. If some spills over, this is fine. Ignite carefully.

Watch the flames. After the initial burn, the flame should separate into the six individual jets. If they don’t and it is one giant fire, you don’t have a tight fit between the burner and fuel holder sections. You can try removing the burner and bending it into a better shape. You can also leave the burner in place and use epoxy along the edge.

I’ll be dorking around with the design and probably posting the modifications here.

I want to play around with the jet locations/sizes and overall size, versus time/temperature charts. Need to make a digital thermometer that outputs temperature readings. Time to fire up the soldering iron.


Useful blackberry apps

WordPress for Blackberry

Bit obvious. I’m posting from it. So far, excellent remote capabilities and a lot easier to use than the onboard web browser.


Simple app, but it works well.


Best app for moving your files around. I have no idea why Blackberries don’t come with something similar installed. Install it and choose the free version.

Mobipocket Reader

Handy ebook reader. Had to move the files to its happy location, but aside from that, no complaints.

The Weather Channel

Very straightforward weather app.

BBSSH – Blackberry Secure Shell

Still in development, but works for me. Handy for working on servers remotely.

Opera Mini

Much better than the default browser.


My brother, the combat medic

You know, new medics are kinda creepy. They have this glazed look in their eye, praying for some unhealthy activities, ready to spring into action to put their knowledge to the test. You ask them to look over a compact medical kit, you’ll get back a list that’d fill a Sikorsky UH-60M over capacity.

Or the glories of using Celox gauze over the powdered version, as you could get it in your eyes.

Eh. I’m just hoping he snags me some spare/worn/whatever equipment. I’m kinda thinking of doing a comparison chart of tourniquets.


Server hardening notes

httpd.conf – Tune for lower memory utilization
httpd.conf – Add TraceEnable off
httpd.conf – SSLProtocol -ALL +SSLv3 +TLSv1 (SSLv3 has since been broken by POODLE; on anything current drop it as well and allow TLSv1.2 and up)
httpd.conf – SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!SSLv2:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM (RC4 is no longer considered safe and is prohibited by RFC 7465; drop it from the list on a current build)

PHP.ini – expose_php off

/var/qmail/control/servercert.pem – add key
/var/qmail/control/tlsserverciphers – add ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM
/etc/courier-imap/pop3d-ssl – TLS_CIPHER_LIST=”ALL:!SSLv2:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH”
/etc/courier-imap/imapd-ssl – TLS_CIPHER_LIST=”ALL:!SSLv2:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH”

General notes – Zip phpMyAdmin and keep in offline status until needed
SSH – check config to force higher cipher usage

yum -y remove sendmail

Do not actually remove openssl along with sendmail: on CentOS 5 it is a dependency of openssh, python and therefore yum itself, so that transaction takes most of the system with it. Removing sendmail is enough when qmail replaces it.

yum -y install autoconf automake automake17 bzip2 bzip2-devel bzip2-libs compat-gcc-34 compat-gcc-34-c++ compat-glibc compat-glibc-headers compat-libf2c compat-libgcc compat-libstdc++-296 compat-libstdc++-33 curl curl-devel expect expect-devel gcc gcc-c++ gdbm gdbm-devel gmp gmp-devel groff httpd httpd-devel httpd-manual krb5-auth-dialog krb5-devel krb5-libs krb5-workstation libgcc libidn libidn-devel libtool libtool-ltdl libtool-ltdl-devel mysql mysql-bench mysql-devel mysql-server mrtg ntp openssh openssh-clients openssh-askpass openssh-server openssl openssl-devel pcre pcre-devel perl-libwww-perl perl-Archive-Tar perl-Digest-HMAC perl-Digest-SHA1 perl-HTML-Parser perl-Net-DNS php php-ldap php-mysql php-pear php-gd php-xml redhat-rpm-config rpm rpm-build rpm-devel rpm-libs rpm-python sed setup setuptool stunnel system-config-date wget which zlib zlib-devel ncurses-devel zip




Have the first batch of wine going, a Riesling. Going with a kit wine first, which I procured from Mr Steve’s. Figure I’ll do 2 to 4 kits, then switch over to doing my own from scratch once I have the hang of everything.

It’s a surprisingly geeky hobby. There’s a lot of good chemistry and biology involved. Sterile equipment is extremely important. Once I stop going with the kits, there’ll be some good math and whatnot involved.


Full Disclosure

There have been three discrete schools of thought on disclosing vulnerabilities: totally open, partially open, and no disclosure. Fairly logical, that.

No disclosure is the school of thought that no public and only limited private dissemination of vulnerabilities is the best means of security. “Security through obscurity” is the catchphrase of this movement. The logic is quite simple on the surface: if “no one knows” about the problem, it doesn’t exist as far as virtually everyone is concerned, so there is less chance of the vulnerability being exploited, as few people will know about it.

Partially open disclosure is that the issue is acknowledged in very general terms, but no details whatsoever are given. In theory, it’s supposed to be a compromise between the two camps. In practice, the majority hates it.

Full disclosure is just that. Open, complete discussion of vulnerabilities. All or nearly all details in the open to all parties. It’s not considered inconsistent to give the manufacturer or other responsible party a defined period of time to resolve the issue before publication of the vulnerability. The problem is that the vulnerability can be exploited by virtually anyone interested in doing so. Finding a flaw can be difficult, replicating it is often trivial.

Security through obscurity sounds like a very reasonable argument. Only problem is… Knowledge always leaks given enough time. Unless the person who found the vulnerability is a hermit, he or she is going to tell someone else. Or if that person exploits the vulnerability multiple times, it likely will eventually be noticed. A vulnerability that isn’t or can’t be exploited is of limited value to the bad people.

Another consideration is that virtually everyone, including black hats, is motivated by MICE: Money, Ideology, Coercion, and Ego. Black hats are motivated to do what they do. Historically, the trend was that they did their work for ideology or ego. These days, black hats motivated by ego are the minority (in terms of being a threat). The majority are motivated by money, plain and simple: primarily spam, but also harvesting personal, corporate or government information for resale or private exploitation.

The “individual” non-profit black hats are also starting to die off. They still exist, but are an extreme minority compared to the folks acting as independent or dependent contractors or specialists, specifically organized groups that have taken to information and electronic exploitation: organized crime, intelligence services, military units specializing in IEW, paramilitaries (security services, terrorists, PMCs, et al), corporate espionage groups, etc. They have a specific motivation, whatever it is. These motivations (MICE) have existed since the dawn of civilization and will not disappear until humanity does. The electronic medium is a new playing field, but the overall themes are extremely old.

Outlawing full disclosure is akin to outlawing firearms. People will still engage in their behavior and the only people hindered are the victims. Throughout time, people have always reacted to bad news by shooting the messenger in hopes that the underlying information or situation will expire with the messenger. This is never the case, but the mentality survives.

Full disclosure is very painful to virtually every party in some way. The originating manufacturer of the vulnerability must fix it, the researcher who discovered the vulnerability faces legal or reputational liability, the criminal now must deal with a potentially informed and prepared victim, and the potential victim must mitigate the vulnerability.

This sounds like a major pain in the fourth point of contact. So why would any sane person advocate it?

Because it has been shown to be the only historical way of gaining real security.

This is not a new debate. The first published debate on full disclosure is traced to the 1850s, but the argument existed long before that. Guilds had elaborate procedures for restricting information to acceptable parties in order to maximize profit at the expense of the consumer and the public, often dangerously so. The milk processing guild restricted knowledge of its milk adulterating procedures, which happened to be very dangerous and not infrequently life threatening.

We are in the same boat as the public in the 1850’s. The overwhelming majority of people do not have the time, training or ability to thoroughly examine every bit of their operating system, every aspect of their locks, etc. It can and often does take a decade or more to master just one area of study. As humans are not immortal, it is impossible to have a mastery of all subjects.

It is in the public’s interest, as well as the manufacturer’s long term interest, to openly disclose vulnerabilities. If a batch of milk was contaminated, people who purchased it must be told. If a lock can be bypassed trivially, the owners should know. If a car has faulty brakes, the driver must know. If there is a major hole in a computer system, the operator must know it exists. Without this knowledge, it is impossible to mitigate the risk. The public will suffer. After being burned, they will not trust and will extract retribution (hopefully through the courts) on the responsible party, the manufacturer.

While it is painful, the manufacturer who discloses a vulnerability greatly reduces their long term liability for a defective product. They then build a better product. Short term loss, long term gain.

Unfortunately, the “shoot the messenger” instinct is still very very strong. In the US, there are laws in place that severely restrict reverse engineering. Free speech prohibits blanket bans of security publications, but Congress does its best to infringe on behalf of people who solely focus on the short term. This has extended to the point of security researchers literally being dragged off the podium in handcuffs. (Sklyarov) It is not infrequent for the manufacturer of the vulnerability to threaten or engage in legal proceedings to silence security researchers. (MIT students v MTA metrocard, et al) People just naturally get angry when they are given bad news. Especially if bad news is directly attributable to the person receiving the bad news.

If you think hackers get treated unfairly, try giving open disclosure lectures on locks. People are absolutely shocked, horrified and angry that their $20 pot metal piece of garbage lock is easily bypassed. Rather than accept personal responsibility and make reasonable steps to mitigate the issue, it’s just plain easier to be angry at the person who told you the information. It doesn’t change the reality of the situation. The vulnerability exists, whether folks know about it or not.

Professionals inform each other. Criminals circulate information. When open disclosure is banned, only the consumer or potential victim is in the dark. Exactly like gun control: when you attempt to infringe on or ban firearms, you do not stop the police or criminals from owning firearms. Only the public is hurt. Information on vulnerabilities is no different.
