Security Alerts
PHP Problems  Noel Davis looks at problems in PHP, Emacs, ftpd-ssl, Lynx, Roaring Penguin pppoe, OpenVPN, RAR, Fedora Core X-Chat, HP-UX xterm, libungif4, and GpsDrive.   [Linux]

Assessing Web App Security with Mozilla  If your web application expects only that users always follow instructions and can never do anything other than what you want, it's probably insecure. You might find it surprising how much information your app exposes to a potentially hostile world. Shreeraj Shah demonstrats how to use Mozilla's LiveHTTPHeaders extension to see what your app does and probe it for vulnerabilities.   [O'Reilly Network]

Michal Zalewski on the Wire  What motivates a hacker? Perhaps curiosity, the pursuit of knowledge, and the simple joy of saying "Hmm, that's funny! What happens if I ...?" Eccentric security researcher Michal Zalewski exhibits these traits. Fearless interviewer Federico Biancuzzi recently talked with Zalewski about his curious approach to computer security, the need for randomness, and how the hacker mind works.   [ONLamp.com]

Security Alerts
Ethereal Trouble  Noel Davis looks at problems in sudo, Ethereal, Apache mod_auth_shadow, fetchmailconf, lynx, Mantis, pnmtopng, gnump3d, Squid, unzip, uim, Curl, and imlib.   [Linux]

Security Alerts
KWord Trouble  Noel Davis looks at problems in KWord, SPE under Gentoo, wget, Brightstore, eTrust, Unicenter, OpenSSL, XMail, uw-imap, weex, tcpdump, graphviz, up-imapproxy, xloadimage and xli, and Ruby.   [Linux]

Security Alerts
XFree86 Trouble  Noel Davis looks at problems in XFree86, cfengine, RealPlayer 10, Helix Player, ClamAV, XSun, Xprt, arc, prozilla, AbiWord, Backupninja, Hylafax, ApacheTop, and libsnmp5.   [Linux]

Big Scary Daemons
Information Security with Colin Percival  The recent disclosure of side-channel techniques to retrieve cryptographic secrets on hyperthreading machines caused stirs in security and operating system development communities. Colin Percival, a FreeBSD security officer, reported the vulnerability and weathered the questions and criticisms. Michael W. Lucas recently interviewed him on this vulnerability, vendors' responses, and security research.   [ONLamp.com]

Security Alerts
MySQL Trouble  Noel Davis looks at problems in MySQL, umount, KDE's kcheckpass, GNOME Workstation Command Center, X.org, Squid, TWiki, ncompress, grip, Turquoise SuperStat, gtkdiskfree, and LessTif.   [Linux]

Security Alerts
Problems in PCRE, the Linux Kernel, and SILC  Noel Davis looks at problems in PCRE, the Linux kernel, SILC, Frox, MPlayer, pam_ldap, maildrop, lm_sensors, simpleproxy, backup-manager, Adobe Version Cue, phpGroupWare, and webcalendar.   [Linux]

Security Alerts
PHP Trouble  Noel Davis looks at problems in PHP, Adobe Reader, Kismet, LibTIFF, Evolution, Mutt, bluez-utils, Ignite-UX, CPAINT, Awstats, Clam AntiVirus, and Gaim.   [LinuxDevCenter.com]

Security Alerts
Apache Trouble  Noel Davis looks at problems in Apache, bzip2, Cisco devices, fetchmail, Netpbm, Ethereal, Proftpd, pstotext, apt-cacher, Compress::Zlib, Gopher, nbSMTP, and PowerDNS.   [LinuxDevCenter.com]

Securing Web Services with mod_security  Web services build atop HTTP to allow more flexible applications. However, their flexibility and ubiquity do not always protect against vulnerabilities due to the way HTTP works. Fortunately, the mod_security module and some planning can block potential attacks at both the protocol and application level before they start. Shreeraj Shah explains.   [ONLamp.com]

Important Notice for Security DevCenter Readers About O'Reilly RSS and Atom Feeds  O'Reilly Media, Inc. is rolling out a new syndication mechanism that provides greater control over the content we publish online. Here's information to help you update your existing RSS and Atom feeds to O'Reilly content.  [Security DevCenter]

Security Alerts
Problems in Oracle Reports  Noel Davis looks at problems in Oracle Reports, Skype for Linux, MediaWiki, Kate, Kwrite, Shorewall, ekg, libgadu, PHPNews, phpSurveyor, Affix, Heartbeat, and phpPgAdmin.   [LinuxDevCenter.com]

Security Alerts
Problems in SpamAssassin, PEAR, and Bugzilla  Noel Davis looks at problems in SpamAssassin, PHP PEAR, Bugzilla, Heimdal/Kerberos telnetd, Vipul's Razor, TikiWiki, poppassd_pam, zlib, FUSE, the Solaris kernel, HT Editor, GNATS, JBoss jBPM, Trustix Secure Linux, and Trac.   [LinuxDevCenter.com]

Security Alerts
Problems in OpenSSH, Sudo, and Java  Noel Davis looks at problems in OpenSSH, Sudo, Sun Java, Blackdown Java, tcpdump, cpio, JBOSS, Adobe Reader and Acrobat, gedit, Gaim, and Trac.   [LinuxDevCenter.com]

Security Alerts
Problems in the Kernel, OS X, and WordPress  Noel Davis looks at problems in the Linux kernel, Mac OS X, bzip2, WordPress, WebSphere, Peercast, PHPMailer, Binutils, Popper Webmail, Dzip, and FreeBSD's gzip.   [LinuxDevCenter.com]

Security Alerts
Problems in the Linux Kernel, LISTSERV, and gdb  Noel Davis looks at problems in the Linux kernel, LISTSERV, gdb, FreeRADIUS, shtool, mailutils, Qpopper, davfs2, libmagick6, picasm, cheetah, and ppxp.   [LinuxDevCenter.com]

Security Alerts
Mozilla and Firefox Flaws  Noel Davis looks at problems in gzip, Mozilla and Firefox, OpenOffice.org, the FreeBSD kernel, Ethereal, TCPDump, libTIFF, Smail, Apache2's htdigest, and SCO UnixWare's chroot.   [LinuxDevCenter.com]

Security Alerts
CVS Trouble  Noel Davis looks at problems in CVS, PostgreSQL, Squid, Gaim, Debian's lsh, Xine-lib, Caroline, Convert-UUlib, Rootkit Hunter, snmppd, Kommander, kimgio, RealPlayer, Helix Player, xli, and Debian's samba.   [LinuxDevCenter.com]

Security Alerts
Linux Kernel Vulnerabilities  In Noel Davis' latest column, he looks at problems in the Linux kernel, Telnet, sharutils, Ethereal, Midnight Commander, mpg321, OpenMosixView, cdrecord, ImageMagick, and grip.   [LinuxDevCenter.com]

Anatomy of an Attack: The Five Ps  The five Ps--Probe, Penetrate, Persist, Propagate, and Paralyze--represent a model of how a security attack progresses. In this excerpt from Managing Security with Snort & IDS Tools, the authors discuss an attack's progression through these five steps, whether the attack is sourced from a person or an automated worm or script, with emphasis on the Probe and Penetrate phases, the stages that Snort monitors.   [O'Reilly Network]

Security Alerts
KDE Trouble  Noel Davis looks at problems in KDE, MySQL, Perl, Ximian Evolution, GnuPG, OpenSLP, Ringtone Tools, LuxMan, and Ethereal.   [LinuxDevCenter.com]

Security Alerts
Problems in GProFTPD  Noel Davis looks at problems in GProFTPD, bsmtpd, Uim, phpMyAdmin, Vim, Cyrus IMAPd, the Kodak Color Management System on Solaris, Arkeia Network Backup, curl, and PuTTY.   [LinuxDevCenter.com]

Security Alerts
Trouble in the Kernel, VMware, and PostgreSQL  Noel Davis looks at problems in the Linux kernel, VMware, PostgreSQL, Squid, MySQL, mailman, Apple OSX HFS+, movemail with GNU Emacs or XEmancs, KStars, typespeed, awstats, and synaesthesia.   [LinuxDevCenter.com]

OpenBSD 3.6 Live  Right on schedule, the OpenBSD team plans to release version 3.6 on November 1. Federico Biancuzzi recently interviewed several members of the core team about new features and changes in the code and the project.   [ONLamp.com]

Deploying a VPN with PKI  Security and convenience often conflict with each other. It'd be nice to have access to your office network from anywhere, but you can't trust the Internet. Virtual private networks are one solution. Scott Brumbaugh explains how to deploy a VPN using OpenVPN and OpenSSL.   [ONLamp.com]

Security Alerts
Perl Trouble  Noel Davis looks at problems in Perl, PostgreSQL, ncpfs, Squid, cpio, UW IMAP, ChBg, FireHOL, Clam AntiVirus, and f2c.   [O'Reilly Network]

Security Alerts
Linux and Darwin Kernel Trouble  Noel Davis looks at problems in the Linux kernel, the Darwin/Mac OS X kernel, iSync, Ethereal, enscript, hylafax, rssh, Xine-lib, mpg123, and Konversation.   [LinuxDevCenter.com]

Security Alerts
DB2 Problems  Noel Davis looks at problems in DB2, SHOUTcast, nasm, Vilistextum, libtiff, wxGTK2, phpGroupWare, Vim, namazu2, and htmlheadline.   [LinuxDevCenter.com]

Security Alerts
Linux AMD64 Kernel Bug  Noel Davis looks at a Linux 2.4 kernel bug on AMD64 machines, problems in Samba, changepassword.cgi, MPlayer, the MIT Kerberos 5 administration library, logcheck, Sybase Adaptive Server Enterprise, Konqueror, Debian debmake, Xpdf, and xzgv.   [LinuxDevCenter.com]

Security Alerts
J2SE Woes  Noel Davis looks at problems in the Java 2 Runtime Environment, wget, FreeBSD's procfs and linprocfs, OpenSSL, OpenSSH, AbiWord, Blogtorrent, scponly, rssh, and kfax.   [LinuxDevCenter.com]

Security Alerts
ELF Trouble  Noel Davis looks at problems in the Linux kernel, sudo, TWiki, phpBB, cscope, Cyrus IMAP, Bugzilla, ProZilla, unarj, libxml2, and fetch.   [LinuxDevCenter.com]

Security Alerts
Media-Tool Trouble  Noel Davis looks at problems in libgd, mtink, zip, ruby, Samba, freeamp, Kaffeine and gxine, Portage, zgv, shadow, and BNC.   [LinuxDevCenter.com]

Security Alerts
Trouble in iptables  Noel Davis looks at problems in Linux iptables, OpenSSL, PuTTY, rssh, Quake II Server, libmagick6, HP Serviceguard, Xpdf, FreeRadius, WVTFTPD, GNU tftp, and pppd.   [LinuxDevCenter.com]

Secure Your Wireless with IPSec  Wireless can make your life much, much easier, but those pesky radio waves won't stay put. Sometimes this is good, but sometimes you want to lock down your network. WEP and MAC address filtering aren't secure enough. IPSec, the same approach used to secure VPNs, is much better. Dan Langille explains how to configure Wifi with IPSec.   [ONLamp.com]

Security Alerts
mod_ssl Problems  Noel Davis looks at problems in mod_ssl, LibTIFF, mpg123, LessTif, the Cyrus SASL library, MySQL, CUPS, ProFTPD, and the Squid web proxy cache.   [O'Reilly Network]