Liquid error: undefined method `source' for nil:NilClass Liquid error: undefined method `url' for nil:NilClass

Is this your first visit? You may want to subscribe to the feed.

Articles tagged with security

Creating encrypted Zip archives with OS X

Sadly, OS X doesn’t come with a way to create or open encrypted Zip archives, even from the command line (hopefully this will change with Leopard). The man pages for zip say that it supports it, but when you pass the -e or -P option, it complains:

zip error: Invalid command arguments (encryption not supported)

Fortunately, MacPorts (formerly DarwinPorts) to the rescue! There’s a version of the command line zip utility in MacPorts that works as advertised.

Install MacPorts, and install the new command line zip utility:

sudo port install zip

Move the old /usr/bin/zip out of the way, and then create encrypted Zip archives to your hearts content.

zip -re myarchive.zip mydir/
Enter password: ********
Code: security Apr 08, 2007 ● updated Apr 08, 2007 2 comments

Number of patches != relative security

The argument, as made in a recent Slashdot post, that the number of patches released is indicative of the security of a system is annoying and just plain wrong. Vulnerability is a function of the number of remotely exploitable bugs, the rate at which the exploits spread, and the time between when they begin to be exploited and when the flaw is patched. To my knowledge, there have been few, if any, remotely exploitable bugs in Linux or OS X that have propagated fast enough to cause any form of disruption. One could argue that this is due to Linux and OS X combined comprising less than 10% of the desktop market, but that argument doesn’t hold up to the fact that they have the majority of the server market.

Either way, the number of patches released could mean many things, one of which is not the relative security.

Code: security Nov 30, 2006 ● updated Nov 30, 2006 0 comments

acts_as_audited security update

Thanks to Michael Schuerig for pointing out that malicious users could unassociate your audit records due to the use of has_many in acts_as_audited. has_many :audits creates an attribute accessor called audit_ids on the model objects that you declare acts_as_audited, which could allow users to pass an array of ids that would overwrite the actual audit records.

This has been fixed by adding attr_protected :audit_ids, which protects it from mass assignment. If you’re not using SVN externals, make sure you get the latest version.

Code: security Sep 07, 2006 ● updated Dec 01, 2006 2 comments

Secure Backups with GPG

Recently I had a client who wanted to store server backups on their hosting provider’s FTP server. The only problem is that those backups contained confidential customer data. So I came up with the idea of using a public GPG key to encrypt backups before copying them to the FTP server.

A little searching revealed that a lot of other people have also used this method. A great guide for getting set up to do this can be found here.

I already had a GPG key pair, so all I had to do was import my public key on the server, change the trust settings, and write a few bash scripts to dump the DB, create an encrypted tar archive, and FTP it.

Here are the commands I used to encrypt the database dump and tar archive: 
# dump PostgreSQL data and encrypt it
pg_dump dbname | gpg -r C0E3268C -e -o /tmp/backup.sql.gpg

# tar the directories I want to backup and encrypt them
tar -c /var /etc | gpg -r C0E3268C -e -o /tmp/backup.tar.gpg
Code: security Jul 06, 2006 ● updated Dec 01, 2006 3 comments

Subscribe

Browse by Tag