
security issues

Docker, an advanced chroot utility

Chasm—just like a Docker creates a chasm between two sets of software

SECURITY WARNING

Before installing Docker and running containers with services on your Linux system, make sure you read and understand the risks described on this Docker and iptables page. In particular, Docker makes all your containers visible to the entire world through your Internet connection. This is great if you do want to share that service with the rest of the world; it is very dangerous while you are still working on that container service, since it may have security issues that need patching. Docker documents a way to prevent that behavior by adding the following rule to your firewall:

iptables -I DOCKER-USER -i eth0 ! -s 192.168.1.0/24 -j DROP

This drops any connection arriving on the external interface unless its source IP address is within 192.168.1.0/24. Replace `eth0` with the name of the interface you use for your external Ethernet connection. During development, you should always have such a rule.

That has not worked at all for me because my local network includes many other computers on my LAN and this rule blocks them all. So really not a useful idea.

Instead, I created my own entries based on some other characteristics. That includes the following lines in my firewall file:

*filter
:DOCKER-USER - [0:0]

-A DOCKER-USER -j early_forward
-A DOCKER-USER -i eno1 -p tcp -m conntrack --ctorigdstport 80 --ctdir ORIGINAL -j DROP
-A DOCKER-USER -i eno1 -p tcp -m conntrack --ctorigdstport 8080 --ctdir ORIGINAL -j DROP
-A DOCKER-USER -i eno1 -p tcp -m conntrack --ctorigdstport 8081 --ctdir ORIGINAL -j DROP

My early_forward allows my LAN to continue to work. These are my firewall rules that allow my LAN computers to have their traffic forwarded as expected.

Then I have three rules that block ports 80, 8080, and 8081 from Docker.

Docker then adds its own rules, which appear after these (in Docker's own chains, not within the DOCKER-USER chain) and open the ports for whatever services you publish from your containers.

Note that the only ports you have to block are the ports that Docker shares and that you otherwise have open on your main server. If Docker opens port 5000 and your firewall does not allow connections to port 5000 from the outside, then you're already safe. On my end I have Apache running, so I block the usual HTTP ports from Docker.
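An added check (example code, not part of the original post) that audits this setup: it reads the DOCKER-USER chain and Docker's nat-table DNAT rules in iptables-save format, reports published ports that no DROP rule on the external interface covers, and emits the missing rules in the form used above. Both dumps are constructed samples; `eno1`, the 172.17.0.x container addresses and the port set are assumptions.

```python
import re

# Constructed sample of the filter table's DOCKER-USER chain, in the form used above.
DOCKER_USER = """\
*filter
:DOCKER-USER - [0:0]
-A DOCKER-USER -j early_forward
-A DOCKER-USER -i eno1 -p tcp -m conntrack --ctorigdstport 80 --ctdir ORIGINAL -j DROP
-A DOCKER-USER -i eno1 -p tcp -m conntrack --ctorigdstport 8080 --ctdir ORIGINAL -j DROP
-A DOCKER-USER -i eno1 -p tcp -m conntrack --ctorigdstport 8081 --ctdir ORIGINAL -j DROP
COMMIT
"""

# Constructed sample of the nat table: Docker adds one DNAT rule to its DOCKER
# chain for every published container port (container addresses assumed).
DOCKER_NAT = """\
*nat
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.3:80
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 5000 -j DNAT --to-destination 172.17.0.4:5000
COMMIT
"""

RULE = ("-A DOCKER-USER -i {iface} -p tcp -m conntrack "
        "--ctorigdstport {port} --ctdir ORIGINAL -j DROP")

def published_ports(nat_dump):
    """Host ports Docker forwards into containers (the --dport of each DNAT rule)."""
    return {int(m.group(1)) for line in nat_dump.splitlines()
            if line.startswith("-A DOCKER ") and "-j DNAT" in line
            and (m := re.search(r"--dport (\d+)", line))}

def dropped_ports(filter_dump, iface):
    """Ports already dropped in DOCKER-USER for packets arriving on iface.
    DNAT runs before FORWARD sees the packet, so match --ctorigdstport, not --dport."""
    return {int(m.group(1)) for line in filter_dump.splitlines()
            if line.startswith("-A DOCKER-USER") and f"-i {iface} " in line
            and line.rstrip().endswith("-j DROP")
            and (m := re.search(r"--ctorigdstport (\d+)", line))}

def exposed_ports(filter_dump, nat_dump, iface):
    """Published ports reachable from iface because no DROP rule covers them."""
    return sorted(published_ports(nat_dump) - dropped_ports(filter_dump, iface))

def missing_rules(filter_dump, nat_dump, iface):
    """DOCKER-USER lines to add for each exposed port, in the form used above."""
    return [RULE.format(iface=iface, port=p)
            for p in exposed_ports(filter_dump, nat_dump, iface)]
```

Feed it the output of `iptables-save -t filter` and `iptables-save -t nat`, and decide for each reported port whether it is meant to be public before adding the rule.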

Docker

As we are helping various customers, we encounter new technologies.

In the old days, we used chroot to create a separate environment where you could have your own installation and prevent the software inside that environment from accessing everything on your computer. This is particularly useful for publicly facing services like Apache, Bind, etc.

Upgrade to PHP 5.3.3 or newer because of security issue

If you are responsible for a Debian or Ubuntu server and run PHP on it, make sure to run the following command to fix several security issues found in PHP:

sudo apt-get install php5-suhosin

This installs what is needed, and, security-wise, your PHP version will behave as if you had PHP 5.3.3.

What I found quite annoying in regard to this issue is the fact that it was very difficult to find a mention of this upgrade. All I could find in large number were people saying that you'd have to get an upgrade using the source code of PHP. Somehow, I did not feel like upgrading PHP from ...

jsMath Installation

Requirements

In order to use the jsMath Drupal 6.x module (for displaying mathematics with TeX), you need:

Update to Drupal 6.15

In order to keep our Drupal installation secure, we quickly updated to version 6.15.

As far as we know, none of the security issues fixed in Drupal 6.15 affect any of our existing customers. Yet we prefer to stay at the top, security-wise, and made the change very quickly, as usual. If you have any questions or encounter any problems, let us know. This update was very smooth and did not require any database updates.

I also wanted to mention the arrival of our new Web 2.0 hosting system. We are still working on it, but very soon you will be able to jump on the bandwagon and get a ...

FileAttributes

Tag Info
Tag Number: 69
Tag Type: Format
Tag Flash Version: 8
Brief Description:
Since version 8, this tag is required and needs to be the very first tag in the movie. It is used as a way to better handle security within the Flash Player.

Tag Structure: 
struct swf_fileattributes {
	swf_tag			f_tag;		/* 69 */
	unsigned		f_reserved : 3;
	unsigned		f_has_metadata : 1;
	unsigned		f_allow_abc : 1;	/* since V9.0 */
	unsigned		f_suppress_cross_domain_caching : 1;	/* since V9.0 */
	unsigned		f_swf_relative_urls : 1;	/* since V9.0 */
	unsigned		f_use_network : 1;
	unsigned		f_reserved : 24;
};

The FileAttributes tag is new to version 8. It must be present in all movies of version 8 and over, and it must be the very first tag in the SWF movie. It should be unique (other instances are ignored).

The f_has_metadata flag shall be set to 1 whenever the movie includes a Metadata tag.
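An added parser for this tag (example code, not from the page or from any SWF library): it decodes the RECORDHEADER and the flag bits of the struct above and verifies that the reserved bits are zero. It assumes the caller has already consumed the SWF file header so that the stream starts at the first tag; the sample bytes are constructed.

```python
import struct

FILE_ATTRIBUTES = 69

# Masks for the flags in the first flag byte; SWF packs bit fields MSB first,
# so the 3 reserved bits come first and f_use_network ends up in bit 0.
FLAG_BITS = {
    "has_metadata": 0x10,
    "allow_abc": 0x08,
    "suppress_cross_domain_caching": 0x04,
    "swf_relative_urls": 0x02,
    "use_network": 0x01,
}

def read_tag_header(data, offset):
    """Decode a RECORDHEADER: UI16 little-endian, tag code in the upper 10 bits,
    length in the lower 6 bits; 0x3F means a SI32 long length follows."""
    (code_and_len,) = struct.unpack_from("<H", data, offset)
    code, length = code_and_len >> 6, code_and_len & 0x3F
    offset += 2
    if length == 0x3F:
        (length,) = struct.unpack_from("<i", data, offset)
        offset += 4
    return code, length, offset

def parse_file_attributes(tag_stream):
    """Parse FileAttributes from a tag stream that starts right after the SWF
    file header; it must be the very first tag, as the page states."""
    code, length, body = read_tag_header(tag_stream, 0)
    if code != FILE_ATTRIBUTES:
        raise ValueError(f"first tag has code {code}, expected FileAttributes (69)")
    if length < 4 or len(tag_stream) < body + 4:
        raise ValueError("FileAttributes body is truncated")
    first = tag_stream[body]
    flags = {name: bool(first & mask) for name, mask in FLAG_BITS.items()}
    # The 3 high bits of byte 0 and the 24 bits in bytes 1..3 are reserved (0).
    flags["reserved_ok"] = (first & 0xE0) == 0 and tag_stream[body + 1:body + 4] == b"\0\0\0"
    return flags

# Constructed sample: header 0x1144 little-endian (code 69, length 4), then
# flag byte 0x19 = has_metadata | allow_abc | use_network and 3 reserved bytes.
SAMPLE = bytes([0x44, 0x11, 0x19, 0x00, 0x00, 0x00])
```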

Support

Support at Made to Order Software

Made to Order Software offers support for all of its products.

For our consumer products, please review your options on the corresponding consumer product page.

Create a Table of Contents from a View

Setup

There are, I'm sure, many different ways to handle views with the Table of contents.

Here is what I think is the easiest at the moment:

1. Create a view and include a Title field (which generates a header for the title, most likely <H2>)

2. Create a node and include the view in the node using the Insert view filter1

3. Select a filter on this node that includes support for Insert views and Table of contents

4. If

1. Note that the Insert view filter was found to have some security issues. Use with care. The project home page has additional information about this module.

Security Issues with the US government

Some people, I have noticed, have been skeptical about the amount of care taken by the US government and its agencies in the last few years. Companies are also catching up. The security measures change every year, if not every semester, every month and, for some, probably every day.

To keep the most sought-after information top-secret, you certainly need top-level security on your network. I do not know how much data is of interest, but I found out today that hackers attack federal websites quite a bit…

“The Pentagon last month acknowledged ...