Wednesday, February 25, 2009

How long do I need to keep logs?

Today I talked to a guy at an ISP where I do the SQL maintenance and I asked him what they keep in their logs about what people do with their services (telephony and Internet access for companies and private persons).

For the telephony part, the law in Belgium asks them to keep which number called which number, and by matching them with the contracts of the customers of the telephony providers the law officers can trace your calls. I asked him if this is still the case if you use something like Skype out, and according to him there is no way to trace this for the telephony provider; the cops have to have an agreement with Skype (who are based in Luxembourg).

For the internet behavior he told me that they just keep the IP address leases for the dynamic IP customers and they don't care to what websites you go or what chatrooms you frequent. The only thing that the law requires them to do is to give the name and address of who owned that IP at that particular point in time.

I asked him what the most common case for requesting the user's identity is, and he said that it is usually a case of copyright violation.

He wasn't aware of the Tor network and when I explained to him how it works, he said that it becomes a very difficult task for the cops to trace your particular visit to a website back to you.

One particularity he told me is that the public (companies and private persons) are responsible for keeping their own router logs and should be able to show them to the men of law in case of an investigation. For how long you have to keep them if you're not an ISP he couldn't tell me.

If anybody can tell me more about this subject please post a reaction. I think that it is important for the public to know this.

Monday, February 23, 2009

Fosdem 2009


A couple of weekends ago I went to Fosdem 2009. This is my report of the talks I went to. I chose to go to the security track and to go to the MySQL developer room.

The first talk I went to was OWASP Testing guide v3 given by Matteo Meucci. The OWASP testing guide is basically a must read for everybody these days. Back in the good old days when the internet used to be static it was easy to make a website, and then things suddenly got more complicated, which added nice features that have led up to web 2.0. As most of us know, everything has a price. As websites get more "layers" of complexity, there are more layers you have to look into to secure them. The OWASP Testing guide v3 does this. It is a nice example of structured knowledge about what there is to know about making a secure web app.

The other security talk I went to was Fusil by Victor Stinner. I just know what a fuzzer is but never played with one and learned a lot from it :). I asked Victor why he coded Fusil since he clearly states that there are other fuzzers out there. He answered me by telling me he is a hacker and wanted to write a fuzzer. You just got to love such an answer :)

The rest of my day I sat down in the dev room of MySQL. I am not a developer myself (although I write my own code occasionally when I need something). It was very interesting. The first talk that I went to was about MySQL clustering. Geert Vanderkelen introduced us to the basics of database clustering and I learned a lot. The following MySQL talk wasn't actually a talk. It was Kaj Arnö, who asked us what we liked, disliked and how we would like things to be. It is nice to know that MySQL still is listening to its non-commercial user base.

I've seen some strange partitioning at customers in Microsoft SQL and was curious about Giuseppe Maxia's talk. He gave the best explanation about partitioning there is and I will use his example to explain the advantage to those customers who need it and those who implemented it in that 'not so efficient' manner. He showed us the map of Brussels and tore it apart and showed us visually that it was far more efficient to find something on only a part of the map than on the big map. He got applause for this.

The last talk I went to was about database sharding. I never heard the word before and it was Jurriaan Persyn who gave that presentation. It is still not clear to me how it works but it seems to me that it is not the easiest thing to accomplish. There were some guys in the room who were asking a lot of questions and their questions were not actually about sharding but about availability issues, and at a certain point it became annoying that Jurriaan wasn't talking anymore about his subject.

It was a long but very interesting day and I look forward to doing stuff with all the new knowledge I gained and was happy to meet so many interesting people.

Thursday, February 5, 2009

Howdy readers,

I found this nice website .

Security Media

Everybody knows YouTube. The other day I stumbled upon SecurityTube, a site with currently more than 165 videos about security and related items. Yes, I like video as a format. I enjoy reading but if a video is as it should be you can learn a lot. I learned quite a lot from Irongeek's website too. And of course on YouTube you can find some interesting stuff. If you like to watch a nice tech show check out Hak5.

I like to listen to podcasts as well, one of my favorite security podcasts is PaulDotCom.

If you have interesting websites, podcasts, RSS feeds, ... share them with me :)

Monday, February 2, 2009

Securing a LAMP Server ... follow up

Recently I've been working on a LAMP Server. I learned a lot and got an interesting pointer from Christophe Vandeplas. The Center for Internet Security has a collection of nice scoring tools/benchmarks to verify if a system is correctly implemented.

I recommend this exercise to everybody. You make a VMware server on a machine (or use VirtualBox if you like open source). Set a box up and do the homework :).

Next Wednesday I'll be joining our Belgian OWASP chapter. On the agenda:
  • Best Practices Guide Web Application Firewalls
  • Research on Belgian bank trojan attacks
I hope to meet you there. If you can't be there I'll make a post with my impressions.