Last winter the Red Hat video team came to my house to record some footage for both internal and external use. On one of the internal videos they look at my home automation system, point the camera at a wall tablet, and figure out that I'd not used my treadmill in over two years. So there were really two options (1) remove the year from the display so it would never look like we were slacking for more than a year, or (2) find a way to get motivated again.

Recently we both started using Twitter, so it seemed like a natural progression to hook the treadmill to twitter and have it publicly embarrass us for slacking off.

So the treadmill now has it's own twitter page.

We called it 'twedmill' ('tweadmill' perhaps is more correct, but just sounds like a factory that weaves twead jackets). Here is how it works:

The treadmill itself is pretty standard; it's from Trimline and has a fancy computer. When I looked inside and saw a PIC I was tempted to interface direct to the computer, but didn't really have the time to get around to that. Although the treadmill does things like have a variable incline and measurement of heart rate, all I really care about it making sure we were using it, for how long, and how far we got.

Under a cover in the base are the PWM controllers, motors, and the belt drive to the treadmill deck. The treadmill itself measures the belt speed by having a single magnet on the wheel and a small sensor next to it, one revolution giving one pulse. So to keep things simple I just hot-glued a spare reed switch I had around so the same magnet would trigger it. The reed switch happily copes with the treadmill even on top speed, so no real need for anything more fancy.

I didn't have anything that could accurately measure the diameter of the roller, so by counting pulses at various speeds and comparing to the onboard display it worked out at 8122 pulses/revolutions per (uk) mile (so that's about 198mm of travel per pulse, making the diameter of the roller about 63mm).

I use a 1-wire network in the house to measure temperatures, watch the doorbell, and control the central heating system, so I wanted to use the same system to deal with the treadmill. So the reed switch connects to a DS2423 counter (Unfortunately it seems the DS2423 is discontinued now). The DS2423 was only available in a surface-mount package, so I found some converters on ebay to save having to design a PCB just for three components. The DS2423 connects into a 1-wire hub in node0, then to a 1-wire USB adapter on our main server, currently running Fedora 10.

The software used in based on the source code from 'digitemp' as it includes code in cnt1d.c to read the counter values. Every ten seconds the jabber treadmill bot switches to the right network segment on the 1-wire hub then polls the counter of the DS2423 to see if the treadmill has moved. Once the treadmill has stopped moving for a while the software stores the total distance travelled and time in a database, sends an email, and uses the perl Net::Twitter module to post a mesage to twitter. (It can also draw a graph showing speed over time, but that turned out to be not very interesting)

For the future I'd quite like to hook directly into the treadmill computer, perhaps giving two way control of the treadmill programs, as well as recording the incline and heart rate. Another idea has been to use the current treadmill speed to decide which music video to play next based on bpm (the tv is connected to an old XBOX running XMBC so could easilly be remotely controlled to switch videos). Or perhaps link it to google streets for a virtual jog through some random town. Finally, you currently have to select who is using the treadmill before (or very quickly after) using it using the touch panels in the house; which seems like a good excuse to play with some RFID in our shoes, perhaps also using that to select a playlist of music videos per person.

It was a little distracting as whenever I see security theatre I can't help thinking of ways it could fail. For example anyone entering the cinema with two cell phones would evade the more extensive searches after giving up their first phone. Bruce Schneier calls this a security mindset. However, it was definately a movie worth trading some freedoms to watch in advance, but I can't help wondering how long it will be before they try to do this at every movie.

Having a CCV of 000 seems nice and easy to remember, but actually was a bit of a curse. To start with, companies would sometimes not believe that 000 is your real CCV when you tell them by phone. But usually after a few attempts you can convince them to at least try it, and then all is well.

The real problems came when using the card online as several merchants refused to accept the card. Any programmer reading this will have guessed the ways this could fail already. Rather than web applications checking for a CCV of three digits, I imagine some of them stored the field as an integer and had "0" overloaded as "didn't enter a CCV".

Scan Computers was the first casualty; my first order with them using the card appeared to get accepted, but then got stuck and the order stalled. That took a phone call to sort out, but at least the guy I spoke to by phone recognised and understood the problem and I only ended up getting my stuff a day late. It's worked okay with them since, I guess they fixed it.

Some other merchants I've been less lucky with. Some refused to accept the CCV at the time I entered it, but at least with those you know immediately and can use a different card. Other merchants accepted the CCV at the order time but then later rejected the order usually without giving a reason; probably when they did some batch processing with the stored CCV.

So you'd think there would be a lot of people with this problem: if the CCV is generated by the issuer using some hash then it ought to be 1/1000th of the card holding population. Perhaps some issuers deliberately avoid giving out a 000 security code, or perhaps I was just unlucky in my choice of merchants.

The experiment has sadly come to an end now as the card expired and was been replaced by one with a different CCV. I'm hoping one day to get 999.

I also recently bought a new phone, a HTC Touch HD, to replace my aging Mio A701. Although it has a Windows OS, it doesn't force you to use ActiveSync and you can set it to instead appear as a card reader when plugged in via USB.

It got me wondering if the Asus would boot from the phone. It does:

The phone comes with a 8Gb microSD card so plenty of room for the Fedora image without disturbing the other phone software, pictures, and so on. I just used the Live image creator to write the image to the microSD card, made it bootable, put it into the phone and set the phone to card reader mode. Now every time the phone is plugged in into a PC it appears to be just a bootable USB stick with Fedora live image installed. All I need now is a small retractable USB cable and then there is no need to carry around the separate MicroSD card (or a USB stick)

From time to time I publish metrics on vulnerabilities that affect Red Hat Enterprise Linux. One of the more interesting metrics looks at how far in advance we know about the vulnerabilities we fix, and from where we get that information. This post is abstracted from the upcoming "4 years of Enterprise Linux 4" risk report

For every fixed vulnerability across every package and every severity in Enterprise Linux 4 AS in the first 4 years of its life, we determined if the flaw was something we knew about a day or more in advance of it being publicly disclosed, and how we found out about the flaw.

For vulnerabilities which are already public when we first hear about them we still track the source as it's a useful internal indicator on where the security response team should focus their efforts.

So from this data, Red Hat knew about 51% of the security vulnerabilities that we fixed at least a day in advance of them being publicly disclosed. For those issues, the average notice was 21 calendar days, although the median was much lower, with half the private issues having advance notice of 9 days or less.

The chart below shows the total number of security updates issued for Red Hat Enterprise Linux 5 Server as if you installed 5.2, up to and including the 5.3 release, broken down by severity. I've split it into two columns, one for the packages you'd get if you did a default install, and the other if you installed every single package (which is unlikely as it would involve a bit of manual effort to select every one). So, for a given installation, the number of packages and vulnerabilities will probably be somewhere between the two.

So for a default install, from release of 5.2 up to and including 5.3, we shipped 45 advisories to address 127 vulnerabilities. 7 advisories were rated critical, 21 were important, and the remaining 17 were moderate and low.

For all packages, from release of 5.2 to and including 5.3, we shipped 61 advisories to address 181 vulnerabilities. 7 advisories were rated critical, 28 were important, and the remaining 26 were moderate and low.

The 7 critical advisories were for just 3 different packages:

1. Five updates to Firefox (July, July, September, November, December) where a malicious web site could potentially run arbitrary code as the user running Firefox. Given the nature of the flaws, ExecShield protections in RHEL5 should make exploiting these memory flaws harder.
2. An update to Samba (May), where a remote attacker who can connect and send a print request to a Samba server could cause a heap overflow. The Red Hat Security Response Team believes it would be hard to remotely exploit this issue to execute arbitrary code due to the default enabled SELinux targeted policy and the default enabled SELinux memory protection tests. We are not aware of any public exploit for this issue.
3. An update to OpenSSH (August), provided to mitigate an intrusion into certain Red Hat computer systems. The attacker was able to sign a small number of tampered packages but they were not distributed on the Red Hat Network. We classified this update as critical to ensure any tampered packages would be replaced with official packages.

Although not of critical severity, also of interest during this period were the spoofing attacks on DNS servers. We provided an update to BIND (July) adding source port randomization to help mitigate these attacks.

Updates to correct all of these critical vulnerabilities (as well as migitate the BIND issue) were available via Red Hat Network either the same day, or one calendar day after the issues were public.

In fact for Red Hat Enterprise Linux 5 since release and to date, every critical vulnerability has had an update available to address it available from the Red Hat Network either the same day or the next calendar day after the issue was public.

To compare this with the last updates we need to take into account that the time between each update is different. So looking at a default installation and calculating the number of advisories per month gives the following chart:

Red Hat Enterprise Linux 5 shipped with a number of security technologies designed to make it harder to exploit vulnerabilities and in some cases block exploits for certain flaw types completely. For 5.2 to 5.3 there were two flaws blocked that would otherwise have required updates:

1. A double-free flaw in unzip. The glibc pointer checking limited the exploitability of this issue to just a crash of unzip, a client application, which does not have security implications. No security update was needed.
2. Two format string flaws in c++filt. The format string protection caused these issues to have no security implications. No security update was needed.

This data is interesting to get a feel for the risk of running Enterprise Linux 5 Server, but isn't really useful for comparisons with other versions, distributions, or operating systems -- for example, a default install of Red Hat Enterprise Linux 4AS did not include Firefox, but 5 Server does. You can use our public security measurement data and tools, and run your own custom metrics for any given Red Hat product, package set, timescales, and severity range of interest.

A moose is for life, not just for Christmas. Tracy managed to arrange to buy some from the store to save them being thrown away. So we are now the proud owners of 6 large and 6 medium sized wooden moose.

Perhaps we can find some way to integrate them into the decorations for our wedding next year.

Actually this isn't surprising and is exactly what I'd expect; it's all down to third party applications.

Let's say you're browsing the web. It's more than likely that at some point you'll want to view some PDF files, watch some Flash content, or play a Java game. Those tasks are all dealt with by third party applications, although to the end user it's all part of the browser experience. Since your system is only as secure as its weakest link, you need to manage security updates for those third party applications just as carefully as you manage security updates for the rest of your system. That's why Adobe Reader, Java, Flash, and all the myriad of other applications you've installed in order to make your system useful have their own update mechanisms. Some applications on Windows will 'phone home' when they are run and check to see if they need to be updated, others deploy services that sit in the background looking for updates from time to time, others even check every time your system starts. Many don't get automated updates at all.

How do you deal with all that risk? I believe it's possible by providing an OS distribution which includes all the bits you'll likely need to make a useful computing environment, thereby taking away that update uncertainty. Red Hat ship several PDF viewers in our distributions for example, but we also ship (in an Extras channel) Adobe Reader. Our Security Response Team are monitoring for security issues in everything we ship, all the third party applications, and providing a single point of contact, a single notification system, and a single way to get the updates.

If Microsoft knew that say 25% of all their users installed Firefox, wouldn't they be better bundling it and providing their centralised automated updates for it, to reduce their customers overall risk? They do already bundle some third party applications, although it's been with mixed success as we found 3 years ago when they didn't provide security fixes for bundled Flash (ZDNet coverage).

This is, in part, why you've not seen me respond recently to the Vista security reports which compare vulnerability counts. In these reports they use a cut-down minimal Red Hat Enterprise Linux installation in order to make it look more like Windows for the comparisons. But this is completely backwards -- the fact that we're including and fixing the flaws using a common process in so much third party software is actually helping reduce the risk and protect real customers. For example we could easily cut our vulnerability count by shipping only one PDF viewer instead of four. But if we know that these other viewers are going to get installed by the customer anyway all we've done is to hide the vulnerability count elsewhere, and you've made the customers overall risk increase.

So it may seem counter-intuitive but we should ship as much third party applications (that we know people use) as we can, because a single managed security update and notification process will decrease a users overall risk. The fewer third party applications that users have to get from elsewhere and install and manage for themselves the better in my opinion.

There are plenty of new products to come, so we're currently hiring for another engineer to join the response team. The full job details are here:

https://redhat.ats.hrsmart.com/cgi-bin/a/highlightjob.cgi?jobid=3685

Although the location is specified as the Czech Republic there is actually no specific restriction on the location of this position, and the candidate could be located at any one of the world-wide Red Hat offices, or potentially even remote.

If you are interested please submit your resume through the online application process, or feel free to mail me with questions.

See 26 May 2008: Enterprise Linux 5.1 to 5.2 risk report

tags: all,

apache, apachecon, apacheweek, bryce, cve, fedora, financial, fudcon, geocaching, gps, ha, jabber, metrics, microsoft, nashville, north carolina, oscon, red hat summit, security, trips