jfs is currently certified at Journeyer level.

Name: Javier Fernández-Sanguino Peña
Member since: 2000-09-21 07:01:25
Last Login: 2011-02-03 19:26:20


Homepage: http://people.debian.org/~jfs/

Notes:

Debian developer since February 1998, I mainly contributed at the time by giving it the "latin" hunch. I have worked in the Spanish web translation team (lead developer) and contributed to the web site (giving joey some headaches :) with stuff like the check-translation, and with the DDP (giving them again to Adam) in the translation of boot-floppies documentation (revising what Enrique Zanardi did not have time to do) and writing some documentation. I manage quite a number of packages. You can check all of them on my Packages overview and also have my share of bugs.

I worked for in the area of information security. Thus, in the Debian Project I switched my focus toward security tools and other related issues.

As such, I'm the main author now of the Securing Debian Manual, I'm contributing to the Bastille (a.k.a. OS hardening) project (and ported it to Debian), and I'm the main developer of Tiger (an intrusion detection and security audit tool).


Recent blog entries by jfs


Working on Tiger

After a week on vacation I've managed to squash quite a number of bugs on Tiger, put up a webpage (www.tigersecurity.org) and sent a new release candidate (for version 3.2).

And then after more testing I sent two more release candidates, so it's slowly moving towards the definite release which will be, I hope, more bug free. Once done I might need to focus on documentation (as requested in the mailing list) and on merging parts of the TARA codebase (they have developed more checks and also fixed bugs in their latest 3.0.3 release). I would like to write new checks (better integration with tripwire, crack, integrit, and other tools) but I will have to try to refrain from adding new features until I have fixed Tiger for good.

Once that's done I believe Tiger could be a powerful tool that other free software Linux/*BSD distributions could include. Currently there are a myriad of security tools to do local security checks: Mandrake's msec, OpenBSD's /etc/security, SUSE's Seccheck. Steve Kemp, after a proposal I made at the debian-devel mailing list, reviewed some of these tools. I'm not sure if Tiger could replace all of these scripts providing a common framework.

In any case I've been looking deeper into OVAL and provided a Debian schema in the mailing list (for some reason the archives seem to show only mails from a few people ????). A free OVAL query interpreter for UNIX would be very nice. However I'll have to hack it myself since there seem to be few active people at OVAL besides the Microsoft people. And the only available interpreter is Windows-only and provided with a non-free license (even if the FAQ says free to use), ouch!

As usual, it's been quite a while since I wrote anything. Too much work. However I did want to note one thing in the diary which I'm proud of (finally) doing: Debian Security Crossreferences. It might seem kind of simple, but, believe me, it's not that easy. One of the things that sparked it was a diary entry from Mark Cox. Now I can say: "Boo! Debian has a full crossreference mapping of security references for not one, but three different security sources" :-)

The enabler of this crossreference mapping is really the work I did on the wml security templates for the Debian web server way back in January which have been used extensively in DSAs since then.

Anyway, it's funny that no distribution/vendor (either free software or proprietary) has this kind of information up on their security-related webpages. It's kind of hard to do security research without this. Fortunately, stuff like OSVDB will help make this type of work easier (or at least cheaper than paying securityfocus to provide you with a copy of the Bugtraq database).

Oh, and hopefully Mitre will update their mapping soon, since it is not entirely correct.

I have been working with Tiger quite a bit recently, testing it with Solaris and cleaning a lot of stuff that was broken (but didn't look like it was when running under my Debian GNU/Linux system).

I expect to make a new 3.0.1 release soon. I want to finish, first, my submission for Honeynet's August scan of the month. I did not submit anything to the Reverse Challenge (too tough) but did so for the previous scan of the month (21, here is my submission). Let's see if this time I get to be in the "top three" :) It sure is taking me quite some time but it's fun time after all.

Once I'm done with Tiger I will start working on Bastille, a soon-to-become Debian Developer has asked to package psad, so probably I will get to fix Bug #150614 sooner than I thought. I still have to properly test the new Bastille 2.0 scripts so that Debian GNU/Linux could be officially supported in next releases (maybe in 2.1 if we follow the roadmap).

I know, I should have finished testing Bastille 2.0 by now but I haven't got around to doing it, Real Life (tm) has gotten in the way as well as the lack of a permanent Internet connection at home. In any case, working without a connection has helped getting focused and updating the "Debian Securing Manual". It seems that I do not focus enough when I have a web browser open :(

Another wild thought: why is certification so expensive? I've been looking at SANS's GIAC and it is just way too expensive. Even the "only certification attempt" seems too expensive (especially if I have to pay for it myself).

Anyway, another wild thought: I've recently set up a Wishlist basket at Amazon :) Not that I expect anyone to check-it-out, but... just in case....

Funny, I just read mjcox's entry after writing mine and found out that he's working trying to have a full CVE mapping of RedHat's advisories.

Just recently, on the debian-security mailing list Phillip Hofmeister asked if there was some way to retrieve stats easily regarding security. Well, it's not easy IMHO, but I did so (manually) for Debian some time ago (in December last year) and answered this same question in a section of the Securing Debian Manual.

However, I have recently automated the way DSAs get published on the web (here) and there are automatic ways to link DSAs to many security databases. (It's all in the web source code at the security template, see a DSA sample here). It should be pretty easy to automate references now (but they have to be kept up to date).

We do need, in any case, a common database format that could be used to link many security databases like Bugtraq, CERT, CVE, ICAT. That's one of my pet projects, I will try to have an automated tool working....

30 Jul 2002 (updated 30 Jul 2002 at 13:27 UTC)

Not too much to say, but I haven't written for a long time. Guess what, I got married June 29th (no online pictures currently, move along...). It has brought a lot of changes, but all for good (YMMV).

I did three interesting things in the same month: getting married, ascending, and submitting an entry to the Honeynet challenge (after all the work I didn't win though :( )

OTOH, I will hopefully get Internet access at home soon, and probably would be able to fix the huge number of bugs I currently have open (help is appreciated :)

I do have, however, an almost finished 3.0.1 release of Tiger which should fix a lot of Solaris issues (hopefully cleaning the code and making it easier to port and spot issues too). One of the reasons I'm testing it in a non-free platform is to check out how much easier it would be to port to other platforms (and hopefully document it soon). I promised the guys at LinuxSecurity an article about Tiger (which will hopefully also draw some attention to the new developments I included). I have only a draft written but I expect to have it finished by the end of the month...

If time permits I should test also the latest pre-release of Bastille (pre BETA 2.0) in Debian, but I haven't set up a proper environment to work (and not mess up with my environment). I'm looking at bochs and plex86 to make it (instead of using vmware). I learnt about (and tested) them while writing an article (in Spanish, not yet online, sorry) featuring Emulators for Linux.

There needs to be, in any case, a way to automatically link all the security databases like Bugtraq, CERT, CVE, ICAT. That's one of my pet projects, I will try to have an automated tool working Very Soon Now (tm)....


jfs certified others as follows:

  • jfs certified wichert as Master
  • jfs certified joey as Master
  • jfs certified Joy as Journeyer
  • jfs certified Jordi as Journeyer
  • jfs certified bcollins as Master
  • jfs certified branden as Master
  • jfs certified ole as Journeyer
  • jfs certified villate as Journeyer
  • jfs certified olea as Journeyer
  • jfs certified gwolf as Journeyer
  • jfs certified alvaro as Journeyer
  • jfs certified jjamor as Journeyer
  • jfs certified julio as Master
  • jfs certified Barbwired as Journeyer
  • jfs certified rodrigo as Journeyer
  • jfs certified juantomas as Journeyer
  • jfs certified era as Journeyer
  • jfs certified rms as Master
  • jfs certified jgb as Journeyer
  • jfs certified grex as Apprentice
  • jfs certified miguel as Master
  • jfs certified jsogo as Journeyer
  • jfs certified BrucePerens as Master
  • jfs certified Bryce as Journeyer
  • jfs certified mjcox as Master
  • jfs certified arhuman as Apprentice

Others have certified jfs as follows:

  • zed certified jfs as Journeyer
  • lerdsuwa certified jfs as Journeyer
  • jhasler certified jfs as Journeyer
  • Jordi certified jfs as Journeyer
  • Joy certified jfs as Journeyer
  • sh certified jfs as Journeyer
  • ole certified jfs as Journeyer
  • Pitr certified jfs as Journeyer
  • villate certified jfs as Journeyer
  • olea certified jfs as Journeyer
  • Barbwired certified jfs as Master
  • era certified jfs as Journeyer
  • arhuman certified jfs as Journeyer
  • macana certified jfs as Journeyer
  • acero certified jfs as Journeyer
  • pasky certified jfs as Journeyer
  • tanis certified jfs as Journeyer
  • egerbier certified jfs as Journeyer
  • gwolf certified jfs as Master
  • afernandes certified jfs as Journeyer
  • esteve certified jfs as Journeyer
  • aramin196 certified jfs as Journeyer
  • chakie certified jfs as Journeyer
  • hiddenpower certified jfs as Journeyer
