Firewall pioneer wanted a 'super-secure' blogging service ... so he's built his own

Bill Cheswick

Bill Cheswick -- best known for writing "Firewalls and Internet Security" in 1994 and his earlier work at Bell Labs -- doesn't want to let commercial blogging software within hacking distance of his hardened Web server. A self-described Apple fanboy, Cheswick does want to host his own blogs, however, one about his job as lead member of the technical staff at AT&T Research and another about personal stuff, "if I can tell the difference."

We became acquainted last fall when I needled him in a post headlined, "Hello, you have reached my iPhone." (More about the iPhone below.) Yesterday Cheswick sent me an e-mail drawing my attention to his new project, which carries this greeting: "Welcome to ... a test blog publication from iWeb.  This could be very handy, if I can get it working securely."

Seems he has done so, according this new post of his and our correspondence:

The issue is this: Most blog software is based on PHP, and most compromised BSD machines are compromised by PHP.  It has a dangerous design, and is dangerous to use.   I wish to sponsor this software on machines I care about, running Web servers I want to continue to trust. ... My (our) needs are simple: off-line text creation, copy to the Web page, RSS feeds available, no comments or other external write capabilities needed.

You can read more about how he got what he wanted in the July 4 entry of his online diary.

I asked Cheswick to elaborate on why he felt the need to go this route and what he hoped would be the fruits of his labor. Here's his reply:

For any given network service I have two choices these days: I can use a commercial or public service, or I can build it myself.

Twenty years ago there was only one choice, of course, and I tend to like to roll my own in general.  It helps me understand the protocols and the issues, and try to build something with a demonstrably high resistance to hacking attack.

Sometimes I do get hung up on this. For example, I had surgery for a rare ankle tendon problem, and wrote it up and ran a mailing list by hand for many years. The list did not work well, but I don't trust the security of the various mailing list software packages on my servers. Finally, I just set up a Yahoo group, and that has been a terrific success.  Security and maintenance are their problem, and I can move on, even if I haven't solved the mailing list security configuration question to my satisfaction.  As my father used to say, "You can't kiss all the girls."

How about hosting my own Web service vs. using a commercial service? Here there is a problem:  I have over 150GB of family photos on our Web server (more than even grandma wants to look through). Hosting gets steep vs. buying another disk at Costco.

More importantly, I really do want to jail my own servers. Belt-and-suspenders is an important security tool, and I have employed it over the years to build highly resistant read-only Web pages.  I described the details in the "Firewalls" book.

So, is blogging software insecure?  How can this be?  I am not sure about specific blogging solutions, but I do know from my sources that most Unix systems that are compromised these days are invaded through weaknesses in PHP and Web software. There is no excuse for this in my mind: We ought to be able to engineer robust solutions, perhaps requiring some limitations on capabilities.

So I need a blog, because good service requires RSS feeds. I could go to someplace like blogspot and leave it to others, but I want to understand the issues, and see if a strong solution can work with my strong Web browsing solution.

And it does, if I don't allow comments and other user-created stuff.

"Working securely" means that it meets a set of threats I have worried about for 20 years: invasion over the network from afar. I can (and have) made a list of the threats that I worry about.  The assurance level I require is higher than most people.  Am I just overly frightened, or eager not to have to clean up the mess?

I think there is a need for super-secure services of all sorts, if they can be managed. And we aren't doing very well right now, except perhaps in the financial and commercial online access area.  I discussed "super-secure" blogging with other security friends at Usenix Security last weekend, the likes of Steve Bellovin, Matt Blaze, and Ed Felton. We all care about super-secure services, and each tends to build our own.  Most solutions were similar to mine.

As a writer, you probably need a user comment area, so the solution you use is going to be more dangerous.  But you would probably just have the IT department fix the problem, and move on if you got defaced.

I want a strong level of security confidence, born of simplicity, easy auditablity, and layers to protect my services, so I can think about other things.

One example: There was an openssl security hole revealed about five years ago.  Though the hole would allow someone to spoof my Web server, it was jailed, and the server was safe.  I assume that the software I use is insecure.  Everyone should be engineering solutions that make this assumption.

Browsers and mail readers are unlikely to ever be secure: They require too much functionality.  We propeller-heads have to engineer containers to make these safe to use.

So, the fruits of this labor are two: one, a working blog, and two, a set of notes suitable to instruct the curious on how to replicate the arrangement.

Spoken like a true propeller-head.

By the way, the bloom appears to be off Cheswick's iPhone infatuation, witness this "My iPhone Sucks" rant of his posted yesterday with his new super-secure blogging set-up. "Little did I know that an update was a few hours away," he tells me this morning. "I haven't played with it enough to see if they fixed it."

Welcome regulars and passersby. Here are a few more recent Buzzblog items. And, if you'd like to receive Buzzblog via e-mail newsletter, here's where to sign up.

Circuit City, Mad Magazine and Barbara Streisand (really).

I apologize for that Verizon/pit-bull post.

Doing the Laptop Drive of Shame.

Bank of America to support Firefox, finally.

What does Cisco have against Quebec? (Answer: silly contest rules.)

Attrition.org nails another nitwit ... this time with Monty Python's Holy Grail.

"I have a lost laptop horror story for you."

This Year's 25 Geekiest 25th Anniversaries.

Top 10 Buzzblog posts for '07: Verizon's there, of course, along with Gates, Wikipedia and the guy who lost a girlfriend to Blackberry's blackout.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Related:
Now read: Getting grounded in IoT