"Let’s Get Ready to Logjam!" -- The Need to Know About This New Exploit
Logjam (CVE-2015-4000) is the latest server exploit hitting the nation (and the world). In scope are 8.4×10³ of the top 1×10⁶ websites and 14.8% of mail servers in the IPv4 address space, per weakdh.org. The cause is a weakness identified in the Diffie-Hellman key exchange (explained here and here); Ars Technica reported the exploit early.
The root cause goes back to the 1990s. Recall when products like Lotus Notes had a North American encryption flavor and an International encryption flavor? That distinction ended when encryption standards were lowered and the two offerings merged. Lowering the standards helped the Feds crack encryption overseas, but now average users have incredible computing power available to them cheaply. Thus, algorithms that were nearly impossible to break 20 years ago can be broken with ease today. I expect more exploits of this nature in the months ahead.
"Logjam shows us once again why it's a terrible idea to deliberately weaken cryptography" -- J. Alex Halderman, a key scientist behind the exploit's research, posted at https://weakdh.org
Work-around and a Solution
As a first step, server administrators should disable support for DHE_EXPORT cipher suites, since they allow Diffie-Hellman connections to be downgraded to export-grade strength.
The solution for Logjam is akin to POODLE in that TLS is the way to go. Companies like Red Hat and IBM offered TLS solutions for POODLE, and the Logjam research team provided a document on how to deploy Diffie-Hellman for TLS correctly.
For your browsers, jscher2000 in Silicon Valley, CA, via a mozillaZine Logjam post, offers a four-step process to disable insecure ciphers:
"(1) In a new tab, type or paste about:config in the address bar and press Enter. Click the button promising to be careful.
(2) In the search box above the list, type or paste ssl3 and pause while the list is filtered.
(3) Double-click the security.ssl3.dhe_rsa_aes_128_sha preference to switch it from true to false (this usually would be the first item on the list).
(4) Double-click the security.ssl3.dhe_rsa_aes_256_sha preference to switch it from true to false (this usually would be the second item on the list)."
Then test the result with the Qualys SSL Labs test described in the next section.
Earlier this week, Paul Farris wrote a blog post on Domino SSL ciphers, which is located here.
Establishing your Risk
Web browsers should be updated shortly (as of this writing). Internet Explorer on Windows 10 was the first to have a patch; Firefox and Chrome fixes are in the works. Check here for the current status. As of this morning (21 May 2015), my browsers were still at risk.
For checking browsers beyond Logjam, Qualys SSL Labs has a browser check (here) that covers three key vulnerabilities, protocol support and features, and the cipher suites in use.
The TLS deployment document has a Server Test, which is easy and free to use. Here is the link; just scroll down to the Server Test section. I tested many known sites and found that many were safe from Logjam-style attacks (on par with the sub-ten-percent of sites in scope), though they could be further secured with Elliptic-Curve Diffie-Hellman (ECDHE).
They also offer two suggestions for many common server programs (e.g. Apache, OpenSSH). The researchers also suggest that all your TLS libraries be patched and set to reject D-H groups smaller than 1024 bits.
More detailed results are available from these two free resources:
1. An open source site entitled SSL Decoder is available to decode, as you surmised, a site's SSL connection. The output is robust and the licensing allows for internal use, so start testing;
2. Qualys SSL Labs' SSL Server Test, which provides links to additional information on each exploit tested, with several linked resources on each information page.
A side point to know: 1024-bit DSA signing keys are quite insecure and should be 2048 bits or higher, with 4096 recommended where possible. If your keyrings are light on encryption bits, make a plan to get them upgraded this year.
Note: the client fix may block some websites lacking current updates, so it is a good idea to ensure that your company site is current on web security patches.
Red Hat to the Rescue
Upon learning of the threat, Red Hat did their own threat assessment and published a security bulletin on this exploit. The good news is that RHEL 6.6+ and 7 are NOT vulnerable to Logjam, but if you are running early RHEL 6 versions (get them patched; see advisory RHBA-2014:1525) or RHEL 5, then you are vulnerable. Specifically, RHEL 7 omitted export-grade cipher suites by design in its initial release, offering peace of mind to those who upgraded early.
To their credit, Red Hat made it clear early that they will not update the default cipher list in RHEL 5, so you need to upgrade to at least RHEL 6.6 to be safe. I do like a vendor that gets to the point quickly in an unambiguous manner. Everybody wins with this type of communication, from my perspective.
SUSE has a security bulletin with some information on resolutions, located here.
Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice -- outlining specific attacks and how the researchers broke the 512-bit DH group
Logjam Attack Proof of Concept Demonstrations -- which lists the susceptibility to each of the three attack styles
Guide to Deploying Diffie-Hellman for TLS
Logjam: TLS vulnerabilities (CVE-2015-4000) by Red Hat
MITRE CVE's Logjam dictionary definition
NIST NVD's entry (National Vulnerability Database)
"Logjam TLS Attack (Weak Diffie-Hellman) and Novell Products"
May 22, 2015