Correct system time is a security issue

There’s a story that hit Slashdot today about Debian (see bug #433869) not using the system to send out an update to the timezone data for a change in New Zealand daylight savings time.

The update in question is not a security fix; however, having the correct time on a system is very important for security. Without the correct local time across all of your different systems (and thus the correct timestamp on log messages), you will not be able to collate messages between different systems (e.g. routers, firewalls, other Unix/Linux systems) during an incident. The update has already been released by Microsoft, Red Hat and, I expect, other vendors.

To me this seems just to be another reason that a commercial company should not run Debian GNU/Linux, as you’re at the whims of a bunch of volunteers who are unlikely to understand the security concerns of your business (e.g. PCI/DSS or Sarbanes-Oxley). However, it’s still a good OS if you’re running a personal system or if you can have a team of Debian sysadmins/developers at your call to backport important package changes.
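The collation problem described above, as an added example that is not part of the original post: three hosts' logs are merged into one UTC timeline, once with the offsets an analyst would assume and once with the offset an unpatched host was really using. Host names, log lines and offsets are constructed; it assumes the rule change starts daylight time earlier than the old rules did, so the unpatched host runs an hour behind.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample logs (not from the original post). Each host writes
# naive local timestamps, as classic syslog does.
#   fw01  logs in UTC
#   db01  has the updated timezone data and writes NZDT (UTC+13)
#   web01 still has the old rules and writes NZST (UTC+12)
# 2007-10-01 is inside the window where old and new rules disagree.
LOGS = {
    "fw01":  ["2007-10-01 01:00:02 accept tcp 203.0.113.7 -> web01:443"],
    "web01": ["2007-10-01 13:00:03 POST /login from 203.0.113.7",
              "2007-10-01 13:00:09 outbound connect db01:5432"],
    "db01":  ["2007-10-01 14:00:10 connection from web01 user=app"],
}

# What the analyst assumes (every NZ host patched) vs. what was true.
ASSUMED = {"fw01": 0, "web01": 13, "db01": 13}
ACTUAL = {"fw01": 0, "web01": 12, "db01": 13}


def collate(logs, offsets_hours):
    """Merge per-host logs into one list sorted by UTC time.

    offsets_hours maps host -> UTC offset that host used when writing.
    """
    events = []
    for host, lines in logs.items():
        tz = timezone(timedelta(hours=offsets_hours[host]))
        for line in lines:
            stamp, msg = line[:19], line[20:]
            local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
            utc = local.replace(tzinfo=tz).astimezone(timezone.utc)
            events.append((utc, host, msg))
    return sorted(events)


def hosts_in_order(logs, offsets_hours):
    """Host names in the order their events appear on the merged timeline."""
    return [host for _, host, _ in collate(logs, offsets_hours)]


if __name__ == "__main__":
    for label, offsets in (("assumed", ASSUMED), ("actual", ACTUAL)):
        print(f"--- offsets {label} ---")
        for utc, host, msg in collate(LOGS, offsets):
            print(utc.strftime("%Y-%m-%d %H:%M:%SZ"), host, msg)
```

With the assumed offsets the web server's events land an hour before the firewall accept that let the connection in, so the chain firewall, web server, database cannot be reconstructed from the merged timeline.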


Security training a liability?

After seeing a link to a book called The No Asshole Rule: Building a Civilized Workplace and Surviving One That Isn’t on Cutaway’s blog (Security Ripcord), I just had to order it from the US.

Not really sure how I managed to find this blog post this evening given that it’s from January; anyway, it’s a rant on security training being a liability. Given the views I’ve seen on training over the years, I’m not surprised by that one.