Archive for the ‘software’ Category

Bad news for MicroSoft fanboys

Tuesday, July 27th, 2010

Oops, if this is true this may be a killing blow to all of you MicroSoft fanboys out there. According to Computer World a tech-worker on the oilrig crashing Windows systems may be part of the problem that eventually led to the spilling of oil. And we’re not talking a little Dr.Watson, an occasional “general exception”… we’re talking about a full-blown BSOD (blue screen of death). Well maybe we learn a little lesson here. Never use a computer system for mission-critical computing that can’t even keep itself alive for longer than half an hour… If this doesn’t teach us then maybe this will… one day…

McAfee antivirus kills windows XP

Thursday, April 22nd, 2010

Whahahaha… it had to happen one day. A problem with an anti-virus update marks a false positive and puts the file in quarantine. The OS can’t load the file anymore and… oops… reboots… and…. reboots…. and… reboots… This is actually a great feature. Rebooting windows is like 80% of normal usage and it is now fully automated.

Fixing it can be a bit hard… since the computer is rebooting all the time. McAfee could create a bootable windows CD that restores the missing file from the system but.. hey wait.. no they can’t do that. You can’t distribute a proprietary OS like windows for free… Maybe they can create a Linux boot CD to restore the windows file… Something to contemplate: using Linux to revive a windows machine.

Apache.org hacked by XSS-attack

Wednesday, April 14th, 2010

Oh wow.. now here’s a very nice report of a recent successful XSS-attack on apache.org. No don’t worry it isn’t a huge hole in the Apache webserver… just a very clever attack. Well.. they did obtain SVN credentials so maybe the attackers could have changed the sources and injected a backdoor…

The attackers were able to penetrate at system level due to usual end-user fuck-ups like using the same account & credentials on the web applications as well as shell access to production systems. One-time passwords did prevent the attackers from gaining full access to the entire infrastructure. It’s a nice read.

Java father leaves child behind

Sunday, April 11th, 2010

Oh wow.. many people I’ve spoken to about the Oracle/Sun merger didn’t like the idea but also at former Sun not everyone seems to be happy about it. As always with mergers like these the most gifted and talented people are the first ones to leave. Those who actually matter don’t have to put up with management crap. Just pack up your ol’ bags and throw ‘m down at some other company who is delighted with your arrival.

So the latest rumours are now confirmed: James Gosling (father of the programming language Java) is bailing ship… who will be next? Who will stay behind? What will the impact be on Sun’s former assets like Java, Solaris and MySQL?

Oracle has already taken another approach with many of the assets they got from Sun. Former Sun Solaris, now called Oracle Solaris, used to be free (as in free beer) but Oracle Solaris has a 90-day trial period. After the trial period you’ll have to obtain a license from Oracle. Sure, you can still use OpenSolaris but unfortunately all (or most) future development to Oracle Solaris is closed source so these features and fixes will not end up in OpenSolaris.

Gmail: Suspicious account activity

Wednesday, March 31st, 2010

Oh this is very very nice. Google has implemented a feature on gmail to detect suspicious account activity. Suppose you always access your gmail from the Netherlands… and all of a sudden it is accessed from Poland?… Gmail will now warn you about this kind of abnormal behaviour. It’s a good read. Here’s a little teaser…

A few weeks ago, I got an email presumably from a friend stuck in London asking for some money to help him out. It turned out that the email was sent by a scammer who had hijacked my friend’s account. By reading his email, the scammer had figured out my friend’s whereabouts and was emailing all of his contacts.

EU Open Standards under attack

Tuesday, March 30th, 2010

Yup once again the adoption of open standards by the EU has come under attack according to this article on Slashdot. They accuse Kroes of trying to get the open standards and open source off the agenda. Kind of weird isn’t it? She has been European Commissioner for Competition… go figure.

Pwn2Own: ÜBERP0WN4G3!

Friday, March 26th, 2010

Well as many developers already know: security is a concept, not a product! You can’t just throw “some security” at a piece of software. Security considerations must be part of the original design and development of software. The Pwn2Own hacking contest shows –once again– that there is too little security awareness in current software design. Look at these embarrassing results: all major browsers took a fall: Internet Explorer, Firefox and Safari. Most browsers are compromised by popular plugins like Acrobat Reader.

These OS’s took a fall: Windows 7, Windows XP, Mac OS X Snow Leopard. The only OS that is still standing is Linux. Because Linux is infinitely more secure? Well maybe but there’s also something else: Linux is an open source OS where highly skilled developers are coding. Changes are reviewed by others before they are merged into the main kernel tree. In other words: security is part of Linux. Another thing is that people who run Linux are people who are aware of abuse. These are –in general– not the people who would click on the ‘cute-kitten-movie.exe‘ attachment. So Linux is just not that interesting to Black Hat Hackers. True: Mac OS X is built on an open source OS as well: FreeBSD but the presentation layer and Safari are proprietary code from Apple (except for the WebKit on which it is built).

Microsoft currently runs the Security Development Lifecycle (SDL) model. This should make security an integral part of the development lifecycle. Well to be honest when budgets are getting tight and deadlines are running out: documentation and code quality are the first areas that take the fall. So really I don’t expect much from SDL. Especially since MS is trying to develop a ‘catch all’ (silver bullet) security measure inside the kernel… I’m not saying these measures aren’t worthwhile, they are (Linux has had them for ages now), it’s just not enough.

The phrase ‘security is a concept, not a product‘ proves its point when you look at the measures current OS’s are implementing to prevent ‘arbitrary code execution’. Windows XP, Windows Vista (still in use?) and Windows 7 have DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization). Both ‘techniques’ should prevent (or make it harder) to execute arbitrary code… but they don’t. Dutch security researcher Peter Vreugdenhil showed an impressive circumvention of DEP and ASLR in Windows 7. See: security is not a product.

The good thing is that the hackers are not just updating the vendors on the leaks they found. Instead they tell the vendors how to find the leaks themselves in an attempt to raise awareness.

StarCraft 2 Beta rumor

Tuesday, January 26th, 2010

Just a quick link to a website that has some evidence of a beta for StarCraft 2. The shots of the Blizzard people drinking beer are just a few frames from a movie. In the background you can see a projection screen with StarCraft 2 on it. It says “welcome to StarCraft 2 Beta”. Maybe they are celebrating this milestone, maybe not. Let’s hope we hear some official statement from Blizzard soon.

Petition against European software patents

Tuesday, January 5th, 2010

Please help to stop software patents in Europe by signing the petition against software patents. Background information (and the petition) can be found on the website against European software patents.

The patent system is misused to restrain competition for the economical benefit of a few but fails to promote innovation. A software market environment is better off with no patents on software at all. Healthy competition forces market players to innovate.

The patent system should not be misused -which is happening- to control competition for the economical benefit of a few, but should promote innovation. In the case of software, more innovation and a healthy independent SME economy means no patents on software at all. European court decisions still accept in many cases the validity of the software patents granted by national patent offices and the European Patent Office (EPO) that is beyond democratic control. They not only continue to grant them, but also to lobby in favor of them. Despite the current deep crisis of the patent system, they are unable to reform and put at risk too many European businesses with their soft granting policy.

If you care about freedom & innovation please consider signing the petition:

stopsoftwarepatents.eu petition banner

Example of impact of software patents

Mandelbulb 3D… whow!

Thursday, December 10th, 2009

Oh now… as a fractal lover (especially the Mandelbrot set) I was amazed at the 3D extension of the Mandelbrot set which they dubbed the Mandelbulb. Here you can find detailed information on the set. But maybe you don’t care for formulas… you just want the images? I have to sink my teeth into this puppy for a while before I fully understand how this is created. Meanwhile here’s a nice video of the Mandelbulb. Fractal dimensions now in 3D… what a day…

World of Goo birthday sale!

Friday, October 16th, 2009

I’ve blogged about World of Goo before on this site. It’s a great game that will entertain you for many hours. I got a tip yesterday from Sander (thanks mate!) about the World of Goo birthday sale. In short: you can determine your own price for the game. Watch it… this will only last until October 19!

You will get all downloadable versions… so one for Windows (why would I want that?) & one for Mac OS X & even the versions for Linux. I’ve donated $1.00 for the game and it makes me feel like a cheap ass but I think that’s the whole meaning of the birthday sale. I think you can donate as little as $0.01 to get the game but I didn’t try it out myself.

So if you want it rush over here before October 19.

Here you’ll see proof that I got it for only $1.00

iPhone, weapon of mass-disruption

Wednesday, July 29th, 2009

Whahahaa… nice. The EFF (electronic frontier foundation) has filed a request at the DMCA to allow jailbreaking of Apple’s iPhone. Users must be able to install any software they wish.. not just the software apple approves of.
Just this week Apple removed any voice-based application from the App Store to protect their exclusive deal with AT&T because it “duplicates features that come with the iPhone”. This just proves the necessity of people having the right to install any software they want.
Soooo Apple had to respond to the DMCA why jailbreaking would be bad…. well.. hold on tight.. according to Apple the iPhone is not just a phone… it’s a weapon of mass-disruption. I call “FUD”.

Extended maintenance

Saturday, July 25th, 2009

You may have noticed some downtime of the blog. This was due to a major system upgrade in which the entire system was recompiled against a new gcc/glibc combination.

After doing this and sifting through all changes in the configuration files Apache failed to start… How nice. Segmentation faults all over the place. A little tweaking here and there solved the problem albeit a little later than expected… Anyway… back online.

As it became clear that the outage was going to take more time than expected I wrote a small sorry-server in perl that served the webpage displayed below:

You can use the code for your own purposes if you want to:
Code can be found here

OpenSSH 0-day exploit HOAX

Friday, July 10th, 2009

Okay okay, calm down people…. calm down… This week rumours spread all over the internet that a 0-day attack against openSSH was used to compromise computer systems. Everyone was advised to upgrade to the latest version of openSSH even though there was not a single piece of evidence of this attack. Sure there was a nice (and somewhat entertaining) ‘script’ dump of an alleged attack (also read the small comments inside the script dump, very funny at times). In this dump you can see that they used a tool called 0penPWN (also called 0pen0wn) that allegedly breaks openSSH. But I think we are all able to fake some output aren’t we? Here’s another dump of an alleged attack.

Damien Miller (openSSH) responded that he still has not gotten a single piece of evidence of a 0-day exploit. He summarizes some of the possible attacks and argues that it’s very unlikely that openSSH can be compromised in those ways. It seems that the actual hacks were brute-force password attacks that actually succeeded.

I protect my system against brute-force attacks by allowing only 5 failures from a single host. When 5 failures (like invalid usernames) are detected the host is blocked for 4 hours. It does have a whitelist of known hosts that I will never block. This is a simple script that is constantly monitoring messages from the ssh daemon. Oh and when I mean block I’m talking iptables so all packets are dropped and the attacker will be slowed down and the attack comes to a grinding halt. This approach works like a charm. When my server was just online I got around 10 to 20 attacks per day that lasted for hours. Now I only get a few per day which are automatically detected and killed at a very early stage.

Here’s an extract from the sshd logfile (some fields are blurred). Here you’ll see 5 errors from a specific IP (98.173.XXX.XXX) and that’s it. From there on packets are dropped from that IP address.

extract from sshd.log

Here’s an extract from the logfile of my script that shows what clients are blocked and unblocked. You will see that we block the attacker and around 4 hours later we re-enable it. When he’s still attacking he will be blocked for another 4 hours etc.

extract from the logfile of my script
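
The blocking policy described in this post (5 failures per host, a 4-hour block, a whitelist, iptables DROP rules), as an added example that is not the author's script. The sshd log wording, the whitelist address and the sample lines are assumptions, and the iptables commands are recorded rather than executed.

```python
import re
from datetime import datetime, timedelta

MAX_FAILURES = 5                   # failures tolerated per host (from the post)
BLOCK_TIME = timedelta(hours=4)    # how long a host stays blocked (from the post)
WHITELIST = {"192.0.2.10"}         # assumed address of a known host, never blocked

# Assumed sshd syslog wording. "Failed password for invalid user" is skipped because
# sshd already logged "Invalid user" for it. Anchoring the address at the end of the
# line stops a crafted username ("x from 192.0.2.10") from getting another host blocked.
FAILURE = re.compile(r"sshd\[\d+\]: (?:Invalid user|Failed password for(?! invalid user))"
                     r" .* from (\d{1,3}(?:\.\d{1,3}){3})(?: port \d+)?(?: ssh2)?$")

class Blocker:
    def __init__(self):
        self.failures = {}   # ip -> failures seen since the last block
        self.blocked = {}    # ip -> time at which the block is lifted
        self.commands = []   # iptables calls a live daemon would run (only recorded here)

    def expire(self, now):
        for ip in [ip for ip, until in self.blocked.items() if now >= until]:
            del self.blocked[ip]
            self.commands.append(["iptables", "-D", "INPUT", "-s", ip, "-j", "DROP"])

    def feed(self, now, line):
        self.expire(now)
        match = FAILURE.search(line)
        ip = match.group(1) if match else None
        if ip is None or ip in WHITELIST or ip in self.blocked:
            return
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= MAX_FAILURES:
            del self.failures[ip]
            self.blocked[ip] = now + BLOCK_TIME
            self.commands.append(["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"])

def replay(events):
    blocker = Blocker()
    for now, line in events:
        blocker.feed(now, line)
    return blocker

# Constructed sample log lines (documentation addresses, not from the post's logfile).
T0 = datetime(2009, 7, 10, 3, 0, 0)
SAMPLE = [(T0 + timedelta(seconds=i), f"Jul 10 03:00:0{i} host sshd[4711]: Invalid user u{i} from 203.0.113.7")
          for i in range(5)]
SAMPLE += [(T0 + timedelta(seconds=9), "Jul 10 03:00:09 host sshd[4712]: Invalid user x from 192.0.2.10 from 198.51.100.9"),
           (T0 + timedelta(hours=4, seconds=5), "Jul 10 07:00:05 host sshd[4713]: Accepted password for bob from 192.0.2.10 port 22 ssh2")]
```

Replaying `SAMPLE` blocks 203.0.113.7 on its fifth failure and lifts the block when the first log line after the 4 hours arrives; the line with the crafted username is counted against its real source, 198.51.100.9.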


Announced: Google’s Chrome OS

Wednesday, July 8th, 2009

Yesterday Google officially announced Chrome OS, an operating system targeted at netbooks (both Intel x86 & ARM-based). Chrome OS will be built on the Linux kernel. Google will reimplement the security architecture of Linux. A new minimal graphical interface will provide an easy to use interface. As Google says it: “it should just work”.

Speed, simplicity and security are the key aspects of Google Chrome OS. We’re designing the OS to be fast and lightweight, to start up and get you onto the web in a few seconds. The user interface is minimal to stay out of your way, and most of the user experience takes place on the web. And as we did for the Google Chrome browser, we are going back to the basics and completely redesigning the underlying security architecture of the OS so that users don’t have to deal with viruses, malware and security updates. It should just work.

Here’s the full announcement. You want screenshots don’t you?