Yup, once again the adoption of open standards by the EU has come under attack, according to this article on Slashdot. They accuse Kroes of trying to get open standards and open source off the agenda. Kind of weird, isn't it? She has been European Commissioner for Competition... go figure.
Well, as many developers already know: security is a concept, not a product! You can't just throw "some security" at a piece of software. Security considerations must be part of the original design and development of software. The Pwn2Own hacking contest shows –once again– that there is too little security awareness in current software design. Look at these embarrassing results: all major browsers took a fall: Internet Explorer, Firefox and Safari. Most browsers are compromised through popular plugins like Acrobat Reader.
These OSes took a fall: Windows 7, Windows XP, Mac OS X Snow Leopard. The only OS still standing is Linux. Because Linux is infinitely more secure? Well, maybe, but there's also something else: Linux is an open source OS where highly skilled developers are coding. Changes are reviewed by others before they are merged into the main kernel tree. In other words: security is part of Linux. Another thing is that people who run Linux are people who are aware of abuse. These are –in general– not the people who would click on the 'cute-kitten-movie.exe' attachment. So Linux is just not that interesting to black hat hackers. True: Mac OS X is built on an open source base as well (Darwin, which borrows heavily from FreeBSD), but the presentation layer and Safari are proprietary code from Apple (except for WebKit, on which Safari is built).
Microsoft currently runs the Security Development Lifecycle (SDL) model. This should make security an integral part of the development lifecycle. Well, to be honest, when budgets are getting tight and deadlines are running out, documentation and code quality are the first areas that take the fall. So really I don't expect much from SDL. Especially since MS is trying to develop a 'catch all' (silver bullet) security measure inside the kernel... I'm not saying these measures aren't worthwhile, they are (Linux has had them for ages now), it's just not enough.
The phrase 'security is a concept, not a product' proves its point when you look at the measures current OSes are implementing to prevent 'arbitrary code execution'. Windows XP has DEP (Data Execution Prevention, since SP2); Windows Vista (still in use?) and Windows 7 add ASLR (Address Space Layout Randomization) to that. Both 'techniques' should prevent (or at least make it harder) to execute arbitrary code... but on their own they don't. Dutch security researcher Peter Vreugdenhil showed an impressive circumvention of DEP and ASLR in Internet Explorer 8 on Windows 7. See: security is not a product...
The good thing is that the hackers are not just updating the vendors on the vulnerabilities they found. Instead they tell the vendors how to find the vulnerabilities themselves, in an attempt to raise awareness.
Just a quick link to a website that has some evidence of a beta for StarCraft 2. The shots of the Blizzard people drinking beer are just a few frames from a movie. In the background you can see a projection screen with StarCraft 2 on it. It says "welcome to StarCraft 2 Beta". Maybe they are celebrating this milestone, maybe not. Let's hope we hear some official statement from Blizzard soon.
Please help to stop software patents in Europe by signing the petition against software patents. Background information (and the petition) can be found on the website against European software patents.
The patent system is misused to restrain competition for the economic benefit of a few, but fails to promote innovation. A software market is better off with no patents on software at all. Healthy competition forces market players to innovate.
The patent system should not be misused -which is happening- to control competition for the economic benefit of a few, but should promote innovation. In the case of software, more innovation and a healthy independent SME economy means no patents on software at all. European court decisions still accept in many cases the validity of the software patents granted by national patent offices and the European Patent Office (EPO), which is beyond democratic control. They not only continue to grant them, but also lobby in favor of them. Despite the current deep crisis of the patent system, they are unable to reform and put too many European businesses at risk with their soft granting policy.
If you care about freedom & innovation please consider signing the petition:
Oh wow... as a fractal lover (especially of the Mandelbrot set) I was amazed at the 3D extension of the Mandelbrot set which they dubbed the Mandelbulb. Here you can find detailed information on the set. But maybe you don't care for formulas... you just want the images? I have to sink my teeth into this puppy for a while before I fully understand how this is created. Meanwhile here's a nice video of the Mandelbulb. Fractal dimensions now in 3D... what a day...
I've blogged about World of Goo before on this site. It's a great game that will entertain you for many hours. I got a tip yesterday from Sander (thanks mate!) about the World of Goo birthday sale. In short: you can determine your own price for the game. Watch it... this will only last until October 19!
You will get all downloadable versions... so one for Windows (why would I want that?), one for Mac OS X and even the versions for Linux. I've donated $1.00 for the game and it makes me feel like a cheap ass, but I think that's the whole meaning of the birthday sale. I think you can donate as little as $0.01 to get the game, but I didn't try it out myself.
Whahahaa... nice. The EFF (Electronic Frontier Foundation) has filed a request for a DMCA exemption to allow jailbreaking of Apple's iPhone. Users must be able to install any software they wish... not just the software Apple approves of.
Just this week Apple removed every voice-based application from the App Store to protect their exclusive deal with AT&T, because it "duplicates features that come with the iPhone". This just proves the necessity of people having the right to install any software they want.
Soooo Apple had to respond to the exemption request on why jailbreaking would be bad... well... hold on tight... according to Apple the iPhone is not just a phone... it's a weapon of mass disruption. I call "FUD".
You may have noticed some downtime of the blog. This was due to a major system upgrade in which the entire system was recompiled against a new gcc/glibc combination.
After doing this and sifting through all changes in the configuration files, Apache failed to start... How nice. Segmentation faults all over the place. A little tweaking here and there solved the problem, albeit a little later than expected... Anyway... back online.
As it became clear that the outage was going to take more time than expected, I wrote a small sorry-server in Perl that served the webpage displayed below:
Okay okay, calm down people... calm down... This week rumours spread all over the internet that a 0-day attack against OpenSSH was used to compromise computer systems. Everyone was advised to upgrade to the latest version of OpenSSH even though there was not a single piece of evidence of this attack. Sure, there was a nice (and somewhat entertaining) 'script' dump of an alleged attack (also read the small comments inside the script dump, very funny at times). In this dump you can see that they used a tool called 0penPWN (also called 0pen0wn) that allegedly breaks OpenSSH. But I think we are all able to fake some output, aren't we? Here's another dump of an alleged attack.
Damien Miller (OpenSSH) responded that he still has not gotten a single piece of evidence of a 0-day exploit. He summarizes some of the possible attacks and argues that it is very unlikely that OpenSSH can be compromised in those ways. It seems that the actual hacks were brute-force password attacks that actually succeeded.
I protect my system against brute-force attacks by allowing only 5 failures from a single host. When 5 failures (like invalid usernames) are detected, the host is blocked for 4 hours. It does have a whitelist of known hosts that I will never block. This is a simple script that is constantly monitoring messages from the ssh daemon. Oh, and when I say block I'm talking iptables, so all packets are dropped: the attacker is slowed down and the attack comes to a grinding halt. This approach works like a charm. When my server had just come online I got around 10 to 20 attacks per day that lasted for hours. Now I only get a few per day, which are automatically detected and killed at a very early stage.
Here's an extract from the sshd logfile (some fields are blurred). Here you'll see 5 errors from a specific IP (98.173.XXX.XXX) and that's it. From there on, packets from that IP address are dropped.
extract from sshd.log
Here's an extract from the logfile of my script that shows which clients are blocked and unblocked. You will see that we block the attacker and around 4 hours later we re-enable it. When he's still attacking, he will be blocked for another 4 hours, and so on.
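For readers who want to see what such a watcher looks like, here is an added example that implements the policy described above (5 failures from one host, a 4-hour iptables DROP, a whitelist that is never blocked). It is written for this page and is not the author's own script; the log format is the one OpenSSH sends to syslog, the whitelist addresses and the /var/log/auth.log path are placeholders, and the sample log lines are constructed. The iptables runner and the clock are injectable so the logic can be exercised without root and without waiting four hours.

```python
import re
import subprocess
import time
from collections import defaultdict

# Policy from the post: 5 failures from one host, then a 4-hour iptables DROP.
MAX_FAILURES = 5
BLOCK_SECONDS = 4 * 3600
# Hosts never to block. Assumption: placeholder addresses (RFC 5737 documentation range).
WHITELIST = {"127.0.0.1", "192.0.2.10"}

# One failed authentication as logged by OpenSSH. For unknown accounts sshd also logs a
# separate "Invalid user ... from" line before this one; counting only the "Failed ..."
# line avoids counting the same attempt twice. IPv4 only, as in the post's log extract.
FAIL_RE = re.compile(
    r"Failed (?:password|none|publickey) for (?:invalid user )?\S+ from "
    r"(\d{1,3}(?:\.\d{1,3}){3})"
)


def iptables(args):
    """Apply a rule on the real firewall (needs root). Used when no runner is injected."""
    subprocess.run(["iptables", *args], check=True)


class BruteForceBlocker:
    def __init__(self, run=iptables, now=time.time):
        self.run = run                     # callable receiving iptables arguments
        self.now = now                     # clock, injectable for testing
        self.failures = defaultdict(int)   # ip -> failures since last (un)block
        self.blocked = {}                  # ip -> unix time at which the DROP rule goes

    def feed(self, line):
        """Process one sshd log line. Returns the IP if it just got blocked, else None."""
        m = FAIL_RE.search(line)
        if not m:
            return None
        ip = m.group(1)
        if ip in WHITELIST or ip in self.blocked:
            return None
        self.failures[ip] += 1
        if self.failures[ip] < MAX_FAILURES:
            return None
        self.run(["-I", "INPUT", "-s", ip, "-j", "DROP"])
        self.blocked[ip] = self.now() + BLOCK_SECONDS
        del self.failures[ip]              # a fresh count starts once the block expires
        return ip

    def expire(self):
        """Remove DROP rules whose 4 hours are up. Returns the IPs that were unblocked."""
        due = [ip for ip, until in self.blocked.items() if self.now() >= until]
        for ip in due:
            self.run(["-D", "INPUT", "-s", ip, "-j", "DROP"])
            del self.blocked[ip]
        return due


def follow(path, blocker, poll=1.0):
    """Tail the auth log like `tail -f`, feeding every new line to the blocker."""
    with open(path) as f:
        f.seek(0, 2)                       # start at end of file: only new lines matter
        while True:
            line = f.readline()
            if line:
                blocker.feed(line)
            else:
                blocker.expire()
                time.sleep(poll)


# Constructed sample lines (not a real log): one attacker and one whitelisted host.
SAMPLE_LOG = [
    "Jul 12 03:14:%02d srv sshd[4242]: Failed password for invalid user admin "
    "from 203.0.113.5 port 51022 ssh2" % i
    for i in range(1, 7)
] + [
    "Jul 12 03:15:01 srv sshd[4243]: Failed password for root from 192.0.2.10 port 40000 ssh2"
] * 6


def demo():
    """Run the sample through the blocker with a fake clock; returns (blocked, unblocked, commands)."""
    clock = [1_700_000_000.0]
    commands = []
    blocker = BruteForceBlocker(run=commands.append, now=lambda: clock[0])
    blocked = [ip for ip in map(blocker.feed, SAMPLE_LOG) if ip]
    clock[0] += BLOCK_SECONDS              # four hours later
    unblocked = blocker.expire()
    return blocked, unblocked, commands


if __name__ == "__main__":
    print(demo())
    # Real use (as root), path assumed: follow("/var/log/auth.log", BruteForceBlocker())
```

Running the demo blocks 203.0.113.5 on its fifth failure, ignores the sixth line because the host is already blocked, never touches the whitelisted 192.0.2.10, and removes the DROP rule once the fake clock has advanced four hours. On a real box you would rather insert the rules into a dedicated chain than straight into INPUT, so a restart can flush them in one go, and you would handle log rotation (the tail loop above keeps reading the old file descriptor).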
Yesterday Google officially announced Chrome OS, an operating system targeting netbooks (both Intel x86 and ARM-based). Chrome OS will be built on the Linux kernel, but Google will redesign the security architecture of the OS. A new minimal graphical interface will provide an easy to use interface. As Google says it: "it should just work".
Speed, simplicity and security are the key aspects of Google Chrome OS. We’re designing the OS to be fast and lightweight, to start up and get you onto the web in a few seconds. The user interface is minimal to stay out of your way, and most of the user experience takes place on the web. And as we did for the Google Chrome browser, we are going back to the basics and completely redesigning the underlying security architecture of the OS so that users don’t have to deal with viruses, malware and security updates. It should just work.
Mayday... Mayday... the vehicle that tried to spread FUD (fear, uncertainty & doubt) in the open Unix community is going down... The demise of SCO is nigh... Many times investors have tried to keep the warship afloat, but this time it's going down for good.
Groklaw has a nice article on it… Chapter 7 may be the last chapter of SCO.
Today I talked with my friends Karel and Bas about how cool it would be if you could have all your books on an ebook reader. It's definitely something that we would love to have. Amazon just released the Kindle 2 ebook reader. However, that would require you to carry around another device. But if you are the lucky owner of an Apple iPhone you can get the Kindle reader for free on your iPhone. Matthew Miller wrote a nice article on this and has some beautiful screenshots. This seems pretty usable, but unfortunately the iPhone will drain its battery while on a Kindle only a page change requires power. Here's a nice video of the Kindle 2 and the Kindle software on the iPhone...
Mayday mayday... we're going down... we're going down. Finally, now that Microsoft has an OS that can actually run more than one application at once, they use that to extort some money out of you. The Windows 7 Starter Edition will not allow you to run more than three applications at the same time (virus scanners etc. not included). Whahahahaha, what is wrong with those people from Redmond?
Surely this will also raise the price of netbooks once they are preinstalled with Windows 7. I thought Vista sucks, but this is really crap. How many more arguments do you need to start using Unix? Now please be aware that Microsoft claims the average user uses only two applications at the same time. Yeah right. I don't know about you, but during the day I'll have around 10 to 15 applications open. Tssss... I wonder what's next. Pay extra for using multiple USB storage sticks? Pay up when you connect a new mouse? This is pathetic.
There are not many original new games nowadays. Most of the games are first-person shooters that are mere evolutions of previous titles. Think of the Halo and Grand Theft Auto series. There's nothing wrong with that. Every now and then a new original game pops up that stands out against the mainstream titles. What do you think of the just released Crayon Physics Deluxe?
You'll have to use your creativity and your knowledge of physics to roll a ball from one spot to another spot (marked with a star). No fancy graphics, no difficult pixel shader tricks... just pure fun. This looks like hours of fun. The only drawback is that you need to run Microsoft Windows or an Apple iPhone for this game. Take a look at the demonstration video below. Like what you see? There's more on YouTube.
Har har har... you might think the IT industry at large may have learned a small lesson from the millennium bug (Y2K bug). Well, most professionals probably did, but Microsoft still manages to screw up bigtime. In this case the Zune 30GB version has a leap-year bug: it will not start up properly on the 366th day of a leap year. Fortunately there is a fix at hand... Just let it run out of battery capacity. Recharge the battery and start it after noon GMT the next day and your Zune will be fine. You got to love those Microsoft products.
With the Zune you get the full Microsoft experience. Think of the continuous thrill and excitement the Zune is offering you... is it going to work or will it blow up in my face? It's like rebooting after a blue screen of death... you'll never know whether your system will successfully restart or not. Microsoft gives you just that little bit more excitement...
Alright... I'm on Google+ now. Lots of stuff to discover but I'm liking it so far... (2011/07/01)
He attacked everything in life with a mix of extraordinary genius and naive incompetence, and it was often difficult to tell which was which (2011/05/25)
Bob Dylan turned 70 yesterday. Rolling Stone magazine has 70 photos http://t.co/sY70hiH (2011/05/25)
"If the only tool you have is a hammer, you tend to see every problem as a nail." -- Abraham H. Maslow (2011/05/20)