The new URL will be eldapo.lembobrothers.com.
I've migrated the content of this site over to the new domain, importing it into a new WordPress instance there. From past experience I know there are going to be some formatting issues, especially with displaying large blocks of code. There are about 72 posts on this blog right now, so it's going to take time to clear everything up. Meanwhile, all new posts are going to be at the new location, so I hope to see you there.
ISO Refuses to Adopt Microsoft Office Open XML
From the New York Times:
Microsoft is Rebuffed by Standards Body
Microsoft’s bid to extend its dominance in digital documents to the new field of open-format documents was unexpectedly rebuffed today when a global technical panel refused to designate its Office Open XML as an international standard.* * * “I think many countries simply resisted what they considered undue pressure from Microsoft,” said Pieter Hintjens, president of the Foundation for a Free Information Infrastructure, a Brussels group that opposed Microsoft’s request. “In Europe our standards processes are sophisticated and Microsoft simply lobbied too hard.”* * * Mr. Hintjens said Microsoft will have a hard time winning over countries that opposed its standards bid because to do so, Microsoft would be forced to officially put into the public domain the secret coding for many of its proprietary document formats that already dominate the global market, like those in its Office software suite.
No worry, Microsoft, you already own the U.S. market - where we have no standards, thanks to clueless IT executives and corrupt politicians.
News Flash: SCO LOST
The nitty gritty details from Groklaw.
Once again, the headline from El Reg is priceless:
Novell owns Unix copyrights after all: Judge tells SCO to find its checkbook
It's all over now, except for what will certainly be months or even years of motions to reconsider, applications for trial de novo, motions for stays and appeals up through the Federal court system -- until SCO runs out of money (or its partner in slime, Microsoft, cuts its losses and shuts off the tap).
Someone have a beer for me (hypertension sucks).
Pentagon Got Hacked by the PLA: Join the Club, Bob
It's now being reported that the Chinese military hacked the Pentagon's e-mail in June.
One article describes the technological equivalent of a wrestling match between "their" cyberguys and "ours".
My favorite take on all this comes from, unsurprisingly, The Register:
Pentagon: Chinese military hacked us (We'll need a whole bunch of expensive stuff).
Big deal. Join the club (Secretary of Defense) Bob (Gates)!
First, this isn't the first time we've heard this kind of thing. In 2005, Time Magazine published an article entitled The Invasion of the Chinese, about a PLA intrusion into Department of Energy systems. Of course, in that instance the guy who threw down the flag on the PLA got summarily bashed by Uncle Sam.
The pattern of attack described in the earlier 2004 incident and in the more recent acknowledgement (Clarion call? Alarm bell? Fear-mongering to fatten the next appropriations bill?) seems nearly identical.
The amazing part is that you'd think the Pentagon would find the whole experience humiliating, in that it exposes the ineffectiveness, ineptitude, of their electronic defenses. Of course this is the same organization that couldn't even defend its own headquarters on 9-11 from a successful attack by an unarmed, subsonic, aircraft. As in so many things, they appear to have no shame in this either.
Not that I've had any experience with any effort by systems originating on a People's Liberation Army network "footprinting" and then penetrating my home network, but if I did it surely would have caused me to be embarrassed.
Now if the PLA were to have done something like that, I would have been surprised to discover that they did it using machines that were so easy to track back to their publicly known network addresses that my 7 year-old son could have found them.
Again, if such an exploit took place, they did it with a straight shot at my server through an open port on my firewall, using an incredibly well-known vulnerability in UNIX systems that only an unhardened, or an ineptly hardened, system would have succumbed to. The other professionally humiliating detail was that I discovered the breach (er, assuming there was a breach) completely by accident and only did my forensic work long after they'd had their fun.
So, if this kind of thing had happened, the system logs, once checked, clearly showed the origin of the dozens of connection attempts, and a couple of successful connects, by a remote system that a little backtracking through DNS revealed to be coming from a subnet owned by the PLA. Tracking that down took less than an hour.
No hacking of foreign systems was required to do the detective work described above. It was all done with traceroute, dig and a few queries on the World Wide Web. Nothing fancy, and certainly insufficient to constitute evidence in any court of law.
Ironically, a couple of rules on my router to deny access to anything coming from one of the subnets controlled by the PLA would have effectively blocked the whole effort. My home router is a $59 Linksys device. I'm guessing that the U.S. Department of Defense uses equipment that's somewhat more sophisticated and configurable than that.
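The log review and subnet deny rule described above can be sketched as follows. This is an added example, not the author's tooling: the key=value log format, the `DENY_NETS` list and the function names are hypothetical, and the addresses are documentation ranges rather than the networks from the incident.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed log lines in a made-up key=value format. Addresses come from
# the RFC 5737 documentation ranges and do not identify any real network.
SAMPLE_LOG = """\
2000-01-01T02:14:07 conn src=203.0.113.45 dport=2222 result=refused
2000-01-01T02:14:09 conn src=203.0.113.45 dport=2222 result=refused
2000-01-01T02:14:15 conn src=203.0.113.45 dport=2222 result=refused
2000-01-01T02:15:01 conn src=203.0.113.45 dport=2222 result=accepted
2000-01-01T02:31:40 conn src=203.0.113.45 dport=2222 result=accepted
2000-01-01T08:02:11 conn src=198.51.100.7 dport=2222 result=accepted
2000-01-01T08:05:00 this line is truncated and carries no fields
"""

# Hypothetical deny list: the subnets a router rule would drop.
DENY_NETS = ["203.0.113.0/24"]

LINE_RE = re.compile(
    r"src=(?P<src>\S+)\s+dport=(?P<dport>\d+)\s+result=(?P<result>\w+)"
)


def summarize(log_text, deny_nets):
    """Count attempts and accepted connections per source address and
    record which deny-list network (if any) covers that source."""
    nets = [ipaddress.ip_network(n) for n in deny_nets]
    stats = defaultdict(lambda: {"attempts": 0, "accepted": 0, "net": None})
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue  # skip lines that do not parse instead of guessing
        try:
            addr = ipaddress.ip_address(match["src"])
        except ValueError:
            continue  # src field is not a valid IP address
        entry = stats[str(addr)]
        entry["attempts"] += 1
        if match["result"] == "accepted":
            entry["accepted"] += 1
        entry["net"] = next((str(n) for n in nets if addr in n), None)
    return dict(stats)


def would_have_blocked(stats):
    """Sources that got at least one connection accepted even though a
    deny rule for their subnet would have dropped them at the router."""
    return sorted(ip for ip, s in stats.items() if s["accepted"] and s["net"])


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, DENY_NETS)
    for ip, s in sorted(report.items()):
        print(ip, s["attempts"], "attempts,", s["accepted"], "accepted,",
              "covered by", s["net"])
    print("accepted despite deny-list coverage:", would_have_blocked(report))
```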
I wonder if this most recent intrusion was done through a system located on a network publicly known to be controlled by the Chinese government? Would the brain trust at DOD be so negligent as to not block access from addresses on such networks? Something tells me that if they were, we're not going to know about it for a while.
You know what? I'd say the PLA has done us all a service here, by putting the spotlight on our government's weaknesses. In fact, I'd encourage them to keep it up. Given what contractors usually charge to conduct penetration tests, we're getting a good workout at a bargain price. After all, with all the U.S. debt they own, the Chinese have a vested interest in the continued good health of our economy, at least. Maybe shaving a few hundred billion dollars wasted on a failed defense establishment would improve the "bottom line" enough to give them (the Chinese) some significantly better return on their investment -- not to mention on ours (the American people).
Man, you can't make this stuff up.
P.S. Of course, even back a couple of years ago I was running Linux on all my systems, while both DOE and DOD have a preponderance of Windows boxes. Not that Windows (more particularly, MS Exchange, which is what I'm guessing is the e-mail server product most recently compromised -- all so Bob and "crew" can use their Blackberrys) can't be hardened (see the NSA's Security Configuration Guides page, which you'd never find through the main site navigation if you didn't know what you were looking for -- thank God for Google), it just takes a lot more skill and effort than hardening a UNIX box -- which kind of blows the whole "Windows is better because it doesn't require expensive, highly trained, technical resources to be effective in even the most demanding environments" mantra that Microsoft has been chanting for 20 years.
BIG P.P.S. The intruders into my system (if an intrusion occurred) didn't hurt anything, nor do they seem to have been interested in stealing any files they might have seen. There were no config changes or file transfers during their time on my machine. From what I can tell, their sole interest seemed to be in achieving the breach itself, and they didn't stick around long after.
Oracle 11g Insecure due to "Stupid" Developer Mistakes
Oops. I mean, "stupid mistakes made by developers".
Here's the scoop from that leader in corporate IT communications, ComputerWorld:
Expert finds 'stupid' vulnerabilities in Oracle 11g
Most of the above article lays out what the quoted db security expert says are "stupid" vulnerabilities in Oracle's latest database product that result from mistakes by its developers. While calling on the one hand for Oracle to better educate its developers to avoid these kinds of mistakes, he also goes on to say that there are some vulnerabilities that are related to Oracle's underlying architecture. What's striking here is that nowhere in the article do we get any idea of just what those architectural deficiencies are. Pretty amazing failure to report some really important (maybe critical) facts for what's supposed to be a technology-savvy computer trade publication. Is it that the reporter was too stupid or too lazy to ask the right questions (and comprehend the answers), or just a case of an overzealous editor cutting real news to get an additional column inch for advertising?
The more interesting part of the article comes at the end though, where the horrific costs of patching are described. Of course the reporter doesn't mention that these costs exist for almost every software product, including operating systems. The little aside about how much work this involves on the vendor side is a nice touch, leading me (not the reporter, apparently, unless this question was also cut by the editor) to ask: "How many problems go unresolved because of the cost resolving them would represent to [insert name of vendor here]?"
Hey Larry, how's that offshoring of all your development work turning out anyway?
doing x over telnet with RedHat
Yes, I know how insecure X over telnet is. But sometimes interoperability trumps enhanced security, so the following is offered for those times when you just have to use telnet to run X apps remotely on a RedHat box.
Freeing up X over telnet on RedHat/Fedora is actually pretty simple, if you know the trick.
What you need to do is make a change in the system's gdm configuration. The easiest way to do this is run gdmsetup and click on the "Remote" tab. Go to the drop-down menu for "Style" and pick something, anything, other than "Remote Login Disabled". You can also do this from the command line by going to /etc/gdm/custom.conf and adding "Enable=true" under the "[xdmcp]" section of the file.
Oh, yeah, also remember to enable telnetd on the remote server (it's not installed by default). Even if you've installed the legacy server packages you still need to go to /etc/xinetd.d/telnet and change "disable" to "no" and restart xinetd.
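Since both changes are meant for the occasional case where telnet is unavoidable, it helps to be able to check afterwards whether a box still has them switched on. The following is an added example, not part of the original post: the function names are hypothetical and the file contents are constructed samples of the two files named above.

```python
import configparser
import re

# Constructed sample contents for /etc/gdm/custom.conf and
# /etc/xinetd.d/telnet after the two changes described in the post.
SAMPLE_GDM_CUSTOM_CONF = """\
[daemon]

[xdmcp]
Enable=true
"""

SAMPLE_XINETD_TELNET = """\
# constructed sample
service telnet
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        disable         = no
}
"""


def xdmcp_enabled(custom_conf_text):
    """Return True if the [xdmcp] section sets Enable=true."""
    # strict=False tolerates repeated keys in a hand-edited file.
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_string(custom_conf_text)
    value = parser.get("xdmcp", "enable", fallback="false")
    return value.strip().lower() == "true"


def telnet_enabled(xinetd_text):
    """Return True unless the service block carries 'disable = yes'."""
    disable = "no"  # xinetd runs a service that has no disable line
    for raw in xinetd_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        match = re.match(r"disable\s*=\s*(\S+)", line)
        if match:
            disable = match.group(1).lower()
    return disable != "yes"


def audit(gdm_text, xinetd_text):
    """List which of the post's two changes are currently in effect."""
    findings = []
    if xdmcp_enabled(gdm_text):
        findings.append("XDMCP enabled in gdm custom.conf")
    if telnet_enabled(xinetd_text):
        findings.append("telnet enabled in xinetd: credentials cross the "
                        "network in cleartext")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_GDM_CUSTOM_CONF, SAMPLE_XINETD_TELNET):
        print("FINDING:", finding)
```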
more aix annoyances: ssh -X doesn't work
subtitle: "Screw IBM and the horse that it rode in on!"
Like Sun Solaris, IBM AIX apparently implements its own weird build and defaults for ssh that prevent the "ssh -X" trick to get seamless access to X apps on remote servers from working. OK, so RedHat for its part has by default locked down Gnome and XWindows so that you can't do X into or out of a RedHat (or Fedora) box using telnet with the old "xhost +" and "export DISPLAY=xxx.xxx.xxx.xxx:0.0" trick either (well, there is a workaround, see a future post for the details).
So there. We're even. No interoperability between UNIX systems supposedly all using the same open source components.
More bullsh*t to deal with. Thanks Big Blue. I hope you choke on your own patchsets.
