Older blog entries for ib (starting at number 10)

With the AbiWord fund being on its way back to its rightful owner(s), a question is in order: how powerful is Open Source?

Obviously, some $500+ are by far not the biggest amount ever stolen from PayPal's customers and it's definitely not the only one this month.

On the other hand, we have a well known project, with thousands if not more active supporters, media attention and very powerful commincation outlets - ideal settings to force even the most customer-unfriendly, demeaning company to give in. For PayPal, the $600 are anything but a huge sum, the potential impact, both in loss of clientel and bad media coverage, however is huge.

Would Joe M. Shareware-Windows-Coder have the same impact? I don't believe so. Between its release and the forced removal, some 34.000 people downloaded my "PayPal Insecurities" white paper, but until today, the same holes I described in 2001 exist. In fact, I am almost convinced the AbiWord "heist" was done one of the ways I described back then. I've been called irresponsible for "disclosing" those holes, and still (as in this case) get the calls after each more-or-less public PayPal incident. Fact is, and I keep telling this, those "expolits" were known to thousands of script-kiddies long before I published them in my paper, and both, PayPal and law enforcement knew about the websites dedicated to this kind of fraud.

Now, with AbiWord being the victim, maybe the power of Open Source will make possible what I and hundreds of former victims could not achieve - maybe now they'll think about fixing what's been broken for way too long.

29 Oct 2002 (updated 29 Oct 2002 at 03:56 UTC) »

Thanks to ianmcd, I finally have Ruby on my Zaurus. Maybe I should have kept one Linux box around :)

jdub: That's (unfortunately) the way, open communities will always wind up. Unless there are hundreds of technical and social barriers, one will wind up with trolls, no matter where. Remember, there was a time, when Slashdot was readable :).

Now, Advogato has its mechanisms to maintain a high S/N ratio, the trust metric and diary rating are excellent tools - but either depend on a healthy base of contributors. And, like it or not (I don't :), there's more trolls and "I installed RedHat with Gnome, I am a l33t coder" users out there than even Advogato could survive, should they decide to flock over here.

On a work related note: I am still interviewing candidate after candidate though it's getting very frustrating. There's still plenty of resumes to go through, but I am slowly getting the impression that all good candidates are either outside of the SF Bay Area or already employed somewhere else.

jluster@clusterfsck.net, if you happen to know someone or are someone in the Silicon Valley with a good Unix background.

26 Oct 2002 (updated 26 Oct 2002 at 21:43 UTC) »
shlomif - welcome to the ODP. Understanding it all and getting "into" it, can be intimidating at first. Just don't be shy, only a few Eds bite :)

Recession? My behind! No matter where I go, I keep hearing about high levels of unemployment, people laid off from work and being unable to find a new job, employers who pay minimum wages for their top-Unix staff, etc. Yet, my company's been looking for some clueful Unix engineers and programmers, without any luck.

Yes, we have stacks of resumes, but only a few even survive the basic ego and resume deflating we use during the initial phone-screen and interview. It's ridiculous. Some of the gems I encountered in the past weeks include:

* The dude who claimed "Intimate Unix Knowledge", which - during the interview - translated into "Runs RedHat since 5.x and was not able to configure TCP/IP on a box without the help of RedHat's utilities, knows nothing about Unix kernel work, is unable to write even rudimentary scripts or programs and failed the "How many IPs are in a /25" test.

* The dude who'd "run FreeBSD and Linux since 1994", but had a hard time explaining the difference between Linux' and BSD's boot concept.

* The "security professional" who ran Windows exclusively.

* The "I was not promoted, because I am female" applicant who did not know what a man-page was and how to show interfaces on a Linux system.

Is it THAT hard to find someone clueful enough to stand his man or woman in an enviroment that does not believe in hand-holding and expects some level of familiarity with the basic concepts of networking and Unix OSes?

Take a look over at eWeek's "openhack" challenge. In its fourth incarnation, eWeek (which is heavily sponsored by Microsoft) tries once again to prove Microsoft and Oracle security.

The challenge includes an Oracle and Microsoft server, which must be owned or defaced in order to be considered "compromised".

A closer look at the infrastructure, however, reveals the truth:

Aside from the servers in question and some infrastructure (which itself is partially shielded and guarded), most servers are ... tada ... OpenBSD. Both, ns and mail are served by OpenBSD 3.2, firewalls are OBSDs pf, and the switch and routing fabric is Extreme Networks', which runs ... well, they won't tell, but everybody who ever looked at a Summit or Diamond knows...

In short, this is pathetic. The topology used is highly unlikely to be deployed in a working environment, critical infrastructure is based on Unix, not Windows (PDF file containing the topology, 127kb), and the rules exclude some of the more powerful attacks.

What will this challenge prove? For the successful attacker, it proves a modicum of knowledge, and for Microsoft or Oracle it proves nothing (other than the fact that there are things even eWeek won't run on Windows).

As sad and scary as those Sniper attacks in DC are, twice as many people die every day in the streets of Boston, LA or Detroid. Nobody gives a crap anymore. Why? Because they're poor? Because it's not a sniper-gun but a saturday night special drop-piece?


How can _anyone_ release software that is known to have security flaws. I'm not talking about the 'everything is insecure' paradigm, I am speaking about tangible, known, reported, fixable, exploits. Oracle and Microsoft seem to be prime candidates for a "truth in advertising" suit - but then, who'd want to argue the meaning of "secure" with their $1k/h lawyers.

I went over to Cupertino to meet an (here unnamed) friend of mine who spends his days being a security minion for a major DDM/data mining company. According to him, his company has found and communicated no less than nineteen root-level exploits in one of those huge database thingies, and not a single one has been fixed, despite active release cycles.

What's even worse - the company has communicated the flaws internally to its SEs and asked them to NOT discuss security other than by pointing at the official documentation, which a) claims 100% security, b) disclaims any responsibilities if a) is to be found incorrect.

Luckily enough, at least I am surrounded by Open Source. Not that there are less flaws and holes to be found here, but at least nobody will be able to lie about it for an extended period of time.

Which reminds me, I need to get back to that Oracle dude we had over here last week - he even had the guts to claim 9i was still unbreakable and there are no known exploits ever since the initial release.


Despite my aversion towards Paypal and its practices, I tried to pay my bucks for RubyConf and be done with it. Looks like I am banned from using it, but other than "we can't tell you why, but there's some block in the system" no information from Paypal itself. I guess it has something to do with me "slandering" them at SecCon last year...


Rodent comes alon nicely. rodent.pl now supports scanning for certifications, recentlog entries from people on a watch list, some standalone webserver functionality (coutesy of webrick) and the usual stuff.


Is good.


Will be back on Friday. Against my hopes, it's not totaled, so I'll have to drive it a few more years :)

19 Oct 2002 (updated 20 Oct 2002 at 01:11 UTC) »

Yesterday night, while Jill and I were moving boxes from the old to our new house, a guy on a bike rode spast, came to a screeching halt and started eyeing our garage, the house and us. Later we saw him again, some blocks down, surrounded by cop-cars and cops. Guess we won't get broken in tonight :)


First stab at rodent, an Advogato-XMLRPC method for Ruby.

  1: #!/usr/bin/env ruby
  3: require 'rodent'
  5: advog = Advogato.new
  7: advog.connect
  8: advog.my_uname = "ib"
 10: entries = advog.get_my_numentries.to_i
 12: 0.upto(entries-1) do | number |
 13:   entry = advog.get_my_entry(number)
 14:   printf( "\n-------------------[ entry #%i ] -----------------\n", number+1)
 15:   printf("%s\n\n", entry)
 16: end

Bill has posted an extensive and pretty informative list of things, Ruby newbies should know.

1 older entry...

New Advogato Features

New HTML Parser: The long-awaited libxml2 based HTML parser code is live. It needs further work but already handles most markup better than the original parser.

Keep up with the latest Advogato features by reading the Advogato status blog.

If you're a C programmer with some spare time, take a look at the mod_virgule project page and help us with one of the tasks on the ToDo list!