Older blog entries for ib (starting at number 6)

Take a look over at eWeek's "openhack" challenge. In its fourth incarnation, eWeek (which is heavily sponsored by Microsoft) tries once again to prove Microsoft and Oracle security.

The challenge includes an Oracle and Microsoft server, which must be owned or defaced in order to be considered "compromised".

A closer look at the infrastructure, however, reveals the truth:

Aside from the servers in question and some infrastructure (which itself is partially shielded and guarded), most servers are ... tada ... OpenBSD. Both ns and mail are served by OpenBSD 3.2, the firewalls are OpenBSD's pf, and the switch and routing fabric is Extreme Networks', which runs ... well, they won't tell, but everybody who ever looked at a Summit or Diamond knows...

In short, this is pathetic. The topology used is highly unlikely to be deployed in a working environment, critical infrastructure is based on Unix, not Windows (PDF file containing the topology, 127kb), and the rules exclude some of the more powerful attacks.

What will this challenge prove? For the successful attacker, it proves a modicum of knowledge, and for Microsoft or Oracle it proves nothing (other than the fact that there are things even eWeek won't run on Windows).

As sad and scary as those sniper attacks in DC are, twice as many people die every day in the streets of Boston, LA or Detroit. Nobody gives a crap anymore. Why? Because they're poor? Because it's not a sniper-gun but a Saturday night special drop-piece?

Code

How can _anyone_ release software that is known to have security flaws? I'm not talking about the 'everything is insecure' paradigm, I am speaking about tangible, known, reported, fixable exploits. Oracle and Microsoft seem to be prime candidates for a "truth in advertising" suit - but then, who'd want to argue the meaning of "secure" with their $1k/h lawyers.

I went over to Cupertino to meet an (here unnamed) friend of mine who spends his days being a security minion for a major DDM/data mining company. According to him, his company has found and communicated no less than nineteen root-level exploits in one of those huge database thingies, and not a single one has been fixed, despite active release cycles.

What's even worse - the company has communicated the flaws internally to its SEs and asked them to NOT discuss security other than by pointing at the official documentation, which a) claims 100% security, b) disclaims any responsibilities if a) is to be found incorrect.

Luckily enough, at least I am surrounded by Open Source. Not that there are fewer flaws and holes to be found here, but at least nobody will be able to lie about it for an extended period of time.

Which reminds me, I need to get back to that Oracle dude we had over here last week - he even had the guts to claim 9i was still unbreakable and there are no known exploits ever since the initial release.

RubyConf

Despite my aversion towards Paypal and its practices, I tried to pay my bucks for RubyConf and be done with it. Looks like I am banned from using it, but other than "we can't tell you why, but there's some block in the system" no information from Paypal itself. I guess it has something to do with me "slandering" them at SecCon last year...

Code

Rodent comes along nicely. rodent.pl now supports scanning for certifications, recentlog entries from people on a watch list, some standalone webserver functionality (courtesy of webrick) and the usual stuff.

Life

Is good.

Car

Will be back on Friday. Against my hopes, it's not totaled, so I'll have to drive it a few more years :)

19 Oct 2002 (updated 20 Oct 2002 at 01:11 UTC)
Life

Yesterday night, while Jill and I were moving boxes from the old to our new house, a guy on a bike rode past, came to a screeching halt and started eyeing our garage, the house and us. Later we saw him again, some blocks down, surrounded by cop-cars and cops. Guess we won't get broken into tonight :)

Code

First stab at rodent, an Advogato-XMLRPC method for Ruby.

  #!/usr/bin/env ruby

  require 'rodent'

  # Connect to Advogato over XML-RPC and select the account to read.
  advog = Advogato.new

  advog.connect
  advog.my_uname = "ib"

  # Number of diary entries for the account.
  entries = advog.get_my_numentries.to_i

  # Entries are indexed from 0; print each one under a 1-based header.
  0.upto(entries-1) do | number |
    entry = advog.get_my_entry(number)
    printf( "\n-------------------[ entry #%i ] -----------------\n", number+1)
    printf("%s\n\n", entry)
  end

Bill has posted an extensive and pretty informative list of things Ruby newbies should know.

Why the f**** does that guy certify himself as master? Well, I don't really think I am one, but others seem to, and since I switched my account from jLoki to ib, I might as well carry that over.

I know, it's XAB to do this, but jLoki is some period in my past, I'd rather not deal with any more than I have to, and since I use ib everywhere but here, I decided to switch.
