Older blog entries for ib (starting at number 9)

29 Oct 2002 (updated 29 Oct 2002 at 03:56 UTC) »

Thanks to ianmcd, I finally have Ruby on my Zaurus. Maybe I should have kept one Linux box around :)

jdub: That's (unfortunately) the way open communities will always wind up. Unless there are hundreds of technical and social barriers, one will wind up with trolls, no matter where. Remember, there was a time when Slashdot was readable :).

Now, Advogato has its mechanisms to maintain a high S/N ratio; the trust metric and diary rating are excellent tools, but both depend on a healthy base of contributors. And, like it or not (I don't :), there are more trolls and "I installed RedHat with Gnome, I am a l33t coder" users out there than even Advogato could survive, should they decide to flock over here.

On a work related note: I am still interviewing candidate after candidate, though it's getting very frustrating. There are still plenty of resumes to go through, but I am slowly getting the impression that all good candidates are either outside of the SF Bay Area or already employed somewhere else.

jluster@clusterfsck.net, if you happen to know someone or are someone in the Silicon Valley with a good Unix background.

26 Oct 2002 (updated 26 Oct 2002 at 21:43 UTC) »
shlomif - welcome to the ODP. Understanding it all and getting "into" it can be intimidating at first. Just don't be shy, only a few Eds bite :)

Recession? My behind! No matter where I go, I keep hearing about high levels of unemployment, people laid off from work and being unable to find a new job, employers who pay minimum wages for their top-Unix staff, etc. Yet, my company's been looking for some clueful Unix engineers and programmers, without any luck.

Yes, we have stacks of resumes, but only a few even survive the basic ego and resume deflating we use during the initial phone-screen and interview. It's ridiculous. Some of the gems I encountered in the past weeks include:

* The dude who claimed "Intimate Unix Knowledge", which - during the interview - translated into "Runs RedHat since 5.x and was not able to configure TCP/IP on a box without the help of RedHat's utilities, knows nothing about Unix kernel work, is unable to write even rudimentary scripts or programs and failed the 'How many IPs are in a /25' test."

* The dude who'd "run FreeBSD and Linux since 1994", but had a hard time explaining the difference between Linux' and BSD's boot concept.

* The "security professional" who ran Windows exclusively.

* The "I was not promoted, because I am female" applicant who did not know what a man-page was and how to show interfaces on a Linux system.

Is it THAT hard to find someone clueful enough to stand his man or woman in an environment that does not believe in hand-holding and expects some level of familiarity with the basic concepts of networking and Unix OSes?

Take a look over at eWeek's "openhack" challenge. In its fourth incarnation, eWeek (which is heavily sponsored by Microsoft) tries once again to prove Microsoft and Oracle security.

The challenge includes an Oracle and Microsoft server, which must be owned or defaced in order to be considered "compromised".

A closer look at the infrastructure, however, reveals the truth:

Aside from the servers in question and some infrastructure (which itself is partially shielded and guarded), most servers are ... tada ... OpenBSD. Both ns and mail are served by OpenBSD 3.2, the firewalls are OBSD's pf, and the switch and routing fabric is Extreme Networks', which runs ... well, they won't tell, but everybody who ever looked at a Summit or Diamond knows...

In short, this is pathetic. The topology used is highly unlikely to be deployed in a working environment, critical infrastructure is based on Unix, not Windows (PDF file containing the topology, 127kb), and the rules exclude some of the more powerful attacks.

What will this challenge prove? For the successful attacker, it proves a modicum of knowledge, and for Microsoft or Oracle it proves nothing (other than the fact that there are things even eWeek won't run on Windows).

As sad and scary as those Sniper attacks in DC are, twice as many people die every day in the streets of Boston, LA or Detroit. Nobody gives a crap anymore. Why? Because they're poor? Because it's not a sniper-gun but a Saturday night special drop-piece?

Code

How can _anyone_ release software that is known to have security flaws? I'm not talking about the 'everything is insecure' paradigm, I am speaking about tangible, known, reported, fixable exploits. Oracle and Microsoft seem to be prime candidates for a "truth in advertising" suit - but then, who'd want to argue the meaning of "secure" with their $1k/h lawyers.

I went over to Cupertino to meet an (here unnamed) friend of mine who spends his days being a security minion for a major DDM/data mining company. According to him, his company has found and communicated no less than nineteen root-level exploits in one of those huge database thingies, and not a single one has been fixed, despite active release cycles.

What's even worse - the company has communicated the flaws internally to its SEs and asked them to NOT discuss security other than by pointing at the official documentation, which a) claims 100% security, b) disclaims any responsibilities if a) is to be found incorrect.

Luckily enough, at least I am surrounded by Open Source. Not that there are less flaws and holes to be found here, but at least nobody will be able to lie about it for an extended period of time.

Which reminds me, I need to get back to that Oracle dude we had over here last week - he even had the guts to claim 9i was still unbreakable and there are no known exploits ever since the initial release.

RubyConf

Despite my aversion towards Paypal and its practices, I tried to pay my bucks for RubyConf and be done with it. Looks like I am banned from using it, but other than "we can't tell you why, but there's some block in the system" no information from Paypal itself. I guess it has something to do with me "slandering" them at SecCon last year...

Code

Rodent comes along nicely. rodent.pl now supports scanning for certifications, recentlog entries from people on a watch list, some standalone webserver functionality (courtesy of webrick) and the usual stuff.

Life

Is good.

Car

Will be back on Friday. Against my hopes, it's not totaled, so I'll have to drive it a few more years :)

19 Oct 2002 (updated 20 Oct 2002 at 01:11 UTC) »
Life

Yesterday night, while Jill and I were moving boxes from the old to our new house, a guy on a bike rode past, came to a screeching halt and started eyeing our garage, the house and us. Later we saw him again, some blocks down, surrounded by cop-cars and cops. Guess we won't get broken into tonight :)

Code

First stab at rodent, an Advogato-XMLRPC method for Ruby.

  #!/usr/bin/env ruby

  require 'rodent'            # the Advogato XML-RPC wrapper this entry introduces

  advog = Advogato.new

  advog.connect               # open the XML-RPC connection to Advogato
  advog.my_uname = "ib"       # the account whose diary entries are fetched

  entries = advog.get_my_numentries.to_i   # number of diary entries for that account

  # entries are numbered from 0; print each one under a separator header
  0.upto(entries-1) do | number |
    entry = advog.get_my_entry(number)
    printf( "\n-------------------[ entry #%i ] -----------------\n", number+1)
    printf("%s\n\n", entry)
  end

Bill has posted an extensive and pretty informative list of things Ruby newbies should know.

Why the f**** does that guy certify himself as master? Well, I don't really think I am one, but others seem to, and since I switched my account from jLoki to ib, I might as well carry that over.

I know it's XAB to do this, but jLoki is some period in my past I'd rather not deal with any more than I have to, and since I use ib everywhere but here, I decided to switch.
