I was away for a few days to go to Red Hat HQ - the whole thing felt like an episode of 24, trying to fill every minute with some activity or other. Only Jack Bauer doesn't have to wait for an hour for an Airport shuttle to the hotel; or a five minute queue for the gents toilets. Those would be pretty unexciting episodes. Fortunately everything went to plan and on the last day was able to fit in exchanging my laptop (from an old Dell to a new IBM T41), doing two interviews, attending various sessions, receiving a long-service award, packing, and making it to the airport with time to spare.
Anyway, I normally put on a ton of weight when I visit the US so I weighed myself before and after my trip. I actually ended up losing 5 lbs because the food was dreadful and we didn't have time to go get alternatives. Fortunately I'd taken a gift of English chocolate for a friend and ended up keeping one of the bars for emergencies.
I bought a Gaggia Titanium super automatic coffee machine yesterday. Interestingly the software and menu system looks just like the Solis Master 5000 Digital. In fact the brewunit is identical too. The Gaggia seems to have improved some of the flaws in the original though; it's got twin boilers, a better air-tight seal on the bean hopper, nice metal bits, and a timer so it can turn itself on in the morning. My plan is to replace the morning can of Coke with a coffee.
You know that you've had too much coffee in a day when you've run out of all clean cups that will fit under the machine.
So according to a Secunia advisory I just read there is a new flaw in Apache that allows attackers to "compromise a vulnerable system". [source]
They got that information from a Connectiva security advisory. That advisory actually says "trigger the execution of arbitrary commands" but if you read the context you'll find that in fact what it means is that a cunning attacker could use a minor flaw in Apache that allows it to log escape characters in order to exploit possible flaws in terminal emulators to execure arbitrary commands if you view the log file. [source].
So we've magically turned an issue which is of quite minor risk and minor severity into one classed as "Moderately Critical". Using the same logic you could then use publicised (but fixed) flaws in the Linux kernel to gain root privileges and we've got a remote root exploit in Apache folks! It's Chinese Whisper Security Advisories at their best.
So our joint statement in response to the Forrester Study is now available and it got to slashdot and other places. It should be an identical statement from each vendors site - although I think the European -ise's got replaced with -ize's in some of the statements. It's quite an event to have four competing Linux distributions giving a joint statement on an issue - but behind the scenes this goes on all the time. Every day we work with our competitors in the other Linux vendor security teams to make sure that Linux users get quality, peer-reviewed, security fixes in a timely fashion.
During my short part of the world tour I got asked why I didn't keep my blog up to date with interesting stuff about what I do. The problem working on security vulnerabilities is many of them are embargoed; I spent many hours working on the recent OpenSSL issues, many days working on the Forrester Study, and all these things I couldn't talk about. Then when the embargo gets lifted I've moved onto something new and it doesn't seem worth dredging up the past.
So in the last month: I've learnt that sending the press a written statement usually gets you a better and more accurate quote than talking to them. It's probably the British accent that throws them. I've learnt that no matter how hard you try you can't find everyone who uses OpenSSL in their product to tell them in advance about security issues, and the ones you miss end up being annoyed. I've learnt that the latest attempt to cure my migraines has a side effect in that I don't get nervous before giving presentations (it felt like I was watching myself from above). I've learnt that April fools jokes on the web are not funny (well apart from the "Klingon Eye for the Human Guy" one and our Apache PDA one from a few years ago).
Just a month before the end of life of Red Hat Linux 9 I finally got around to upgrading some old Red Hat 7.1 machines to run Advanced Server 2.1AS; only one reboot and about 20 minutes of my time required. I was so pleased with myself I spent an hour sending in one of my patches for ZoneMinder which is used to record and upload cctv stuff that goes on outside my house.
Just back from a couple of days in London with the Red Hat world tour folks. It was awesome fun and I got to meet loads of interesting people. I've no idea how these guys have managed it, especially their rule on having no checked-in luggage. Two weeks without scissors or sharp instruments. Actually, given their close confinement that's probably a good thing.
I'm sure at the end of the Linux user group meeting yesterday a guy walked off with a couple of dozen of the world tour t-shirts we were giving away; wonder if they'll turn up on ebay.
My attempt to photo blog the event with my phone camera failed as I ended up sending all the pictures to the wrong email address. D'oh.
What a busy day; doing the OpenSSL release manager role for the recent security updates, testing packages, dealing with the third parties, being a third party, rolling, pushing, correcting.
What is disturbing is a report from a third party company who is vulnerable to one of the Denial of service issues that said that it wasn't a security issue as their were hundreds of other possible DoS attacks. Actually, this attack causes OpenSSL to crash. We've got a proof of concept, you don't have to send more than a kb of data to get OpenSSL to crash remotely. This can be quite serious if you have a service that can't recover from that. Things like Apache (when running in its default prefork memory model) can recover quite well - they just spawn off a new child to replace the dead one. This is going to use up some extra resources, but depending on the platform it's quite minor (and will stop as soon as the attacker stops sending malicious packets). Not everything that listens to the network that uses OpenSSL is so resiliant.
Going to be in London next weekend?
I'm off to London in a couple of weeks to be part of the Red Hat world tour. Looks like the event is going to be pretty busy (so if you want to come see us you'd better register now). There are a few different things I want to talk about, but I've not had the chance to write it up yet as I've spent the weekend most entirely dealing with a migraine and talking to folks about the Red Hat security response team.
ZOË rocks. www.zoe.nu. It's built on Apache Lucene and it actually works. I've just let it spend 3 days importing and indexing over 100k messages (8 years worth, after stripping mailing lists). Now I can search my old emails in seconds, get threaded lists, and easily find all the attachments. It even dealt with duplicates perfectly, which given the state of my mail archives is definately no easy task. 3 days is a long time, but then it was running on a 512Mb 450MHz old machine. I've already found mails I never thought I had and pictures in attachments I didn't remember. Awesome stuff.
Keep up with the latest Advogato features by reading the Advogato status blog.