[ Home | Articles | Account | People | Projects | FAQ ] Anyway, I normally put on a ton of weight when I visit the US so I weighed myself before and after my trip. I actually ended up losing 5 lbs because the food was dreadful and we didn't have time to go get alternatives. Fortunately I'd taken a gift of English chocolate for a friend and ended up keeping one of the bars for emergencies.
I bought a Gaggia Titanium super automatic coffee machine yesterday. Interestingly the software and menu system looks just like the Solis Master 5000 Digital. In fact the brewunit is identical too. The Gaggia seems to have improved some of the flaws in the original though; it's got twin boilers, a better air-tight seal on the bean hopper, nice metal bits, and a timer so it can turn itself on in the morning. My plan is to replace the morning can of Coke with a coffee.
You know that you've had too much coffee in a day when you've run out of all clean cups that will fit under the machine.
So according to a Secunia advisory I just read there is a new flaw in Apache that allows attackers to "compromise a vulnerable system". [source]
They got that information from a Connectiva security advisory. That advisory actually says "trigger the execution of arbitrary commands" but if you read the context you'll find that in fact what it means is that a cunning attacker could use a minor flaw in Apache that allows it to log escape characters in order to exploit possible flaws in terminal emulators to execure arbitrary commands if you view the log file. [source].
So we've magically turned an issue which is of quite minor risk and minor severity into one classed as "Moderately Critical". Using the same logic you could then use publicised (but fixed) flaws in the Linux kernel to gain root privileges and we've got a remote root exploit in Apache folks! It's Chinese Whisper Security Advisories at their best.
7 Apr 2004 (updated 7 Apr 2004 at 08:11 UTC) »
So our joint statement in response to the Forrester Study is now available and it got to slashdot and other places. It should be an identical statement from each vendors site - although I think the European -ise's got replaced with -ize's in some of the statements. It's quite an event to have four competing Linux distributions giving a joint statement on an issue - but behind the scenes this goes on all the time. Every day we work with our competitors in the other Linux vendor security teams to make sure that Linux users get quality, peer-reviewed, security fixes in a timely fashion.
During my short part of the world tour I got asked why I didn't keep my blog up to date with interesting stuff about what I do. The problem working on security vulnerabilities is many of them are embargoed; I spent many hours working on the recent OpenSSL issues, many days working on the Forrester Study, and all these things I couldn't talk about. Then when the embargo gets lifted I've moved onto something new and it doesn't seem worth dredging up the past.
So in the last month: I've learnt that sending the press a written statement usually gets you a better and more accurate quote than talking to them. It's probably the British accent that throws them. I've learnt that no matter how hard you try you can't find everyone who uses OpenSSL in their product to tell them in advance about security issues, and the ones you miss end up being annoyed. I've learnt that the latest attempt to cure my migraines has a side effect in that I don't get nervous before giving presentations (it felt like I was watching myself from above). I've learnt that April fools jokes on the web are not funny (well apart from the "Klingon Eye for the Human Guy" one and our Apache PDA one from a few years ago).
Just a month before the end of life of Red Hat Linux 9 I finally got around to upgrading some old Red Hat 7.1 machines to run Advanced Server 2.1AS; only one reboot and about 20 minutes of my time required. I was so pleased with myself I spent an hour sending in one of my patches for ZoneMinder which is used to record and upload cctv stuff that goes on outside my house.
Just back from a couple of days in London with the Red Hat world tour folks. It was awesome fun and I got to meet loads of interesting people. I've no idea how these guys have managed it, especially their rule on having no checked-in luggage. Two weeks without scissors or sharp instruments. Actually, given their close confinement that's probably a good thing.
I'm sure at the end of the Linux user group meeting yesterday a guy walked off with a couple of dozen of the world tour t-shirts we were giving away; wonder if they'll turn up on ebay.
My attempt to photo blog the event with my phone camera failed as I ended up sending all the pictures to the wrong email address. D'oh.
What is disturbing is a report from a third party company who is vulnerable to one of the Denial of service issues that said that it wasn't a security issue as their were hundreds of other possible DoS attacks. Actually, this attack causes OpenSSL to crash. We've got a proof of concept, you don't have to send more than a kb of data to get OpenSSL to crash remotely. This can be quite serious if you have a service that can't recover from that. Things like Apache (when running in its default prefork memory model) can recover quite well - they just spawn off a new child to replace the dead one. This is going to use up some extra resources, but depending on the platform it's quite minor (and will stop as soon as the attacker stops sending malicious packets). Not everything that listens to the network that uses OpenSSL is so resiliant.
Going to be in London next weekend?
11 Mar 2004 (updated 11 Mar 2004 at 21:07 UTC) »
FOAF updates: Trust rankings are now exported, making the data available to other users and websites. An external FOAF URI has been added, allowing users to link to an additional FOAF file.
Keep up with the latest Advogato features by reading the Advogato status blog.
If you're a C programmer with some spare time, take a look at the mod_virgule project page and help us with one of the tasks on the ToDo list!