Older blog entries for mjcox (starting at number 120)

24 Jul 2004 »

So continuing the dual-head experiment I went and bought a USB mouse from PCWorld today. My new Microsoft USB mouse works better with Fedora Core 2 than Windows XP, which I find quite amusing. So now I can use the keyboard and mouse under the second display as well as the first, just by switching a single USB cable. I wanted to buy a KVM but no local shops had any USB versions. Anyway, the mouse that felt the nicest was this optical Microsoft USB mouse, and for under 20 pounds. Plugged the mouse into the hub built into the USB keyboard which was plugged into my Fedora 2 laptop. Immediately it was recognised, configured, and "just worked" at the same time as all the other pointing devices (the laptop has two and my USB keyboard has a mouse stick thing too). Time to make sure that the new mouse worked when I switched the keyboard over to my Windows XP machine. Well, I plugged it in and waited a bit, and waited. After a while Windows seemed to decide it was going to try and configure this new device, popped up a little window, copied some files around, and then the mouse worked. Amazingly when booting XP I can't move the pointer until some point when XP decides to configure the mouse. XP has a similar problem with my USB keyboard, refusing to let me push a key to abort a disk check if the system needs one at startup.

19 Jul 2004 (updated 19 Jul 2004 at 18:19 UTC) »

The last couple of months have been quite busy and any spare time I've been using to go Geocaching. Only up to 8 finds so far, but I'm picking locations that sound interesting and worth visiting. Scottish Geocaches have some pretty amazing scenery and they've taken me to all sorts of places I'd never think of visting. So it took until today to finally getting around to configuring the T41 laptop the way I wanted to. It's running Fedora Core 2 and I figured it was time to use a dual-head so I'm not stuck at 1024x768 forever when theres a perfectly good 22" CRT next to me. "system-config-xfree86" had it working immediately; with just a manual tweak needed to XF86Config so the second screen was at 1280x1024. To complete the setup I plugged the USB IBM Trackpoint keypad into the laptop and it configured itself, set itself up, and now moving any of the trackerpoint mice moves the pointer, typing on any keyboard just works. What I've been putting off for the last two months took less time than typing this entry, I love it when that happens. Meanwhile, trying to get a bluetooth USB dongle working so I can just simply send and receive SMS via Fedora Core 2 is one of those more impossible missions that just sucks up time.

29 Apr 2004 »
29 Apr 2004 »

I was away for a few days to go to Red Hat HQ - the whole thing felt like an episode of 24, trying to fill every minute with some activity or other. Only Jack Bauer doesn't have to wait for an hour for an Airport shuttle to the hotel; or a five minute queue for the gents toilets. Those would be pretty unexciting episodes. Fortunately everything went to plan and on the last day was able to fit in exchanging my laptop (from an old Dell to a new IBM T41), doing two interviews, attending various sessions, receiving a long-service award, packing, and making it to the airport with time to spare.

Anyway, I normally put on a ton of weight when I visit the US so I weighed myself before and after my trip. I actually ended up losing 5 lbs because the food was dreadful and we didn't have time to go get alternatives. Fortunately I'd taken a gift of English chocolate for a friend and ended up keeping one of the bars for emergencies.

16 Apr 2004 »
Super Caffienated

I bought a Gaggia Titanium super automatic coffee machine yesterday. Interestingly the software and menu system looks just like the Solis Master 5000 Digital. In fact the brewunit is identical too. The Gaggia seems to have improved some of the flaws in the original though; it's got twin boilers, a better air-tight seal on the bean hopper, nice metal bits, and a timer so it can turn itself on in the morning. My plan is to replace the morning can of Coke with a coffee.

You know that you've had too much coffee in a day when you've run out of all clean cups that will fit under the machine.

14 Apr 2004 »
Apache Critical Flaw!

So according to a Secunia advisory I just read there is a new flaw in Apache that allows attackers to "compromise a vulnerable system". [source]

They got that information from a Connectiva security advisory. That advisory actually says "trigger the execution of arbitrary commands" but if you read the context you'll find that in fact what it means is that a cunning attacker could use a minor flaw in Apache that allows it to log escape characters in order to exploit possible flaws in terminal emulators to execure arbitrary commands if you view the log file. [source].

So we've magically turned an issue which is of quite minor risk and minor severity into one classed as "Moderately Critical". Using the same logic you could then use publicised (but fixed) flaws in the Linux kernel to gain root privileges and we've got a remote root exploit in Apache folks! It's Chinese Whisper Security Advisories at their best.

7 Apr 2004 (updated 7 Apr 2004 at 08:11 UTC) »
95% of statistics....

So our joint statement in response to the Forrester Study is now available and it got to slashdot and other places. It should be an identical statement from each vendors site - although I think the European -ise's got replaced with -ize's in some of the statements. It's quite an event to have four competing Linux distributions giving a joint statement on an issue - but behind the scenes this goes on all the time. Every day we work with our competitors in the other Linux vendor security teams to make sure that Linux users get quality, peer-reviewed, security fixes in a timely fashion.

1 Apr 2004 »
Embargoed Diary

During my short part of the world tour I got asked why I didn't keep my blog up to date with interesting stuff about what I do. The problem working on security vulnerabilities is many of them are embargoed; I spent many hours working on the recent OpenSSL issues, many days working on the Forrester Study, and all these things I couldn't talk about. Then when the embargo gets lifted I've moved onto something new and it doesn't seem worth dredging up the past.

So in the last month: I've learnt that sending the press a written statement usually gets you a better and more accurate quote than talking to them. It's probably the British accent that throws them. I've learnt that no matter how hard you try you can't find everyone who uses OpenSSL in their product to tell them in advance about security issues, and the ones you miss end up being annoyed. I've learnt that the latest attempt to cure my migraines has a side effect in that I don't get nervous before giving presentations (it felt like I was watching myself from above). I've learnt that April fools jokes on the web are not funny (well apart from the "Klingon Eye for the Human Guy" one and our Apache PDA one from a few years ago).

Just a month before the end of life of Red Hat Linux 9 I finally got around to upgrading some old Red Hat 7.1 machines to run Advanced Server 2.1AS; only one reboot and about 20 minutes of my time required. I was so pleased with myself I spent an hour sending in one of my patches for ZoneMinder which is used to record and upload cctv stuff that goes on outside my house.

28 Mar 2004 »
Red Hat World Tour

Just back from a couple of days in London with the Red Hat world tour folks. It was awesome fun and I got to meet loads of interesting people. I've no idea how these guys have managed it, especially their rule on having no checked-in luggage. Two weeks without scissors or sharp instruments. Actually, given their close confinement that's probably a good thing.

I'm sure at the end of the Linux user group meeting yesterday a guy walked off with a couple of dozen of the world tour t-shirts we were giving away; wonder if they'll turn up on ebay.

My attempt to photo blog the event with my phone camera failed as I ended up sending all the pictures to the wrong email address. D'oh.

17 Mar 2004 »

What a busy day; doing the OpenSSL release manager role for the recent security updates, testing packages, dealing with the third parties, being a third party, rolling, pushing, correcting.

What is disturbing is a report from a third party company who is vulnerable to one of the Denial of service issues that said that it wasn't a security issue as their were hundreds of other possible DoS attacks. Actually, this attack causes OpenSSL to crash. We've got a proof of concept, you don't have to send more than a kb of data to get OpenSSL to crash remotely. This can be quite serious if you have a service that can't recover from that. Things like Apache (when running in its default prefork memory model) can recover quite well - they just spawn off a new child to replace the dead one. This is going to use up some extra resources, but depending on the platform it's quite minor (and will stop as soon as the attacker stops sending malicious packets). Not everything that listens to the network that uses OpenSSL is so resiliant.

Going to be in London next weekend?

111 older entries...

New Advogato Features

New HTML Parser: The long-awaited libxml2 based HTML parser code is live. It needs further work but already handles most markup better than the original parser.

Keep up with the latest Advogato features by reading the Advogato status blog.

If you're a C programmer with some spare time, take a look at the mod_virgule project page and help us with one of the tasks on the ToDo list!