Tuesday, March 25. 2008
Using Unison to sync files between linux hosts
I've been using rsync over ssh to copy changed files from one linux host to a backup. This works fine for moving files in one direction, but not to synchronize files that may be changed on either host. It also required that I be logged on so my ssh-agent would provide the password for the ssh connection. This prevented automated synchronization. So I wanted to find a solution that would:
- Allow me to make changes on either host
- Run automatically
- Maintain security
The solution was unison and a few tricks with OpenSSH public key authentication. More after the break....
Tuesday, October 3. 2006
Firefox Flaw? Maybe...maybe not
There's been a lot of uproar over a presentation at Toorcon where a pair of "Security Researchers" (which is what they would be called if they used responsible disclosure) / "Hackers" (which is the term almost universally used in press accounts) claimed to have found a bug in Firefox which they used to build a botnet.
This understandably concerned the Mozilla team, and a member of the Mozilla security team joined the presentation. Turns out they were "joking". I'm not sure how the announcement of the creation of a botnet based on a non-existent security flaw constitutes a "joke" - and I'm a geek. I "get" some pretty esoteric jokes.
They wanted to tweak the "Firefox fanboys". Mischa later apologized:
The main purpose of our talk was to be humorous.
As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has.
I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven’t used it to take over anyone else’s computer and execute arbitrary code.
I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim. I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not.
I apologize to everyone involved, and I hope I have made everything as clear as possible.
Sincerely,
Mischa Spiegelmock
Nevertheless, there apparently is a little bit of fire in all that smoke - a flaw in Firefox that can apparently be used for a Denial of service. Of course, I didn't say too much about the IE setslice vulnerability on Thursday because it, too, was a DoS bug - until Friday night, when suddenly a remote code execution exploit was released and caused enough havoc to prompt the ISC to go to yellow alert. So be aware, if I hear of this escalating to an exploit I'll post asap.
The most important thing - Mozilla immediately reacted, is concerned with finding the truth, not maintaining a corporate image, and is taking this very seriously.
JaBbA says: Open Source means more than just source code.
Monday, January 16. 2006
Gore's MLK Speech
Powerful stuff.
[T]he American values we hold most dear have been placed at serious risk by the unprecedented claims of the Administration to a truly breathtaking expansion of executive power.
As we begin this new year, the Executive Branch of our government has been caught eavesdropping on huge numbers of American citizens and has brazenly declared that it has the unilateral right to continue without regard to the established law enacted by Congress to prevent such abuses.
It is imperative that respect for the rule of law be restored.
...[T]he President not only confirmed that the story was true, but also declared that he has no intention of bringing these wholesale invasions of privacy to an end.
...
A president who breaks the law is a threat to the very structure of our government. ... As John Adams said: "The executive shall never exercise the legislative and judicial powers, or either of them, to the end that it may be a government of laws and not of men."
An executive who arrogates to himself the power to ignore the legitimate legislative directives of the Congress or to act free of the check of the judiciary becomes the central threat that the Founders sought to nullify in the Constitution - an all-powerful executive too reminiscent of the King from whom they had broken free.
From truthout
Oh, and word point, Gore, for using the word "arrogates" as a verb. Of course, I get the feeling that it was precisely his ability to use interesting words that prevented him from becoming our President. Sad.
Thursday, December 29. 2005
Lies, Damn Lies, and Statistics
There's been a lot of talk in the online media about how Firefox's "honeymoon" is over. Articles showing that Firefox has more vulnerabilities than IE have been cropping up frequently.
Most of the articles cite Secunia for the list of vulnerabilities. But dig into the numbers, and a different picture emerges. Secunia lays out all the numbers (see the upper right hand corner of their webpage). But they summarize it:
Microsoft Internet Explorer 6.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Highly critical
Mozilla Firefox 1.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Less critical
Opera 8.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Not critical
More graphs and charts from Secunia below:
Wednesday, November 9. 2005
v0.9 Upgrade
I've upgraded the blog software to v0.9 of Serendipity - www.s9y.org if you haven't checked it out. I'm a very small contributor to the code - I've done some English translation, worked on the RSS feeds and fixed some category stuff.
It's getting very close to a 1.0 release - this should be the last major pre-1.0 release. I'll be playing with some of the new capabilities and plugins over the next few weeks.
Thursday, November 3. 2005
Hooray Beer! Hooray Coffee!
Remember "Two great tastes that taste great together"? I have a recipe for the next time I take out my brewing supplies. It's a coffee-flavored porter, and I'll use a Dark Sumatran to flavor it.
But Nestle has gone one better - a fermented coffee beverage!
A drink somewhere between coffee and beer could soon be on the menu. Nestec, part of the Nestlé empire in Switzerland, has filed patents in every major market round the world on a "fermented coffee beverage" that pours and foams like beer, but smells of strong coffee and packs a concentrated caffeine kick.
Here's the thing - no alcohol. It looks like beer, feels like beer, tastes like coffee and kicks like coffee.
From Slashdot.
Monday, October 24. 2005
Virtually Cool
VMWare just came out with a FREE version of VMWare called VMWare Player. It's obviously not the complete $200 VMWare Workstation, but what it lets you do is run any Virtual Machine that was created by someone else. And, of course, they provide a nice selection of pre-built virtual machines.
This is VERY USEFUL. A boon to students and people interested in trying out a different OS.
TaoSecurity has a nice writeup on it.
Tuesday, October 11. 2005
Referrer Spam Solution
The referrer SPAM has just gotten worse and worse. I see thousands of hits on my blog from zombies with references to various {xanax|cialis|viagra|phentenermine}, casino and porn websites.
I finally took a little time and put in a blocking mechanism which seems to effectively stop them at the door - it's going to be like a SPAM filter, in that I'll need to keep tweaking it, but so far so good. If you need my solution, contact me. (I'm obviously not going to publicly comment on my actual solution).
But here's the somewhat scary part. Many of the referring domains are subdomains of names that seem completely unrelated. That's not unusual - somehow I doubt that Jackie Zhao really runs a "blackfilmmakermag.com" website. (He doesn't. It's a gambling advertising domain). But at least one of them seems to be a legitimate site - did they sell access to their domain name, or has their DNS been hacked?
Registrant:
Mike Di Sabatino
*** deleted ****
Camarillo, CA 93011
United States
Registrar: DOTSTER
Domain Name: SUPERBIKECLUB.COM
Created on: 15-MAR-00
Expires on: 15-MAR-06
Last Updated on: 13-MAR-05
Administrative Contact:
DiSabatino, Michael ******deleted*******
**** deleted ******
Camarillo, CA 93011
US
****deleted****
****deleted****
Domain servers in listed order:
NS1.SJ1.NORTHSKY.COM
NS2.SJ1.NORTHSKY.COM
Northsky.com, check your servers! Michael, do you really want to be associated with buy-hydrocodone-online.superbikeclub.com ??????
Tuesday, August 9. 2005
Finally
The Shuttle is back in business. Sounded like everyone was holding their breath while it came down. Happened to be able to listen to the whole thing on NPR while driving to work.
Now if we could just get NASA back in the business of pure science, rather than this silly Mars expedition. But it needs to keep flying.
Oh, and I'm back from vacation.
Friday, July 15. 2005
Simple Anti-Phishing tool
A new firefox extension is a simple and effective addition to the Anti-Fraud arsenal.
The Petname Extension simply allows you to assign a descriptive name to any SSL-enabled website, then displays that name whenever it sees that same SSL certificate.
Any browser tricks or redirections will become obvious when your "Pet Name" for the website isn't displayed.
JaBbA recommends.
UPDATE I probably should have pointed out - this is a very small implementation of a new idea called a "Security Skin". See Bruce Schneier and this paper (PDF).
Thursday, June 30. 2005
Too Little, Too Late
Years ago, I lusted after the non-existent Silicon Graphics laptop. With its metal case and awesome power, it would have been sweet.
So now Sun finally announces a laptop - Years after an IBM T-Series Laptop running Linux will do everything I ever wanted it to do.
Glad I finally dumped all my Sun stock. Losers.
Wednesday, June 29. 2005
XML-RPC Vulnerability
BEEP BEEP *BEEP*
There's a serious vulnerability in the PEAR XML-RPC code. Serendipity uses this code, so an update is available.
Blogs on this server have been updated. You know who you are.
We now return you to your regularly scheduled program.
Wednesday, June 15. 2005
iCal to Remind script
Well, I've been playing with Remind, which I found over at 43 Folders. I loved the idea of a unix-style full-featured calendaring app - but I've gotten very used to using Mozilla Calendar to keep track of my family's crazy schedule. There were some Applescript iCal->remind scripts listed, but nothing full featured.
So I wrote one.
I discovered that the hashes returned from iCal::Parser contained DateTime values, so I was able to use the DateTime.pm module to manipulate the dates and times - very handy.
I got ambitious and got the ToDos to print out, too. It uses the Due Date as the Remind date, or the current date if there's no Due date.
I call it from cron every day and email my reminders to myself, so I get everything from the calendar, plus the .reminders file (which has birthdays, anniversaries, and other things I need to remember):
0 6 * * * local/bin/ical2rem.pl | cat - .reminders | local/bin/remind -q - | mail -s "Reminders" jalcorn
0 3 * * 0 local/bin/ical2rem.pl | cat - .reminders | local/bin/remind -c+ - | mail -s "Weekly Calendar" jalcorn
You can get the code here or in the extended entry.
UPDATE I long ago changed to running the script out of a cron and using INCLUDE to bring in the data. That way it's always in remind, no matter how I run the script. In ./.reminders:
INCLUDE ./.ical2rem
and in crontab:
0-59/15 * * * * local/bin/ical2rem.pl > ~/.ical2rem
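The iCal-to-remind conversion described in this entry, as an added Python sketch that is not the author's ical2rem.pl (which uses Perl's iCal::Parser and DateTime): it unfolds a small constructed .ics, pulls VEVENT and VTODO components, and emits remind REM lines, using the DUE date for to-dos and the supplied current date when there is none, exactly as the entry describes. The sample calendar, the "TODO:" prefix and all function names are assumptions.

```python
import re
from datetime import date, datetime

MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

# Constructed sample calendar (not real data): a timed event whose SUMMARY is
# folded across two lines, an all-day event, a to-do with a DUE date and a
# to-do without one. "\\," is the iCal escape for a literal comma.
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
BEGIN:VEVENT
DTSTART:20050615T090000
SUMMARY:Dentist appoint
 ment
END:VEVENT
BEGIN:VEVENT
DTSTART;VALUE=DATE:20050704
SUMMARY:Independence Day
END:VEVENT
BEGIN:VTODO
DUE:20050620T170000
SUMMARY:File expense report
END:VTODO
BEGIN:VTODO
SUMMARY:Call Mom\\, then Dad
END:VTODO
END:VCALENDAR
"""


def unfold(text):
    """Join RFC 2445 folded lines: a line starting with whitespace continues the previous one."""
    return re.sub(r"\r?\n[ \t]", "", text)


def parse_components(text):
    """Yield (kind, {property: value}) for each VEVENT/VTODO; property parameters are dropped."""
    current = None
    for line in unfold(text).splitlines():
        if line.startswith("BEGIN:") and line[6:] in ("VEVENT", "VTODO"):
            current = (line[6:], {})
        elif line.startswith("END:") and current and line[4:] == current[0]:
            yield current
            current = None
        elif current and ":" in line:
            name, value = line.split(":", 1)
            current[1][name.split(";")[0]] = value  # "DTSTART;VALUE=DATE" -> "DTSTART"


def to_remind_date(value):
    """Return (date, 'HH:MM' or None) from an iCal DATE or DATE-TIME value."""
    if "T" in value:
        dt = datetime.strptime(value[:15], "%Y%m%dT%H%M%S")
        return dt.date(), dt.strftime("%H:%M")
    return datetime.strptime(value[:8], "%Y%m%d").date(), None


def clean_summary(raw):
    """Unescape iCal text and collapse it to one printable line. The result is
    written into a file that remind parses, so a newline or control character
    inside a SUMMARY must not be able to start a new REM directive."""
    text = raw.replace("\\n", " ").replace("\\,", ",").replace("\\;", ";")
    return "".join(ch if ch.isprintable() else " " for ch in text).strip()


def remind_line(d, time, msg):
    """Format one remind directive, e.g. 'REM 15 Jun 2005 AT 09:00 MSG Dentist'."""
    when = f"{d.day} {MONTHS[d.month - 1]} {d.year}"
    if time:
        when += f" AT {time}"
    return f"REM {when} MSG {msg}"


def ical_to_remind(text, today=None):
    """Convert an iCal document to a list of remind lines. To-dos without a
    DUE date are placed on `today` (defaults to the real current date)."""
    today = today or date.today()
    lines = []
    for kind, props in parse_components(text):
        summary = clean_summary(props.get("SUMMARY", "(no summary)"))
        if kind == "VEVENT":
            if "DTSTART" not in props:
                continue
            d, t = to_remind_date(props["DTSTART"])
            lines.append(remind_line(d, t, summary))
        else:
            d, t = to_remind_date(props["DUE"]) if "DUE" in props else (today, None)
            lines.append(remind_line(d, t, "TODO: " + summary))
    return lines


def demo():
    """Convert the constructed sample as of 15 June 2005 (fixed so the output is stable)."""
    return ical_to_remind(SAMPLE_ICS, today=date(2005, 6, 15))


if __name__ == "__main__":
    print("\n".join(demo()))
```

Redirecting the script's output to ~/.ical2rem is all the INCLUDE setup above needs; since the calendar may contain entries written by other people, the sketch flattens each SUMMARY to a single printable line before it lands in a file that remind interprets.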
Wednesday, June 1. 2005
Oh, Cool!
He was so proud of it, too
During his Rose Garden news conference, W not only used the wrong word but then he went on to define it for reporters, apparently because he interpreted the puzzled looks on the reporters' faces to mean they didn't know his fancy new word:
disassemble - that means not to tell the truth.
dis·as·sem·ble
v. dis·as·sem·bled, dis·as·sem·bling, dis·as·sem·bles
v. tr.
To take apart: disassemble a toaster.
dis·sem·ble
v. dis·sem·bled, dis·sem·bling, dis·sem·bles
v. tr.
1. To disguise or conceal behind a false appearance. See Synonyms at disguise.
2. To make a false show of; feign.