Yesterday was pretty much a rest-and-recuperate day, not so much from the weekend as from life in general. I spent much of the day sitting and reading the stuff that's been piling up, finishing a leather kittyband (which didn't turn out quite the way I thought it would) and starting to work on another fur one, driving around to get some Halloween decorations for the family, and reading some more. I spent a lot of the day jacked out, which I find I enjoy quite a bit anymore. Now that it isn't a requirement that I stay plugged in I find that I've got a good deal less stress to handle. I also picked up a few things for the Witches' Ball this weekend, namely some stuff to put together my costume (Paul Muad'dib; unfortunately I have neither the money nor the time (as I only decided yesterday that I'd be going) to get a pair of blue prosthetic contact lenses). I've got just about everything else I need to put it together, so I should be able to assemble it in about three hours, if I work on it tomorrow night.
Tonight I plan on storming the local mall to pick up a copy of The Matrix Reloaded (come on, you knew that was coming) and possibly X: Seven. That'll take enough time that I won't be able to work on it then. Amazingly, I'm caught up on a lot of reading; between the whitepapers for work and the printouts, messages, and text files that keep trickling into my inbox in a steady stream, I've made decent progress. The text files are going into the web-enabled version of the archive once I get around to actually writing the HTML files.
A couple of months ago some guys at MIT proposed a reaction to the now-defunct T[otal/errorist] Information Awareness programme enacted by the US Government called Government Information Awareness, in which the citizens of the US could pretty much do the exact same thing (keep an eye on their elected leaders, report on what they're doing, use database techniques to examine patterns in behaviour, et multiple cetera) only on government employees and leaders. This project came under some heat due to the number of people who Slashdotted the system, to say nothing of the legal implications of this. They may have found a way to dodge the legal bullet by applying some techniques used by peer-to-peer filesharing networks. They plan on distributing the database across many dozens, if not hundreds of systems all across the Net, using a single application or website to access and correlate them (this is a bad idea because there is a single point of failure in the accessibility scheme; I suggest a tactic similar to that used by the GNUtella network, which is fully decentralised access by broadcasting and caching sharing network edge locations). By applying a few mathematical transformations they could further obfuscate who has what by breaking down any one entry in this distributed data base such that if a particular datum is broken into n fragments, any n - 3 (for the sake of argument) fragments may be reassembled into the original entry. I wish I could remember the technical name of this technique..
Anyway, it's something I'm suggesting to them.
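One scheme with the property described above is Shamir's threshold secret sharing: an entry is split into n fragments, any k of them rebuild it, and fewer than k reveal nothing about it. The sketch below is an added example, not code from the Government Information Awareness project or the original post; the sample entry, the node count and the function names are constructed for illustration, with k = n - 3 as in the text.

```python
"""Threshold splitting of a database entry (Shamir's scheme, byte-wise over GF(257))."""
import secrets
from itertools import combinations

PRIME = 257  # smallest prime above 255, so every byte value is a field element


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coeffs[0] is the constant term) at x, mod PRIME."""
    acc = 0
    for c in reversed(coeffs):  # Horner's rule
        acc = (acc * x + c) % PRIME
    return acc


def split_entry(entry: bytes, n: int, k: int):
    """Split entry into n fragments such that any k of them reconstruct it.

    Each fragment is (x, ys): x is the fragment's index (1..n) and ys holds one
    field element per byte of the entry. Values may be 256, so ys is a list of
    ints rather than a bytes object.
    """
    if not 1 <= k <= n < PRIME:
        raise ValueError("need 1 <= k <= n < 257")
    fragments = [(x, []) for x in range(1, n + 1)]
    for byte in entry:
        # Fresh random polynomial of degree k-1 per byte; the byte is f(0).
        coeffs = [byte] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
        for x, ys in fragments:
            ys.append(_eval_poly(coeffs, x))
    return fragments


def combine_fragments(fragments, k: int) -> bytes:
    """Rebuild the entry from any k distinct fragments (Lagrange interpolation at 0)."""
    if len(fragments) < k:
        raise ValueError("not enough fragments: have %d, need %d" % (len(fragments), k))
    chosen = fragments[:k]
    xs = [x for x, _ in chosen]
    if len(set(xs)) != k:
        raise ValueError("duplicate fragment index")
    if len({len(ys) for _, ys in chosen}) != 1:
        raise ValueError("fragments differ in length")
    # Weight of fragment i is prod_{j != i} (0 - x_j) / (x_i - x_j), mod PRIME.
    weights = []
    for i, xi in enumerate(xs):
        num, den = 1, 1
        for j, xj in enumerate(xs):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        weights.append(num * pow(den, -1, PRIME) % PRIME)
    out = bytearray()
    for pos in range(len(chosen[0][1])):
        value = sum(w * ys[pos] for w, (_, ys) in zip(weights, chosen)) % PRIME
        if value > 255:
            raise ValueError("fragments are inconsistent or corrupted")
        out.append(value)
    return bytes(out)


def survives_any_loss(entry: bytes, n: int, k: int) -> bool:
    """Check that every possible set of k surviving fragments rebuilds the entry."""
    fragments = split_entry(entry, n, k)
    return all(combine_fragments(list(subset), k) == entry
               for subset in combinations(fragments, k))


if __name__ == "__main__":
    # Constructed sample entry; 8 hosting nodes, any 5 (n - 3) are enough.
    entry = b"constructed sample entry: committee vote record"
    n, k = 8, 5
    frags = split_entry(entry, n, k)
    print(combine_fragments([frags[7], frags[2], frags[4], frags[0], frags[5]], k))
    print(survives_any_loss(entry, n, k))
```

Every Shamir fragment is as large as the entry itself; an erasure code such as Rabin's information dispersal gives smaller fragments, but without the guarantee that fewer than k fragments reveal nothing.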
The only thing that pisses me off more than people who don't read the documentation is people who don't even read the bloody error message. They just see "ERROR" or "WARNING" and call for assistance without even reading what the error in question is (for example, 'ERROR: User "snort" unknown'). Anyone with half a brain in their head would actually parse the words, realise that an account named 'snort' does not exist on their box, and create it. It's not hard. It doesn't take long. Whatever happened to actually reading, let alone reading comprehension??
One of these days I'm going to have to polish my boots - they're looking kind of shabby right now.
Local outfit Vigilant Minds has confirmed that the MS-RPC vulnerabilities do indeed still exist in fully patched installations of Windows XP Pro, XP Home, and 2k workstation. Nothing MS has released thus far has fixed these very serious holes. They suspect that other versions of Windows are just as vulnerable but they haven't found any proof yet. The best thing you can do to protect yourself is set up your firewall to block any and all activity on ports 135, 139, 445, and 595 for TCP and 135, 137, 138, and 445 for UDP. They have also released a Snort signature to detect this attack. Good luck, everyone.
I just discovered that the sweater I'm wearing today has more than a torn seam at the shoulder (hidden by a vest at present), the right elbow's shredded as well. How did that happen? And how did I not notice it?
Something most unusual appeared on Groklaw.net last Friday regarding SCO's threatening to sue Linux users and vendors. In June of 2003 a group of protestors gathered outside of SCO HQ and managed to talk to Darl McBride, Chief Executive Officer of SCO. Someone managed to record the conversation, record it into Ogg Vorbis files, and upload that to the Net. A transcript of that conversation makes up the lion's share of the article. McBride was quoted as saying that SCO has no plans to sue users, really, his anger is directed at the community of UNIX developers because they are donating code to Linux in general and not paying royalties to SCO as a result. The interview is quite interesting, take a few minutes to read it all the way through. Makes you wonder, sometimes... most interesting of all is McBride stating that Linux is infringing on quite a few contracts with other companies and not necessarily with SCO itself. The amount of doubletalk that McBride uses is also kind of scary. On one hand, he accuses Linux developers of releasing copyrighted code; on the other, he says that by saying exactly what pieces of code are infringing on their copyrights, he would be releasing the code. Assuming that there is a problem, without knowing where it is how can it be fixed?
It can't.
Also, given a few pointed questions from protestors who were working on specialised applications of the Linux kernel, McBride refused to state what would or would not be considered copyright infringement. It seems to me like these tactics are meant to freeze all development out of fear that it would step on a copyright that happens to be kept secret by NDA. SCO's demanding much but not justifying its demands. It's hard to take their claims seriously without proof.
Well, I've been enjoying my day off so far. I got to sleep in, eat a leisurely breakfast, and sit down to read for a couple of hours. I don't ask very much out of life, but I do try my hardest to enjoy times like that. They make life worth living. Right now I'm catching up on the news and my e-mail, and I plan on going out a bit this afternoon to window shop. It's a nice day today and I'd like to spend it driving around listening to music, singing at the tops of my lungs, and seeing what's going on Outside.
The Samba project should be proud: Samba v3.0 was benchmarked as being two and one-half times as fast as Windows 2003 Server. Samba scales much better than Windows does natively, IT Week Magazine says, in terms of data throughput (which tends to be a function of the number of systems on a network segment, I've noticed, due to all the broadcast traffic). Very cool.
Let's see... what's happened so far this weekend?
I spent most of yesterday getting ready for the Fall 2003 Furbecue. I made one of my favourite potluck dishes for everyone, a ham, cheese, and green bean casserole that people seem to go nuts over (once you can convince them that there aren't any peppers in it, anyway...) It doesn't take long to put together, the hard part's finding the cubed ham to put in the filling. I could tell that something was going to be amiss yesterday because I'd been on mood swings since I'd gotten up that morning. Not pleasant. Once I'd taken the casserole out of the oven and put a few things together I thought I was home free. I will only say that I really don't appreciate extra stops being added to my plans. It's hard enough to rouse the energy to want to go anywhere anymore, let alone to get away from everyone.
I'm still surprised that I found the park the furbecue was held at; it isn't far from Swift and Sil's house, in fact it's just one street down. By the time I arrived the party was in full swing, with folks playing horseshoes, sitting around talking, playing on the playground equipment, and catching up on old times. I ran into an old acquaintance of mine from my BBS days there and spent some time ogling his latest electronics project - a BASIC stamp microcontroller (a single-chip fully programmable computer ideal for embedding in small devices) that he was using to control the facial expressions on the headpiece of his fursuit. The attention to detail and time he's putting into it I find amazing, even though I'm not a 'suiter myself. I also ran into another IT geek, whom I spent a considerable amount of time talking to. Sometimes it's nice just to have someone to talk to and rant about this and that.. Gabran brought one of his more unusual toys with him from Pennsic, a small crossbow that can shoot miniature marshmallows (!) the breadth of a picnic pavilion. We spent some time hanging out as well, catching up on times. Regrettably, his mate is still down south and wasn't able to attend.
Swift Fox was the designated grillmeister for the day and did a yeoman's job of turning out hamburgers from the grill. The picnic spread was such that there was something for everyone and no one left empty-handed or hungry. The box of halloween candy was most welcome by everyone, and a good sugar buzz at the end of the afternoon was a welcome mood-booster. Silaria made a double-batch of taco schmutz, that special chip-dip that never seems to last, and was astonished to see it devoured before sunset. The stuff's addictive, there's no other way to explain it. Azanti's adjusting well and preparing to reappear as a daywalker on Samhain, an event that we're all waiting for.
I had to leave early last night because I was attending the Bipitt meeting last night. I've missed three of them, mostly due to being too tired to want to go anywhere on the weekends and I decided early last week that I was going to make the effort to join everyone. Four of us met in the coffee shop near the Pittsburgh GLCC to figure out what, exactly, to do. Lara and Lupa were already there, and a newcomer, Heron, joined us shortly after. Coffee was nice but most everyone hadn't eaten yet so we retired to a local diner to talk and eat. I'd eaten a good bit at the furbecue so I opted for dessert, figuring that some chocolate would help get me through the low point of my cycle. I honestly wasn't keeping track of how long we were there because I was having too good a time getting to know Heron and catching up with Lupa. We eventually decided to go people watching for a while and then go club hopping to see what was going on. After a quick stop back at my car to pick up my jacket and a pair of earplugs we piled into Lara's car to drive down to the South Side to see what we could see. The people wandering around were mostly the beautiful people going to bars, drinking, and doing what it is there is to do in Pittsburgh if you're fine with a couple of beers and top-40 music.
On a lark we decided to stop in to Slacker, a local counterculture store that keeps late hours. Lupa picked up a new outfit to wear around Saturday night while I bought another mesh-with-dark-bits shirt. I've got this odd addiction to them anymore.... Slacker's collection of toys isn't the greatest in the world (I'd much rather go to Don's) but their selection of clothing is quite good. We wound up wearing our new purchases out of the store last night. Our next stop was back at Lara's car for the trip to the Strip District.
During dessert we'd decided to visit Club Chemistry to see what was going on. I've been there in the past and found it a quite likeable, as well as queer-tolerant if not -friendly place, so after some driving around to get past the closed parts of the road in the Strip (when did that happen??) we found parking and then hiked back to the club. In the past two months they'd started having a cover charge to get in - $5us at the door. I hadn't expected this, nor had I heard anything about it, so I did a good bit of apologising to everyone. The dancefloor was already standing room only when we arrived, though we were able to stake out a corner of the platform below the DJ booth and defend our turf all night. It felt nice to be able to dance again. Chemistry's rapidly becoming a favourite haunt, and we've been talking about making it the local bi hangout, seeing as how there aren't any such places in Pittsburgh right now. Shortly after midnight we decided to see what else was out there, and after a brisk walk back to the car drove to a local gay lounge (the Liberty Tavern) to unwind and talk some more. In leafing through the local periodicals we found that Don's been advertising the ER Room quite a bit locally, which I hope will be good for business. We left when they politely asked us to leave at closing time and headed back to Squill to get our cars and go home for the night. I hope we'll be able to organise something soon for everyone.
This is just plain weird - someone translated Sir Mix-a-lot's "Baby Got Back" into Latin.

Ironic, for a burnout like me.
Greetings to readers from the US Navy!
Happy Coming Out Day, everyone.
19 year old Van Dinh of Pennsylvania has been charged with cracking and securities fraud. His age aside, this case is interesting for a reason that I'll get to shortly. He somehow owned roughly $90kus of Cisco stock options that he was looking to get rid of before they expired, and so put together a nifty little scheme to get hold of the login credentials of someone who uses online trading services. He trolled a few stock trading forums to find a few targets, then spammed them with a phony offer to beta-test a stock trend charting application which contained a keylogger trojan called 'Beast' (what would Satsuki think?). The keylogger recorded someone's login name and password, and then Dinh put the stock options up for sale at a price greater than they were worth.. and then used the funds in his victim's trading account to 'buy' them from himself, which left Dinh with the cash and the victim with nothing at all. What I find interesting about this is that the SEC's Enforcement Division claims that they were able to track Dinh through all of the cut-outs and anonymisers that he is supposed to have used to cover his tracks. My guess would be that Dinh bounced through a bunch of open proxy servers Out There, maybe cracked a box or two and set up his own, worked through webmail and possibly a few remailers... either Dinh did a poor job of hiding, or the SEC team's really, really good. This says something about exactly how anonymous we really are on the Net. I'm now very curious about how Dinh is supposed to have tried to conceal himself... if a suspected criminal was tracked through the Net, what about someone who's not up to anything shady and just wants to keep a low profile? Makes you wonder, it does.
The case against Aaron Caffrey deepens.. an expert witness claims that Caffrey's claims of being a patsy are jetwash. Neil Barrett, technical director at Information Risk Management, says that the IRC logs on Caffrey's deck weren't altered. He looked at either a bitwise image of the drive or the original drive (my guess is an image, which would preserve the integrity of the real drive) and says that he didn't see any signs of editing. When you edit a text file, a copy of the file is loaded into memory. When it's saved, however, the old version of the file is deleted from the file system and the new one is written to the disk. Sometimes the new version can overwrite the old version, sometimes it's written to an entirely different chain of disk blocks. If there's a big enough run of disk blocks on the drive they'll be written to in one swipe. To cut to the chase, by looking at the pattern of blocks in the file system, you can tell, sort of, what was going on. You really have to dig into the code to be sure of anything. I don't know the ins and outs of the XP file system so I can't say for sure, but I will say that it's not looking good for Caffrey.
SunnComm, creator of the copy protection software that the record label BMG is using on its new CDs is planning on suing grad student Alex Halderman for figuring out that the AUTORUN.INF file on a CD-ROM can be bypassed by holding the shift key down. Halderman's mistake may have been in stating in his whitepaper that his "discovery will compel the music industry to abandon their copy-resistant efforts." Oops - he put it in writing, which is what probably honked off SunnComm, he called them on their forgetting something so elementary. They're also crying foul because Halderman did it without having to consult their development documentation.
How much documentation does it take to put a text file into an ISO-9660 image??
SunnComm is also saying that the DMCA was violated because Halderman violated an 'unpublished' EULA agreement hidden on the user's hard drive during the installation process. It's hidden - of course he violated it! He didn't know it was there! Anyone who turns off AUTORUN.INF support in Windows is violating it too! It didn't take long for the idiocy of this to spawn a few jokes.
One thing that does bother me about all of this is that some bigwigs in the music industry are talking about getting legislation passed to require net.users to have uniquely identifiable licenses to access the Net and to track them. The comparison was made to Vernor Vinge's short story True Names. I think all of you know where I stand on this...
If they get that passed, how many Henry Armitages and Bart Simpsons do you think they'll have in their registries?
Let's nip this in the bud before it gets anywhere, shall we?
I hate to say it, but I think we're screwed now. A universal exploit for the RPC DCOM family of vulnerabilities in Microsoft Windows is making its rounds. Called "Pink Floyd", it's only a proof-of-concept utility right now (inducing a denial of service) but these vulnerabilities can also be used to execute code. It won't be long before a version of Pink Floyd appears that'll do just this. Moreover, even if you've got all the relevant fixes in, you're still vulnerable. You can read Microsoft's breakdown of this problem here. It's grim. Windows NT v4.0, 2000, XP, and Server 2003 are all vulnerable; Windows ME isn't.
It appears that trying to clear the inventory cheaply isn't always a good idea.. the US government has recently stopped its sale of surplus low-end lab kits, which include centrifuges, solution evaporators, sample incubators, and biohazard suits. Moreover, the disposal company wasn't checking the credentials of the people purchasing them - among the countries these purchasers were confirmed to be located in were the Philippines and Egypt, where a few terrorist organisations are known to operate. The US General Accounting Office figured this out by setting up a dummy company and buying gear over the Net without trouble. Something like $46kus of lab equipment was purchased for a hair over $4kus - quite a steal.
Aaron Caffrey, accused of DDoSing the computer network running a sea port in Houston, TX is claiming that someone is setting him up by having cracked his deck and editing the system logs to incriminate him. He says that his system currently supports remote administration and at the time had not yet been able to apply the latest round of MS security patches. From this, he says, someone had been able to remotely access his system and set the deck up to make it look like he did it, presumably by altering system logs and planting the utility used to touch off the attack. Detective Constable Stunt (first name unknown) of the Computer Crime Squad says that remotely it is not possible for someone to have accessed the machine, planted the files, and altered the IRC logs, stating that "It is impossible, the technology does not exist."
I hate to break it to Detective Constable Stunt but it is indeed possible to do this to a Windows machine. If Caffrey's deck had RDP or VNC installed in an insecure manner (i.e., by default) then someone could easily have accessed his terminal remotely, opened a text editor, edited the text (if I recall correctly, IRC log files are plain ASCII on most, if not all Windows IRC clients), and then navigated to a website to download a few files to leave behind. It's trivial to do, I've done it myself doing tech support for another office. And gods only know what the latest generation of remote-control trojan horse programmes can do these days. That said, I'm inclined to give Caffrey the benefit of the doubt at this time. Something else I found interesting was that the attack in question took place in September of 2001, if Caffrey's machine was dissected by law enforcement authorities in January of 2002... bit of a time delay there.
Minor update: A list of 11,000 IP addresses of computers vulnerable to the IIS Unicode exploit was found on Caffrey's deck, which is probably what got the attention of authorities. The plot coagulates.
SANS has released the latest edition of its top 20 security vulnerabilities list, 10 for Windows and 10 for *nix. For the Win32 platform, the top three security vulnerabilities that admins have to worry about are IIS (Internet Information Services), MS SQL Server, and the Windows Authentication subsystem (which, unfortunately, you can't tear out of the system). On a side note, I still wonder exactly why MS thought it was a good idea to make the registry (the binary database which stores a lot of system configuration information) accessible across the network. I don't have my /etc directory open to everyone and their backup... to be fair, *nix has its own share of problems, though their severity tends to be less than the holes in Windows, mostly because everything isn't so tightly tied together. The top three security holes are BIND (the Berkeley Internet Name Domain system, which is what makes up DNS), RPC (remote procedure call) services (which allow a user on one system to pass some data to a process on another system, let it process, and then get a reply with the result), and the sundry vulnerabilities found in the Apache webserver and its associated modules. Sendmail, nightmare of sysadmins the world over, has mercifully fallen into sixth place. It just goes to show that when you get right down to it, nobody is safe.
You know... even though Postnuke is supposed to be the hottest web technology since NCSA Mosaic, its dearth of documentation is enough to make you want to blow chunks into the guts of a running HP Netserver. I've been fighting with it for two days now, and while I can get it installed I'm still in the process of figuring out how to make it do what I need it to.
Oh, gods.. another bad day to play the Snort Drinking Game, I can see..
Huh.
Dataline's had her first taste of mélange this morning. We'll see where this goes...
A news article at The New Scientist caught my attention this morning: Intel is working on a new CPU architecture called Vanderpool which would allow multiple operating systems to run simultaneously on the same system. The article makes overtures toward emulating multiple platforms at once - the example they give is running Windows XP and MacOS at the same time on the same deck. An interesting idea... my guess would be that they'd be leveraging their hyperthreading technology (where there are basically two CPUs on the same chip running at the same time; a few of the servers at work have hyperthreaded Xeon cores in them and by running an SMP (symmetric multiprocessing; think multiple processor cores) kernel on them they register (and run) like dual-CPU boxes) to manage multiple emulations at the same time, perhaps with some form of the Transmeta technology to emulate the instruction sets at the hardware level. They also mention virtual machine software in the article (a virtual machine is a software application that emulates the hardware of some platform from the lowest levels on up to run a non-native OS and applications on an entirely different platform; emulator fans will no doubt be familiar with this technology), which I think they're going to try to push, at least in part, into hardware for the sake of performance (emulators tend to be a little on the slow side because of how much work they have to do). I think this is something to keep our eyes on for the near future (they're projecting five years' time, more or less).
Great Britain's cybercrime taskforce has begun to analyse the code to the most damaging net.worms released thus far to see if they are the work of organised crime or terrorist organisations. Their coders are trying to suss out details in the code that could be clues to the identities of the authors (assuming plurality for ease of writing this update), their motives, and possibly future targets. So far none have been determined to fit the criteria of organised crime or terrorism. Why is it that stuff like this always happens in other countries? Unless the US isn't talking about it, which wouldn't surprise me, to be fair.
Some more cheerful news for you.. Dr. Phillip Williams, director of the Programme on Terrorism and Trans-National Crime at the University of Pittsburgh says that attacks on the global financial system should be expected in the future. A single attack in the right place at the right time could cripple the US economy (as if it's not on life support right now) and bring global commerce to a screeching halt. I found it rather amusing that he named the two networks that make up the backbone of the financial system of the US, Fedwire (used for inter-bank funds transfer) and Fednet (used for inter-bank transactions (there's a subtle difference there)) in the article; thanks for telling everyone the names of two good targets.. it's also amusing that of the delegates who attended the conference at the Centre For Conflict Studies, where Dr. Williams was the keynote speaker, several were listed on the rosters as "spies".
I feel the need to be critical of this now. It's too pat. I really don't think that Dr. Williams would have gone ahead and named two major targets, giving the idea to anyone with the time to hunt down some physical locations on Google and round up some hardware without the US government either pulling him off stage or walking out of there "unescorted". That smells like disinformation to me: Give everyone two things which sound important and look like targets, but are either nonexistent or decoys. The names don't sound right, either, given what I've heard of other government nets from whitepapers scattered around the US grids and at conventions (note to federal agents: If I could find the names in a magazine, on a website, or hear them at a con, you guys probably did too; don't disappear me for publicly available information). Fedwire and Fednet don't fit their naming scheme. As for people on the conference roster giving their profession as "spy", that has to be a joke, probably on the part of the Register staff. You don't even hear that in comic books.
The CD copy protection software included on the latest discs manufactured by record label BMG may be bypassed by holding down the shift key when the disc is inserted into a CD-ROM drive. The software is executed by the AUTORUN.INF file, which tells Windows to run a certain application whenever the disc is inserted into a computer. There is also a control panel setting and a registry key that may be changed to disable reading the file as well. Sorry, guys..
Holy shit - Schwarzenegger won. I'm already hearing rumours that people want another recall election in California. I guess Schwarzenegger getting elected messes up Somebody's plans..
Could there be a bastard-in-training at the DOJ?
Here's a lurid thought for you: We're not finding out everything we could be about what's happening in Iraq right now. There's an article in the United Press International right now about anomalous blood clots taking out US soldiers. Pulmonary embolism (a blood clot blocking a major blood vessel in the lungs) has killed two soldiers for certain, perhaps another eight (the military's not talking about those right now), and no one's sure how many others. Oddly enough, the same thing's happening to troops still in the US. The families of the dead soldiers and not a few civilian physicians are blaming the array of vaccinations soldiers routinely receive before shipping out. To add a bit more unusualness to the cake, a strain of pneumonia is also making its rounds in Iraq among US troops. Two are dead and another seventeen are on ventilators, and those are just the reports that have gotten out. The common thread here seems to be inoculations for anthrax and smallpox, at least from the data I've been able to find.
Something to think about.
Today was one of those days where you're not busy but by the time you get home you feel like the co-star of a pornographic movie featuring a succubus. For the second time today I thought I was going to miss my bus; yesterday I almost did, but today was a different matter. I was making my way down the street to the bus stop when I felt the familiar tingling at my waist of my cellphone's silent ringer. Dataline: "Hurry. The bus is running early today. We're almost at your stop."
Me: "Shit." *click* *cyb breaking a land speed record and cutting through traffic like a stuntman from the set of The Matrix*
I wound up jumping down two sets of steps outside of a building, each time almost doing a face-plant into the concrete sidewalk because my body was tilted a bit too far forward, partially due to my backpack and partially because I have not done such a thing in quite a while, perhaps years. Running in a pair of motorcycle boots is one thing, but long jumping down steps is quite another. It's not a good idea, take it from me. Somehow I made it down to the stop scant seconds after a bus very much like my usual bus pulled away. I kicked up my land speed another notch and just made it as it stopped for a red light. I stepped in and thanked the bus driver profusely.. and then realised that I didn't recognise anyone on the bus. As it turned out it wasn't the right bus but its ID number was one character off from the one I usually ride home. I hastily got off the bus and walked back to the bus stop. Fifteen minutes later my bus pulled up and I got on.
There's a world of difference between a bus running earlier than expected and a bus that was running early but is now stuck in traffic.
On the whole, however, I'm just happy to have made it.
This morning as I was getting dressed I happened to hear the morning show call in programme over the radio next door. The question was, "What is a phreaker?" Oddly enough, a definition of the word was one of the choices (though the word is actually 'phreak' (but I'm just being pedantic)). The guy got it on the second try. Maybe someone at the station's been reading a bit more than just the headlines at Google News...
This popped up in my morning news feed - John Kline of Corporate Technologies USA, Incorporated has put out an all-call for a cracker wargame. The goal is to crack one of a number of Windows 2000 Server installs running IIS, Exchange, and MS SQLserver. Each box has three victory conditions that must be met to be considered successful. Each successful cracker gets $250us paid via US money order (sort of like a bearer's bond, only keyed to a specific name). They say they're not law enforcement; the company's listed on NASDAQ (go fig), and they're going out of their way to make this look legit. They're doing it as part of a research effort to see how crackers think, so they can advance the state of the art of IDS technology I'd guess. Knowing this.. how many crackers would willingly do such a thing if it'll make cracking systems harder in the future? I know that with each advance in technology, the technology to get around security is advanced as well, but still..
Hey, why not?
The trance music scene in Japan has suffered a major blow recently - audio technician Shiro Ono died recently of a heart attack (his age and the reason for the heart attack were not given). Ono was renowned for his mastery of acoustic environmental audio, in which the speakers are positioned and tuned to maximise the effects of music on people by taking into account architecture, resonance, interference patterns, reflection, and pin-point targeting.
It was only a matter of time before the effects of viruses and computer crime got bad enough to rival most movie plots.. every morning since the Welchia worm took out the state department I've been waiting to hear about Ellingson Oil being hit by something called DaVinci. All kidding aside, this article got me thinking along these lines. Aaron Caffrey of Great Britain, age 19, is accused of knocking out the computer systems controlling automated machinery at the naval port of Houston, TX. Reportedly, he was DDoSing a fellow IRC user in retaliation for some anti-American statements he'd made.. Caffrey is reportedly in love with a woman living in America right now, so if he really did it it was to defend her honour. Caffrey is accused of creating an attack utility called the "IIS Unicode Exploiter - Ping DDoS tool, coded by Aaron". Caffrey says that someone implanted a trojan horse/remote control utility on his deck and used it to initiate the attack that way. No injuries or lasting damage were reported. Exactly how DDoSing someone in South Africa could take out a network in Houston isn't addressed by the article. Either he got his target IP address wrong, or the network in Houston wasn't patched at all and they probably forgot to disable IIS on quite a few workstations. Either way, no one's talking.
If I was playing the Snort drinking game today, I'd be unconscious by now.
Well, they got the cold thing right... my current body's rigged for high temperature existence right now.
Dataline's not home from her road trip yet. I woke up this morning to a perfectly silent house... I loved it. Didn't have to worry about running around or trying to finish in a hurry before someone else needed something, I could take my time and enjoy it. Which I did. Got dressed, got everything packed, and even had a chance to sit and read a little before leaving the house for temperatures just a few degrees above freezing.
I just realised that I haven't had any caffeine since Saturday. No headaches since then, either. Whee. I think it's time to dry out again.
Let's see.. what else haven't I caught up on yet..? Yesterday, shortly before the closing harvest ritual at PPD a number of us were standing around talking and a newspaper photographer walked over. Of course, if she wants us "to look like we're discussing something" I'm going to drag out Kabuki and pose with everyone. I've gotten rather good at that since the last place I worked, what with all the Financial Times photographers that kept interviewing the CEO. But I digress... if that picture's going to be used, I'll scan it and throw it up; somehow I doubt that it'll be published, though. That might not be such a bad thing. I spent some time hanging out with Frater AChDAE, catching up on things and discussing some ideas I've had about biologically generated/orgone energies.
The harvest ritual, I'm afraid, left me somewhat disappointed. It didn't have the spark I usually associate with gatherings in the Pittsburgh area.. there wasn't enough behind it, that I'm certain of. Titania's dances were most impressive, I must admit, and the people drumming were quite good.. but it was still lacking. I didn't know that Alaric would be leading this year, a welcome surprise. After that came the raffle, and I'm still kicking myself for not having purchased a few raffle tickets for the heck of it. I managed to get Ruthie, who was working with Inner Vision yesterday, in touch with John (who's part of the staff of Tekkoshocon) because she's looking to sell some of her art locally (and she's good, make no mistake about it). I helped move tables around and clean up the lodge after everyone else had left, which exhausted the last of my energy. By the time I'd left I was a few sweets (from what hadn't been sold at the bake sale) and three hoagies (ditto) richer.. dinner without having to forage, yay. I drove Fern and the twins back to their apartment afterward and picked up the leather she wants me to use for her book of shadows.. she's going to be pleased, of that I'm certain...
I also had the chance to go hiking a little with Swift and Sil to kill time before the harvest ritual.. amazingly, we didn't get lost. The ground that far out is too swampy and there weren't any real trails in that part of the park so we weren't able to go very far. But it was still nice to get out for a change. I'm also amused that Swift's foxtail scared a little kid, even though it shouldn't have.
On Friday Cisco Systems, manufacturers of so much network infrastructure hardware that it isn't even funny, announced a serious flaw in the system used to authenticate logins to the hardware itself. The LEAP system (Lightweight Extensible Authentication Protocol) is vulnerable to a dictionary attack, in which the encryption key used during the challenge-response process is simple to brute-force (a complexity of 255^2, or 65,025 possible keys), as stated by Evol on Bugtraq on 3 October 2003. There are actually a few ways to exploit this vulnerability; check out Evol's post for more information. He released a proof of concept exploit to prove his point.
Okay. I broke down during the morning IT meeting and got a cup of coffee. My brain's fully functional now. I guess it's a better idea to decrease the amount of coffee slowly...
I know that there will be a lot of people out there shaking their heads at this article because "it's common sense" to them, but for many others it'll be either one of those headslapper moments or entirely novel, so I'll just get going.. wardialing is back and it's still useful. Wardialing is when you have your computer start dialing phone numbers one after the other from a list to see which ones are answered by modems or fax machines. Back in the day (before the Net became the juggernaut of today that we all know and love) there were utilities out there that would do this for you, like Toneloc and phmap. These days it's normal to find at least a few 'rogue' modems on a corporate network, sometimes used by people to access their workstations remotely, using PCAnywhere, for example, though a direct link into a router or file server can also be used for remote repairs or maintenance. It's easy for a cracker with a little time to kill and a dialup modem to find at least a few dialups these days.. and the only way to see if you have any rogue modems on your LAN is to wardial yourself, of course. Word to the wise: Check before you say you're not vulnerable. You never know.
Okay.. SCO's now officially on crack. Not too long ago they started leaning on Silicon Graphics because of their own version of Unix, called Irix. Irix has its own file system called XFS, which they open-sourced; XFS was subsequently picked up by the Linux kernel project and integrated into the codebase. SCO's going to revoke SGI's UNIX licensing agreement on 14 October 2003 because they claim that some of their "proprietary" code (which was released into the public domain before Caldera even bought SCO a few years ago) was open sourced as a result. SGI claims that they went through the XFS codebase and removed all of the potentially offending code, but that's not good enough for SCO.
Is it just me, or is SCO trying to claim proprietary copyright on source code that was open sourced several years before SCO purchased the copyrights to the System-V code?
As if there isn't enough to worry about right now, word's going around about a peer-to-peer filesharing application called Earthstation 5 that was deliberately designed to be insecure. It's said that it hasn't been out for longer than a year or so, maybe about six months. While ES5 is touted by its developers as the most secure and private file sharing application out there, there is malicious code inside the source tree. It's possible to remotely delete any file on a system running the ES5 client with a certain command, and it doesn't appear to be an accident. Moreover, the ES5 team is also said to be behind some DoS attacks on other file sharing and distribution services (like BitTorrent). There is a proof of concept exploit out there (referenced in the article above) and an FAQ. Trust no one...
Burn's messed up again - Qmail stopped receiving SMTP traffic. I tried to reboot her remotely and she's locked but good. Next stop: Computer show for a new mainboard. Maybe something in a dual-CPU configuration...
Science fiction fans take note - the Hitch-hiker's Guide to the Galaxy movie is a go!
Two of the pictures taken yesterday made it into the Pittsburgh Post-Gazette, but I'm not in any of them.. *whew* On the up-side, the article's pretty good. It's in the hardcopy version, too; either way, take a look at it.
Is this not nifty - Eddie Izzard will be playing my namesake! That's right, he'll be playing the Doctor when Doctor Who returns to BBC Television as a series in 2005, thus sayeth Tom Baker (who played the fourth Doctor). Thank the gods for BBC America...
Here's an interesting story - a French company has developed solar panels that generate twenty times more electrical power than existing solar panels. These new-generation solar panels use organic materials instead of doped silicon crystals (like the amorphous solar cells you can purchase in kits through Edmund Scientific?). Their game plan is to use less efficient materials but because those materials are cheaper the cells can be made much larger, and as such gather more power. They're shooting for 10% efficiency by 2004 in their production units. That seems a little counter-intuitive to me, but if they're trying to break into the consumer marketplace (good luck, guys... good luck) they're going to have to shoot for cheap and easy to use. Hardware hackers and power guerillas will probably snap them up first and turn alternative power generation into a fad, and then everyone else who's got disposable income and wants to jump on the bandwagon will do so and turn it into a fad. That's how it's going to have to start if they want to make it big, at least in the US.
Greetings readers from Fermilab!
Not too long ago I got back from the local Pagan Pride Day celebration. It was a busy day, no lie.. I got up early this morning to have breakfast and get everything together before taking off. Dataline left early this morning so I made sure my grandfather was okay before taking off. First stop was to gas up the car to make sure that I could actually get there, and then I stopped to get cash for the vendors. The drive to North Park itself wasn't too bad, I made it in about a half hour's time by taking a shortcut up and around the back of the neighborhood to get to the highway. Once there, it was a straight shot out.
I ran into a great many people that I haven't seen in far too long. Frater AChDAE was there, as was Lissa Ernst, the Promise of Iris crew, Titania, Alaric and Scott... everyone I miss because I can't see them often anymore. I wound up only making it to two seminars the entire day, Ritual Body Art with Kali and Lucien, where I got the Kanji characters making up the word 'kabuki' on the inside of my arm in henna, and Frank DeAngelis' Psychometry Workshop. The rest of the time was spent wandering around talking to people, looking at everything on display, playing with the ferrets that were everywhere(!), and shopping. I wound up buying a Pagan Pride Day t-shirt from the POI team, along with some Samhain incense and charcoal to burn it with, a bumper sticker for Dataline ("I believe in angels"), a pin I've had my eye on for a while ("Doing my part to piss off the religious right"), and a small carved wood box to put my collection of rings into (and there are quite a few). Kali and Lucien did an excellent job with their presentation; I regret not having had the chance to pick up their handouts afterward. The henna pattern took less than two minutes to do in total - Kali's good with it. It'll last for a few days, so I'll see if I can take a few pictures of it.
I have to admit, there was a lot of incense in the air today. So much so that I had to go outside a few times because my eyes were getting irritated, which isn't good especially when you're wearing contacts. I'm really happy that Swift and Sil came out today. I introduced them to a good many of the people that I know.. I hope I was able to help make a few more connections somehow.
I have to admit, I'm surprised by the psychometry (object reading) seminar at the end of the afternoon. I've never put much stock in it but I try to keep an open mind... the theory that DeAngelis gave for the phenomenon I have to admit wasn't the strongest in the universe, and I was a little surprised at the lack of understanding of metaphor that people have these days, but when it got down to the nitty-gritty I'm surprised that I actually picked up a few solid impressions from the ring the woman next to me handed to me. I'm even more surprised that I was dead-on in four out of five impressions. In return I handed her my TARDIS key pendant.. and she related a few things that I've not told anyone. Wow. Okay.. so I'll put some credence in psychometry now.
Right now, I'm too tired to write much else. I'll write more tomorrow.
I wonder if my picture's going to be in the paper tomorrow....
Yesterday passed in a haze of doing stuff and taking care of things. I'd called off from work because there was too much that had to be taken care of around the house and decided to catch up on my rest at the same time.. the night before I'd jacked out at my usual time and simply neglected to set my alarm. Fern's pillow, unfortunately, didn't work as well as it did the night before, and I kept waking up every half hour or so. Eventually I dragged my usual pillows back into bed and slept until 0830 the next day... these days, sleeping until 0800 is sleeping in, but I digress.
Last night after everything was over with and done (including making chili for dinner.. it's all in the bay leaf) I changed my clothes and drove out to LARP to see what Lee had in mind...
Warning: Unabashed gamer's spew ahead. Feel free to hit the page down key a few times if it's not your cup of tea.
The Year of Fire is shaping up to be the de facto end of the Camarilla's universe... I don't know if they're going to finish the game globally or not but no matter how you cut it the rate of character attrition is going to be nasty. So far one character who'd gone off the deep end after having his mind messed with one too many times got another character arrested, and then captured. So last night was a run-and-gun plot with a lot of planning and a strong strategic component. I'm honestly a little confused about what actually went on last night: There were three strike teams operating simultaneously trying to intercept the truck transporting the detainee; two teams and a third running backup. The first truck was hit and what we thought was a successful capture turned out to be a decoy. No real surprise there. I don't know what happened to the decoy, I'd heard that it'd been transferred post haste to the bottom of a river just in case. The second actually had Mr. Watson in it and somehow (I never found out how) he'd been snatched back. At this point things got really confusing and trying to do things remotely got confusing. I know that there was a fire fight, a lot of teleportation, and the overwatch team (Operand and Dr. Ansin) almost went off the road at least once. The character rescued is all right and recovering as well as can be expected, which tied up that plotline neatly.
The rest of the night was Dr. Ansin's tribunal, which stemmed from his getting Mr. Watson arrested and subsequently captured. The evidence pointed overwhelmingly that Dr. Ansin did it, even though he'd had his mind altered at least twice that everyone was certain of. At the end of the tribunal it was decided that he'd be imprisoned for a year and a day, pending finding someone or a group of someones to repair the damage done to his mind. I'm going to hit the national in-character mailing lists soon to see what I can put together. That's what they're for, right?
End of gamer spew. Party on.
I'm going to start cooking this afternoon to get ready for Pagan Pride Day tomorrow. I was asked to make something to donate to the bake sale so I spent some of yesterday going through my collection of recipe books to find something that's easy to make, doesn't require a special trip to get ingredients, and would be tasty. I've settled on making lemon bars, which I can put together in about an hour and I can divide into two batches. I have to go food shopping this afternoon, I can't do anything about that, so I'm going to pick up some Gladware to pack them in for tomorrow. I've decided that I'm going to go in full colours (or lack thereof, as the case may be) to represent my particular slant on life. What the hell; I'm only young thirteen times. *grin*
Dataline just informed me that on 15 November 2003 there's going to be a mini-anime con at the local library; the theme they're running with is music. They're asking for anime and manga collectables to put on display and there's a call for cosplay...
The question is now.. which character?
Okay.. later today. The lemon bars are done and dusted with confectioner's sugar. I'm going to cut them apart and package them in two boxes for the bake sale tomorrow. I hope they go over well. While they were finishing up in the oven I got together with Dataline and put together a shopping list. I headed out to the store to restock for the week to come.. and came home with a splitting headache. It feels like there's a migraine on the horizon but I can't be sure - I haven't been under enough stress lately to cause a migraine, and as far as I can tell I haven't taken any aspartame lately (the fastest way to cause a migraine headache with my current body). It might be stress, it might be something else... I think it's caffeine. I've been drinking even less than normal lately - less than three cups of coffee in a day's time. There isn't a coffee pot at work so I'm limited to one in the morning, maybe two cups at night. I think my body's tolerance to caffeine has fallen so far that anything close to my old intake is disrupting its normal functioning. I can handle the discomfort with a little effort but I'm going to take this as a lesson and be careful in the future.
Here's a toy that I can see backfiring in horrible ways. A toy with a bore 8.5 inches in diameter. Someone Out There has constructed a mortar out of a piece of sewer pipe. The mortar cannon uses the coarsest grain of black powder to hurl 10 pound bowling balls a distance better than 600 yards. The recoil on this sucker is such that it digs out divots of earth an average of 7.5 inches deep each, even though the entire construct weighs about as much as I do (about 150 pounds). I know that there's something to be said for cleverness and doing things because you can, and I'd be lying if I didn't say that this is pretty cool, but it's also dangerous, and too easy to misuse (like taking out cars on the highway). After a few pyrotechnic misadventures in my younger years, I also have to worry about what could happen if it malfunctioned somehow.
Last night after I got off the phone with Lyssa I pretty much crashed out. All of my energy was gone and the only thing I wanted to do was curl up and go to sleep.. which I did, a bit earlier than normal (which seems to be getting to be a habit). After my shower I fell into bed and grabbed the dream pillow that Fern gave me months ago when I was having trouble falling asleep. I figured that it couldn't hurt to try it again (seeing as how I was having a great deal of trouble using it the last few times I'd tried it) and if it wasn't helping I could always push it off the side and grab the other two. I don't think it was five minutes later that I passed out and didn't wake up until I heard my alarm go off this morning. No dreams, I was out like the proverbial light.
Thanks, Fern.
Someone's pager at work has a custom signal - 'SOS' in morse code. I might be way off base, but that can't be a good sign...
This is one of the neatest hacks I've seen in a long time... someone's ported the C=64 emulator Frodo to the Nokia 3650 cellphone. Why? Because it can be done, does it need any other reason? Personally I think it's a great idea - I can't tell you how many times I've wished I could be playing Street Beat or Neuromancer on long trips to pass the time. From what the page says, it only accepts .t64 files (Commodore cassette tape images) for the software, which pretty much limits the software to 8KB or less (if memory serves), but it's a start. I give this one two thumbs up.
I think this says something about how highly people are valuing things instead of people or ideas - naming one's children after name brands. I think that says a lot about the value that people place on images and the sources thereof, and not so much on individuality and self-determination. Then again, this also reminds me of an Arabic tradition of naming one's children after bad things that may befall them so that they won't happen (sort of a reverse whammy, as it was explained to me), so I guess I can't say too much about it in that light.
That doesn't mean that I can't find it troubling.
Fuck. Burn crashed again.. and guess where I'm at? At work. This really pisses me off... I can't bring her back online from here. I guess this is where a watchdog comes in handy.
Debian's got fixed OpenSSL packages in the apt repositories now - start updating. Updated .rpm files are now available through Redhat as well.
Some folks might have heard about this going around about two years ago.. apparently the stories of a computer security testing firm cracking military nets so deeply that the admins didn't realise it were true. Brett O'Keefe, president of ForensicTec of San Diego, CA will be arraigned next Tuesday in federal court for compromising the security of NASA, the US Army, US Navy, Department of Energy, and the National Institutes of Health. The charges state that O'Keefe shared classified data with the news media to try to generate publicity for his company. As I was reading this story, a name jumped out at me: Fort Hood. The stories I'd heard going around were about a computer security company contracted to test the security of a few US military nets, of which Fort Hood's was one. The stories went on to talk about the tiger team cracking the perimeter security with little trouble and proceeding to compromise fully three quarters of the hosts on the base's network.. and then they found a gateway that they weren't told about. Because they were contracted to test the entire network they cracked the gateway as well, and thinking that it was another network proceeded to crack quite a few systems on the other side... which happened to be all over the sectors corresponding to various institutions in the US, though they didn't know it at the time.
I don't know how much of the stories I'd heard is true, but there's enough data in that news article to corroborate a few things. As J. Michael Straczynski once said, the truth is a three edged sword. What really happened is somewhere in the middle. Another article has it that O'Keefe was bragging about what happened to drum up business and denigrate the security of US government nets (perhaps rightly so), especially since they started trying to crack down after 9/11. If he was trying to embarrass the government, then he did an excellent job of it.. he failed to keep in mind, however, that it's a bad idea to redden the jowls of people who are ready, willing, and able to lock you in a room and throw away the room to retaliate. And now I wonder what really happened...
Last night I spent a lot of time trying to figure out what's been going on inside. There's no logical reason that I can see for feeling depressed. As far as I know I don't suffer from seasonal affective disorder; if I did I'd be in this state year-round given how little I see sunlight, let alone the outside. Barring further evidence I will not discount the possibility, but I will put it to the side for later consideration. I don't suffer from clinical depression, haven't for over a decade as it's reckoned. Doesn't feel like a change in diet, though I am still trying to take off the weight from Forge's wedding; I'm willing to consider this possibility as well. It could be a lack of activity: I sit in a cube all day using a computer and barely ever get to see the outside. Physical exercise seems to ameliorate the problem, at least temporarily. I'm also willing to consider fatigue in that my circadian rhythms are innately geared to run in four-hour cycles (including sleep - two four-hour cycles) and I don't get that very often anymore. I'm lucky to get six hours, if that. I'm not getting any of the usual problems of extended sleep deprivation, like hallucinations or loss of motor coordination (as if I ever had that...) so I think that it's a (so far) minor perturbation in the natural pattern.
Not long after I got home I rebooted Burn. That itchy-burning-hollow feeling is gone now. Yay. I've changed her over to Binc IMAP, which seems to be much less of a hit on system resources than Courier IMAP is. Courier's a beast when it comes to memory footprint, which is why I think it kept hitting that memory paging subsystem bug in Burn's kernel. That I can really only fix by replacing her mainboard and compiling a new kernel for her, but I don't know when that'll be. I fix what I can and ride out the rest.. let's see how this new arrangement fares. I've already caught up on today's mail and Binc seems to be doing the trick so far.
It's another cold one today.. autumn's here if this isn't just the opening procession. Still freezing, still trying to warm up. This morning at the bus stop, there was an unexpected bit of surprise.. a small kitten had followed one of the middle school kids we share the corner with. This probably should not count as excitement or surprise, I suppose, but I need something to write about. The little guy was an orange tabby, probably not older than five months judging by his size. He honestly didn't want to leave anyone, probably due to the attention and the prospect of maybe getting something to eat out of them. No collar. Judging by how clean he was and how healthy he appeared he's probably a local cat, someone's kitten who got out either early this morning or some time last night. I wish I could have done something to help.. I hope he made it home. He wouldn't stay on the porch of a nearby house though he did run into someone's driveway so I think he's safe for now. Maybe he'll go home if he gets hungry enough today.
I've decided today that Microsoft Office XP is the worst piece of software that I've ever had the misfortune to come across, so much so that I am going to plunge my hands into a bucket of bleach when I get home tonight to rid myself of the icky feeling. Trying to keep a document properly formatted has been an exercise in futility today: Office XP does whatever the hell it chooses with section breaks, hyperlinks, bullet-point placement and colouration, and generation of indices and nothing that I know how to do will bring it to heel. I've wasted a good three hours fighting with one document today and I seriously doubt that I'll be making any progress anytime soon. If I thought the software would do it properly I'd export it as text or HTML, clean up the formatting, and then reload it to save it off. Sadly, I doubt that'll do any good at all given the functionality required (internal hyperlinks with indexing), and even if I did try to save the document as HTML I strongly doubt that it'd be readable by any software likely to exist anytime soon on this planet. If a three page text file can balloon to a half megabyte in size, what else is this monster capable of?
I signed on to do computer security, not wrangle shoggotha.
Speaking of computer security, everyone, Guardian Digital Security has released an advisory regarding vulnerabilities in OpenSSL. Not too long ago the NISCC of the United Kingdom (National Infrastructure Security Co-ordination Centre) created a set of malformed client certificates (sort of like public keys) to test how SSL-protected software reacted to adverse conditions. Dr. Stephen Henson, one of the core programmers of OpenSSL, isolated and fixed a number of bugs in the OpenSSL libraries. There are certain ways to corrupt the encoding of a certificate that can cause OpenSSL to corrupt its stack, causing the programme to crash. Similarly, strange ASN.1 tag values can cause the same denial of service, bad public key segments can scribble on the memory used by software if public key decoding errors are ignored (which doesn't happen often, it's a debugging feature), and client certificates passed down the link when they're not requested ("Oh, why thank you!") can force the first three bugs to be exploited. All versions of OpenSSL including v0.9.6j and 0.9.7b are vulnerable. Versions 0.9.6k and v0.9.7c are bugfixes that patch these vulnerabilities.
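A quick way to triage hosts against the version boundaries quoted above, as an added example that is not from the advisory or the OpenSSL project: it parses `openssl version` banners and flags anything older than 0.9.6k or 0.9.7c. The host names and banner lines are constructed, and treating everything older than 0.9.6 as vulnerable is an assumption drawn from the "all versions" wording.

```python
import re

# First fixed letter release on each branch, as named in the paragraph above.
FIXED = {(0, 9, 6): "k", (0, 9, 7): "c"}

# Matches e.g. "OpenSSL 0.9.6j 10 Apr 2003" or "OpenSSL 0.9.7-beta3".
VERSION_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?![\w.])")


def parse_version(banner):
    """Return ((major, minor, fix), letter) or None if no version is found."""
    m = VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix)), letter


def classify(banner):
    """Classify one banner as 'vulnerable', 'fixed' or 'unknown'."""
    parsed = parse_version(banner)
    if parsed is None:
        return "unknown"          # no banner at all: needs a manual look
    branch, letter = parsed
    if branch > (0, 9, 7):
        return "fixed"            # newer branch than the ones discussed
    if branch < (0, 9, 6):
        return "vulnerable"       # assumption: "all versions" covers these
    # Same branch: a plain release ("") sorts before any letter release.
    return "vulnerable" if letter < FIXED[branch] else "fixed"


def audit(inventory):
    """Map host -> status for every host that is not known to be fixed."""
    report = {}
    for host, banner in inventory.items():
        status = classify(banner)
        if status != "fixed":
            report[host] = status
    return report


# Constructed sample inventory (host names and banners are made up).
INVENTORY = {
    "mail01": "OpenSSL 0.9.6j 10 Apr 2003",
    "web01": "OpenSSL 0.9.7c 30 Sep 2003",
    "web02": "OpenSSL 0.9.7b 10 Apr 2003",
    "db01": "OpenSSL 0.9.6k 30 Sep 2003",
    "old01": "OpenSSL 0.9.5a 1 Apr 2000",
    "router": "sh: openssl: command not found",
}

if __name__ == "__main__":
    for host, status in sorted(audit(INVENTORY).items()):
        print(f"{host}: {status}")
```

Distribution packages often carry the fix without changing the upstream letter, so a "vulnerable" result on a Debian or Redhat host should be checked against the package changelog before anyone panics.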
CERT, the Computer Emergency Response Team based out of Carnegie-Mellon University, bless its collective slow-as-molasses-in-January heart, has finally gotten around to releasing an advisory about the bugs in OpenSSH last week.
The FBI's at it again... they've been asking journalists to get ready to turn over all of their e-mails, notes, and contact information for their sources. Some of the reporters who have been covering the Adrian Lamo case have been contacted privately and told that everything they've got about the Lamo case can and will be subpoenaed, and they do mean everything.. even the apocryphal and personal theories. Why does this smell like what they put Mitnick through (hacking NORAD)? To make matters worse they're threatening jail time for said reporters if they don't cough up once the paperwork comes through. This seems to violate the first amendment insofar as restricting what reporters are allowed to talk about (an ongoing criminal case and the fact that they're being leaned on by the government - take a look at my copy of the Bill of Rights). The article goes on to say that this began to happen the day after Attorney General John Ashcroft ordered every US Attorney's Office to prosecute every criminal offense they see with the harshest possible penalties.
This is being done under the laws modified by the USA PATRIOT Act that require "ISPs and other providers of electronic communications services" to keep copies of every e-mail passing through their systems in case they are ever called under subpoena. An ISP's mail servers and a journalist's field notes and research are two different things. The reporters were told that if the wishes of the FBI are not followed for at least three months they will be prosecuted for contempt of court. The first recorded case was in May of 2002, msnbc.com reported Bob Sullivan. The article states in no uncertain terms that they're probably going to use the reporters to confirm Lamo's guilt (he was, after all, very open about what he was doing and was interviewed time and again, each time not denying that he compromised networks), which they'll probably use to bury him. Nevermind the fact that he probably saved quite a few companies several million dollars each by pointing out holes that John Q. Scriptkid would have abused.
As if that's not enough to make you feel queasy on a Monday morning, check this out: lifeandliberty.gov, which is a website that's supposed to tell everyone how the USA PATRIOT Act is preserving our quality of life (have they actually seen the unemployment rate lately?) and liberty (by destroying the Bill of Rights one amendment at a time). Sorry.. I'm not buying it.
Former GeCAD programmers of GeCAD Reliable Antivirus for Linux have shifted to Kaspersky Labs after GeCAD's buyout by software giant Microsoft. Microsoft had announced that RAV for Linux and Novell Netware would no longer be produced or maintained, which screws two major environments out of a fairly decent antivirus system. Kaspersky has announced in return a transition plan from RAV to Kaspersky Antivirus.
Slackware Linux v9.1 was released not too long ago. This version of Slackware was compiled completely using v3.2.3 of GCC, which is a considerable step up from the earlier releases.. v2.4.0 of the Gnome Desktop Environment is included as well as v3.1.4 of KDE (the Pi release?), v2.4.22 of the Linux kernel, journalling filesystem installation support galore, GlibC v2.3.2, XFree86 v4.3.0 (which is a highly stable release, as I can attest to), Mozilla v1.4 (yay not having to download and compile it by hand!), and everything else we've come to know and love about Slack. Start planning your Friday night now.
Before I left yesterday Lyssa gave me a few things to hold onto while she's down in Maryland, among them a stack of back issues of Dragon Magazine, which is a print magazine for FRPG aficionados. Among the usual letters to the editor, product announcements and reviews, and articles I found in the advertisements a full-page ad from Palladium Games from 1989 which talked about a Robotech RPG.. and which also had listed copies of the first two or three episodes of Sentinels, the sequel to the Robotech series which never went anywhere in VHS format for $24.95... so that's how all those copies started making their rounds. For a long time I've wondered how recordings of those lost episodes were getting around the collector's circuit; I guess they're copies of those first-gen tapes. Mystery solved.
Okay. Something's wrong.
The temperature's been falling more and more in the past couple of days as September slowly fades into October and autumn follows on its heels.. this morning I started losing feeling in my hands while I was standing outside waiting for the bus. This is not an uncommon occurrence due to RST (repetitive stress trauma, which amounts to the early stages of carpal tunnel syndrome) reducing the circulation to my body's hands. However, given a warmer environment and lack of exercise they tend to warm up and the feeling comes back on its own. Today it hasn't. I don't think it's due to the nerves being pinched off by anything because I can't do the stove burner trick (you don't want to know) - I can still feel temperature if it's sufficiently high or low, but otherwise mobility and sensation are impaired. This suggests poor blood flow. At any rate, it sucks. I've been having a hard time typing all day today, which is further difficult because I've been writing documentation at work.
Quick sidebar - the vote on George Bush's bill to eliminate overtime pay for Americans is either tomorrow or Wednesday this week - call your representative and tell them to vote this down!
But as I was saying... I don't understand why it is that every night when I come home from work I'm demolished. I've little energy by the time I get back to the Lab, the only thing I want to do is curl up with a book and maybe fall asleep, never mind wanting to do any reading. Even riding the bus home I feel like I'm wandering around the house after a particularly bad nightmare - not really tired but dazed and disconnected, and feeling adrift. I haven't been doing anything major at work, no crises have been breaking out, not even a staff meeting. I'm just doing stuff, and getting taken down by it. Why? It doesn't make any sense.. people shouldn't get tired if they don't expend a lot of energy.
I'm back at the Lab after driving Lyssa home at the hotel. It's been a long weekend, and oddly enough my body's not sending me those "I'm fried" signals.. which means that I managed to recoup some energy, though I don't want to push things right now.
Saturday morning I got up around 1000 EDT, did basic maintenance, and then took off shortly after noon local time to pick her up.. not far from the Fort Pitt Tunnels (does everyone I know Outside live on the other side of the mountain??) I got a call from John and Lara offering to act as co-pilots on my trip because Lyssa's folks live pretty far out there.. for some reason, I know not why yet, I accepted and turned around to head back and pick them up. Roughly forty-five minutes later we were back on the highway headed for what very well might have been the inspiration for some of H.P.Lovecraft's short stories.. her folks live that far out there. We picked her up around 1430 EDT (that seems to have been a popular time this weekend) and drove to Uniontown to meet her friends from the homefront; and what a fun crew they are. We stood around shortly after arriving for another birthday celebration (forgive me, everyone, as I'm very poor with names; I'll remember their names with prompting to make sure that I don't get them wrong and likely remember them permanently after I meet them a few more times). We hung out talking about the good old times, swapping stories (they rather liked the story about the stripper) and generally getting to know one another. Unfortunately, Time being what it is, we had to leave all too early to return to Pittsburgh.
Lyssa had gotten a hotel room in Pittsburgh and we had to get her checked in before the room was repurposed (well, it may not have been, necessarily, because as long as they have a room open they'll give it to a reservation, it just might take longer, a hassle we didn't feel like going through) so we stopped in and dropped off our bags, and then headed out to the fringes of Pittsburgh, near my usual stomping grounds to visit a good friend of mine, Don, who runs The ER Room, which is one of my favourite stores. Don's a great guy; if you go expect to get into a conversation lasting at least a couple of hours. His prices are quite reasonable as well. I really feel for him, as he was in an automobile wreck not too long ago and he's still feeling the effects of it. The airbag caught him in the shoulder in the impact and he injured his neck, back, and shoulder even more. I wish there was something that I could do for him. We looked around the newly rearranged store to see what there was to see.. and oh, were there things to see!
I wish I could afford more of his clothing. He's got some amazing pieces that I'd love to try on, given more time and definitely purchase given more money. Alas, I've little disposable income at present. Anyway, I was shopping for the rest of Lyssa's birthday gifts (I'd already gotten her books on speed reading and memory techniques, which she's going to need while getting her master's degree, and a copy of Disconnect by Iris). Unfortunately, they didn't have exactly what I was looking for but Lyssa knew exactly what I was looking for as I browsed the shelves and asked Don nicely if he had any in stock. Unfortunately he didn't at the time but he took her measurements and offered to make them on commission for her. I'm going to pick them up for her late next week. So all was good.
After saying goodbye to Don we headed back to my car to drop off John and Lara and then swung out to get dinner. I took Lyssa to get dinner at the Sesame Inn Restaurant and Lounge, northwest of the Lab. The Sesame Inn is one of those restaurants that looks too posh to be affordable (even though two can stuff themselves for $30us), too far away to be worth the drive (just try it), and too nice to show up in street clothes (feel free to, everyone else does). The staff is incredibly helpful and accommodating, too: Lyssa asked for Ginger Shrimp and received it without a complaint. As for myself, I had my favourite, General T'sao's Chicken, which somehow manages to be not only filling but to have what amounts to a candy coating on each piece. The service was rather slow Saturday night, though, due to the number of people having dinner before going out to do whatever and the length of the drive from John and Lara's chewed up quite a bit of time. By the time we got back to the hotel it was past 2230 EDT and we were already late.. we called John and Lara to see if they were still up for going to Club Chemistry but, alas, they weren't feeling well and decided to pass. Swift Fox and Silaria had already declined though we did call them next, and accepted an invitation to join them for a while.
We hung out for a while and made plans to go out for breakfast this morning and then retired back to the hotel for the night.
This morning we were awakened by our 0930 EDT wakeup call to shower, pack, and generally get oriented for the rest of the day. We were going to meet Swift, Silaria, John, and Lara for breakfast downtown. Unfortunately, due to having to square away a few things at the front desk we were running late.. the maniacal driver on the highway who nearly sideswiped us as we were changing lanes (I was moving left one lane; he was weaving madly through traffic (should have seen trouble coming to begin with..) doing far better than our 65 mph and in the process of changing from the lane to our right to the lane on our left) not only nearly caused a three-car pileup but scared the living hell out of us, nearly took some of the paint off my car, and made me miss my exit. We wound up taking the long way around the Heinz Stadium (a sports structure which most Pittsburghers can't afford to attend and single-handedly fucked the city's budget for the next eight years, at least), getting stuck in more traffic, and showing up a half-hour late.
Everyone finally met up at Station Square and we elected to go into the Strip District to get breakfast. I honestly don't remember the name of the place that we decided on, I want to say that it was DiLuca's, but it was larger inside than it appeared on the outside, packed with a cross section of Pittsburgh, and had excellent food on large plates. Their food is reasonably cheap (no breakfasts over $9us that I can recall), the portions are large, and it's tasty to boot. It's a good place to close out the weekend, I have to say.. we wound up sitting at the counter eating, talking, drinking far too much coffee (the waiter left a pair of full carafes, which had to be refilled several times) and generally having a good time. We got to watch a team of short-order cooks plying their trade up close and personal, and marvelling at the speed with which they prepared bacon, eggs, sausage, acres of home fries, and everything else under the sun. It was also over all too soon, as I had to get Lyssa back to her Pennsylvania home so her brother could drive her back to Maryland.
The trip back went fairly rapidly; now that I've been out there a few times I'm getting pretty good at finding my way around. I helped Lyssa pack some things that she needs down in Maryland and get them moved out to her brother's car. Once that was done we said our goodbyes (which seem to be getting longer and longer) and parted ways. I've been home for a couple of hours now and I'm sitting back resting, catching up on my e-mail and writing updates. To everyone who's waiting to hear back from me, please be patient.
I find the rape reference slightly offensive and stereotypical of anime, but other than that it's not far off the mark from how I really did look back in high school..
At least I'm not a redshirt.
I'm going to be taking off to pick up Lyssa shortly. I'll be out of touch for about twenty-four hours or so, everyone. If you need to get hold of me send me an e-mail; if it's an emergency call my cell phone.
More and more services are being made available on the Net today, often in the form of a Web application of some sort, running on a server somewhere Out There. The process of submitting a credit application to a car dealership is one of these; formerly a royal pain in the six, now there is a service called Dealerskins, which performs this service for car dealerships to further defray costs and speed the process.. there's just one catch, however: They left the credit information keyed in by prospective customers available to whomever happened across it. Yep, all those names, addresses, phone numbers, and Social Security Numbers were just laying around on a web page that anyone could access if they knew where to find it. To find it all one had to do is examine the HTML source code for the web form (a trivial task, supported by all web browsers). Dealerskins was contacted on Tuesday and alerted to this mistake, whereupon they promptly took the page offline but they refused to check to see if the page was actually publicly accessible for themselves, and furthermore didn't check to see who else had looked at the page. This is negligence of the grossest sort. That customer information is their life's blood, and the wrong people accessing it could compromise the financial histories of hundreds of people, potentially screwing them over for years. I can think of another way that people could have found the page without going to the service page, too - Google. Way back when it was a popular pastime to plug search terms like 'passwd' and 'htaccess' into Google to see what would come back; often you'd find the password file to a private website or two. Nowadays you can prevent those files from being indexed by configuring your web server properly but there are still people who don't do this. If someone stumbled across it during one of these searches, those people are just as screwed, and Dealerskins is just as incompetent.
Dealerskins was quoted as saying that it wasn't their fault if someone was able to look at the HTML code to one of their web pages. I somehow doubt that they're going to be helpful in the investigation.. call it a hunch, but they screwed up royally and their reaction looks to me like they're going to try to discreetly wipe the egg from their faces and cover it up.
Anyone who's been watching the net.news lately has no doubt read the stories that Microsoft's products' lack of security are being discussed as a serious threat to the informational infrastructure of the United States of America (the State Department being forced offline by the worm Welchia is a small sample of this). The security firm @Stake (formerly L0pht Heavy Industries, if anyone remembers the L0pht crew) has stated its opinions.. and lost its CTO as a result. David A. Geer, Jr. lost his job at @Stake yesterday. No one knows if it was a resignation, a forced resignation, termination, or what have you, and no one's talking. This came only one day after Geer and six others published a report that stated that the US government was relying too heavily upon insecure software, exposing it to a clear and present threat to operations.
In case you're interested in reading the paper you can download the .pdf file from here or from my mirror here.
Yesterday and today have been fairly quiet but busy days. I've been writing lots of documentation at work and tracking down tidbits of information to make sure what I'm writing is accurate. It's not terribly hard work, just time consuming; once I start working on it I tend to get lost in the work. Last night was the first relaxing night I've had in a long time. I managed to clear out half my backlog of recipes that I've been meaning to write down (I collect recipes; they tend to pile up faster than I can write them into my cookbook) in the past two nights and I put in the last batch of paper for Fern's book of shadows last night. If all goes well I should be able to press the entire mass starting next week and then start the binding process. I'd better start designing the binding and cover, come to think of it... Lyssa's finished her arrangements for coming into Pittsburgh for her birthday, so that's one less thing to take care of. I plan on cleaning my room tonight just because I'm tired of looking at clothes piled up everywhere; that shouldn't take too long. After that all I really feel like doing tonight is sitting around the house. It's been a long week and I'd like to recover at least a little bit of my strength before I have to drive out and get her.
I'm thinking about curling up with a good book, a glass of wine, and some clove incense tonight. Just because. Maybe I'll finish my kittyband tonight; I've got the design down, I just have to attach the ears, the work of a half hour at most. I also need to figure out what to make for the Pagan Pride Day bake sale, too. That shouldn't be too hard, I just have to sit down and do it.
| The Ultimate LiveJournal Obsession Test | ||
| Category | Your Score | Average LJer |
| Community Attachment | 11.83% You have one or two loyal pals on LJ... But you probably have better things to do with your time. | 25.04% |
| MemeSheepage | 42.11% An expert on multiple-choice questions, an whiz at the cut-and-paste | 30.66% |
| Original Content | 45.16% Some stories must be told - and you're the one to tell them | 40.55% |
| Psychodrama Quotient | 13.25% Had a comment taken out of context once or twice | 16.87% |
| Attention Whoring | 13.64% Slothfully Seeking Susan | 21.78% |
It's been confirmed that the Welchia worm hit the State Department's network on Tuesday. Ouch. That sucker gets around.
Samba v3.0 has been released! Samba, if you're not familiar with it, is an application that lets non-Windows machines communicate with Windows domains and shared networks transparently, for things like remote printer access, file shares, and other neat stuff that Windows takes for granted (when it's not being patched nine ways from Sunday). Among the list of nifty new features in Samba is the ability to join a Microsoft Active Directory system and not just a domain. Full support for Microsoft's implementations of Kerberos and LDAP is engendered by this new functionality. The user credentials authentication subsystem has been completely rewritten. The 'net' command has been cloned, making cross-platform users more comfortable ('s about time..). Trust relationships can now be built with Windows NT4 domains (strangely enough, trust relationships with 2000 domains could be done before, something I discovered entirely by accident). Of course, the docs have been updated to match the new functionality, and the ACL (Access Control List; security permissions, basically) code's been improved. Time to start playing with this to see how well it works at the Lab.
A couple of months ago word got out that Diebold's electronic voting systems were insecure and that some researchers had figured out how to crack the system; the reasoning behind this is that if researchers could compromise the system so thoroughly using sample data sets, so could malevolent attackers out to tamper with an actual election. A security-in-electronic-voting advocacy website, called Blackbox Voting was set up to bring situations like this to greater visibility.. not too long ago Diebold Election Systems had blackboxvoting.org shut down for copyright infringement. Copyright infringement involving linking to other websites.. does anyone else think Diebold is more interested in getting critics out of the way than they are in fixing their voting systems? Something's not right here.. appellate courts ruled what Blackbox Voting was doing was perfectly legal (anyone can throw up a hyperlink to a publicly accessible resource on anyone else's website, after all). Oddly enough, blackboxvoting.com is still up and around and still making its point. Check these guys out and fast before Diebold gets it in their collective heads to shut down this domain as well. Voting is one of the strongest ways in the United States to make your voice heard by those in power. A voting system that can be manipulated easily effectively steals the words from your mouth, making your own opinions null and void. If you wish to keep the ability to make your presence felt in the government, read up on these matters and support the people who are trying to keep things fair for everyone.
It's been an adventurous week on the bus so far.. yesterday the bus driver was in enough of a hurry that he not only sideswiped the guardrail on a tight bend but didn't ask if anyone who'd been thrown around in the back was all right (there were a few close calls back in sardine land). This morning downtown on my walk to the office traffic was snarled for a good ten minutes as another bus, a tractor trailer, and a few cars the drivers of which didn't realise it was a good idea to turn from the inside lane of a widely-swinging truck fought for dominance of an intersection. The tractor trailer was in the second lane from the kerb and trying to make a right, which means a wide swing to build a large enough turning radius. This put it in the path of the bus. The cars zooming down the narrow channel formed by the right-hand side of the trailer and the kerb kept said trailer from completing its turn. Eventually a few cars were stuck in the channel, traffic was backing up in three directions, and the drivers got irate.
Nothing bad happened of it, it's just that the utter lack of common sense and procedure struck me as interesting. I might not have much common sense either but even I know better than to pull a stunt like that. Sheesh.
I feel very secure right about now... yesterday the US State Department's CLASS (Consular Lookout And Support System), which runs background checks on visa applicants to see if they've got criminal histories or ties to known terrorist organisations was taken out by a virus, rendering it inoperable. There is no backup system in place and officials can't say how long CLASS is going to be offline. There is some evidence that the W32.Welchia worm might be the reason. I think all of you know what comment I've got lined up next, so I think I'll forego making it and move on.
I know this has been around for a while, I just haven't had time to talk about it: JetBlue Airways gave identifying information of more than one million of its customers to Torch Concepts, a military contractor, last year as seed information for a data mining project to determine which, if any of its customers were possibly terrorists. The Acxiom Company (which I mentioned Solar Designer found and squashed a few buffer allocation errors.
The first casualty of friendly fire in the RIAA's war against peer-to-peer file traders: Sarah Ward, a 66-year old sculptor accused of using Kazaa to trade gangsta rap. No children live with her, no P2P file trading software, and no Windows box to run Kazaa on (Kazaa only runs on Win32; Ward has a Macintosh).
Sun Microsystems has a new desktop environment called the Sun Java Desktop.. okay... even though it's Gnome that's been rebranded because the JVM (Java Virtual Machine) has been bundled with it. How does that make it a Java-based desktop?
It doesn't.
At last! The manga Tokyo Babylon has been licensed by TokyoPop and will be published in English!
Anyone who's been following the stunt that Verisign pulled a few weeks ago (redirecting all traffic to typo'ed domains to their own website) has probably run into their Sitefinder website. Well, that website leaks information typed into the webforms to a marketing data analysis company called Omniture. The data is passed inside a URL which links a web bug (a one pixel by one pixel graphics file from another web server for just this purpose). You just can't trust anyone these days...
Holy drek.. lots going on, not much time to breathe.
Okay.
First was a meeting this morning to figure out what to do. We've decided to shuffle around our hardware functionality a bit, which basically means rebuilding two systems from scratch. Ouch. All that work and stored data, gone. I managed to back up my IDS configs insofar as the changes from baseline but that's about it. I'm glad that I automated the installs with Redhat because once I touch off an installation it runs until it's done. Unfortunately, there's a lot of stuff that I still have to do by hand due to the limitations of Kickstart. Once I get a machine up and running I can work on it from my cubicle, which saves my back having to stand at a decidedly un-ergonomic rack for four hours.
The odd false alarm is always good for fucking up your day, too. That threw me off my stride, and between that and the meeting I had to catch up on my due diligence stuff. On the whole it's only changing the order of things but for some reason (I think it's general crankiness) it's really messing with my head. I've finally gotten into a pattern that works for me and having to change it I find very disturbing.
Readers looking for a replacement for Microsoft's ubiquitous (and expensive) Office suite might want to take a look at StarOffice by Sun Microsystems. I've been using it for a few years now (since v5.2, lately v6.0) and it's a rock. The layout is very similar to Office and the keystrokes are almost identical, though there are a few differences in the drop-down menus, from what I can tell. But this entry is actually to point you to a review of v7.0 done by The Jem Report not too long ago. They picked it apart module by module and reviewed each, and they gave it a glowing review: An average of 9/10 in three categories (user experience, value, and features). They also list some of the newer features, such as flawlessly exporting documents into PDF files, damaged document recovery capabilities, a much more friendly user interface, open file standards (Zlib compressed XML, as opposed to other file formats that probably had to be reverse engineered), and solid stability. It retails for $79.99us, though I'm pretty sure that you can download it from Sun's website as well for free. Try it and see how well you like it; if it becomes a complete replacement for Microsoft Office (as it did for me years ago) consider buying a copy to show Sun the proper respect.
Hello. Free Software Heretic, at your service. If it's commercial software and it rocks the docs, I buy it.
Adrian Lamo is in remarkably good spirits right now as he awaits trial for breaking into the computer network of the New York Times. The twenty-two year old was quoted as saying that "It will turn out to be worthwhile in its own way, and it will turn out to be a learning experience." Lamo is technically not under house arrest but he cannot be away from his parents' house for longer than twenty-four hours, and he cannot leave the area, either. The way things stand now he faces up to 15 years in prison and a fine of $500kus. It figures: Someone who tells the owners of the network he cracked what was wrong and how to fix it is probably going to get a harsher sentence than someone who would have raped and pillaged the very same network until detected and then disappeared entirely, never to be found. I wonder if it isn't the collective ego of the New York Times that Lamo hurt... as much as I hate to say it, I think the hardcore systems crackers have it right here. This particular good deed could send someone who was just trying to be helpful up the river for a long time. If he'd kept quiet about it he might not have wound up in this situation.
On a brighter note, Darci Wood of Las Vegas, NV is quoted in the article.. and referred to as Kevin Mitnick's girlfriend. Way to go, Kevin.
Oh, for gods' sake... another vulnerability in OpenSSH?! This just came down the wire on the Bugtraq mailing list: There are multiple vulnerabilities in the PAM authentication subsystem of OpenSSH. Anyone running PAM (pluggable authentication modules - a system that lets you add different capabilities to the login management system by writing modules of code) to handle authentication is going to have to upgrade. Oh, and at least one of them is exploitable - fun fun fun! Also, your systems now need Zlib >= v1.1.4 to build properly, though if I recall correctly you can disable data compression at build-time. I've got the source code mirrored already: (note: link deleted. Just get it from OpenSSH.org.) The fix hasn't been added to the Debian project's apt repository yet (I just checked - 1415EDT, 2003/09/23), and I doubt that Redhat's got it in. Everyone else, you know what to do.
Fuck it. I'm going VPN.
Wait a minute.. no, I'm not. I give up.
At least there's a bright side to this pain-in-the-ass: Unless your systems require PAM support to be turned on (in /path/to/sshd_config, option "UsePam yes") you probably aren't vulnerable. The advisory states that if you edit your sshd_config file and flip "UsePam" to "off" you're fine. Anyone feel like taking a chance on that?
I don't, either.
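To check the workaround described above on a given machine, here is an added example (not from the original post or the OpenSSH project): a shell function that reads one sshd_config and reports the UsePAM value sshd would act on. It assumes sshd keeps the first value it reads for a keyword, that keywords are case-insensitive, and that the built-in default is "no" when the keyword is absent; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide whether an sshd_config leaves PAM authentication on.
# Assumptions (not from the original post):
#   - sshd keeps the first value it reads for a keyword;
#   - keywords are case-insensitive, so "UsePam" and "UsePAM" are the same;
#   - with no UsePAM line the built-in default is "no";
#   - only this one file is read (no Include handling).

# effective_usepam FILE
# Prints "yes", "no", "default-no" (keyword absent) or "invalid:<value>".
# sshd_config(5) documents only yes and no for this option, so a value
# such as "off" is reported as invalid rather than treated as disabled.
effective_usepam() {
    awk '
    {
        line = $0
        sub(/#.*$/, "", line)            # drop comments
        sub(/^[ \t]+/, "", line)         # drop leading blanks
        if (line == "") next
        if (!match(line, /^[A-Za-z0-9]+/)) next
        key = tolower(substr(line, 1, RLENGTH))
        if (key != "usepam") next
        val = substr(line, RLENGTH + 1)
        sub(/^[ \t]*=?[ \t]*/, "", val)  # accept "Keyword value" and "Keyword=value"
        sub(/[ \t]+$/, "", val)          # drop trailing blanks
        gsub(/"/, "", val)               # drop optional double quotes
        val = tolower(val)
        if (val == "yes" || val == "no") print val
        else print "invalid:" val
        found = 1
        exit                             # first occurrence wins
    }
    END { if (!found) print "default-no" }
    ' "$1"
}

# pam_disabled FILE
# Exit status 0 only when the file verifiably leaves PAM switched off.
pam_disabled() {
    case "$(effective_usepam "$1")" in
        no|default-no) return 0 ;;
        *)             return 1 ;;
    esac
}

# write_samples DIR
# Writes constructed sshd_config fragments (not real configurations)
# that exercise each outcome of the check.
write_samples() {
    printf '%s\n' '# constructed sample' 'Port 22' 'UsePam yes' 'UsePAM no' > "$1/enabled"
    printf '%s\n' 'Port 22' '  usepam = no   # trailing comment' > "$1/disabled"
    printf '%s\n' 'Port 22' 'UsePam off' > "$1/bad"
    printf '%s\n' 'Port 22' '#UsePAM yes' > "$1/absent"
}

# Usage: sh check_usepam.sh /path/to/sshd_config
if [ -n "${1:-}" ]; then
    printf '%s: UsePAM is %s\n' "$1" "$(effective_usepam "$1")"
    pam_disabled "$1" || printf '%s\n' 'PAM is not verifiably off: upgrade or fix the setting.'
fi
```

A commented-out `#UsePAM yes` line counts as absent, and a later `UsePAM no` does not override an earlier `UsePam yes`, which is why the check stops at the first occurrence.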

I haven't even been in the office for a half-hour yet and I've just deleted twenty-four instances of the Gibe.F worm that were waiting for me in my inbox at work. Once again, they'd all been rendered neutralised but it's the principle of the thing. Someone's infected around here, but who?
This is rich.. someone fishing for credit card info on America On-Line accidentally tried to scam an FBI agent. Agent Joseph Yuhasz of the FBI received the spam back in February of 2001 and forwarded it to what they used to call the Special Technologies and Applications Unit, whereupon they tracked down the suspect, raided a few of her associates (who narked on her) and then took her into custody. Helen Carr, indicted suspect, goes on trial in November. Gotta love probability.
Ye flipping gods, it's been a long one. I just got out of a planning meeting about a half-hour ago and I can feel the insulation in my skull finally cooling down. I forgot how rough those were. So much information, so much to do, and so much that gets laid on the table and worked over. They're murder. And the aftermath isn't much better, let me tell you. There are lots of ruffled feathers and grumbling, and not a few complaints, which I suppose is par for the course given what happened last weekend.
Tonight's been a reasonably productive night, I must say. I filled out three job applications, checked them, and got them ready to drop in the post tomorrow morning as well as paid my bills (including my student loans, which technically come due in November but since I've got cash flow at present.. what the hell), and filled out the survey that Pitt sent me about my experience there. I've also written down a couple of recipes in my notebook and cleaned out some of the mail that'd been piling up on top of the china cabinet (where I keep the stuff I have to pay attention to). I'm coming up with stuff to donate to the bake sale on Pagan Pride Day (5 October 2003, North Park Lodge, North Park, western Pennsylvania). If all goes well I'll be able to prepare everything the day before seeing as how it's on a Sunday.
Lately I've been ripping parts of my CD collection into .mp3 files to make backups of them, in particular the harder-to-find stuff (like Cyberpunk Fiction, a parody of the Pulp Fiction soundtrack done by industrial bands and my latest find, Disconnect by Iris (it finally came in!)). I'm working at a clip of one disc every night, using cdparanoia to rip them into .wav files and LAME to encode them with as high a bitrate as I can manage. I'm hoping to get a new CD writer soon (probably an ATAPI one) so I can get back to backing them up. I seriously doubt that I'll be finding another SCSI writer anytime soon so I'll probably remove the dead one in Leandra, percolate the SCSI CD-ROM drives upward, remove the tape drive that I never use, switch the CD-ROM for the DVD-ROM, and install the CD-RW drive in its place. I may as well remove the 29160 card as well because it won't be needed for throughput anymore and replace it with the 2960 that's been sitting in storage for a while. If I ever get a chance to build a replacement for Crash I'll use the 29160 card for a drive array. But again, that's probably more information than you really needed.
This is kind of a neat hack: Intel's come up with a few designs for miniature keypads for handheld devices. Instead of tapping a key multiple times to cycle through characters until you get the one you want (for example: 2-A-B-C-a-b-c-2-...) the letter keys are placed in the gaps between the number keys. The schemes were developed by David Levy, former ergonomics engineer for Apple. Cool stuff.
Not too long ago John Schwarz, chief operating officer of Symantec, was quoted in an article at Wired as saying that it should be illegal to make information on security vulnerabilities and viruses in general available because they make it easier for people to write new exploits and viruses. I thought this had already been done... and it doesn't seem to have worked. The irony of Symantec owning SecurityFocus, which hosts many mailing lists that discuss just this, has not escaped the computer security and systems cracker communities. You can't make security better without knowing how to break it. John Zdziarski wrote a scathing rebuttal to Schwarz's statement, in which he states in no uncertain terms that 'censorship legislation' has effectively hamstrung computer security on the part of the private sector and done nothing positive toward lessening the impact of computer crime. In his article he states several excellent reasons why this is a bad idea well enough that I don't see a need to reiterate them here. Suffice it to say that he doesn't trust Schwarz's reasons for his statements any farther than he can throw a Buick.
This is weird.. I'm having trouble getting my mind set up for real writing, i.e., journalistic-style in these logs. Maybe it's the lack of time to do it properly (I've had to crank up my reading speed by a factor of two just to get through the bare minimum anymore), maybe it's being tired or preoccupied with other stuff. I don't know. I'm a little worried that the quality of what I write is going to start going downhill if I'm not careful, which means that the information content is going to go downhill as well. That's not good. I don't want that to happen.
Okay. Deep breath. Calm down.
After I got home from Swift Fox and Silaria's last night from game night I found out from my folks (who'd come back from a wedding late yesterday afternoon) that the reception was today and I was expected to go to it. I'm not happy about this; it completely screws my plans for today. I'm not even interested in going, and in fact I was quite relieved that I didn't have to attend that wedding yesterday. So now I'm sitting here playing the "hurry up and wait for me" game, because they don't know how to get to the site of the reception and they're waiting for a call from the people they're going to meet someplace and follow in. Which means that not only am I stuck with this but I'm wasting time.
Needless to say, I'm pissed.
Last night after I got home I spent some time talking with Lyssa, because I haven't had much of a chance to lately, and nosing around on the Net for information on working with Sculpey, which if you've never heard of it is one of the more popular forms of polymer clay. Instead of clay, which is basically tiny particles of silica suspended in water, which has the nasty habit of drying out and becoming unworkable if you're not careful, it's tiny particles of PVC (polyvinyl chloride) suspended in a matrix of a polymer gel. It doesn't dry out, it doesn't become unworkable accidentally unless you heat it too far for too long or expose it to UV radiation for too long, and firing it means putting it in the oven in your kitchen for a few minutes. Once it's fired it's a solid block of plastic, which can then be carved, drilled, painted, sanded... cool stuff. I've been searching for something to play around with for a long time, particularly for making jewelry (because I don't have the money for metal casting materials or gemstones, nor access to centripetal casting eq