sysadmin - 13.12.2002 - 6.10.2003

The VeriSign Special Session Approaches

You could almost feel sorry for Verisign given the speakers against them. But only almost...

Devil's grin

Update: Verisign has convened its own Technological Review Panel. Let me translate the charter here:

  • Solicit and gather technical information and data regarding the implementation of the Site Finder service from interested parties. : First collect the complaints and see who among them might look important. The rest simply aren't interested parties according to our definition.
  • Distill the received information and data to implementation issues. : If we have to deal with a complaint anyway because the complainant can't simply be ignored, then we can maybe just claim it has nothing to do with the implementation.
  • Based on the implementation issues, determine which issues are based on fact concerning the service. : If possible, just claim it's all lies or not real.
  • For each issue associated with the service, determine the likelihood of the issue arising for Internet users, and the consequences of each issue for Internet users. : If we have to acknowledge there's actually a problem, try to weasel out of it by claiming it basically never happens anyway.
  • Based on the resulting factual analysis of the issues, determine what enhancements could be made to improve the service. : If there's no way around it, make non-binding concessions - we won't implement the whole thing anyway.
  • Report the observed implementation issues to VeriSign along with any data supporting such issues. : All the complaints we can't simply lie about, push aside, or ignore get printed out and filed away. Guarantees of fixing problems? Commitment to follow the panel's recommendations? Yeah right, forget it.

And the panel participants even volunteer for this stuff for free. There's certainly no recognition here that SiteFinder was simply monopoly abuse and should never have existed. And no sign that the idea would be dropped.

At Wortfeld you can find the original article.

Why I hate Microsoft ...

Security holes in Internet Explorer are a dime a dozen - of course there are patches for them too. So just install them. That's quite simple, right? Wrong. IE 5.5 is installed - the patch is only available for IE 6. But you can just update the browser, right? Wrong. IE6 requires Service Pack 6a on NT4. But you can just install that, can't you? Wrong.

And now it got really wild: I have an NT4 with IE 5.5 on it. Installing the normal SP6a gave me a message that I was trying to install a normal encryption version over a high-encryption version and that wouldn't work. But there's no high-encryption SP6a - you literally have to patch the normal SP6a by hand! So unpack the service pack, search for update.inf, search for the checksecurity.system32.files section, throw out schannel.dll from there. Now you can finally install the service pack. And the first reboot, because I just want to patch a browser.

Ok, then finally install IE6. It churns away for an eternity and what comes next? Of course, the reboot. Because I just want to patch a browser. The fact that it keeps working after the reboot was clear. What the heck is it doing with all that? It's just a damn browser!

Then finally install the cumulative patch for IE6. Which, surprisingly, doesn't require a reboot. I thought. Until the question came up whether I wanted to restart now. It's just a browser! A damn browser! A crummy application program that needs to be patched because the manufacturer is too stupid to do it right!

That's just bullshit. (Side note: of course this isn't a real Windows system, but a VMware - so I could work in parallel, namely under a real operating system. Devilish grin.)

VeriSign Takes Site Finder Offline

Only a partial success: Verisign's whining (why is it described as an ex-monopolist in the c't article anyway? As a TLD operator for .com and .net they are an absolute monopolist; no one else could have pulled off that Sitefinder stunt) suggests they want to reintroduce the mess. Hopefully ICANN will stay tough. This silly claim that 40 million users would have used the Sitefinder is also preposterous - how could anyone have prevented it? You were forced to use it. Drawing the conclusion from that, that people would prefer that part over an error message, is pretty brazen. Verisign has proven they understood nothing and are just as much of a mess as Network Solutions was before them.

At heise online news there's the original article.

Replication for PostgreSQL

I didn't even notice: the commercial replication solution eRServer has been open source since the end of August! It seems only one-way replication (from master to slaves) is implemented, but something like that helps in any case.

Here's the original article.

Trojan redirects browser to fake sites

People, switch to a different browser. This one is really way too broken - Swiss cheese would be a massive wall compared to it!

At heise online news you'll find the original article.

ssh for Hires-Palms (Tungsten, Clie)

An SSH client for Palms with higher resolution such as the Tungstens and Clies. However, it only supports SSH protocol v1 - v2 support is still in the works. Unfortunately v1 is quite buggy, which is why they no longer want to make it publicly available. But still better than Telnet or similar. If I ever get a Tungsten T3, it might be quite interesting. Here's the original article.

Storever Online Backup

An online backup service – that is, data backups via rsync and ssh to a central server. I was particularly struck by the following line in the waiver: Although Storever Online Backup will do the job most of the time, customers should always consider that they have been lucky whenever they can recover lost data. That's really reassuring – that's how you sell a backup system! So you look at what the Storever Offline Archive offers, since that's what Storever recommends when the customer wants security. And what do I find there in the waiver? Exactly: Although Storever Offline Archive is a secure and reliable service, it is not 100% reliable and involves risks which we can not control. In particular, customers should always consider that they have been lucky whenever they can recover lost data. Wow. So with the low-cost product, I should consider myself lucky if I can restore a file. I can then pay even more per month, and I can still consider myself lucky if I can restore a file.

I don't know quite what to say, but somehow I get the impression that this is not a particularly confidence-inspiring product.

Devilish grin

Here's the original article.

apt for RPMs

I wasn't aware of this: there's a project to make apt usable for RPMs as well. Very practical - anyone using Debian knows what apt can do. However, I doubt that all the RPMs really have useful dependencies specified (which apt relies on) ...

Here's the original article.

FTP Server ProFTPD Vulnerable

Not a good time for administrators at the moment. First the multiple holes in OpenSSH, now ProFTPd. Fortunately, Debian works quite pragmatically and delivers the patches relatively quickly - although I'm still waiting for the ProFTPd patch there (and the latest ssh patch isn't here yet either - and that's not entirely uncritical, since Debian works with PAM support).

At heise online news there's the original article.

All your .com are belong to us :: hebig.org/blog

One aspect of the latest VeriSign nonsense that I stumbled upon through Haiko Hebig is mail delivery for non-existent domains. Here's an analysis of what happens with a non-existent domain:

 muenster:~# exim -bt gb@blubberfaselblubb.com
 gb@blubberfaselblubb.com
   deliver to gb@blubberfaselblubb.com
   router = lookuphost, transport = remote_smtp
   host blubberfaselblubb.com [64.94.110.11]

So, since the wildcard gives the domain no MX record but an A record, the mail is simply delivered to that A record (the wildcard one). What happens there? You can see it here:

 telnet blubberfaselblubb.com smtp
 Trying 64.94.110.11...
 Connected to sitefinder-idn.verisign.com.
 Escape character is '^]'.
 220 snubby3-wceast Snubby Mail Rejector Daemon v1.3 ready
 HELO blubberfaselblubb.com
 250 OK
 MAIL FROM: blah@blubberfaselblubb.com
 250 OK
 RCPT TO: blah@blubberfaselblubb.com
 550 User domain does not exist.
 DATA
 250 OK
 quit
 221 snubby3-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel
 Connection closed by foreign host.

So there's a mail rejector running at that address that rejects every delivery at RCPT TO with 550 - User domain does not exist. Note the order: the sender address has already been handed over at MAIL FROM before the rejection ever happens. Want some paranoia? Sure? OK: it's trivial to modify the mail rejector so that it collects and archives the sender addresses provided at MAIL FROM: of the misdirected emails. I'm not saying VeriSign does that - but wildcard A-records at such a central location are an abuse waiting to happen ...
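To make the "paranoia" concrete, here is an added example (my own code, not part of the original post and not VeriSign's Snubby daemon): a toy rejector in Python modelled on the exchange in the telnet session above, which answers 250 to everything and 550 at RCPT TO, plus the one-line addition that records every MAIL FROM it is shown. An smtplib client then plays the role of the misdirected MTA. Host names and addresses are the ones from the post; the port, the daemon banner text and the loopback setup are constructed for the demo.

```python
import smtplib
import socketserver
import threading


class SinkholeRejector(socketserver.StreamRequestHandler):
    """Toy SMTP 'mail rejector' modelled on the transcript in the post: it
    answers 250 to everything except RCPT TO, which gets a 550. The one
    addition is that it records every MAIL FROM it is shown, which is the
    harvesting a wildcard A record at a registry makes possible."""

    def reply(self, text):
        self.wfile.write(text.encode("ascii") + b"\r\n")

    def handle(self):
        self.reply("220 toy-rejector Snubby-like daemon ready")  # constructed banner
        for line in self.rfile:
            verb, _, arg = line.decode("latin-1").strip().partition(" ")
            verb = verb.upper()
            if verb == "MAIL":
                # "MAIL FROM:<addr>" - the sender is known before any rejection
                sender = arg.partition(":")[2].strip().strip("<>")
                self.server.harvested.append(sender)
                self.reply("250 OK")
            elif verb == "RCPT":
                self.reply("550 User domain does not exist.")
            elif verb == "QUIT":
                self.reply("221 toy-rejector closing transmission channel")
                break
            else:
                self.reply("250 OK")


def misdirected_delivery(sender, recipient):
    """Start the rejector on a loopback port, let smtplib attempt a delivery
    the way an MTA would, and return what each side learned: the codes the
    client saw and the sender addresses the 'registry' side harvested."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), SinkholeRejector)
    srv.daemon_threads = True
    srv.harvested = []
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        host, port = srv.server_address
        with smtplib.SMTP(host, port, timeout=5) as client:
            client.helo("blubberfaselblubb.com")
            mail_code, _ = client.mail(sender)
            rcpt_code, rcpt_msg = client.rcpt(recipient)
    finally:
        srv.shutdown()
        srv.server_close()
    return {
        "mail_code": mail_code,
        "rcpt_code": rcpt_code,
        "rcpt_msg": rcpt_msg.decode("ascii", "replace"),
        "harvested": list(srv.harvested),
    }


if __name__ == "__main__":
    print(misdirected_delivery("blah@blubberfaselblubb.com",
                               "gb@blubberfaselblubb.com"))
```

The sending MTA only ever sees a clean 550 and bounces the mail; nothing in the exchange tells it that the other end kept the envelope sender. Whether a real sinkhole logs MAIL FROM is unknowable from the outside, which is precisely the point.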

Here's the original article.

OpenSSH 3.7 closes security hole [2nd update]

That's what's great about Debian: the updated patches are already available on http://security.debian.org/, simply:

 apt-get update
 apt-get install ssh

and the system is up to date again with all patches. That's what I like about it.

Apple has not yet released a software update for OS X ...

At heise online news you can find the original article.

VeriSign has entered a wildcard A record on *.net

That's audacious. Every query for a non-existent domain under .net is now answered with an A-record from Verisign. From there it gets redirected to a Verisign page containing a search engine and web directory. Great. Probably soon there will also be a request to register a free domain cheaply at Verisign. Verisign can of course, as the operator of .net and .com, enter something like this - but only Verisign can do it. None of the alternative .net or .com registrars can do it. That's free competition on the Internet.

At Advogato there's the original article.

SenderBase

SenderBase is a server that performs evaluations of email traffic based on senders and domains. You can use it to find out which organizations and servers use domains, what belongs to organizations, which servers are mail servers, etc.

Quite an interesting thing, based on log data from (according to their own statements) approximately 9000 companies that receive email.

Here's the original article.

bash is new default terminal shell in Panther

Woah! That's almost like making Emacs the default editor instead of vi.

Well, I think it's good, I'll admit I'm a Bash softie (but please not Emacs. My depravity has limits somewhere!).

At The Macintosh News Network you can find the original article.

PHP under different user permissions in Apache

An Apache module that allows PHP code to run under a different user than the one Apache is running as. This would make it possible to set up a separate environment for each user on the server using Unix file permissions and restrict them to that area - safer than the normal variant where all PHP scripts run under the Apache user. However, installing it alongside normal PHP is not so straightforward, since both depend on the same MIME type. Still, I could take a look at that.

Here's the original article.

Spam filter for IMAP mailboxes

Those working with IMAP4 mailboxes instead of POP3 often get ignored by various filter programmers - many can only handle POP3. The link goes to a filter that uses SpamAssassin against an IMAP4 server: emails are sorted out and thrown into a spam folder. The nice thing about it is that this filter doesn't need to be built into the mail client, and not into mail delivery either. Instead, you can simply run it outside of the mail program - it can run on any machine that has access to the mail account. Quite practical if you have your mailbox with a hosting provider and want to run the filter from your own server, but your mail program runs on a notebook (and you want to avoid downloading spam mountains while on the go, for example).

Oh, and the fact that the little program is written in Python is also not without its advantages - instead of SpamAssassin, you could also integrate SpamBayes, for example.
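As an added example of the architecture described above (my own code, not the linked filter and not SpamAssassin's or SpamBayes' code): a small Python IMAP-side filter that fetches unseen messages with BODY.PEEK[] so the real mail client does not see them as read, hands each message to a pluggable classifier, and moves whatever comes back tagged X-Spam-Flag: YES into a Spam folder. The spamc call is the real one but assumes a local SpamAssassin; the demo instead uses a constructed stand-in classifier and an in-memory fake of the handful of imaplib calls the filter needs, so it runs offline. Mailbox names, message contents and the "buy now" rule are all constructed.

```python
import email
import subprocess
from email import policy


def spamassassin_classify(raw):
    """Pipe one RFC822 message through spamc and return the rewritten copy.
    Assumes a local spamc/spamd installation; not used by demo() below."""
    return subprocess.run(["spamc"], input=raw, capture_output=True, check=True).stdout


def is_spam(raw):
    """SpamAssassin (and a SpamBayes front end set up to mimic it) records
    its verdict in the X-Spam-Flag header it adds to the message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return str(msg.get("X-Spam-Flag", "")).strip().upper() == "YES"


def filter_mailbox(imap, classify, inbox="INBOX", spam_folder="Spam"):
    """Move unseen spam out of `inbox` on an already-logged-in IMAP4 object.
    BODY.PEEK[] is used so that looking at a message does not mark it \\Seen
    for the real mail client; spam is copied, flagged \\Deleted and expunged."""
    imap.select(inbox)
    _, data = imap.search(None, "UNSEEN")
    moved = []
    for seq in data[0].split():
        _, parts = imap.fetch(seq, "(BODY.PEEK[])")
        raw = parts[0][1]
        if is_spam(classify(raw)):
            imap.copy(seq, spam_folder)
            imap.store(seq, "+FLAGS", r"(\Deleted)")
            moved.append(seq)
    imap.expunge()
    return moved


def run_for_real(host, user, password):
    """Run the filter against a real server over IMAPS (not exercised here)."""
    import imaplib
    with imaplib.IMAP4_SSL(host) as imap:
        imap.login(user, password)
        return filter_mailbox(imap, spamassassin_classify)


# --- everything below is constructed for the offline demo ---------------

def toy_classify(raw):
    """Constructed stand-in for spamc (or a SpamBayes hook): tags the message
    the way SpamAssassin does, by adding X-Spam-Flag, using a deliberately
    dumb rule so the demo needs no daemon."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if "buy now" in str(msg.get("Subject", "")).lower():
        msg["X-Spam-Flag"] = "YES"
    return msg.as_bytes()


class FakeIMAP:
    """Constructed in-memory stand-in covering only the imaplib.IMAP4 calls
    filter_mailbox uses; return shapes follow imaplib's (typ, data) pairs."""

    def __init__(self, messages):
        self.messages = dict(messages)   # sequence number (bytes) -> raw message
        self.copied = []
        self.deleted = set()

    def select(self, mailbox):
        return ("OK", [str(len(self.messages)).encode()])

    def search(self, charset, *criteria):
        return ("OK", [b" ".join(self.messages)])

    def fetch(self, seq, parts):
        return ("OK", [(seq + b" (BODY[] {%d}" % len(self.messages[seq]),
                        self.messages[seq]), b")"])

    def copy(self, seq, folder):
        self.copied.append((seq, folder))
        return ("OK", [b""])

    def store(self, seq, cmd, flags):
        if cmd == "+FLAGS" and "\\Deleted" in flags:
            self.deleted.add(seq)
        return ("OK", [b""])

    def expunge(self):
        for seq in self.deleted:
            del self.messages[seq]
        return ("OK", [b""])


MSG_HAM = (b"From: alice@example.org\r\nTo: me@example.net\r\n"
           b"Subject: lunch?\r\n\r\nStill on for today?\r\n")
MSG_SPAM = (b"From: x@example.com\r\nTo: me@example.net\r\n"
            b"Subject: BUY NOW cheap pills\r\n\r\nclick here\r\n")


def demo():
    """Filter a constructed two-message inbox; returns what moved, what is
    left in INBOX, and the copy operations the server saw."""
    imap = FakeIMAP({b"1": MSG_HAM, b"2": MSG_SPAM})
    moved = filter_mailbox(imap, toy_classify)
    return moved, sorted(imap.messages), imap.copied


if __name__ == "__main__":
    print(demo())
```

The classifier is the only part tied to SpamAssassin; swapping in a SpamBayes-based function that sets the same header is the change the post alludes to, and the IMAP side stays untouched.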

Here's the original article.

And once again a little something about the SCO farce

SCO did release its old Unix sources up to 32V as open source. There was an announcement from back then by Caldera (now SCO). Allegedly, there was supposed to be a restriction to non-commercial use in this release. Needless to say, there is no restriction on use anywhere in the announcement, nor is there a restriction to 16-bit versions alone, as SCO is now claiming through Blake Stowell.

Could it be that SCO was a bit unprepared for the whole operation?

Devil's grin

Here's the original article.

SCO Licenses Also Due for SCO Linux ...

From the SCO FAQ on Linux licensing:

If I am running SCO Linux or Caldera OpenLinux do I need to obtain a SCO IP License for Linux? - Yes.

This means that SCO itself sold products that are illegal (by their own definition). But SCO certainly sold these products to customers who in good faith purchased them from SCO believing the business was legitimate. Does this now mean these customers can sue SCO for fraud?

In any case, this should be a goldmine for any consumer protection advocate — a company that sells a product and then later comes along and tries to charge people again for the same service they already purchased.

Absurd. Completely absurd.

Here's the original article.

Sun-Chef McNealy: Hands off Open Source

As usual, he talks out of his ass instead of his head

At heise online news there's the original article.

IBM Counters in Legal Dispute with SCO

SCO's claims are becoming increasingly absurd. Now it's supposedly a breach of contract when IBM ports self-developed portions of AIX to Linux, because AIX is a Unix derivative and therefore, according to SCO, everything in it should fall under the Unix confidentiality agreement. Are they completely out of their minds?

Apart from that: where in the SCO garbage heap they call UnixWare have they got anything adequate that would even come close to comparing with the AIX components? For example jfs - where is the usable journaling filesystem in UnixWare that would even allow for any kind of secret violation?

It's really ridiculous what they're pulling off. I hope that - now that it's slowly becoming clear which portions of the source code SCO apparently thinks it has licenses for - the stock market will also react to this and reduce SCO's artificially inflated stock price back to what it's worth: nothing.

At heise online news you can find the original article.

Email Archives as Time Destroyers

Oh yes, the wonderfully absurd arguments from the marketing folks. Nobody pays the total sum (assuming it's even actually that high - the assumptions of these pseudo-experts are completely arbitrary), since it's distributed across all companies. If you break it down to the individual employee, you save a few euros per year. The 6 minutes per day certainly doesn't justify the immense investments a company would have to make in an archive system. You need other motivations for that, not just a bit of email searching. But that's much more effective for advertising ...

At heise online news there's the original article.

CD-Linux Knoppix comes to the Mac

Cool! Knoppix is my favorite emergency distribution - just insert and boot, the computer remains unchanged, but a completely functional Linux based on Debian is available. With it, you can usually get just about anything repaired, except hardware damage.

Something like that for the Mac would certainly be nice too - also to show Mac users a Linux without having to repartition their disks.

At heise online news there is the original article.

SCO vs. Linux: Linux Tax or Security [Update]

It's really outrageous what this company is getting away with. Still this lazy drivel when asked for concrete evidence. I hope that finally some company will put a stop to all this. The whole SCO action stinks miserably to high heaven.

At least here in the country, a stop has been put to this nonsense.

At heise online news you can find the original article.

Former FreeBSD Developer Launches Own Operating System

Ah yes, how much that reminds me of the stories with Theo de Raadt in the NetBSD project. Especially the reasoning sounds very familiar to me.

At heise online news there is the original article.

SpamBayes Outlook Addin

Anyone who has to work with one of the devil's tools (I have to at work, for example) will be happy that the Outlook spam filter plugin written in Python now works really well with Outlook 2000 (and probably XP too). Not that I'd like to use Outlook, but I have no choice, I'm forced to ...

Here's the original article.

Microsoft can't even get an HR tag right ...

... anyway, that's what the linked article says. A buffer overflow through an overly long ALIGN attribute on the HR tag. That's really embarrassing – Microsoft can't even get a horizontal line right in Internet Explorer without producing a security hole.

Devilish grin

Here's the original article.

Threat of Fines for Missing Website Blocks in North Rhine-Westphalia

No class. So the district government is not only unable to grasp that the blocking measures are almost ineffective, but also unable to see how it could even verify its own demands. Pathetic. And downright embarrassing, this demonstration of a total lack of professional expertise.

At heise online news there's the original article.

The Hercules System/370, ESA/390, and z/Architecture Emulator

Because I just talked about it in chat: the link points to an emulator for IBM /370 and /390 hardware. And IBM supplies operating systems for it - old ones of course, but completely legal. OS/360 or MVS 3.8j or even an old VM/370 version on a Linux box is really a neat toy for the geek from back then.

And as I just see there's now also an OS X version. Very nice.

Here you can find the original article.

IP addresses sold on the black market

IP address blocks that lie dormant because, for example, they are only used in internal networks are stolen (through forged letters, etc.) and then traded on the black market. Weird.

You can find the original article at Workbench here.

Renewed Dispute over Draft on Publication of Security Vulnerabilities

What? 30 days after receipt until the patch and then another 30 days to secure important infrastructure, and then - after 60 days! - only then the publication? Ridiculous! If the vendor is given any chance at all, it should be a maximum of a few days! After all, it's about security holes through which attackers can compromise a system.

At heise online news you can find the original article.

Sendmail also now protects against spam

And who protects us from sendmail?

Devilish grin

At heise online news there is the original article.

SAP relies on MySQL

Well. So far SAPDB was quite an interesting database alternative (ok, I like PostgreSQL much better, but whatever). But if the MySQL people start tinkering with it, that can only get worse. I wonder if they'll remove outer joins from SAPDB's SQL? And throw out transactions? Because nobody needs that anyway, as they used to argue back in the day

Devilish grin

At heise online news there's the original article.

Matrix Reloaded features nmap

Cool, in Matrix Reloaded, there's actually real hacking in a hack scene: first finding a host with nmap and then using an ssh exploit to break into the host. No more of the silly Stone Age login screens with nonsensical commands and ridiculous text, but a somewhat realistic situation with actual programs. Cool! On http://insecure.org there are a few screenshots with explanations. On bbum's rants, code & references I found the original article.

Routing tables under Linux vulnerable to denial-of-service attacks

Ouch. 400 packets per second isn't much. Patching seems to be in order.

At heise online news there's the original article.

Send spam back?

To the remarks by Jutta, I'd like to add just my perspective as a system administrator. Because in addition to the problem of the data volume that accumulates (and which many still pay for based on data volume), there's another problem: bounces on bounces. The result of "contaminated" address lists is that many emails bounce. Those that bounce to forged but real user addresses land in that user's mailbox and annoy them. The others that cannot be delivered usually end up as corresponding system bounces in the mailbox of the system administrator of one of the involved mail servers.

I'm quite directly affected on several systems where I'm admin - the result is often unreadable bounce mail folders because so much flows in that you don't really want to wade through it to search for real problems. As a result, system problems that lead to mail delivery issues are often only noticed when users complain - nobody looks at the mess of bounce mail before that, just as little as the error reports of the mail server.

So if you like your system administrators (or simply want your mail to be handled properly), then think about them too when you carry out such anti-spam actions.

At Hexentanz there's the original article.

Trusted Debian 0.9

This actually sounds like I could give it a try now. It might be a path to upgrade my home firewall box to, as that currently is running an older Debian release and must be upgraded. But I need to pull down all those stupid applications I have thrown at that little box first. Because a firewall with that many applications is anything but a firewall.

At freshmeat.net there's the original article.

OS X 10.2 upgrade - all software sucks

Crashing like Winblows. This is stupid. If I want crashing systems, I install something from Microsoft. Unix-based stuff is supposed to work. Yeah. This stinks.

Letters to the Editor

Yep, that's a problem with Microsoft systems: patches often don't work, conflict with each other or are just not there (or you don't know about them because nobody tells you). That's why I prefer systems where the system developers / maintainers give you a usable security feed. Like most Linux or BSD systems with working distributed software repositories. I don't quite understand why Microsoft doesn't do the obvious and set up a mechanism like the Debian apt-get stuff in their current OS and distribute working patches this way. But maybe it is too obvious ...

At New York Times: Technology I found the original article.

TINC hopelessly borken?

At least they can't resolve any .org domains any more. Their nameservers were a bit fucked up already for some weeks, but now it's really silly. Sorry, guys, but your network of root nameservers once was a proposal to do it right, but currently it's just a show of how to do it wrong ...

Post without title

The case against crawler918.com. I saw some hits on my web site the other day from machines in crawler918.com. Always curious about new developments in web searching, I thought I'd find out about it. It's not a happy story. [ Advogato]

Nuke them from orbit ...

Found at Advogato.

Post without title

Political consultant Dick Morris wants politicians to spam. "E-mailing is the new front of political campaigning," he writes after spamming one-fourth of all residents in Arkansas last fall. [Workbench]

This deserves no comment. Only politicians and marketing guys can be that stupid.

Found at Workbench.

Post without title

Rich Bowen: "After putting me on hold for a lengthy period of time, apparently talking to other experts, he came back and told me that the problem was beyond their expertise to deal with. He encouraged me to read the .htaccess file tutorial on the Apache web site at apache.org. Now, for those of you who don't already know, the reason that this was so very surreal is that I wrote the .htaccess tutorial on the Apache web site."

One to bang your head on the table over. Reminds me of the Korn-Microsoft debate. Lusers. [via Workbench]

Found at Workbench.

Post without title

For your stylish recovery: Riedel Wine Glasses. Can I Have A Glass For This? Yes, you can. Riedel make the best glasses in the world (well, with a little competition...), painstakingly suiting each drink to the best shape and size of container, for the benefit of nose, mouth, eyes and hold. A very recent addition, not yet found on their official list, is the bourbon glass, made with expert advice from Fred Noe, of the legendary Noe family, overlords of Jim Beam. Form means content indeed! More's the pity that the great majority of drinks are served in inappropriate glasses and therefore never fully enjoyed. [ MetaFilter]

Although I think that Eisch makes much better glasses; especially the Scotch Malt Whisky glass of the Jeunesse series is superior to all of the many other glasses I tried (and I do usually use Riedel glasses for Scotch).

Found at MetaFilter.

Ingo Rammer: "Exchange Server 2000 rocks. Within a couple of hours, I've been able to render my ...

Ingo Rammer: "Exchange Server 2000 rocks. Within a couple of hours, I've been able to render my weblog posts directly from an Exchange public folder." - shudder. If you think you know it all you find that deep in the pits of hell there is even more torture ...

Found at Scripting News.

Polyhedra Polymath

Polyhedra Polymath. Prof. George W. Hart, of the Computer Science Department at SUNY Stony Brook, has an enviable web presence. His Encyclopedia of Polyhedra alone is worth the visit, his geometric sculptures make the nerd in me weep at their beauty, and his trilobite recipe looks mighty yummy.

Damn. This could have been straight from asr, but it's just something I found on MetaFilter. But a trilobite recipe? That would even be strong for asr people ...

Found at MetaFilter.

MS licensing

MS licensing. An explanation of Microsoft's licensing model (from a person that actually likes their software... but not their licensing). Read it and weep. Especially interesting is the situation they got in which they had to pay a license for the new Office (XP) simply to be able to run Office 2000.... which they had already purchased!!

Truly insane. Another one of the advantages of a monopoly: you can force people to pay for a product they don't use, but rather to continue using the one they have already purchased from you. [via Abort, Retry, Fail?]

Not much can be said about this. Only that people who buy from the devil will suffer what they deserve - ok, ok, we do have some Microsoft stuff, too. And usually we do weep when we read the licenses ...

Found at Abort, Retry, Fail?.

more viruses

more viruses. From News.com: Email viruses doubled in 2002. And this, with MS's supposed new focus on "security". Oh well. Good thing that other virus-free solutions are coming along :-).

[via Abort, Retry, Fail?] Yep, looks like Microsoft really succeeded in their security focus - especially IE and OE should be burned, blown up and pulled out of reality. Please.

But it won't happen, I fear. Instead of that they will produce even more shit and name it .NET and even more stuff will go bozo.

Found at Abort, Retry, Fail?.

Post without title

It's a delight to just switch off and configure out broken NT machines when they go bozo. Ok, usually we try to repair stuff, but since the machine that broke down twice today is the last NT based machine in our production environment, I wasn't that keen on getting it back to work. So I just switched the last three shops running on that box to dummy pages, unconfigured everything monitoring this POS and am done with it. On Monday the shops are transferred to a newer box on Linux.

But there is still a question: when a machine has automatic memory error detection and automatic bank disabling, why can't this POS just do what it is expected to do, switch off the broken memory bank and go on? It worked the last time, why doesn't it work this time? Bah.