|
Ted's Radio Weblog
 |
Saturday, September 30, 2006 |
Red Hat has posted an interesting "Risk Report" outlining the security experiences with the first year of Red Hat Enterprise Linux. A frank discussion of positives and negatives, with some good reminders on basic Best Practices. Worthy of a read.
4:52:05 PM
|
|
 |
Friday, September 29, 2006 |
I've always wanted an excuse to build one of those lunch-box sized PCs. I haven't come up with a good excuse yet, but Ars Technica has some recommendations on the components to build the box, whether you want a Budget Box or a top-of-the-line machine.
1:09:25 PM
|
|
 |
Thursday, September 28, 2006 |
IBM joins in the fray by recalling over half a million laptop batteries. PC Magazine covers the story.
"Customers are encouraged to call Lenovo at (800) 426-7378 anytime or log on to Lenovo's battery recall web site to determine if they have an affected battery."
4:07:39 PM
|
|
I don't intend this blog to be a security blog; that's a full time job better served by others. However, you ought to be alert to what's going on out there:
MS "re-released" MS06-049 as version 2.0 (new and improved!) to patch NTFS file compression on Windows 2000 SP4.
The Internet Storm Center is reporting yet another Internet Explorer exploit, taking advantage of a bug in an ActiveX control.
The ISC is also pointing to reports of an exploit packaged in a PowerPoint file. I may have mentioned it before: Do not open attachments from untrusted sources and... there are no trusted sources. I wouldn't advise anyone to open a PowerPoint until they are sure their anti-virus scanners have been updated and clear the file. Better yet, open it in OpenOffice.org. Better yet... imagine a day with no PowerPoint. Wow.
12:00:28 PM
|
|
 |
Wednesday, September 27, 2006 |
Slashdot is noting that Microsoft Patches VML Vulnerability. "Microsoft has quietly released an official patch for the zero-day VML vulnerability. The patch was publicly available yesterday, but Microsoft has just added it to the Security Bulletin Index." Eight days from time of first report to patch is pretty fast for Microsoft, and is almost two weeks ahead of their normal patch schedule. This security flaw was being aggressively exploited out in the wild."
For Microsoft to break their usual once-a-month patch cycle is pretty unusual, so I'd consider this patch sooner rather than later. Get patching!
2:48:05 PM
|
|
InfoWorld's Off the Record column continues to supply great tales of the software world's mis-steps, like this one:
"Ten years ago, I was the IT manager at a successful software company whose main product was aimed at large insurance companies. It was a DOS app that read records from large data files, did a little processing, and passed the results to other apps downstream. It wasn't particularly pretty, but it was accurate -- and it was fast! It worked in batch mode, processing thousands of records per minute, which was a critical feature, considering how many records our clients needed to manage each day."
"We were doing well with this app, which was pretty much the industry leader. So in a classic it-ain't-broke-so-let's-fix-it-anyway move, some of our managers and salespeople began complaining that it wasn't written for Windows."
Betcha can't guess what comes next. Read the whole story here.
11:09:32 AM
|
|
Google sites unavailable in some parts of the U.S. (InfoWorld) - "Google Inc. users in the U.S. lost access to Google Web sites on Tuesday in a connectivity issue that lit up the blogosphere but whose causes remain unclear... An undetermined number of Google users that connect to the Internet via a specific service provider 'experienced problems accessing Google and other services for a short period of time' on Tuesday, a Google spokesman said via e-mail."
That would be COMCAST. We lost connectivity with Google yesterday here in New Hampshire. It felt like half the internet was unavailable. Google ads on pages would grind page loads to a halt. Google Mail lost meant I missed some of my mailing list reading. And I hadn't appreciated how dependent I had gotten on typing whatever I needed into the little box in the upper right of Firefox: JavaScript syntax questions, contact information. Why bookmark? There's Google. Sure, there were other search engines to switch to, and our business has a business DSL line with another vendor, but it was remarkable how much Google was missed.
I attempted to figure out if we had DNS problems in-house but couldn't find any symptoms, other than lack of Google. Traceroutes and pings and digs seemed to yield correct information. I even tried to contact Comcast to see if they had a page with "known outages" but never located it. Worse, I tried a "Chat with Comcast" session that turned out to be a bot with a single-digit IQ that only knew the answers to 10 questions, none of which were "Why are you blocking Google?" Quite annoying.
Glad to see order has been returned to the universe.
9:52:09 AM
|
|
 |
Tuesday, September 26, 2006 |
IBM continues its series documenting the knowledge you'll need to pass the Linux Professional Institute's certification exams. This month, they cover a portion of the second exam, LPI 102, "Linux Documentation."
7:59:32 AM
|
|
Phil Windley gave a presentation to Brigham Young University's Unix User Group on "Power Laws, Longtails, and Software." An interesting view of the power of the Internet.
7:56:10 AM
|
|
 |
Monday, September 25, 2006 |
The monthly meeting of CentraLUG, the Concord/Central NH GNHLUG chapter, happens the first Monday of the month on the New Hampshire Institute Campus starting at 7 PM. Directions and maps are available on the NHTI site at http://www.nhti.edu/welcome/directions.htm. This month, we'll be meeting in the Library/Learning Center/Bookstore, marked as "I" on the map at the link above. The main meeting starts at 7 PM and we finish around 9 PM. Open to the public. Tell your friends.
At this meeting we'll cover a couple of quick demos, including a tour of the GNHLUG wiki and a demo of the NX remote desktop access tool. We'll review upcoming meetings for GNHLUG and discuss what presentations we'd like to see this fall and winter. Over the summer we had a couple of good meetings and talked about learning a bit about software development on Linux. I'd like to open up the discussion to what these "users" are that we are supposed to be a group of, and what sort of presentations these "users" might like to see. Over the summer, I attended two "Open Mike" meetings, one in Nashua and one in Peterborough, that were very interesting and highly interactive. We'll certainly include some Q&A in this meeting, and perhaps include it as a permanent part of the meeting. MonadLUG has also added a "man page of the month" to their meetings; let's consider this as well.
7:00 Welcome, Announcements
7:15 Questions
7:30 Demos
8:00 Answers
8:30 Discussion: Future meetings
There's lots more information about CentraLUG and its parent organization GNHLUG at http://www.gnhlug.org.
2:47:14 PM
|
|
Apple's made available the second patch this year to their Airport wireless NICs to prevent stack overflows and arbitrary code execution on your Mac. Details here. Get Patching!
11:34:35 AM
|
|
 |
Saturday, September 23, 2006 |
Bill Sconce posts the news for next Thursday's Python Special Interest Group meeting in Manchester:
PySIG -- New Hampshire Python Special Interest Group
Amoskeag Business Incubator, Manchester, NH
28 September 2006 (4th Thursday) 7:00 PM
PySIG meetings are seminar-style, hands on. Laptop-friendly: 'Net access, wired + wireless. Python questions, war stories, examples always welcome. Everyone is welcome. Free of charge. Free of braces.
7:00 PM: Introductions --Bill & Ted & Alex, Milk & Cookies --Ben, Janet
7:10 PM: Happenings & Announcements: Python 2.5 Released! Hosstraders 5-6 October, Hopkinton...
7:15 PM: Anyone's question(s) about Python, Python Module of the Month, Favorite-Python-Gotcha contest, Topics for future meetings...
7:30 PM: Bytecode Disassembly & Reassembly, presented by Bill Sconce, In Spec, Inc., Milford NH
Bill: "An August announcement on python-announce-list caught my eye -- a bytecode assembler/disassembler for Python. Because I spent one of my former lives as project leader for a bytecode/stack-pseudomachine, JIT-compiled, commercial language I thought it'd be fun and instructive to poke into Python's pseudomachine. It was and is. This easy-to-use tool makes it easy for anyone to get a start looking at Python internals."
Bill Sconce is co-founder and chief cookie-procurer at PySIG, teaches Python, and writes in Python as often as he can.
8:10 PM: TurboGears, presented by Lloyd Kvam, Venix Corp, Lebanon NH
Lloyd: "I am impressed with the TurboGears (TG) approach to combining data and templates. They have a 20 minute tutorial that took me an hour - I insist on trying to understand how the magic is done. TG has a very ingenious use of decorators to link templates and data.
"The result is very different from Myghty which is much more like PHP with lots of snippets that get combined any which way you like.
"I am not sure I really understand all of the tradeoffs between the TG and Myghty approaches. That could lead to some interesting discussion."
Lloyd Kvam is a charter member of PySIG and has given a number of Python tutorials at PySIG and elsewhere.
5:40:40 PM
|
|
 |
Friday, September 22, 2006 |
 |
Thursday, September 21, 2006 |
Scripting News points to Mary Jo Foley: "Blogging is the future of journalism." MJF drops the bombshell that after eleven years at Ziff-Davis, she'll be leaving the helm of Microsoft Watch and striking out on her own. She says, "There still is no other company in the tech space, IMHO, that matters as much as Microsoft." Keep an eye on her new blog at All About Microsoft.
11:36:17 AM
|
|
 |
Wednesday, September 20, 2006 |
Just a bit of advice for folks trying to market to the A-List: Have something worthy. Else you might end up on Joel's bad side:
The phones they send us are so lame there is literally no area you can go into without being disappointed and shocked at just how shoddy everything is and how much it costs and what a rip off scam they're trying to run here with the music that costs too much and the movies that you don't want to watch on the screen that makes them unwatchable and you just KNOW that if you call to cancel the extra $7/month, their customer service department is going to give you the phone menu runaround and then put you on hold for an hour and then you'll get some cancellation specialist with an incomprehensible accent who will spend 15 minutes trying to talk you out of canceling the useless service until you just give up and let them have the goddamned $7 a month.
Great commentary. Read it all.
12:46:32 PM
|
|
GrokLaw is reporting "HP Spying More Extensive: Who Knew and When. We begin to learn now who knew and when, in an article in the Washington Post. They did broad background checks on their targets, but also on relatives of their targets. They tried to recover a stolen Keyworth laptop, so they could examine it. They targeted and sought phone records and fax records of relatives, like wives, of board members and reporters too. They got the records for 240 of 300 phone numbers they went after. The spyware sent to the reporter at CNET was not just to track email forwarding. It was keylogging software."
And HP sells a server line called Integrity. This is disgraceful behavior.
11:12:18 AM
|
|
 |
Friday, September 15, 2006 |
The Mozilla folks announce a new version, 1.5.0.7, available for download from their site or by selecting updates from within the application. A number of bugs have been squashed and several security issues addressed. Get patching!
8:55:34 AM
|
|
 |
Thursday, September 14, 2006 |
Linux.com has an article on an upcoming Ohio LinuxFest put on by their own corporation. There's a lot to be learned by reading what others have learned in putting on a conference...
Linux and open source software users in the Buckeye State who want to network with several hundred of their colleagues will get the chance when Ohio LinuxFest 2006 gets underway later this month. The one-day conference, to be held on Saturday, September 30, at the Greater Columbus Convention Center in downtown Columbus, features presentations, exhibits, an after-conference party, and a special appearance by some live penguins.
5:04:43 PM
|
|
On the GNHLUG-Announce list, Jim Kuzdrall announces the September MerriLUG meeting, "File Carving at Home or Office":
- Who : Andy Bair, Winning Team, 2006 File Carving Challenge
- What : Unscramble randomized data sectors or packets back to files
- Where: Martha's Exchange
- Day : Thur 21 September **Next Week**
- Time : 6:00 PM for grub, 7:30 PM for discussion
:: Overview
Want to undelete some Linux disk files? Piece together fragments of a deleted file? Recover a Windows disk where both FATS are destroyed or missing? Extract files from a network capture? MerriLUG presents Andy Bair with a new and effective approach to file carving that could be used to accomplish these tasks.
Andy Bair (and teammates Klayton Monroe and Jay Smith) won the 2006 File Carving Challenge. The winners developed new tools and techniques which accurately extracted files from a 50MB disk image containing JPEG, ZIP, HTML, Text, and Microsoft Office files.
Andy's talk will explain the contest, contest data sample, methodology, and tools. There will be examples and a question-answer session. You might want to build a script to automate his method for your purposes (or entice him to do so). Get contest information at http://www.dfrws.org/2006/challenge/. Get a preview of the team's methodology, updated results and additional information at http://www.korelogic.com/Resources/Projects/dfrws_challenge_2006/.
>>> RSVP to Jim Kuzdrall for dinner to assure adequate seating. <<<
Driving directions
12:54:52 PM
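A minimal signature-based carver for two of the file types named in the announcement above (JPEG and ZIP), as an added example; it is not the winning team's tool or method. It recovers contiguous files only and does not attempt the fragmented case the talk covers; the "disk image" is constructed in memory and all function names are hypothetical.

```python
import io
import struct
import zipfile

JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker plus first marker byte
JPEG_EOI = b"\xff\xd9"       # JPEG end-of-image marker
ZIP_LOCAL = b"PK\x03\x04"    # ZIP local file header
ZIP_EOCD = b"PK\x05\x06"     # ZIP end-of-central-directory record (22 bytes + comment)


def carve_jpegs(image):
    """Return (offset, data) for every SOI..EOI span found in the raw bytes.

    Header/footer matching only: an embedded thumbnail carries its own EOI
    and would cut the carve short, and fragmented files are not reassembled.
    """
    found, pos = [], 0
    while (start := image.find(JPEG_SOI, pos)) != -1:
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            break
        found.append((start, image[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)
    return found


def carve_zips(image):
    """Return (offset, data, member_names) for each ZIP that passes its CRC check."""
    found, pos = [], 0
    while (start := image.find(ZIP_LOCAL, pos)) != -1:
        eocd = image.find(ZIP_EOCD, start)
        if eocd == -1 or eocd + 22 > len(image):
            break  # no complete end record left in the image
        comment_len = struct.unpack_from("<H", image, eocd + 20)[0]
        blob = image[start:eocd + 22 + comment_len]
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                ok, names = zf.testzip() is None, zf.namelist()
        except zipfile.BadZipFile:
            ok, names = False, []
        if ok:
            found.append((start, blob, names))
            pos = start + len(blob)
        else:
            pos = start + len(ZIP_LOCAL)  # false positive: keep scanning
    return found


def build_sample_image():
    """Constructed test image: zero padding, a JPEG-like blob, padding, a ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("notes.txt", date_time=(2006, 9, 21, 19, 30, 0))
        zf.writestr(info, b"constructed sample text")
    zip_bytes = buf.getvalue()
    jpeg_like = JPEG_SOI + b"\xe0" + b"constructed-not-a-real-picture" + JPEG_EOI
    pad = bytes(512)  # one empty 512-byte sector
    return pad + jpeg_like + pad + zip_bytes + pad, jpeg_like, zip_bytes


if __name__ == "__main__":
    img, _, _ = build_sample_image()
    for off, data in carve_jpegs(img):
        print("JPEG at offset", off, "length", len(data))
    for off, data, names in carve_zips(img):
        print("ZIP at offset", off, "length", len(data), "members", names)
```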
|
|
 |
Tuesday, September 12, 2006 |
Picking up an example presented in 1998 for using COM Automation on SourceSafe from Visual FoxPro, I created the same example in Python with just as little code. Using Mark Hammond's Win32All to supply the Win32 and COM support, the following code will list all the files in a particular SourceSafe project and their version numbers.
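import win32com.client

# Connect to SourceSafe through COM Automation (Win32All / pywin32)
SSafe = win32com.client.Dispatch("SourceSafe")
# Open(path to srcsafe.ini, user name, password); the raw string keeps
# the backslashes in the Windows path from being read as escapes
SSafe.Open(r"c:\Projects\VSSPath\srcsafe.ini", "troche", "secret")
Root = SSafe.VSSItem("$/MyClient/MyProject")
VSSItems = Root.Items
print(VSSItems.Count)
# List each item in the project with its version number
for loNode in VSSItems:
    print(loNode.Name, loNode.VersionNumber)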
10:17:24 PM
|
|
OSNews reports Subversion 1.4.0 Released. "This is a feature release of Subversion, featuring BDB 4.4 and repository auto-recovery support, a new tool for synchronizing repositories (svnsync), major speed enhancements in the versioned filesystem and the working copy, and of course the usual host of bugfixes and minor enhancements. Additionally, check this article on how to Set up Subversion and websvn on Debian."
Good timing! I've been using subversion for the past year on a web development project with another (remote) developer, and have enjoyed the power and flexibility of the tool, as well as some of the cool add-ons, clients and scriptability.
Now, it's time to consider moving existing projects out of Visual SourceSafe and into subversion. The folks at Pumacode offer a vss2svn tool that runs as a native Windows executable, written in Perl and C, with the source available under an open license. Pumacode tried an interesting tactic to convert the VSS repositories: rather than interrogate the VSS binary to retrieve files, it reads the repository files directly and interprets the results from there. There are some advantages where older versions might be corrupted, or to retrieve files flagged as deleted, which they say VSS will not allow.
On a 2 Ghz Pentium-M with a gig of RAM, it took about 2 hours to process my current VSS repository, which consists of forty thousand files and around 1.4 Gb of disk space. (The authors of vss2svn caution that it's better to convert the entire repository than to risk further corruption by pruning it first; leave that task to subversion post conversion.) This generated a dump file of 850+ Mb. Transferring that to the Linux box with a new repository took a few minutes, and loading the data about 20 minutes. Using RapidSVN from the Windows box, I was able to browse the subversion repository and confirm that files and folders and log history comments look about right. I'll confirm by checking out projects of interest and diff'ing them against the current development copies.
I had anticipated a different tack, using COM Automation to drive VSS, as I described in Essential SourceSafe. As a learning project, I had proposed using Python to browse the repository via COM Automation and use the excellent Python-svn bindings to migrate portions of a VSS repository to subversion. I still plan to try that, and to compare-and-contrast the results between the two techniques, while I learn a little more Python.
1:47:38 PM
|
|
 |
Sunday, September 10, 2006 |
Slashdot misses the mark completely with an inaccurately titled and summarized pointer to a great Tom's Hardware story on MythTV. There's nearly nothing in the story about the Microsoft media device, nor does there have to be. The MM is a plug-in-and-work device that locks you into their choices, their protocols and few extensions. MythTV is for the do-it-yourself tinkerer who wants to do lots more. This one's been on my to-do list for way too long.
The comments on the Slashdot article are much more worthwhile than the post. Set your threshold high and you'll see the moderated posts. A pointer to Chris Wilson's installation guide was worth the browsing. Chris integrates the great documentation on the MythTV site with his own experiences.
11:29:24 AM
|
|
Over at fiat volpes, Rick Borup points out a remarkable Fox Sighting: the second most recommended download at Microsoft? Surely the least-promoted!
11:14:34 AM
|
|
Tired of the abuse I'm getting on one of the servers exposed to the Internet, I've installed APF, the Advanced Policy Firewall, and BFD, Brute Force Detection on the machine. Webhostgear.com has easy-to-follow installation instructions for APF and BFD respectively.
While plain vanilla iptables was enough to protect the machine from most routine attacks, incessant attempts at logging in to a couple of well-known services on well-known ports were filling the logs and consuming an extraordinary amount of the bandwidth. Now, a script kiddie attempting 13,000 logins will find the machine no longer responding on that IP address.
Interesting technology. BFD uses a script run as a timed job to parse logs, pick up repeats, and ban them by scripting a command line and submitting it to APF. APF also uses the excellent DShield.org list of known problematic machines and networks. Very cool. While BFD comes with a set of scripts to parse common exploits, it didn't have one for my ftp server. I'm not sure I've grokked what's needed to set up my own script of rules, but as I couldn't find one on Google, I'll give it a shot, and share my results back to the community once I've got it working.
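The parse, count and ban loop described above, sketched for the FTP case the post says BFD had no rule for. This is an added example, not BFD's own rule script or the author's code: it assumes vsftpd-style log lines (the post does not name the FTP server), the sample log is constructed, and `failed_sources` and `ban_commands` are hypothetical names. It only builds the `apf -d` argument lists and never runs them.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in vsftpd's log layout (assumed; the post names no server).
# All addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Sat Sep  9 08:01:12 2006 [pid 4101] [admin] FAIL LOGIN: Client "203.0.113.45"
Sat Sep  9 08:01:13 2006 [pid 4102] [root] FAIL LOGIN: Client "203.0.113.45"
Sat Sep  9 08:01:15 2006 [pid 4103] [test] FAIL LOGIN: Client "203.0.113.45"
Sat Sep  9 08:02:40 2006 [pid 4110] [ted] OK LOGIN: Client "198.51.100.7"
Sat Sep  9 08:03:02 2006 [pid 4111] [ted] FAIL LOGIN: Client "198.51.100.7"
Sat Sep  9 08:04:19 2006 [pid 4120] [x] FAIL LOGIN: Client "198.51.100.9;x"
Sat Sep  9 08:05:00 2006 [pid 4121] [a] FAIL LOGIN: Client "192.0.2.10"
Sat Sep  9 08:05:01 2006 [pid 4122] [b] FAIL LOGIN: Client "192.0.2.10"
Sat Sep  9 08:05:02 2006 [pid 4123] [c] FAIL LOGIN: Client "192.0.2.10"
"""

# The bracketed user name is supplied by the remote client, so anchor on the
# end of the line: only the address the server itself appended can match.
FAIL_RE = re.compile(r'FAIL LOGIN: Client "([^"]*)"$')


def failed_sources(log_text):
    """Count failed logins per source address, dropping malformed addresses."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAIL_RE.search(line)
        if not match:
            continue
        try:
            addr = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # never hand unparsed log text to a command line
        counts[str(addr)] += 1
    return counts


def ban_commands(log_text, threshold=3, trusted=()):
    """Build one `apf -d <ip> <comment>` argv list per offending address.

    `trusted` is a list of networks that must never be banned, so a typo
    storm from your own office does not lock you out of the server.
    """
    trusted_nets = [ipaddress.ip_network(net) for net in trusted]
    commands = []
    for ip, failures in sorted(failed_sources(log_text).items()):
        addr = ipaddress.ip_address(ip)
        if failures < threshold or any(addr in net for net in trusted_nets):
            continue
        # The comment text is a constructed label, not a BFD convention.
        commands.append(["apf", "-d", ip, f"ftp-bruteforce:{failures}-failures"])
    return commands


if __name__ == "__main__":
    for argv in ban_commands(SAMPLE_LOG, trusted=("192.0.2.0/24",)):
        print(" ".join(argv))
```

Passing the result to the firewall as an argument list rather than a shell string keeps anything that slipped through the log from being interpreted by a shell.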
9:09:03 AM
|
|
 |
Saturday, September 9, 2006 |
 |
Thursday, September 7, 2006 |
NeoOffice: OpenOffice.org native for Mac OS X. "The NeoOffice project has released the first free public beta of its upcoming 2.0 software. NeoOffice is a port of the OpenOffice.org codebase to native Mac OS X APIs and toolkits. The result is an office suite that is integrated with OS X core functionality." Link via LXer
Cool! I've enjoyed NeoOffice/J in the 1.x version and look forward to seeing a 2.x release. OpenOffice.org 2.x has been my primary office suite for a while now on Windows and Linux, including some pretty intense collaboration with Windows users.
12:37:08 PM
|
|
 |
Wednesday, September 6, 2006 |
 |
Sunday, September 3, 2006 |
Bill McGonigle announces two great presentations for the September meeting of the Dartmouth-Lake Sunapee Linux Users Group: Joomla! and AJAX. Should be a great show.
12:01:43 PM
|
|
LXer reports OpenOffice Suite Gets Font Freebies. "OpenOffice.org Premium can be downloaded from the SourceForge Web site, but is available only for Windows. A native Mac OS X version of the suite will be previewed in France in September." [You can also grab the accessories from the SourceForge site, if you already have OOo. - dcparris]
What great timing! I've been looking for a package that includes OpenOffice with some additional fonts, templates and clip art to hand out at Software Freedom Day. On the OO.o site, they have an Extras disk, but it's a couple of micro-versions behind and in need of a lot of attention: files are still in StarOffice format, installers are rough, HOWTOs are missing. There is a lot of great documentation and stuff on the disk (there's an Excel VBA <-> StarBasic concordance that's 63 pages long and looks worthy of further examination), however, and I encourage every OO.o power user to grab the Extras disk (and find out how you might be able to contribute back a little to the disk). But the OOOP disk looks very promising. Will report what I discover.
11:54:55 AM
|
|
 |
Saturday, September 2, 2006 |
 |
Friday, September 1, 2006 |
OSNews reports NX Server, Client Released Under GPL. "2X today announced the release of 2X TerminalServer for Linux, an open source terminal server for Linux, which enables users to run a Linux desktop and Linux / Windows applications over any type of connection. "If Linux is going to happen on the desktop, it will require a terminal server approach such as that of 2X Terminal Server for Linux. Only with the more advanced thin client approach, will Linux be able to outdo Windows fat clients in a company's network. 2X is proud to contribute to this by opening the source code of its terminal server software for Linux."
'Way cool. NX uses the underlying ssh technology to provide an encrypted tunnel to a remote machine. Through that tunnel, you can support VNC, RDP or compressed X Windows traffic for remote desktop access. I've cobbled together ssh-VNC-http solutions before, but they were typically a bit awkward. I'm looking forward to trying this one out.
9:32:48 AM
|
|
|