March 29, 2006
For the second time this year Microsoft has failed to release a patch for a vulnerability that has public exploits already made available. This time the flaw is browser related. Exploits are already floating around out there, but Microsoft is still “testing” their patch and, the last I saw, is not planning on releasing it before April’s Black Tuesday. And this time there are two unofficial patches that beat Microsoft to the punch: one from eEye and one from Determina.
I know Microsoft says that big corporations only want patches released once a month, but I think that methodology no longer works. People are still releasing their working exploit code into the wild before Microsoft will release their patches. I say Microsoft should release their patches as soon as they have been sufficiently tested. Companies can easily decide to only patch once a month if that is how often they are afforded scheduled downtime; that is their decision to make. Other, faster-moving companies would rather protect their users as soon as a patch is available, especially when exploit code is already circulating about the Internet.
March 29, 2006
I installed Fedora Core 5 this weekend at home. The first run was in a VM. The install was very smooth, with no issues to speak of. The new Fedora logo is used in the distribution this time around, as well as a bit of a bubble theme.
This time around I went with a Gnome-only desktop despite my usual preference for KDE. I am already thinking I should have gone with KDE; there is something about Gnome that just doesn’t suit me. I think it must go back to my years of having used KDE.
I haven’t installed it on either of my other two main Linux machines. I think this coming weekend I might put it on the new PC. I have purposely been keeping the new PC pretty lean in light of this Fedora release, so it shouldn’t take too much. The laptop has some data I need to shuffle off before I undertake putting Core 5 on it. That, and since it is slower than the main machine, the install will take a little longer.
More Core 5 updates as I get it up and running on a machine I use on a regular basis.
March 29, 2006
Jerry Taylor, the city manager for Tuttle, OK, can’t let it go. Now he’s sent an email to the Register asking them to make the flood of emails stop! Read all about it here.
And don’t miss the Wikipedia Entry.
March 25, 2006
I first saw word of this on #centos. A city manager for Tuttle, OK, accused Johnny Hughes of CentOS fame of hacking their city sites. His proof? A default Apache post-installation page included in CentOS installations when the website is unconfigured. That’s right, the default post-installation web page for Apache. Email after email with Johnny Hughes being more polite than I ever could be with the city manager (who claimed “22 years in computer systems engineering and operation”).
Read some of the stories yourself:
The Emails (CentOS site)
March 20, 2006
I have been making some heavy use of VMware in a corporate test environment and at home in my own test environment. I have used VMware in the past for various small tasks, but due to low-powered machines I wasn’t able to utilize it as much as I would have liked. For testing it has proven awesome.
At work I have been able to roll out some testing servers for development in no time at all – without the need to add new hardware or rebuild a box from scratch. I also needed to test something where the server would have a second disk. It was only a matter of minutes before I had a VM rebooted with a new disk to continue my test. No hardware swapping, just add a new virtual disk and set it up in Windows. Nice.
This weekend I have been playing a lot with Grub, Lilo and software RAID under Linux. The snapshot feature has been a *huge* time saver. Re-installing boot loaders, removing disks and using the snapshot to roll back to a good config. It has definitely sped up my testing process at home for some things I am working on. There is no way I could have gone through as many configurations as quickly as I did this weekend with a more traditional hardware setup.
March 14, 2006
With the help of a friend this past weekend I finally finished getting the home network punched down. When we built the house a few buddies came down to help run cable to several of the rooms. Sixteen network drops in total.
It took getting a new computer to finally get me moving on finishing the project! The new computer sits upstairs in the dinette area, right where I had put drops with that in mind. Since I have been running VMs on the new machine, it was really easy to overburden the wireless NIC I had in there to get me by.
So we have everything wired up now. My friend loaned me a GB switch, so once I get a GB NIC for my file server in the basement I can get some wicked fast transfers between the new machine and the server in the basement. It’s nice to finally have that project wrapped up!
March 11, 2006
There was an interesting article on Slashdot yesterday about virtual machine-based rootkits. Apparently some Microsoft and University of Michigan security researchers have figured out a way to hijack your OS and get it to run on top of a VM. This can be done through any number of unpatched exploits (either existing or future). Suddenly you are running your OS on a VM layer which can be doing any number of things your current scanning software has little chance of detecting. Worth a read and some insight as to what the future may hold for security professionals.