Sun JVM Class Loader Security Zone Bypass
I somehow missed the initial mention of this on Bugtraq and the other usual sources but finally picked up on it via SANS.
There is a vulnerability in the Sun JVM that is used in browsers to execute applets that can be exploited by a malicious web site or HTML email to bypass all security restrictions imposed by the applet sandbox. This is a major issue as it will allow for mass exploitation of machines - not just Windows but all desktops with Java enabled browsers - by spammers, worms and other nasties.
This may possibly be the entry point that leads to the first true multi-platform worm. Developing such a worm would be a big challenge, especially if it is to be truly multi-platform, but you would only need to target certain distributions of Linux and Windows in general to make a big impact. The days when every Unix user would notice an additional process on his box are also long gone; how many of the masses of recent Linux converts run ps regularly, and even if they did, could they tell you what the processes mean?
Web Comics RSS
Via McGee's Musings I got a link to Tapestry, which carries a lot of web comics in RSS format; finally a way to keep up to date with these things.
RedHat and the Linux Kernel
CNet News.com has a very interesting article on the stance that RedHat and others are taking on the 2.6 Linux Kernel.
The bottom line is that there seems to be some lack of trust in the stability of the kernel at release time, and that the big players would rather wait, spend money on backporting features from 2.6 to 2.4, and stick to 2.4 for a while. RedHat's timing is also unfortunate: its Enterprise Edition came out recently, and they stick to yearly releases of that.
I think the world has finally learnt from the burning it took on the 2.4 kernel branch, the file corruption and other bugs that were present in a number of "production" kernels, and is now being more cautious about what it will take and what it will not. This is a very good step, one that may bring Linux - in my mind - back to being something you can trust in production. I can only hope that the Linux developers learn from this and treat the stable branch more like a stable branch and less like a play pen.
Anti Spam plans by the clueless
Derek Wyatt MP has some brilliant ideas about spam, and he is not afraid to sound off about them in public. On his site he has a short write-up of his plans, which involve incorporating a postcode in all email addresses in order to track spammers to their homes. He suggests putting the postcode inside the domain name, so user@whatever.co.uk would become user@whateverpostcode.co.uk - visionary. In true British don't-even-think-of-looking-at-my-14-year-old paranoia fashion he even has a plan for minors who do not want to hand out their postcodes: a PIN number instead of the postcode, with the PIN assigned by none other than the Information Commissioner. Read the whole proposal here.
This is the man who in his own biography says he went into politics because "I thought the British people deserved better."
NTK has the following to say, and I really cannot do any better.
Derek, unfortunately, appears to be fighting the good fight with the Shield of Wholesale Technical Misunderstanding and the U-Shaped Gun Of Shooting One's Own Mouth Off.
Derek is the Chairman of the All Party Parliamentary Internet Group; it really is encouraging to see such capable hands in charge of such an important group. On their website they state their mission as:
The All Party Parliamentary Internet Group exists to provide a discussion forum between new media industries and Parliamentarians for the mutual benefit of both parties. Accordingly, the group considers Internet issues as they affect society, informing current Parliamentary debate through meetings, informal receptions and reports. The group is open to all Parliamentarians in both the House of Commons and House of Lords.
So much for living in the first world.
The Global Spam Fight
A number of welcome items in the news this week regarding spam.
Yahoo introduced a feature where users can create unique email addresses that can be disabled later on. Hot on the heels of this announcement, Hotmail has announced plans to introduce a white list for users.
On a larger scale, the US Senate has passed a bill that promises to get tough on spam; the bill is a good start, but The Reg mentions some concerns with it.
On my own little system I have introduced a black list that blocks mail at SMTP time to blacklisted recipients; this has kept about 2000 spam messages from entering my box this month, a very welcome change. This was made easy by my reporting module for iScan, which puts detailed meta information about all mail handled by my machine into a SQL server; using this I can track down big spam recipients and trends and target those with specific fixes or safeguards.
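The two halves of that setup, rejecting a blacklisted recipient at RCPT TO time and deriving the blacklist from per-message metadata, look roughly like the following. This is an added example, not the post's own code and not part of iScan; iScan's schema is not described here, so the `mail_log` table layout, the thresholds and the sample rows are constructed for illustration. The point it shows is that a 550 at the RCPT stage ends the transaction before DATA, so the body of a message to a dead address is never accepted, and that a recipient only goes on the list when its traffic is both frequent and almost entirely spam.

```python
import re
import sqlite3

# Constructed sample metadata (hypothetical; the real iScan schema is not on
# the page): one row per message the MTA handled, with the spam verdict.
SAMPLE_MAIL_LOG = [
    ("olduser@example.invalid", "203.0.113.5", "spam"),
    ("olduser@example.invalid", "203.0.113.9", "spam"),
    ("olduser@example.invalid", "198.51.100.7", "spam"),
    ("olduser@example.invalid", "198.51.100.8", "spam"),
    ("webmaster@example.invalid", "203.0.113.44", "spam"),
    ("webmaster@example.invalid", "203.0.113.45", "spam"),
    ("webmaster@example.invalid", "203.0.113.46", "spam"),
    ("webmaster@example.invalid", "192.0.2.12", "ham"),
    ("me@example.invalid", "192.0.2.10", "ham"),
    ("me@example.invalid", "203.0.113.5", "spam"),
    ("me@example.invalid", "192.0.2.11", "ham"),
]


def build_mail_log(rows):
    """Load the metadata rows into an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE mail_log (recipient TEXT, sender_ip TEXT, verdict TEXT)"
    )
    conn.executemany("INSERT INTO mail_log VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def top_spam_recipients(conn, min_spam=3, min_ratio=0.9):
    """Recipients whose traffic is almost entirely spam, most-hit first.

    Both thresholds matter: a handful of messages is not a trend, and an
    address that still receives real mail must not be blacklisted.
    """
    rows = conn.execute(
        """
        SELECT recipient, spam, total FROM (
            SELECT recipient,
                   SUM(CASE WHEN verdict = 'spam' THEN 1 ELSE 0 END) AS spam,
                   COUNT(*) AS total
            FROM mail_log
            GROUP BY recipient
        )
        WHERE spam >= ? AND spam * 1.0 / total >= ?
        ORDER BY spam DESC, recipient
        """,
        (min_spam, min_ratio),
    ).fetchall()
    return [recipient for recipient, _spam, _total in rows]


RCPT_RE = re.compile(r"^RCPT\s+TO:\s*<([^>]*)>", re.IGNORECASE)


def parse_rcpt(line):
    """Return the lower-cased address from an 'RCPT TO:<addr>' command, or None."""
    m = RCPT_RE.match(line.strip())
    return m.group(1).lower() if m else None


def rcpt_reply(blacklist, line):
    """SMTP reply for one RCPT TO command.

    A 550 here ends the transaction before DATA, so the spam body for a
    blacklisted recipient is never transferred or stored.
    """
    addr = parse_rcpt(line)
    if addr is None:
        return "501 5.5.4 Syntax: RCPT TO:<address>"
    if addr in blacklist:
        return "550 5.1.1 Recipient address rejected"
    return "250 2.1.5 OK"


def filter_session(blacklist, rcpt_lines):
    """Apply the blacklist to every RCPT TO of a session; return the replies."""
    return [rcpt_reply(blacklist, line) for line in rcpt_lines]


if __name__ == "__main__":
    conn = build_mail_log(SAMPLE_MAIL_LOG)
    blacklist = set(top_spam_recipients(conn))
    print("blacklist:", sorted(blacklist))
    session = [
        "RCPT TO:<OldUser@example.invalid>",
        "RCPT TO:<me@example.invalid>",
        "RCPT TO: bogus",
    ]
    for cmd, reply in zip(session, filter_session(blacklist, session)):
        print(cmd, "->", reply)
```

The blacklist is regenerated from the metadata rather than maintained by hand, so an address that starts receiving legitimate mail again drops off the list once its spam ratio falls below the threshold.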
The legal system has a long way to go
Today Aaron Caffrey was acquitted of hacking. The BBC has the following bit in their story.
Prosecutor Paul Addison asked him whether he had seen the film Hackers.
Elite is the name given to the best of the group targeting the FBI in the film.
The teenager said he had seen the film but denied there was any link to his group.
I really pity anyone being put on trial for any hacking - or any computer crime - today; the legal system just has no clue.
iTunes for Windows
Apple today released iTunes for Windows and new iPod firmware. The firmware introduces a whole lot of new features that were not previously available:
Firebird 0.7 and Flat Things
I have been a bit busy sorting out the new flat but think I am finally getting there; my new study is nicely settled now and I can close the door on the humming of machines. I have also reduced the number of machines I have, so less noise and so on.
The big news for today is all about Mozilla releasing a new Firebird, Thunderbird and Mozilla Suite. I am very glad to see a new Firebird arrive, and I hope they will soon work on a better install/upgrade method.
New flat and ADSL
Well, I have now moved to my new place and BT managed to get my ADSL in 2 days in advance of their projected install date. So far it seems nice and stable, and I can finally sleep soundly again knowing I won't be stuck with dial-up for the next 6 months.
The Rise of the Spammers
I got this PDF via Boing Boing Blog; it is a full account and analysis of a spammer who owned a box via some PHP, Gallery and Geeklog vulnerabilities and installed processes that tried their best to look like web servers but acted as bulk senders.
What makes this really interesting is the lengths the spammer goes to in order to get their mail sent: custom-written daemons, reporting back to the mother ship and so forth. It is also interesting as a view of some real-world forensics and what looks like a good, solid investigation of a compromised box.
This proves to me that the spammers have most definitely taken the fight to the next level, and that those combating spam still have a long way to go before the spammers are going to admit defeat.