March 2006


Well, I’m getting ready for LinuxWorld/OpenSolutionsWorld next week. Not to much to do, most things I’m responsible for, I’ve taken care of. Looking forward to it. I hope people enjoy the Security Track I’ve put together. Guess I’ll know soon.

In related news, I’ve been asked back to do be on the Program Committee for San Francisco as well! I’ll also be doing the Security Track again, hopefully I can make it even better.

Going to be fun!

Oh, it’s a good night, thanks to some hard work by others (with me cheering along, and lending what little help I could), some hardware changes, and a little fiddling on my part, I’ve got Fedora Core 5 running VERY well on my laptop now. I’ve so missed Linux on it, WinXP Pro just didn’t really have what I needed. Anyways, there is more information here:

Update for the FC3 Install guide (Untill I write up the FC5 Guide)

I’ll be writing up a Fedora Core 5 install guide in the next week or so hopefully, just been swamped recently with stuff.

There are a couple of new security threats out for Microsoft Windows and Internet Explorer. The primary one of concern is this one:

http://www.theregister.co.uk/2006/03/27/another_ie_security_flaw/

Basically, if you click on a malicious website, that website could run any software it wants on your computer and take it over. The reason for this warning is that there is proof of concept code out already, and that means that it is more likely that someone may actually develop a >malicious program (virus/trojan) to try and take advantage of this.

Currently, there is not a patch for this. It is possible to disable activeX in Internet Explorer, but this will also disable a lot of functionality you may be used to.

The best protection is to not open any web links in emails sent to you, and avoid visiting websites you do not trust.

As of now, Microsoft plans to wait till April 11th before releasing a patch for this. If we are lucky, maybe they will release it earlier.

Oh, this is a good one. If you’re not familiar with RFID tags, they are tiny chips (tiny as in they can be woven into fabric so that they are invisible to careful scrutiny) that can help provide information on an item that is easily scannable by computers from a short distance.

Now, the above statement is almost correct, except that “item” should be read as meaning anything (piece of clothes, box of cereal, your pet, you) and “short distance” should mean as far as someone is willing to build their scanner to read from (think 100+ feet possible).

Well, besides the privacy concerns, now it looks like the companies that use them have to be worried. An RFID tag could contain a virus that can infect their scanning systems and the databases they connect to, and this can be spread to other RFID tags.

Here is the article from The Register

Looks like there is a bug in GPG that would allow someone to inject misc. data into a cyptographically signed or encrypted message without invalidating the signature of the message. Basically, it means that checking the signature status of a GPG email will not guarantee that the message is what the original sender sent.

Seems to effect all versions prior to 1.4.2.2, there are updates available.

More information here.

Oh this is a good one.  Apparently, someone in the New Jersey Legislature has decided that true anonymous posting should be illegal. To make it more fun, the forum owner is the one that can be taken to court.

So, if you run any kind of forum (this can include a BLOG), and you allow posting by users, you must collect all users legal name and address, and you must verify that they are their legal realnames. If you don’t, and someone takes you to court over someone’s post on your forum, you are liable for copensatory and punitive damages as well as the cost of the lawsuit. And no, your forum doesn’t have to be based in NJ, it counts even if someone can access your forum from NJ.

More information here:

http://yro.slashdot.org/yro/06/03/06/1736234.shtml
http://www.njleg.state.nj.us/2006/Bills/A1500/1327_I1.HTM

I would be very surprised if this ever passed, but you never know, worse laws have made it through.

Well SELinux has begun the long needed improvement in simplification this week. Tresys Technology (I used to work for them for about a year), has released two new tools to make SELinux Policy writing easier. They are both very early additions (consider them Beta), and they are opensource.

SELinux Policy Development IDE (SLIDE)

CDS Frameworkd IDE

The CDS IDE is more for a very targeted audience (If you don’t know what CDS means, it’s probably not a priority for you), but the other tools are a nice first step towards making Policy writing within the reach of mere mortals (and not just Policy gurus). There is still more work needed, but I think the people at Tresys know what is needed and are trying to get there in baby steps.

Well, here’s an interesting one, a cell phone Java based trojan. It’s not a huge threat at the moment (requires a lot of user interaction), but good to know about anyway:

Description of Trojan

This just means that like your normal computer, you should not open files that you don’t know about or trust 100%. It will only affect phones with Java, and only if you let it (i.e., you click on the link and say yes to it sending SMS messages).

What’s more important are the possibilities, this isn’t as much a failure of technology as a failure of user education if this goes anywhere. Get used to this, it’s the future. 🙁

Copyright © 2015 · All Rights Reserved · Cafaro's Ramblings