“Those who follow Linux have certainly heard of Btrfs, a relatively new high performance file system that has a lot of people excited about its potential. Two months ago during LinuxCon Japan, we were pleased to sit down with lead developer Chris Mason from Oracle to record a short webinar that focuses on demonstrating RAID5 and RAID6 as well as recently completed features in Btrfs. …….”
I recommend it.
By Brian Proffitt
The promise of cloud computing is very compelling. Just listen to the pitch for hybrid clouds: “If your organization needs more computing resources, why purchase extra hardware? Just set up a connection to a public cloud, use the extra machines to your heart’s content, and stop using them when your needs are satisfied.”
Sounds nice, doesn’t it? To be sure, the advantages of any type of cloud computing, be it completely private and internal, public and external, or something in-between, are very real. But there’s potentially a big difference between the promise of instantly expanding your company’s infrastructure and the reality of getting your systems and the cloud’s completely and securely talking to each other.
Thinking about this on the network level alone brings up some daunting questions: if your organization is a public company, you can’t just trustingly connect to a public cloud infrastructure. Your company may have procedural and even regulatory security requirements to meet that would prevent such connections.
While Ubuntu 10.10 doesn’t officially “come out” until Sunday, previews galore have been running everywhere this week. Of interest to readers of this weekly Enterprise Linux blog is NetworkWorld’s review of the server edition. Julie Bort reports on the new release’s tight integration with Amazon and makes the following comment: “One of the more interesting things Ubuntu 10.10 has done is that it lets an Amazon Machine Image (AMI), which is an instance of your Amazon cloud app, run on your local server in a KVM virtual machine.” This points to two of the key things about Ubuntu 10.10 for the enterprise: KVM is in and Xen is out, and Amazon is the focus of its cloud integration. If you’re looking for a broader preview, check out Nathan Willis’ story here on Linux.com.
The Internet, September 28, 2010 – The community of volunteers who develop and promote OpenOffice.org, the leading free office software, announce a major change in the project’s structure. After ten years’ successful growth with Sun Microsystems as founding and principal sponsor, the project launches an independent foundation called “The Document Foundation”, to fulfil the promise of independence written in the original charter.
The Foundation will be the cornerstone of a new ecosystem where individuals and organisations can contribute to and benefit from the availability of a truly free office suite. It will generate increased competition and choice for the benefit of customers and drive innovation in the office suite market. From now on, the OpenOffice.org community will be known as “The Document Foundation”.
Is the next step virtualization of the system, so you can run it anywhere? How does this affect security in a corporate environment when an employee can carry their own computer into your network and boot it? I can think of several network tools that, when run this way, could be used to compromise a network from the inside. Most networks are hard and crunchy on the outside and soft and chewy on the inside.
Quoting from the press release at Iomega:
“Iomega’s v.Clone technology represents the first time virtualization has been made easy-to-use and extremely convenient for consumers and small offices,” said Jonathan Huberman, president of Iomega and the Consumer and Small Business Division of EMC. “With v.Clone software, you can carry your PC in your pocket and access your files, email and applications on almost any computer anywhere, including netbooks.
Researchers at the University of California San Diego, Princeton University and the University of Michigan have demonstrated a method to compromise Sequoia AVC Advantage voting machines and alter their tallies. They presented their results at the Usenix 2009 Electronic Voting Workshop, held in Montreal this week. They used a method called return-oriented programming to modify the voting tallies on the machines, and they did this without access to the source code or the hardware designs.
Quoting from an article in The Register:
Sequoia and manufacturers of other brands of e-voting machines frequently discount vulnerability research into their products by pointing out that the underlying source code is closely guarded. Researchers in many studies, they argue, have unrealistic access to the devices’ inner workings.
“What we have shown or what I hope we have shown in this paper is that that criticism is untrue,” Hovav Shacham, a professor at UC San Diego, told The Register. “It might take a little more work if we don’t have the source, but nevertheless we’re able to find vulnerabilities and exploit them in useful ways in machines where the only access we have is the physical artifacts themselves.”
The same method has been demonstrated to defeat security measures in Linux, OpenBSD and Solaris. In return-oriented programming, short snippets of existing, benign code are chained together to produce malicious behaviour; because no new code is injected, protections that only block the execution of injected code do not stop it. The researchers were even able to demonstrate that they could alter the outcome of an election using this method.
The development, certification and procurement cycle for voting machines is slow. The design of the Sequoia AVC Advantage dates back to the early 1980s, and many are still in use in New Jersey, Louisiana and elsewhere. The machines used to develop and test the exploit were bought through a Buncombe County, North Carolina government surplus auction web site.
Using bright lights, magnifying glasses, a low-voltage continuity tester and the data sheets for the components, team members were able to draw up a circuit diagram of the voting machine’s hardware. From that they deduced how the unit worked, then used a disassembler to fill in the remaining details.
Joshua Herback used the hardware functional specifications to develop a simulator, which other team members then improved upon. The exploit was developed entirely on the simulator, returning to the actual hardware only to verify it. It worked the first time they tried it.
The researchers have demonstrated that newly developed exploitation techniques put at risk systems that were considered secure when they were designed and certified.
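To make the chaining idea concrete, here is a simulation added to this post. It is not the researchers’ code, not the Sequoia firmware, and not real machine code: the tiny instruction set, the three “benign” routines, the memory layout (SLOT_A, SLOT_B) and the shadow-stack check are all constructed for the example. What it shows is the property that makes return-oriented programming work: the attacker writes only data (addresses and operands) onto the stack, and every instruction that executes already existed in legitimate code. Jumping to 0x31 enters clear_slot after its first instruction, so only the store runs; that is the “snippet” technique the text describes.

```python
"""Simulated return-oriented programming chain (constructed teaching example)."""
from dataclasses import dataclass, field

SLOT_A, SLOT_B = 0, 1          # constructed memory layout: one tally per slot
HALT = 0x40                    # address the legitimate caller returns to

# Constructed firmware: address -> instruction. Three benign routines, each
# ending in ret. Operands are taken from the stack with "pop" (a simplification).
CODE = {
    0x10: ("pop", "r0"),          # show_count: r0 = slot address
    0x11: ("ld", "r2", "r0"),     #   r2 = mem[r0]
    0x12: ("out", "r2"),          #   display it
    0x13: ("ret",),
    0x20: ("pop", "r1"),          # checksum_step: r2 += next stack word
    0x21: ("add", "r2", "r1"),
    0x22: ("ret",),
    0x30: ("mov0", "r2"),         # clear_slot: mem[r0] = 0
    0x31: ("st", "r0", "r2"),
    0x32: ("ret",),
    HALT: ("halt",),
}


class ControlFlowViolation(Exception):
    """A ret consumed an address no legitimate call pushed (shadow-stack check)."""


@dataclass
class CPU:
    mem: list
    stack: list                                   # index 0 is the top of stack
    regs: dict = field(default_factory=lambda: {"r0": 0, "r1": 0, "r2": 0})
    out: list = field(default_factory=list)


def run(cpu, pc, shadow=None, max_steps=100):
    """Execute CODE from pc. If `shadow` is given, every ret must consume the
    return address the legitimate caller recorded there."""
    for _ in range(max_steps):
        ins = CODE[pc]
        op = ins[0]
        if op == "pop":
            cpu.regs[ins[1]] = cpu.stack.pop(0)
        elif op == "ld":
            cpu.regs[ins[1]] = cpu.mem[cpu.regs[ins[2]]]
        elif op == "st":
            cpu.mem[cpu.regs[ins[1]]] = cpu.regs[ins[2]]
        elif op == "add":
            cpu.regs[ins[1]] += cpu.regs[ins[2]]
        elif op == "mov0":
            cpu.regs[ins[1]] = 0
        elif op == "out":
            cpu.out.append(cpu.regs[ins[1]])
        elif op == "ret":
            target = cpu.stack.pop(0)
            if shadow is not None and (not shadow or shadow.pop() != target):
                raise ControlFlowViolation(f"ret to {target:#x} was never pushed by a call")
            pc = target
            continue
        elif op == "halt":
            return cpu
        pc += 1
    raise RuntimeError("step limit exceeded")


def normal_run():
    """Legitimate caller: show_count(SLOT_A), then return to HALT."""
    cpu = CPU(mem=[7, 9], stack=[SLOT_A, HALT])
    return run(cpu, 0x10, shadow=[HALT])


def rop_chain(slot, amount):
    """Stack words that add `amount` to mem[slot] using only existing code.
    The saved return address (HALT) is replaced by the first gadget."""
    return [
        slot,            # argument show_count pops into r0, as in the normal call
        0x20, amount,    # checksum tail: pop r1 (=amount); add r2,r1; ret
        0x31,            # clear_slot tail: st [r0],r2; ret   (mov0 at 0x30 is skipped)
        HALT,            # hand control back to normal processing
    ]


def rop_run(enforce=False):
    """show_count is entered normally, but the stack beyond its argument
    has been overwritten with the chain."""
    cpu = CPU(mem=[7, 9], stack=rop_chain(SLOT_A, 100))
    return run(cpu, 0x10, shadow=[HALT] if enforce else None)


def shadow_stack_blocks_chain():
    """Same corrupted stack, but each ret is checked against the shadow stack."""
    try:
        rop_run(enforce=True)
    except ControlFlowViolation:
        return True
    return False


if __name__ == "__main__":
    print("normal:", normal_run().mem)                 # [7, 9]
    print("chain :", rop_run().mem)                    # [107, 9]
    print("shadow stack stops it:", shadow_stack_blocks_chain())
```

The point to take from the two runs is that CODE is never modified: the tally changes because a corrupted stack makes three legitimate routine tails execute in an order their author never intended. The shadow-stack variant is the check a designer would want; it catches the first ret that lands somewhere no call pushed, which is exactly the step a code-injection defence (non-executable memory) cannot see.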
One of the core components of interactive web services has been found to have serious programming flaws. Exploiting them could do anything from denying service to delivering malicious documents that seize control of users’ computers. XML, the Extensible Markup Language, is the markup system that lets applications exchange data; it is used in all types of web services, including banking, desktop programs and cloud computing applications.
Researchers at Codenomicon Ltd., a security testing company from Oulu, Finland, say they found multiple critical flaws in XML libraries, code that is used and re-used to process XML data. They used CROSS, or Codenomicon Robust Open Source Software, to test the libraries’ failure modes: by feeding manipulated data into the XML libraries, Codenomicon tested their ability to cope with corrupted input. The results were disconcerting.
The Codenomicon researchers said:
Early this year (2009) we released some of our first XML-based tools to the market and used XML fuzzing technology against a set of open source XML implementations. The result was that once again, everything broke.
These XML libraries are used in cloud computing services, 3-D programs and a wide range of business software. RSS feeds, OpenOffice documents and all types of programs that exchange data use them. XML libraries are linked both statically and dynamically, and XML handling is often coded directly into applications, with the parser implemented in the application software itself. Parsers and applications written in C are especially exposed, because memory-safety errors such as stack overflows are not uncommon in C. There may be millions of applications using XML and XML parsers.
The XML flaws can be attacked both locally and remotely. A malformed network request could send an application into an infinite loop and make it unavailable; where remote communication is involved, remote exploitation is possible. Social networking sites and nearly all interactive web sites use some type of XML. Malicious code can be embedded inside documents, web sites or even data streams.
Nearly every sector of the economy is affected by these flaws. Banking, manufacturing, retail, health care, government and electric, gas and water network companies all use XML for data interchange and communication.
Sun Microsystems, Apache Software Foundation and Python Software Foundation have all announced patches and fixes for found vulnerabilities in their software.
We cannot discuss the security of commercial XML products or library versions within the CROSS project, as the project is intended to benefit the open source community only.
Red Hat announced a kernel security and bug-fix update for multiple vulnerabilities (also applies to CentOS). Fedora 10 and 11 also have kernel updates for multiple vulnerabilities.
Updates to Firefox products have also cascaded into Fedora updates: blam (F10, F11), chmsee (F11), epiphany (F11), epiphany-extensions (F11), evolution-rss (F10, F11), firefox (F10, F11), galeon (F10, F11), gecko-sharp2 (F10), gnome-python2-extras (F10, F11), gnome-web-photo (F10, F11), google-gadgets (F10, F11), hulahop (F11), kazehakase (F10, F11), Miro (F10, F11), mozvoikko (F10, F11), mugshot (F10), pcmanx-gtk2 (F10), perl-Gtk2-MozEmbed (F10, F11), ruby-gnome2 (F10, F11), seahorse-plugins (F11), xulrunner (F10, F11), and yelp (F10, F11).
Mandriva is providing security advisories for phpmyadmin and ruby.
OpenSuSE announced a security update for flash-player.
Ubuntu announced security updates for firefox and xulrunner, nspr, nss, and bind 9 in the last week.
Debian announced security updates for libmodplug, xml-security-c (design flaw) and znc (directory traversal), and a similar patch for bind9.