www. S D Linux.com

Iomega Lets You Take Your PC Virtually Anywhere

pacneil — Tue, 05 Jan 2010 21:15:47 +0000

Is the next step virtualization of the system, so you can run it anywhere? How does this effect security in a corporate environment when an employee can carry their own computer into your network and boot it? I can think of several network tools that when run this way, could be used to compromise a network from the inside. Most networks are hard and crunchy on the outside and soft and chewey on the inside.

Quoting from the press release at Iomega:

“Iomega’s v.Clone technology represents the first time virtualization has been made easy-to-use and extremely convenient for consumers and small offices,” said Jonathan Huberman, president of Iomega and the Consumer and Small Business Division of EMC. “With v.Clone software, you can carry your PC in your pocket and access your files, email and applications on almost any computer anywhere, including netbooks.

E-voting machines compromised

pacneil — Fri, 14 Aug 2009 23:11:57 +0000

Researchers at University of California San Diego, Princeton University and University of Michigan have demonstrated a method to compromise and alter the tallies of Sequoia AVC Advantage voting machines. They presented their results at the Usenix 2009 Electronic Voting Workshop, held in Montreal this week. They used a method called return-oriented programming to modify voting tallies on the machines. The did this without access to the source code or the hardware designs.

Quoting from an article in The Register:

Sequoia and manufacturers of other brands of e-voting machines frequently discount vulnerability research into their products by pointing out that the underlying source code is closely guarded. Researchers in many studies, they argue, have unrealistic access to the devices’ inner workings.

“What we have shown or what I hope we have shown in this paper is that that criticism in untrue,” Hovav Shacham a professor at UC San Diego, told The Register. “It might take a little more work if we don’t have the source, but nevertheless we’re able to find vulnerabilities and exploit them in useful ways in machines where the only access we have is the physical artifacts themselves.”

The same method has demonstrated to defeat security measures in Linux, OpenBSD and Solaris. In return-oriented programming snippets of benign code are combined to produce malicious behaviour. The researchers were even able to demonstrate that they could alter the outcome of elections, using this method.

The development, certification and procurement cycle for voting machines is slow. The design of the Sequia AVC Advantage dates back to the early 80′s and many are still used in New Jersey, Louisiana, and elsewhere. The machines used to develop and test the exploit were bought at a Buncombe County North Carolina government surplus auction web site.

Using bright lights, magnifying glasses, a low voltage continuity tester and data sheets for the components, team members were able to develop a circuit diagram of the hardware of the voting machine. From that they were able to deduce how the unit worked. Then they used a disassembler to fill in the remaining details.

Joshua Herback used the hardware functional specifications to develop a simulator, which other team members then improved upon. The exploit was completely developed on the simulator, returning to the actual hardware only to verify the exploit. The exploit worked the first time they tried it.

The researchers have demonstrated that newly developed methods for exploiting systems put otherwise secure systems at risk.

XML Flaws disclosed

pacneil — Fri, 07 Aug 2009 20:04:39 +0000

One of the core components of interactive web services was found to have serious programming flaws. An exploit of these flaws has the potential for anything from denial of service to sending of malicious documents to seize control of users computers. XML is used in all types of web services, including banking, desktop programs and cloud computing applications. Extensible Markup Language is the markup system that allows applications to exchange data.

Researchers at Codenomicon Ltd., a security testing company from Oulu, Finland, say they found multiple critical flaws in XML libraries, code that is used and re-used to process XML data. They used CROSS, or Codenomicon Robust Open Source Software, to test libraries failure modes. By inputting manipulated data into XML libraries Codnomicon tested their ability to contend with corrupted data. The results were disconcerting.

The Codenomicon researches said:

Early this year (2009) we released some of our first XML-based tools to the market and used XML fuzzing technology against a set of open source XML implementations. The result was that once again, everything broke.

These XML libraries are used in cloud computing services, 3-dimensional programs, and a wide range of business software. RSS feeds, openoffice documents and all types of programs that exchange data, use these libraries. XML libraries are linked both statically and dynamically. XML is coded directly into applications and parsers are implemented directly in application software. Parsers and applications coded in the C language are especially vulnerable, since stack overflow errors in C are not uncommon. There may be millions of applications using XML and XML parsers.

The XML flaws can be attacked both locally and remotely. Malformed network requests could cause application to go into loop and become unavailable. When remote communication is involved remote exploits are possible. Social networking sites and nearly all interactive web sites use some type of XML. Malicious code can be embedded inside documents, web sites or even data streams.

Nearly every sector of the economy is effected by this flaw. Banking, Manufacturing, Retail, Health Care, Government, Electric/Gas/Water Network Companies all use XML for data interchange and communication.

Sun Microsystems, Apache Software Foundation and Python Software Foundation have all announced patches and fixes for found vulnerabilities in their software.

Codenomicon said:

We cannot discuss the security of commercial XML products or library versions within the CROSS project, as the project is intended to benefit the open source community only.

Linux Security Updates

pacneil — Wed, 05 Aug 2009 22:42:24 +0000

Redhat announced kernel security and bug fix update multiple vulnerabilities (Also applies to CentOS). Also Fedora 10 & 11 have kernel updates for multiple vulnerabilities.

Updates to Firefox products have also cascaded into Fedora updates: blam (F10, F11), chmsee (F11), epiphany (F11), epiphany-extensions (F11), evolution-rss (F10, F11), firefox (F10, F11), galeon (F10, F11), gecko-sharp2 (F10), gnome-python2-extras (F10, F11), gnome-web-photo (F10, F11), google-gadgets (F10, F11), hulahop (F11), kazehakase (F10, F11), Miro (F10, F11), mozvoikko (F10, F11), mugshot (F10), pcmanx-gtk2 (F10), perl-Gtk2-MozEmbed (F10, F11), ruby-gnome2 (F10, F11), seahorse-plugins (F11), xulrunner (F10, F11), and yelp (F10, F11).

Mandriva is providing security advisories for phpmyadmin and ruby.

OpenSuSE announced a security update of flash-player

Ubuntu announced security updates for firefox and xulrunner, nspr, nss, and bind 9 in the last week.

Debian anounced security updates for libmodplug, xml-security-c — design flaw, znc — directory traversal and a similar patch for bind9.

KDE to become default desktop environment for Open SuSE?

pacneil — Wed, 05 Aug 2009 21:52:16 +0000

There is an animated discussion on openFATE the Open SuSE feature tracking site. It has been proposed that OpenSuSE use KDE as the default setting for the desktop environment because:

It is confusing for new Linux users if they have to decide between KDE and GNOME during the installation. New users don´t know either of them. So it is easier for beginners if there is a default. openSUSE has more KDE users than GNOME users so it is logical to make KDE the default.

Unique Selling Point. It is important for openSUSE to provide something that Ubuntu and Fedora don´t provide. It would be beneficial for openSUSE to be the only big KDE distribution.

This could attract more developers because KDE developers need a nice distribution to develop on.

This would increase the popularity of openSUSE in the KDE user community. The negative impact on the GNOME community is not that bad because Ubuntu is the most popular GNOME distribution.

If comments on this article are correct, and the majority of SuSE users prefer KDE, this is probably a good decision. What is most important is what appeals to your particular user base.

Personally, I prefer WindowMaker. I use SuSE for my servers, so the GUI is unimportant to me, I don’t install it. I don’t choose my distribution based upon what default windowing environment they choose.

Open Source for America

pacneil — Fri, 24 Jul 2009 16:59:47 +0000

Andy Updegrove announced in a post on ConsortiumInfo.orgthe formation of a new group to advocate for the use of Open Source software in government. He also announced his appointment to the board of advisors.

A new web site has been created for the group, Open Source for America, or OSA.

The mission of OSA is to educate decision makers in the U.S. Federal government about the advantages of using free and open source software; to encourage the Federal agencies to give equal priority to procuring free and open source software in all of their procurement decisions; and generally provide an effective voice to the U.S. Federal government on behalf of the open source software community, private industry, academia, and other non-profits. The mission incorporates three goals: (1) to effectuate changes in U.S. Federal government policies and practices so that all the government may more fully benefit from and utilize free and open source software; (2) to help coordinate these communities to collaborate with the Federal government on technology requirements; and (3) to raise awareness and create understanding among federal government leaders in the executive and legislative branches about the values and implications of open source software. OSA may also participate in standards development and other activities that may support its open source mission.

We hope that OSA will provide an effective counterbalance to the hired lobbyists that are paid advocates for proprietary software companies. In this time of financial challenges, Free and Open Source Software (FOSS) can be an important tool in stretching limited budgets, both in the private sector and government.

To quote from the press release:

With the U.S. Federal Government increasingly focused on utilizing and adopting technologies to better serve citizens, there is growing recognition of the freedoms that open source software and open technology solutions can provide – an open, transparent and cost-effective option – for government agencies. Gartner recently estimated by 2011 more than 25 percent of government vertical, domain-specific applications will either be open source, contain open source application components or be developed as community source.

Best wishes to all who are working on this project. As an Open Source advocate I believe that the taxpayers will be the ultimate beneficiaries.

Are Corporations Co-opting Open Source?

pacneil — Wed, 22 Jul 2009 19:59:40 +0000

The recent announcements by Adobe and Microsoft of source code releases under FOSS licenses are attempts to co-opt free software.

Microsoft announced this week that they are releasing source code for Linux drivers that allow it to interact better with Windows, where Windows is the host OS and Linux is running as a guest OS. This is great PR for Microsoft but really does nothing to improve Linux. Now if Microsoft added hooks to their OS that allowed it to better operate as a guest OS in a Linux host, that might be something to report. However, there are rumors that Microsoft has taken exactly the opposite tact. It has been reported that Windows Vista and Windows 7 refuse to run as virtual machines.

On the other hand, Microsoft has not backed down from patent threats against Linux, claiming it contains source code that violates intellectual property rights. Steve Balmer claims that “People who use Red Hat, at least with respect to our intellectual property, in a sense have an obligation to compensate us,” However, Microsoft has never disclosed which source code or applications violate it’s “intellectual property” rights. Many in the Linux community, including me, consider this to be a simple case FUD and attempted extortion. Novell agreed to license Microsoft’s intellectual property in exchange for a patent pledge to users of Novell’s SuSE Linux. In other words, they succumbed to the extortion. Red Hat refused. Many long time Linux users are now boycotting SuSE as a result.

Adobe announced at OSCON two new “Open Source Initiatives”. The products are Text Layer Format and Open Source Media Framework. To quote Dana Blankenhorn “Adobe is delivering an open source project so that open source, as a concept, can live in its world of corporate media.” Text Layer Format is an Action Script layer that adds typographical features to the Adobe Flash Player. Open Source Media Framework is an attempt to inhibit the use of the tag in HMTL-5 and the inclusion of Ogg-Theora open source video player as a part of that specification. By announcing the release of these “Open Source” initiatives, Adobe is attempting to preempt any criticisms against it’s proprietary product Flash, by being able to claim that it too is “open source”.

Microsoft and Adobe are pursuing the same divide and conquer Public Relations strategy. Big splashy announcements about “Open Source” while pursuing a strategy of market dominance with proprietary closed source products. HTML5 and the inclusion of the tag threatens both Microsoft Silverlight and Adobe Flash. Expect to hear more FUD from both in order to prevent the inclusion of truly open standards in HTML5.

GeeXboX 1.2.3 released

pacneil — Tue, 21 Jul 2009 18:35:46 +0000

Version 1.2.3.of GeeXboX is released. GeeXboX is a standalone media player, running under Linux and based on MPlayer. GeeXboX runs from a CD on any Pentium-class or Apple Macintosh computer. Nearly every kind of media file can be played with GeeXboX,

- MPEG 1/2 movies (MPG files, VCDs, DVDs …)
- MPEG 4 movies (DivX, XviD, H.264 …)
- RealMedia and Windows Media movies.
- OggMedia streams
- Matroska streams
- Audio streams like : MP3, Ogg/Vorbis, WAV (AudioCD), AC3, DTS, MusePack (MPC), FLAC …
- Network streams : WebRadio and WebTV through SHOUTcast.
- Watching analog TV and digital DVB
- Playing analog Radio streams.
- Playing files from your local network (LAN) through remote NFS, Samba (i.e. Windows) or UPnP shares.

To learn more ….

Standard and Poors announce Red Hat in CIT out

pacneil — Mon, 20 Jul 2009 15:14:02 +0000

At the close of trading Friday July 24, Standard and Poors, the leading index provider will replace CIT Group with Red Hat Inc, in the 500th place. As of July 17, CIT Group had a market capitalization of $275 Million.

Red Hat is an open source software solution provider to enterprises worldwide. Founded in 1993, Red Hat is the leader in enterprise Linux and is the most recognized open source brand in the world. Headquartered in Raleigh, NC, the company will be added to the S&P 500 GICS (Global Industry Classification Standard) Systems Software Sub-Industry index.

Standard & Poor’s is a provider of financial market intelligence. Standard & Poor’s is a source of credit ratings, indices, investment research, risk evaluation and data. Standard & Poor’s is the world’s largest index provider. Standard & Poor’s Indices provide a full spectrum of services assisting investors and asset managers to measure market performance.

Red Hat’s stock rose after the announcement

Automate backups on Linux

pacneil — Sun, 19 Jul 2009 21:22:30 +0000

Here’s an excellent article on automating backups on Linux systems. I use many of these same scripts to archive data to my backup server, nightly. If you haven’t already started using automated backups, I strongly urge you to do so. Remember if it’s not backed up, it must not be important. — Neil

No excuses: do-it-yourself, secure, distributed network backups made easy

Carlos Justiniano, Software Architect, Ecuity Inc.

Summary: The loss of critical data can prove devastating. Still, millions of professionals ignore backing up their data. While individual reasons vary, one of the most common explanations is that performing routine backups can be a real chore. Because machines excel at mundane and repetitive tasks, the key to reducing the inherent drudgery and the natural human tendency for procrastination, is to automate the backup process.

If you use Linux, you already have access to extremely powerful tools for creating custom backup solutions. The solutions in this article can help you perform simple to more advanced and secure network backups using open source tools that are part of nearly every Linux distribution.