Author: Dave Farquhar

Bash is worse than heartbleed! Oh noes!

Dave Farquhar security , , , , , , , , , ,

A really bad remote code execution bug surfaced yesterday, in Bash–the GNU replacement for the Unix shell. If you have a webserver running, or possibly just SSH, it can be used to execute arbitrary code. It affects anything Unixy–Linux, BSD, Mac OS X, and likely many proprietary Unix flavors, since many of them have adopted the GNU toolchain.

This could be really bad. Some people are calling it potentially worse than Heartbleed. Maybe. I’m thinking it’s more along the lines of MS08-067. But there’s an important lesson we must learn from this. Read more

That time I told a tech support scammer my name was Naim

Dave Farquhar scams , , , ,

The other night my phone rang. The caller ID said some state I don’t ever get calls from, so I knew what was going to happen when I picked up the phone. I didn’t have much time, but I answered anyway.

“Hello, I am calling from Windows Technical Support. My name is Daniel,” the caller said with a very slight Indian accent.

“Oh, hi, Daniel.” I said, pausing for a second to think of a name. The last project manager I worked with was a nice guy named Naim, who had emigrated from India to Minnesota. So I stole his name. “My name is Naim.”

Long awkward pause. I grinned. Too bad “Daniel” couldn’t see me.

“Your name is Naim,” he said. His sarcasm and disbelief was so thick it was bulletproof.

“Yes Daniel, my name is Naim,” I said pleasantly, making no effort whatsoever to disguise my midwestern accent. I’ve lived my whole life in Missouri and Ohio. Read more

Don’t like paying for software? There’s an answer but old software isn’t it.

Dave Farquhar Linux, security, Windows , , ,

Corporations are in business to make money. That’s the premise of the classic business book The Goal, and the point of The Goal is that a lot of companies forget that.

That also means they’re not exactly happy to spend money unless there’s an obvious reason why spending that money is going to help them make more money. So that’s why you see 30-year-old minicomputers in data centers. That old system is still making the company money and with no clear financial benefit to replacing it, most businesses are perfectly happy to run the machine until the minute before it will no longer power up anymore.

That’s what makes quitting Windows XP so difficult for businesses. At this point, Windows XP and that 30-year-old minicomputer are both about as sexy as a Plymouth Volare station wagon. But they get the job done, and they’re much better than what they replaced, so the business leaders are content to just keep right on using what’s already paid for. Read more

More Home Depot details emerge

Dave Farquhar security , , , , , , , , , , , , , ,

Late last week, Home Depot finally released a statement about its data breach. At least they had the decency to call the attack “custom” and not spin it as “advanced” or “sophisticated.” Even “custom” is really a euphemism, as the attack wasn’t all that different from what other retailers experienced earlier in the year. It may have been as simple as recompressing the BlackPOS malware using a different compression algorithm or compression ratio to evade antivirus.

The breach involves about 56 million cards, making it a bigger breach than Target.  Read more

Compact fluorescent life expectancy

Dave Farquhar Saving money , , , , , , ,

There’s a lot of talk about compact fluorescent life expectancy. I actually tracked my CFL lifespan. Here’s what I found.

I noticed this week that a compact fluorescent bulb in the kitchen had burned out, so this week I bought an LED bulb to replace it. I started writing the dates on bulbs back in 2008 so I could track how long they last. This particular bulb was dated 1-2011. So the bulb lasted 3 years, 8 months. That’s a lot better than a standard incandescent light bulb. I suspect I may have had CFL bulbs last less time than that, but I know I’ve had bulbs last longer, too. The most recent bulb I replaced prior to this one was from 2008.

If your CFL bulbs are burning out early, here are some tips. They work. Remember, my bulbs lasted three years or more.

I have about 16 CFL bulbs left in the house now, and I’ll continue using those until they die. I have around 28 LED bulbs. All in all I prefer LED; they give more lumens per watt, tend to reach full brightness faster, and generally give off a better quality of light, but the biggest advantage–an advantage they have over incandescent bulbs as well–is the complete lack of ultraviolet light so they don’t fade the paint on your walls or the stuff hanging on your walls. Supposedly they don’t attract bugs either, but that seems to not be entirely true. Still, cutting down on ultraviolet light and saving money are good things.

How to repair a Marx electrical pickup shoe

Dave Farquhar Toy trains ,

Unlike most of its competitors, Marx trains don’t use rollers to engage the center rail for electrical pickup. Instead, Marx utilized a copper shoe that slides along the center rail. It was cheap and effective, but the increased friction means the shoes wear out much more quickly than rollers do. Indeed, the shoe usually is the first part of the train to wear out.

The fix is easy, if non-obvious.

Read more

Revisiting Microsoft/Sysinternals Du as a batch file

Dave Farquhar security, Windows , , ,

My tips for using Sysinternals’ Du.exe were well received last week, and my former coworker Charlie mentioned a GUI tool called Windirstat that I had completely forgotten about. For the command-line averse, it’s an incredibly useful tool.

But there’s one thing that Du.exe does that makes the CLI worthwhile. It will output to CSV files for further analysis. Here’s the trick.

DU -L 1 -Q -C \\SERVERNAME\C$\ >> servers.csv

Sub in the name of your server for servername. You have to have admin rights on the server to run this, of course.

For even more power, run this in a batch file containing multiple commands to query multiple servers, say, in your runup to Patch Tuesday. Open the file in your favorite spreadsheet, sort on Directory Size, and you can find candidates for cleanup.

Read more

Windows 9 rumors

Dave Farquhar Windows , , ,

I picked up some various Windows 9 rumors from across the Web yesterday.

In no particular order: Read more

Home Depot: A security pro’s dilemma

Dave Farquhar security , , ,

I was listening to podcasts about the Home Depot breach, and something occurred to me.

Home Depot isn’t talking much about the breach. And it’s driving security pros nuts.

But the general public takes silence as a sign that everything’s going great. So their silence is winning the PR battle in the court that matters, which is public opinion at large. Read more

Phil Kerpen, net neutrality, and socialism: A post-mortem

Dave Farquhar net.culture , , , , , , , , , , , , , , , ,

I learned the hard way a few weeks ago how net neutrality can be equated with socialism, an argument that puzzles people who work on computer networks for a living and see networking as a big flow of electrons. I think it’s very important that we understand how this happens.

Here’s the tactic: Find a socialist who supports net neutrality. Anoint him the leader of the movement. Bingo, anyone who supports net neutrality follows him, and therefore is a communist.

Political lobbyist and Fox News contributor Phil Kerpen told me Robert W. McChesney was the leader of the net neutrality movement, and he sent me a quote in the form of a meme longer than the Third Epistle of St. John. Yet in a Google search for the key words from that quote, “net neutrality bring down media power structure,” I can’t find him. So then I tried Bing, where I found him quoted on a web site called sodahead.com, but I couldn’t find the primary source.

For the leader of a movement the size of net neutrality, he sure keeps a low profile. Google and Netflix are two multi-billion-dollar companies that support net neutrality. I’m sure it’s news to them that they’re taking orders from Robert W. McChesney. Read more