Predicting the future, circa 2003

In the heat of the moment, I searched my blog this weekend for quotes that could potentially be taken out of context and found something rather prophetic that I wrote in the heat of the moment 11 1/2 years ago:

Keeping up on Microsoft security patches is becoming a full-time job. I don’t know if we can afford a full-time employee who does nothing but read Microsoft security bulletins and regression-test patches to make sure they can be safely deployed. I also don’t know who would want that job.

Who ended up with that job? Me, about a year after I left that gig. It actually turned out I was pretty good at it, once I landed in a shop that realized it needed someone to do that job, and utilized that position as part of an overall IT governance model.

Bash is worse than heartbleed! Oh noes!

A really bad remote code execution bug surfaced yesterday, in Bash–the GNU replacement for the Unix shell. If you have a webserver running, or possibly just SSH, it can be used to execute arbitrary code. It affects anything Unixy–Linux, BSD, Mac OS X, and likely many proprietary Unix flavors, since many of them have adopted the GNU toolchain.

This could be really bad. Some people are calling it potentially worse than Heartbleed. Maybe. I’m thinking it’s more along the lines of MS08-067. But there’s an important lesson we must learn from this.

Curious conspiracies… or maybe just progress all at once

In the wake of Truecrypt’s sudden implosion, someone sent me a link to this curious blog post. I can see why many people might find the timing interesting, but there are a number of details this particular blog post doesn’t get correct, and it actually spends most of its time talking about stuff that has little or nothing to do with Truecrypt.

What’s unclear to me is whether he’s trying to say the industry is deliberately sabotaging Truecrypt, or if he’s simply trying to make a list of things that are making life difficult for Truecrypt. His post bothers me a lot less if it’s just a laundry list of challenges, but either way, the inaccuracies remain.

How to be an Apple Genius

Gizmodo got its grubby little hands on a training manual allegedly used in Apple Stores. It looks credible, and answers some questions.

Thanks for the misinformation, Disney

In one of its throwaway kid’s sitcoms, Disney insinuates that open source software contains spyware and using it is a ‘rookie mistake’.

Open source software rarely contains viruses or spyware. Since it’s open for examination, changes to the code that have any funny business in them tend to be rejected. For that matter, code with unintended bad consequences tends to either be rejected, or quickly changed.

SCO v. IBM winds toward resolution

Slashdot reported yesterday that SCO v. IBM is back on. Well, it is, sort of. The case never was fully resolved, due to SCO running out of money and filing for bankruptcy. Groklaw has the details.

If this sounds vaguely familiar, I’ll try to refresh your memory.

Open-source licenses, the CISSP, and the real world

You may have a question about open-source licenses on your CISSP exam. I don’t remember the specifics and wouldn’t be able to repeat them anyway, but I had a question on my exam where knowing the differences was helpful in finding the right answer.

And I had to deal with an issue this past week involving open-source technologies where the licenses made a big difference.

Open sourcing code doesn’t necessarily mean people will rush to it

John C. Dvorak wrote a nice layman’s introduction to open source on PCMag.com. But he makes at least one big false assumption.

Dvorak says he’d love to see old code open sourced. Some examples he sought, such as CP/M, CP/M-86, and GEM, have already been open source for years. Caldera, after buying the intellectual property of the former Digital Research from Novell, released just about everything that wasn’t directly related to DR-DOS, some of it as GPL, and some under other licenses. The results have hardly been earth shattering.

That PC wasn’t broken, it was just spyware

I “repaired” a PC this weekend. Actually it wasn’t much of a repair. It had problems: disk errors, applications crashed a lot, the computer crashed a lot, startup times were slow, and at times the computer was really unresponsive.

At first I suspected viruses, but I quickly found the virus software was up to date, which was a good thing.

The problem was spyware. I found about 70 instances of it, which is right about average, depending on who you believe. I used Bazooka, Ad-Aware, and Spybot Search & Destroy (all free for personal use). It was necessary to use all three, because each found something the others had missed. I run Bazooka to get an overview of the system since it’s fast. But I don’t do anything with the results since it’s not automatic. Then I run Spybot S&D first, since it’s automatic and faster than Ad-Aware. I run Ad-Aware to get what Spybot S&D misses, and last, I run Bazooka again and manually clean up anything it finds, which will hopefully only be two or three things.

The system could never finish a disk scan or a defrag, but after eliminating the spyware it could do it just fine. The system was too busy spying to do real work. I found disk errors, but all of it was consistent with a computer that crashed a lot.

I really wonder how many computer problems these days would go away if it wasn’t for this junk.

Incidentally, it took me three hours to get rid of all of it and then fix the damage it had wrought.

I recommended the owner ditch Internet Explorer, especially since he had Netscape 7.1 installed. With no ActiveX and no close ties to the OS, it’s a lot harder for a web site to install something without you knowing about it if you’re using a non-IE browser. Use IE just for Windows Update and nothing else. I also should have told him not to install free software, period, unless it’s licensed under either the GPL or a BSD license.

Just by following those two rules, I’ve been spyware-free for years.

Well, I’m a Slowlaris administrator now

Let me run down <strike>my list of qualifications</strike> what I know about Solaris.

1. They call it "Slowlaris" because it initially wasn’t as fast on the same hardware as its predecessor, SunOS.
2. I don’t know if Slowlaris 9 is faster than older versions of Slowlaris, so I don’t know if this counts as something I know about it.
3. Slowlaris is based on System V Unix. SunOS was based on BSD.
4. Slowlaris runs primarily on proprietary hardware from Sun, based on a CPU architecture called SPARC. A handful of Sun clones exist, but I think Fujitsu is the only big third-party manufacturer.
5. There is an x86 version of Slowlaris. Sun keeps going back and forth on whether to continue making it or not, since they don’t make much money off it. It’s being made now. Professional Slowlaris admins argue that its availability makes it easier for up-and-coming admins to learn the OS without buying expensive Sun hardware–they can run it on their six-month-old computer that’s too slow to run Doom 3.
6. "Sun" was originally an acronym for "Stanford University Network."

So most of what I know about Slowlaris is either trivia, or holdover generic Unix know-how. But I told my boss since it’s System V, I should be able to adjust to it almost as easily as I could adjust to a Linux distribution from someone other than Debian. I’ll just be typing --help and grepping around in /etc even more than usual.

Yep, it’s been that kind of <strike>week</strike> month.