mark :: blog
Just back from a couple of days in London with the Red Hat world tour folks. It was awesome fun and I got to meet loads of interesting people. I've no idea how these guys have managed it, especially their rule on having no checked-in luggage. Two weeks without scissors or sharp instruments. Actually, given their close confinement that's probably a good thing.
I'm sure at the end of the Linux user group meeting yesterday a guy walked off with a couple of dozen of the world tour t-shirts we were giving away; wonder if they'll turn up on ebay.
My attempt to photo blog the event with my phone camera failed as I ended up sending all the pictures to the wrong email address. D'oh.
What a busy day; doing the OpenSSL release manager role for the recent security updates, testing packages, dealing with the third parties, being a third party, rolling, pushing, correcting.
What is disturbing is a report from a third party company who is vulnerable to one of the denial of service issues that said that it wasn't a security issue as there were hundreds of other possible DoS attacks. Actually, this attack causes OpenSSL to crash. We've got a proof of concept, you don't have to send more than a kb of data to get OpenSSL to crash remotely. This can be quite serious if you have a service that can't recover from that. Things like Apache (when running in its default prefork memory model) can recover quite well - they just spawn off a new child to replace the dead one. This is going to use up some extra resources, but depending on the platform it's quite minor (and will stop as soon as the attacker stops sending malicious packets). Not everything that listens to the network that uses OpenSSL is so resilient.
Going to be in London next weekend?
ZOË rocks. www.zoe.nu. It's built on Apache Lucene and it actually works. I've just let it spend 3 days importing and indexing over 100k messages (8 years worth, after stripping mailing lists). Now I can search my old emails in seconds, get threaded lists, and easily find all the attachments. It even dealt with duplicates perfectly, which given the state of my mail archives is definitely no easy task. 3 days is a long time, but then it was running on a 512Mb 450MHz old machine. I've already found mails I never thought I had and pictures in attachments I didn't remember. Awesome stuff.
So I nearly missed a staff meeting last week, my iPAQ forgot to remind me. In fact it now doesn't bother reminding me about any appointments. To cut a very long and annoying story short it turns out to be a known problem with Microsoft Pocket PC 2003 where in some circumstances alarms don't work. Hold on, this is a PDA, and isn't one of the main functions of a PDA the ability to keep alarms? I'm glad I didn't sell my Palm Vx now, looks like I'll be switching back to it.
As I was committing the template for this week's issue of Apache Week I noticed that it has now been exactly eight years since I wrote the first issue. Back then Apache wasn't so popular and the documentation was lacking. Apache Week was designed specifically to give administrators the confidence to try the Apache web server on their machines without having to parse the hundreds of messages each week on the developer mailing list. That first issue was written over a 64k ISDN dial-up line from a computer perched on a stark IKEA tabletop. Friday afternoons were spent writing up what had happened during the week. Not much has changed. Actually, I think that IKEA tabletop is still sitting in storage somewhere at Red Hat in Guildford. I wish I'd kept hold of it, it would have been useful for my girlfriend's son's train layout.
Over the years there have been many times when we've thought about stopping production, usually when a competitor announced some other Apache magazine that we thought would do a better job than we do. But most of them gave up. They probably realised that there wasn't any money to be made from an Apache httpd journal.
UK Web became C2Net which became Red Hat, and Apache Week is still going strong. We'll have to think of something exciting to do for our tenth birthday.
I wrote a Windows application last night! Then realised that I'd actually not written any Windows stuff for over ten years. The last Windows app I wrote was with Paul Sutton back in 1993 when the Windows Sockets Library had just been brought out. We wrote a winsock Connect-4-type game. When I visited Microsoft whilst working at C2Net I actually met one of the winsock original authors who even remembered using our game. Anyway, Windows applications seem to be a whole different world; with hundreds of web sites trying to sell you utilities. Awful utilities. Things you could do with 3 lines of Perl that the author has made shareware and wants you to pay $15 to unlock.
So to spread some good Karma my OTP OPIE S/KEY client thingy is free, with source. Although I have to admit that it's probably about 40 lines of code linking to existing libraries, and it probably took me longer to write the web page and draw the icon than write the app.
Now I can get back to doing the work on the system that I needed to use the OTP calculator to log into in the first place ;)
Two hours searching the web trying to find a S/KEY OTP or OPIE generator for my new Pocket PC. Another hour trying to get a Java environment running on it and failing to remember how to write Java that doesn't run inside of Applets. Annoyed and frustrated I found the C source to OPIE, grabbed the VC++4.0 embedded studio from Microsoft and within an hour had knocked together a hacky app. It's not pretty (I thought I'd banished such things as CStrings and LPCSTR pointers to the back of my memory) but it works.
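For anyone curious what such an OTP calculator actually computes, here is the RFC 2289 (OPIE/S/KEY) MD5 algorithm as an added example, not the Pocket PC client from this post: the client derives a 64-bit one-time password from seed, passphrase and sequence number, and the server side checks it without ever holding the passphrase. The assertions it was written against are the RFC's own published test vectors.

```python
import hashlib
from typing import Optional, Tuple

# RFC 2289 one-time passwords, MD5 variant (the scheme OPIE and S/KEY implement).
# Added example; not code from the blog's OTP client.

def _fold(digest: bytes) -> bytes:
    """Fold a 16-byte MD5 digest into 8 bytes by XORing the two halves."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))

def otp_md5(passphrase: str, seed: str, count: int) -> bytes:
    """Return the 64-bit OTP for sequence number `count`.

    The seed is case-insensitive and lowercased before use; seed and passphrase
    are concatenated (seed first) and hashed, then the 8-byte result is
    re-hashed and folded `count` more times.
    """
    if not (1 <= len(seed) <= 16 and seed.isalnum()):
        raise ValueError("seed must be 1 to 16 alphanumeric characters")
    if len(passphrase) < 10:  # RFC 2289 minimum passphrase length
        raise ValueError("passphrase must be at least 10 characters")
    state = _fold(hashlib.md5((seed.lower() + passphrase).encode("ascii")).digest())
    for _ in range(count):
        state = _fold(hashlib.md5(state).digest())
    return state

def to_hex(otp: bytes) -> str:
    """Format an OTP in the RFC's hex response form: four groups of four hex digits."""
    h = otp.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))

def verify_and_advance(stored: Tuple[int, bytes],
                       response: bytes) -> Optional[Tuple[int, bytes]]:
    """Server-side check. The server keeps only (count, otp_for_count).

    The client answers with the OTP for count-1; one more hash-and-fold of that
    answer must reproduce the stored value. On success the stored pair moves
    down to (count-1, response), so replaying the same answer later fails.
    Returns the new stored pair, or None on failure or an exhausted sequence.
    """
    count, expected = stored
    if count <= 0:
        return None  # sequence used up: user must re-initialise with a new seed
    if _fold(hashlib.md5(response).digest()) != expected:
        return None
    return (count - 1, response)
```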
I wrote some stuff for Apache Week about the new Apache Planet aggregator, and Joe wrote up the Bugtraq won't-die thread about leaking fds.
Am I expecting too much? I bought an iPAQ h4350 this week to replace my aging Palm Vx. Except I can't replace it yet. My Palm has a cute free application to do memo encryption, a one-time-password generator, a unit converter with every unit you can think of (including knowing that US and UK gallons are different) and even an ssh client. Finding replacements for these is a nightmare. The iPAQ comes with F-Secure file crypto, but try to find it on the F-Secure site and you get pointed to some new company they sold it to, that doesn't have any upgrades or useful information. The F-Secure FileCrypto stuff doesn't integrate very well anyway. I bought a drive crypt program from SecureStar. It crashes. Microsoft Money won't sync my foreign currency accounts. People want me to pay USD30 for a silly unit conversion utility, and don't even get me started on ssh or otp/skey programs.
It's been a frustrating week!
vCard-implementing applications suck. Over the holidays I decided to unify my contacts, I had different people in different places. When a flight got delayed for 24 hours in New York I was lucky that I had a friend in New York in the right contact database. Anyway I decided to standardise on vcf (vCard) format. One long big text file with entries for all my contacts. Sounds good so far, right? Well it turns out everyone deals with vcf files in a different way. Palm Desktop (win) will import such a file but trashes fields it doesn't understand (which means it's a one-way import). Updating entries, even keeping the same serial number, causes it to create a duplicate entry.
My T610 phone will happily email me a vcf file and cunningly even embed the photo associated with the contact. But it isn't so happy having vcfs pushed back to it (you have the same duplication issues and it ignores the pictures). Outlook will only import one VCF entry at a time and seems to trash fields it doesn't understand. I can make Outlook Express crash badly given a certain VCARD 3.0 format vcf file.
Time to go play with kdepim (although the version I had installed on Red Hat Linux 9 didn't cope with version 3 stuff) and we just issued a kdepim erratum yesterday due to vCard processing vulnerabilities. Hmmmm.. perhaps it's safer and quicker to just print out my contacts and stick the pages in my Franklin Covey planner.
For historical reasons I use the USA version of Microsoft Money. Unfortunately the US version will only connect to US/CA banks and the UK version to UK banks, and I wanted a version that would connect to both. There is no reason why it shouldn't work because the protocol used to talk to the banks is open (OFX). In fact it does work, and here is how to do it.
Unfortunately Microsoft changed the way financial institutions work with Money 2005 onwards, so this hack will only work for Money 2004.
Disclaimer: Back up everything, I'm not responsible if you lose 6 years of data or if you suffer heart problems after Money reports your net worth is now negative.
But unless you use the UK Nationwide bank or the Woolwich you'll be disappointed; they seem to be the only ones that are fully integrated.
- You need a copy of the file FIPARTNR.INI from the UK version of Microsoft Money. Or if you know the details you can make one up yourself.
- Back up everything, exit Money.
- Find your current version of the US FIPARTNR.INI file (it will be in the SYSTEM subdirectory of your Money installation).
- Append the contents of the UK FIPARTNR.INI file to the end of the current one.
- Go into Money (make sure you don't do an internet update).
- Go to your financial institution (Nationwide say), click "online setup" and with luck it will recognise, configure, and connect to Nationwide.
- After connecting Money thinks it's being clever and will notice you've altered FIPARTNR.INI and will download a new one. At this point Money will complain that "New online settings are available for Nationwide". You can safely ignore this message (and you'll have to ignore it each time you do an Internet update).
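The backup-then-append steps above, as an added script that is not part of the original post: it copies the US FIPARTNR.INI aside before touching it, appends the UK file on a fresh line, and lists any [section] name that appears in both files so a clash can be reviewed before Money reads the result. The INI section and key names below are constructed placeholders, not real Money settings.

```python
import re
import shutil
from pathlib import Path
from typing import List, Tuple

# Added example for the FIPARTNR.INI merge described above; not Microsoft's or the
# blog's code. File layout assumptions: plain text with [section] headers.

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")

def section_names(ini_text: str) -> List[str]:
    """Return the [section] headers of an INI file in order of appearance."""
    names = []
    for line in ini_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            names.append(m.group(1).strip())
    return names

def merge_ini_text(us_text: str, uk_text: str) -> Tuple[str, List[str]]:
    """Append uk_text to us_text; return (merged text, sections present in both).

    If the US file does not end in a newline, one is added so the first UK
    [section] header lands on its own line rather than on the last US key.
    """
    overlap = sorted(set(section_names(us_text)) & set(section_names(uk_text)))
    if us_text and not us_text.endswith("\n"):
        us_text += "\n"
    return us_text + uk_text, overlap

def merge_ini_files(us_path: str, uk_path: str) -> Tuple[Path, List[str]]:
    """Back up the US file beside itself, then overwrite it with the merged text."""
    us = Path(us_path)
    backup = us.with_name(us.name + ".bak")
    shutil.copy2(us, backup)  # the post's first step: back up before editing
    merged, overlap = merge_ini_text(us.read_text(), Path(uk_path).read_text())
    us.write_text(merged)
    return backup, overlap

# Constructed sample content (placeholder sections and keys, not real entries).
US_SAMPLE = "[Example Bank US]\nPlaceholderKey=us-value"
UK_SAMPLE = "[Nationwide]\nPlaceholderKey=uk-value\n"
```

A non-empty overlap list means the UK file would redefine a section the US file already has; check those sections by hand before starting Money.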
Hi! I'm Mark Cox. This blog gives my thoughts and opinions on my security work, open source, fedora, home automation, and other topics.