mark :: blog

<< prev [ 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 ] next >>

So our joint statement in response to the Forrester Study is now available and it got to slashdot and other places. It should be an identical statement from each vendors site - although I think the European -ise's got replaced with -ize's in some of the statements. It's quite an event to have four competing Linux distributions giving a joint statement on an issue - but behind the scenes this goes on all the time. Every day we work with our competitors in the other Linux vendor security teams to make sure that Linux users get quality, peer-reviewed, security fixes in a timely fashion.

What a busy day; doing the OpenSSL release manager role for the recent security updates, testing packages, dealing with the third parties, being a third party, rolling, pushing, correcting.

What is disturbing is a report from a third party company who is vulnerable to one of the Denial of service issues that said that it wasn't a security issue as their were hundreds of other possible DoS attacks. Actually, this attack causes OpenSSL to crash. We've got a proof of concept, you don't have to send more than a kb of data to get OpenSSL to crash remotely. This can be quite serious if you have a service that can't recover from that. Things like Apache (when running in its default prefork memory model) can recover quite well - they just spawn off a new child to replace the dead one. This is going to use up some extra resources, but depending on the platform it's quite minor (and will stop as soon as the attacker stops sending malicious packets). Not everything that listens to the network that uses OpenSSL is so resiliant.

Going to be in London next weekend?

As I was commiting the template for this weeks issue of Apache Week I noticed that it has now been exactly eight years since I wrote the first issue. Back then Apache wasn't so popular and the documentation was lacking. Apache Week was designed specifically to give administrators the confidence to try the Apache web server on their machines without having to parse the hundreds of messages each week on the developer mailing list. That first issue was written over a 64k ISDN dial-up line from a computer perched on stark IKEA tabletop. Friday afternoons were spent writing up what had happened during the week. Not much has changed. Actually, I think that IKEA tabletop is still sitting in storage somewhere at Red Hat in Guildford. I wish I'd kept hold of it, it would have been useful for my girlfriends sons train layout.

Over the years there have been many times when we've thought about stopping production, usually when a competitor announced some other Apache magazine that we thought would do a better job than we do. But most of them gave up. They probably realised that there wasn't any money to be made from an Apache httpd journal.

UK Web became C2Net which became Red Hat, and Apache Week is still going strong. We'll have to think of something exciting to do for our tenth birthday.

I wrote a Windows application last night! Then realised that I'd actually not written any windows stuff for over ten years. The last Windows app I wrote was with Paul Sutton back in 1993 when the Windows Sockets Library had just been brought out. We wrote a winsock Connect-4-type game. When I visited Microsoft whilst working at C2Net I actually met one of the winsock original authors who even remembered using our game. Anyway, Windows applications seem to be a whole different world; with hundreds of web sites trying to sell you utilities. Awful utilities. Things you could do with 3 lines of Perl that the author has made shareware and wants you to pay $15 to unlock.

So to spread some good Karma my OTP OPIE S/KEY client thingy is free, with source. Although I have to admit that it's probably about 40 lines of code linking to existing libraries, and it probably took me longer to write the web page and draw the icon than write the app.

Now I can get back to doing the work on the system that I needed to use the OTP calculator to log into in the first place ;)

I've just realised that I never finish anything that I do in my spare time. I tend to keep getting distracted by new and exciting projects so everything sits about 80% complete:

Spare time over the last few weeks has been a bit limited what with the OpenSSH and Sendmail issues, and I guess I need to finish off my talk for ApacheCon.

Protocol: Jabber

I toyed with several ways of dealing with the home automation system. Misterhouse looked very impressive and was written in Perl so easy to extend, but it also liked to take control directly itself of any hardware. I wanted each bit of home automation hardware to have its own intelligence, it's own bot, allowing the hardware to exist on separate machines and architectures. So I started out writing bits of custom perl for each of the bits of hardware (with some C for things like serial interfacing which was hard for me to get to work perfectly with Perl). I then heard about the XAP project which looked quite interesting but seemed to have a number of weaknesses - it mostly relied on udp broadcast packets for the components to talk together (I wanted components on different network segments, some on wireless, some on links I share with video traffic - udp broadcast packets just are not reliable enough), the other problem was that the components already written were under a license that prohibited commercial use at all. Not that I intend to sell this, but if I'm going to work on software I want that sofware under a BSD-style license or failing that GPL. So my requirements were to have a lightweight messaging system ideally using XML that could run over a security layer (for the wireless network) that I could extend and easily write a custom client for. The answer of course was Jabber. With the Net::Jabber module I can easily write bots and clients in Perl for speed, and with the Perl Tk interface writing user interfaces takes no time at all and they work across platform: Linux or even Windows.

The nice thing about Jabber is that clients for Jabber exist for just about every platform. It's simply to take the source code for a Jabber client and add some buttons and things to make it control any aspect of the home automation system. And if no source exists you can simply chat to the lighting bot and tell it "lights living 18". The plan is to be able to control this all from a wireless PDA too.

Controller: Fujitsu Point

The big test; would Perl and Tk and a Net::Jabber client run okay on a AMD 100MHz processor running in 800x600 256 colour mode? The startup time is about a minute, but then once it's done it happily refreshes the screen with no real visible delays and sends and receives (and parses) messages without a hitch. Here are some pics from the initial interface written over Christmas vacation 2002.

Figure 1: Lighting interface (a Jabber x10 bot)

Figure 2: TiVo interface (a Jabber TiVo bot communicating with a custom tivoweb module that returns XML status information)

Figure 3: Heating interface (a Jabber to one-wire bot that talks to the one-wire temperature sensors, logs data using rrdtool, and talks to the one-wire heating switch)

Figure 4: Misc stuff interface (the DSL bot talking to the cable modem and the UPS bot talking to the UPS device. Alerts also come in here)

Figure 5: Caller ID interface (a Meteor caller id bot with pop-up pics for most of the people we know)

Figure 6: Interface to front door camera (rear only goes into the MV1000 so far)

Each hardware component has it's own bot that can be queried for status and can also be made to broadcast status information either when something changes or every minute. The client simply parses every message it receives and displays it in the right place. Software will be here soon.

I wanted to be able to mount the Fujitsu Point 510 on the wall. I looked for the official cradle but many months went by without one appearing on ebay. A couple of sites show how they mounted their Fujitsu Point into the wall, but I wanted to be able to lift it off and use it as a tablet from time to time too.

Inspiration hit when looking at the back of the Fujitsu and finding a large number of circular sticky covers - covering really nice screw points. So a couple of drywall fixings into the wall and custom brackets later and here is the result. The custom brackets were made from spare PC expansion card slot covers, nice and thin but quite strong)


NetworkLightingHeatingAVThe rest

Plans (as time and money permits)

My paper on "Security Response and Vendor Accountability for Open Source Software" was accepted for Linux World 2003 in San Francisco and I'm giving a similar talk at Linux for Business in London on the 10th June. The role of the open source vendor is often neglected when folks talk about the security of open source software.

House modifications are coming along well, with updates to the Home Automation security software (a few suprises for any intruder), and some large black marble balls on a rockery out the front. Tracy has been spending a few days pressure-washing the driveway which is fun apart from the occasional lump of sand that gets blasted at random parts of your body. Sand in your nose is quite annoying.

Had an interesting week wading through vulnerability details and the various advisories which never really seem to match the facts. Take one Linux vendor for example who got confused about the Oracle mod_dav vulnerability and, even though they were not affected by the vulnerability, released new Apache mod_dav packages. To add to the confusion their newly released errata packages had actually added a patch which added in the vulnerability. So they started out not vulnerable, but then released a patch which was meant to remove the vulnerability but actually really made them vulnerable. No wonder folks are confused. Wrote a bit of a rant about it in Apache Week this week.

<< prev [ 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 ] next >>

Hi! I'm Mark Cox. This blog gives my thoughts and opinions on my security work, open source, fedora, home automation, and other topics.