[Fri Mar 31 15:25:03 CST 2006]

A good friend of mine just told me about EasyUbuntu, an easy way to add support to your Ubuntu installation for things such as MP3 and other non-free formats, libdvdcss, Real Player, Flash, Java, etc.

[Wed Mar 29 16:54:21 CST 2006]

Peter Chabada wrote an excellent piece a few days ago suggesting more than forty ways to improve the Linux desktop experience, including things like a multi-rename feature to rename multiple files using regular expressions, improved keyboard navigation in Nautilus, easy installation of multimedia codecs by showing a dialog explaining how to install them instead of just an error, automatically pausing music playback when the user hits the mute button, better song notification on the GNOME bar, better progress notification for operations such as burning or downloading, editing root-owned files from within applications such as Gedit, better cellphone and PDA synchronization, etc. All in all, it is a pretty good article that shows the enormous benefits of constructive criticism.

[Wed Mar 29 14:30:46 CST 2006]

NewsForge published an interview yesterday with Theo de Raadt, the project leader of OpenBSD, that contains some good comments about secure coding, among other things:

We've had 10 years of nearly fanatical devotion to anything which can make OpenBSD more secure. A very important part of that is that we have not been afraid to completely overhaul anything even if it breaks backward compatibility. Secondly, when we have found a flaw in any part of the system we have assumed that the same mistake was made elsewhere, and gone on a hunt to fix them all. Thirdly, we have developed and incorporated a collection of methods that make software flaws very difficult to attack.

The important detail is that in all three of these areas we have not only been fanatical, but pretty much first. Other vendors are not treating their source code the way we treat ours — with distrust, knowing that we should always actively churn it, so that it can slowly evolve into a better state.

The same interview contains a couple of great links (one to an article published by Wikipedia on OpenBSD Security Features and the other to de Raadt's own Exploit Mitigation Techniques paper) that are well worth a look. Of course, Theo de Raadt being Theo de Raadt, he could not avoid some controversial and highly critical comments about other people:

Nvidia did not give anyone documentation. Instead, they expect people to load a gigantic blob of binary code into their kernel, and just be happy with that. Some Linux people in Germany reverse-engineered the driver years ago, but the rough story I heard is that Nvidia asked them to stop, and they did. This just astounds me! In any case, Jonathan Gray (who started this effort) asked for their help with a few problematic technical details, and they refused. I could not believe that, so I asked as well — and they refused again. These are Linux developers, basically placing the community in a situation where they have to run a binary blob of unknown code from a vendor, instead of sticking to their guns about open source? I must admit, I just don't understand some people. They must have much more flexibility to their belief systems than I have.

Well, yeah, perhaps they have much more flexible belief systems or perhaps they just take threats of legal action more seriously. If de Raadt does not give a rat's ass about that, good for him! However, I find it difficult to moralize about something like that. It is other people's lives, after all. I am more willing to accept his criticism of the vendors who benefit from OpenSSH without contributing much to its development:

If I add up everything we have ever gotten in exchange for our efforts with OpenSSH, it might amount to $1,000. This all came from individuals. For our work on OpenSSH, companies using OpenSSH have never given us a cent. What about companies that incorporate OpenSSH directly into their products, saving themselves millions of dollars? Companies such as Cisco, Sun, SGI, HP, IBM, Siemens, a raft of medium-sized firewall companies — we have not received a cent. Or from Linux vendors? Not a cent.

(...)

If you want to judge any entity particularly harshly, judge Sun. Yearly they hold interoperability events, for NFS and other protocols, and they include SSH implementation tests as well. Twice we asked them to cover the travel and accommodation costs for a developer to come to their event, and they refused. Considering that their SunSSH is directly based on our code, that is flat out insulting. Shame on you Sun, shame, shame, shame.

I will say it here — if an OpenSSH hole is found that applies to SunSSH, Sun will not be informed. Or maybe that has happened already.

Let us forget about the last threat. As far as I know, the OpenSSH guys do not inform any vendor when an OpenSSH hole applies to their own software. Actually, what tends to happen is that they announce publicly that there is a hole in OpenSSH (well, publicly in their own internal lists before it is spread out there to the general public) and Sun's, SGI's, HP's or whichever engineers check to see if their own implementation is also affected by the bug. Still, the point is well taken, I think, and de Raadt is right to point out the selfishness of these vendors.

[Wed Mar 29 09:23:03 CST 2006]

I just came across a short piece published on DebianHelp explaining how to remove Linux from DOS or Windows (well, in reality how to get rid of the information in the MBR so you can repartition and reinstall from scratch) that includes some great tips on how to zero out your MBR both from Linux and DOS:

From the Linux partition:

dd if=/dev/zero of=/dev/hda bs=512 count=1

From DOS (now, this is an interesting one!):

debug
f 9000:0 200 0 (zero-fill the buffer at 9000:0 that will be written to the disk)
a (to start assembly mode)
mov dx,9000
mov es,dx (ES = 9000h, the segment of the zero-filled buffer)
xor bx,bx (BX = 0, so ES:BX points at the buffer)
mov cx,0001 (cylinder 0, sector 1: the MBR)
mov dx,0080 (head 0, drive 80h: the first hard disk)
mov ax,0301 (AH = 03h write sectors, AL = 01 one sector)
int 13 (BIOS disk service: perform the write)
int 20 (terminate the program)
ENTER (to exit assembly mode)
g (to execute)
q (to quit)

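Both commands above destroy the whole first sector at once: the boot code, the four-entry partition table and the 0x55AA signature that follows them. Nothing else on the disk is touched, which is exactly why the disk becomes repartitionable while the partitions' contents stay where they were. As an added example (not from the DebianHelp piece), the following Python script decodes such a sector so you can see what is about to be erased and confirm afterwards that it is gone. The sample sector is constructed inline, and wipe_first_sector is a plain-file stand-in for the dd command, meant for a disk image rather than a live device.

```python
import os
import struct
import tempfile

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445 hold the boot loader stub
PARTITION_ENTRY_SIZE = 16     # four 16-byte entries follow at offset 446
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Decode the classic MBR layout of one 512-byte sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly %d bytes, got %d" % (SECTOR_SIZE, len(sector)))
    partitions = []
    for index in range(4):
        offset = BOOT_CODE_SIZE + index * PARTITION_ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector[offset:offset + PARTITION_ENTRY_SIZE])
        if ptype == 0:        # type 0 marks an unused slot
            continue
        partitions.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_present": any(sector[:BOOT_CODE_SIZE]),
        "all_zero": not any(sector),
        "partitions": partitions,
    }


def build_sample_mbr() -> bytes:
    """Constructed sample, not captured from a real disk: a two-byte jump-to-self
    boot stub padded with NOPs, one bootable Linux partition (type 0x83) starting
    at LBA 63 and spanning 2097152 sectors, three empty slots, and the signature."""
    boot_code = b"\xeb\xfe" + b"\x90" * (BOOT_CODE_SIZE - 2)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x83, b"\xfe\xff\xff", 63, 2097152)
    return boot_code + entry + bytes(PARTITION_ENTRY_SIZE) * 3 + BOOT_SIGNATURE


def read_first_sector(path: str) -> bytes:
    """Read sector 0 of a disk image (or, with the right privileges, a device node)."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def wipe_first_sector(path: str) -> None:
    """Overwrite sector 0 with zeros in place: the same effect as
    dd if=/dev/zero of=<path> bs=512 count=1. The file must already exist."""
    with open(path, "r+b") as f:
        f.seek(0)
        f.write(bytes(SECTOR_SIZE))


if __name__ == "__main__":
    # A tiny four-sector "disk" image built from the constructed sample MBR.
    fd, image = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(build_sample_mbr() + bytes(SECTOR_SIZE * 3))
    print("before:", parse_mbr(read_first_sector(image)))
    wipe_first_sector(image)
    print("after: ", parse_mbr(read_first_sector(image)))
    os.remove(image)
```

Before wiping a real disk, the same dd invocation with the device as input and a file as output (bs=512 count=1) keeps a copy of the sector, so the operation can be reversed with the command run in the other direction. Note too that only sector 0 is touched: on a GPT-partitioned disk the partition headers live in later sectors and survive this wipe, and on current kernels the first disk is usually /dev/sda rather than /dev/hda.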

[Wed Mar 29 08:46:40 CST 2006]

Harry Fuecks has published an interesting piece on Evaluating PHP Applications with some good tips on checking their security track record, auditing their code, finding out about scalability issues, bug tracking and code management, etc. Along the way, we learn about functions as useful as mysql_escape_string, mysql_real_escape_string, addslashes and htmlspecialchars. While not a very in-depth analysis, it is not bad as an introduction to the topic.

[Thu Mar 9 09:45:54 CST 2006]

I just came across the Ubuntu Sources.list generator, which allows you to generate an Ubuntu sources.list file from your preferred set of repositories by simply checking the boxes in the web interface. Pretty nifty and painless. By the way, here are a couple of links to serve me as reminders:
Ubuntu community participation
Ubuntu MOTU/Packages/Candidates

[Mon Mar 6 07:35:02 CST 2006]

The O'Reilly Network has published an interesting article about what corporate projects could learn from open source that makes for a good read. The following is a good example:

Say a junior developer is working on a bug fix, and realizes that the entire design of the part of the software he's working on is flawed. He comes up with an improvement and brings it up with his boss. If this is a typical corporate project, it's likely that this junior person will see his idea shot down almost immediately. His boss will brush him off, saying that it will take too long to implement, or that it's going to be too hard a change to make, and nobody else on the team will even hear about it. But what his boss is really thinking is, "How can this junior guy spot a mistake that none of the senior people caught? He must not understand all of the details".

Say that same junior developer later that week brings it up with a senior team member. The senior guy is in a good mood, and entertains the thought. Suddenly he realizes that there really is a serious problem with the project! He goes to the boss, but this time the boss listens. With the senior person's backing, the suggestion has a lot more credibility. Now it will be heard and acted upon.

This is no way to run a software project. Good ideas come from everyone, not just the senior team members. But corporate environments frequently discourage innovation from the "bottom of the food chain". In fact, many corporate environments discourage innovation altogether, dismissing it as risky and potentially expensive. There's often a sense that no new innovation should be adopted unless it has been successfully implemented in another project. This is yet another way that team members' opinions can be squelched on corporate projects. In the end, many bright (and often young) project team members routinely come up with new and insightful ideas, only to have them shot down because they didn't follow proper channels or have enough seniority — or because a senior manager simply didn't understand them.
