A modest proposal

I can’t take credit for this, alas; all props go to my friend Kim. She writes:

A few weeks ago in the cafeteria downstairs I suggested, perhaps too loudly, that maybe it should be illegal for people to put stickers of American flags on vehicles that get less than 15 miles per gallon.

I think this is a brilliant idea, and I’m going to write my representatives in Congress. (Since my rep is one of the most liberal folks in Congress, I bet she’ll love the idea!)

Filed under Musings

For some value of “shallow”…

From a friend who shall remain nameless, lest he get flamed to oblivion. I think this speaks for itself. Physician, heal thyself.

Eric Raymond coined the term “Many eyes make all bugs shallow”. He has an open source product, Fetchmail. In the last six months there have been at least four serious buffer overruns in the product:

Oldest affected version | Release date | Vuln date | Days til found | CVE number    | Short comment
5.3                     | 2/22/00      | 10/11/02  | 962            | CAN-2002-1174 | long headers
5.3                     | 2/22/00      | 10/11/02  | 962            | CAN-2002-1175 | DNS records
5.9                     | 8/13/01      | 12/23/02  | 497            | CAN-2002-1365 | “@”s in local addresses
2.5                     | 12/23/96     | 6/25/02   | 2010           | CAN-2002-0146 | Message limits

Look at the length of time from the defective version being released to the date the defect was found (or at least made public). Makes you wonder about the “many eyes” philosophy, doesn’t it? 🙂
Note: the version release date comes from ESR’s news page.

Filed under General Stuff

Yet another reason to avoid disclaimers

File this under “there’s never a right way to do a wrong thing”. In fairness, Sybari is proactively alerting their customers about this bug, and they still make a darn good AV product. However, if they had resisted the temptation to make their product do something that shouldn’t be done, they wouldn’t have this problem now!

From: support@sybari.com [mailto:support@sybari.com]
Sent: sometime last week
To: faithful E2KSecurity reader
Subject: Re: Configuring Scanned Folder Locations – Antigen for Exchange 7.0
Hello reader,
What build of Antigen are you running? There is a known issue with
corruption of the priv1.stm associated with use of the Disclaimer.
Several clients have seen this, and it is easily resolved by turning the
Disclaimer off. However, this is only a work-around, and, as of now, future
releases of Antigen will not have a resolution to this, since we don’t know what
the cause is. We have been unable to reproduce this in house, and we need
someone who is seeing this to run a diagnostic utility that will provide
more information and, hopefully, a solution.
[ snipped some other unrelated stuff ]
Regards,
a support person
Sybari Software, Inc.
E-mail: support@sybari.com

Filed under General Stuff

Early spring cleaning

I’ve made a couple of minor changes to the site. First, you’ll notice that the dorky-looking Amazon blob is gone from the right side bar. No one was clicking on it anyway. Second, there’s a new form for signing up for the goodies mailing list– I’ve moved from pairlist to Topica’s paid publishing service, which means that all y’all will finally have a real interface for subscribing and unsubscribing.

Filed under General Stuff, Musings

The new phone book is here

My wife’s voice floated down the stairwell, jolting me away from my exciting task of filling out a matrix showing how OCS compares to Exchange. “Honey, the FedEx man left about a dozen packages on the front porch!”
Now, you have to understand that the arrival of the FedEx lady at our house is always a time of celebration. The best times are when she unexpectedly brings some kind of goodie, like a piece of review hardware. Next-best are when she brings something I’ve been anticipating, like salmon chowder or a copy of iLife. (I’ll have to tell y’all about the 50 pounds of candy some other time). When I grabbed the boxes to bring them in, I was greeted by a curious sight on the address label: “AOL Time Warner Book Group”.
This worried me; I was briefly afraid that I was the victim of a drive-by AOL CD dropoff. A glance at the side of the box, though, revealed that the boxes contained my author copies of the book! O joy! Sure enough, when I opened the first box, two copies were staring right out at me. That means that my contributing editors and reviewers will be getting copies over the next few days; the rest of you, alas, may have to actually buy it.

Filed under General Stuff, Musings

Trifecta

Yesterday I got my author copies; today it’s Valentine’s Day, which means it’s also Julie‘s birthday! Mad props to you, birthday girl. For your birthday, I’ve invited Dick Cheney over to paint– I heard he was getting a little stressed out. (Well, not really; no one knows where he is, so I guess he didn’t get the invitation.)

Filed under Uncategorized

Todd strikes again

My friend Todd is one of the nicest guys you could ever hope to meet. He has a disarming aw-shucks manner (born of living in Alabama for most of his life), a quick mind (despite the fact that he attended Auburn), and a terrific sense of humor, as evidenced by this gem (original source unknown):

Question: You’re walking down a deserted street with your wife and two
small children. Suddenly, a dangerous looking man with a huge knife comes around the corner and is running at you while screaming obscenities. In your hand is a Glock .40 and you are an expert shot. You have mere seconds before he reaches you and your family. What do you do?
Liberal Answer:
Well, that’s not enough information to answer the question! Does the man
look poor or oppressed? Have I ever done anything to him that is
inspiring him to attack? Could we run away? What does my wife think?
What about the kids? Could I possibly swing the gun like a club and
knock the knife out of his hand? What does the law say about this
situation? Is it possible he’d be happy with just killing me? Does he
definitely want to kill me or would he just be content to wound me? If I
were to grab his knees and hold on, could my family get away while he
was stabbing me? This is all so confusing! I need to debate this with
some friends for a few days to try to come to a conclusion.
Conservative Answer:
BANG!
Texan’s Answer:
BANG! BANG! BANG! BANG! BANG! BANG! BANG! BANG! BANG!
click… (sounds of clip being ejected and fresh clip installed)
Wife: “Sweetheart, he looks like he’s still moving, what do you kids
think?”
Son: “Mom’s right Dad, I saw it too…”
BANG! BANG! BANG! BANG! BANG! BANG! BANG! BANG! BANG!
Daughter: “Nice grouping Daddy!”

Filed under Musings

Don’t be like Mike

Mike Masnick writes this cautionary tale: How I Accidentally Became a Porn Spammer. Be sure you have some spam filtering, or you too may end up as a p0rn kingpin.

Filed under General Tech Stuff

Terrorist? No, journalist

Computerworld recently reported that Slammer was the work of a terrorist group. As it turns out, a reporter had squatted on a terror group’s domain name and taken the site over– he was the one who made the claim. Computerworld has retracted the original story and posted an explanation. The reporter in question, Brian McWilliams, has done a couple of other slimy things, too, as described in the . Keep this in mind the next time you see a mass-media story about anything having to do with computer security (and beware of security shops like Mi2g.com that fall for this kind of hoax– would you trust them to provide accurate data if they’re taken in by something like this?)

Filed under General Tech Stuff

We are living in a material world

Brandt said:

It’s apparent that the administration is trying to hide something in regard to Iraq. If “material breach” of U.N. Resolution #1441 is what the U.S. is striving for, then why were Blix and El Baradei not informed earlier of the U.S. intelligence that was presented yesterday?

First off, you appear to have bought into the common misunderstanding of “material breach” (John and I already had a conversation about this.) That phrase has a specific meaning, and it’s not “Iraq gets caught holding banned weapons”. It means that Iraq is not complying with the resolution’s inspection requirements. (The exact language: Iraq is in breach if the UN “decides that false statements or omissions in the declarations submitted by Iraq pursuant to this resolution and failure by Iraq at any time to comply with, and cooperate fully in the implementation of, this resolution shall constitute a further material breach of Iraq’s obligations and will be reported to the Council for assessment in accordance with paragraphs 11 and 12 below”). Blix and ElBaradei have both said that Iraq has not complied with the inspection regime. Voilà: material breach!
The pre- and post-Gulf War UN resolutions don’t just ban Iraq from having WMD, IRBMs, and so on. They ban them from attempting to obtain them. So, even if the Iraqis haven’t succeeded in building their al-Hussein derivative, guess what? Material breach again.
As for why we didn’t share our intel, well, you can’t have it both ways. If we reveal intelligence to the UN, we are essentially betting that they will protect the sources of that intelligence and the methods by which it was gathered. This is a dangerous bet, particularly in the case of people inside Iraq who are spying for us– it doesn’t take much imagination to figure out what the Iraqis would probably do to anyone they suspected of leaking information to the US. Of course, as soon as the UN says “you’re in breach: we know you have $badThing at these coordinates”, the Iraqis move it, rendering us unable to strike it in the event of war. (I’m leaving aside the whole pre-inspection argument that the US and Britain were penetrating the inspection apparatus to gather intelligence– if those governments had such great intel, that argument must not have been true.)
Now, on to the argument about casualties: the reason for the buildup is a matter of two things, strategy and tactics. Both dictate assembly of an overwhelming force whenever possible: tactically for a massing of forces, and strategically as a deterrent or means of applying pressure.
Lastly, Brandt’s offhand suggestion that the evidence is manufactured is crazy. Take a look at a map, and you’ll see that Iraq has a significant number of different terrains, including some marshlands that aren’t all that different from south Louisiana (well, except for the Kurds…)

Filed under Uncategorized

The crypto gardening guide

Peter Gutmann’s done it again; he’s produced a wonderful paper for crypto implementers. It posits questions like “Consider whether your design can be implemented on a system with a total of 1kB of memory, or alternatively whether it can process a 1GB data block in a machine with 128MB of memory” and offers pithy comments like “No matter how cool/interesting/useful/mandated in standards a new design is, it won’t be used if it requires redeployment of all existing hardware and software for little apparent gain.”

Filed under General Stuff

A little early Christmas shopping

Could be that I know some people who are getting these for Christmas…

Filed under Friends & Family

Two new Microsoft webcasts

Microsoft has two upcoming webcasts that may be of interest to all you Titanium-watchers out there.
The first one, on 2/12 at 1000 PST, covers Exchange 2003 deployment methodologies. The second, on 2/20 at 1000 PST, covers Exchange security. The TechNet chat summary page lets you get reminders, add the chats to your Outlook calendar, or spam your friends with reminders. See you there!

Filed under General Stuff, Musings

OfficeMax to Paul: mea culpa

After my strong letter to OfficeMax, I wasn’t really expecting a response. I was upstairs stealing some of Arlene’s candy getting a snack and I noticed that the fax machine was humming. It was a letter from OfficeMax’s CEO, apologizing and promising that I’d hear from their director of customer service. What a deal! (I’ll post it when I have more time, which will probably be in 2009 sometime.)

Filed under Musings

Website for sensory integration

My friends Tyler and Rima have a daughter with sensory integration dysfunction. I’d never heard of it, but they’ve launched a pretty comprehensive website that explains it and provides a wealth of educational and teaching resources. Check it out.

Filed under Friends & Family