A big “d’oh,” maybe

It seems like only last week that I was whining that browsers were disintegrating like so many smashed plates at a Greek wedding. Oh yes, it was only last week.

Well it looks as if some of this may not be a unique personal experience but is caused by a vulnerability in IE. Microsoft’s Security Advisory describes the flaw they’ve just found. The way it seems to operate sounds uncannily like what’s happened to my browser in IE.

The vulnerability exists as an invalid pointer reference in the data binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object’s memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable. (from Microsoft’s Technet)

“invalid pointer reference in the data binding function.” I understand all the words individually but I got lost as soon as I tried to understand them when they are linked together.
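To unpack the advisory wording quoted above, here is an added example (not code from Microsoft or from this post) that models "an object to be released without updating the array length". A small fixed pool stands in for the heap so that reuse of the released slot is visible without undefined behaviour; every name in it is hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define SLOTS 4

/* A fixed pool stands in for the heap so that reuse of a released slot can be
   observed without undefined behaviour. All names here are hypothetical. */
typedef struct { int live; int owner; } Obj;
typedef struct { Obj *obj; int owner; } Entry;   /* owner the entry was bound to */
typedef struct { Entry items[SLOTS]; size_t len; } Bindings;

static Obj pool[SLOTS];

static Obj *obj_alloc(int owner) {
    for (int i = 0; i < SLOTS; i++)
        if (!pool[i].live) { pool[i].live = 1; pool[i].owner = owner; return &pool[i]; }
    return NULL;
}

static void bind(Bindings *b, int owner) {
    if (b->len == SLOTS) return;
    Obj *o = obj_alloc(owner);
    if (o) { b->items[b->len].obj = o; b->items[b->len].owner = owner; b->len++; }
}

/* The advisory's pattern: the object is released, the array length is not updated. */
static void release_buggy(Bindings *b, size_t i) { b->items[i].obj->live = 0; }

/* Corrected form: release, close the gap, shrink the length. */
static void release_fixed(Bindings *b, size_t i) {
    b->items[i].obj->live = 0;
    memmove(&b->items[i], &b->items[i + 1], (b->len - i - 1) * sizeof(Entry));
    b->len--;
    b->items[b->len].obj = NULL;
}

/* Entries still inside len whose slot was freed or now holds someone else's object. */
static size_t stale_entries(const Bindings *b) {
    size_t n = 0;
    for (size_t i = 0; i < b->len; i++)
        if (!b->items[i].obj->live || b->items[i].obj->owner != b->items[i].owner) n++;
    return n;
}

/* Bind three objects, release the middle one, let an unrelated allocation reuse its slot. */
static size_t scenario(int fixed) {
    Bindings b;
    memset(&b, 0, sizeof b);
    memset(pool, 0, sizeof pool);
    bind(&b, 1); bind(&b, 2); bind(&b, 3);
    if (fixed) release_fixed(&b, 1); else release_buggy(&b, 1);
    obj_alloc(99);                       /* constructed: unrelated allocation */
    return stale_entries(&b);
}

int main(void) {
    printf("buggy: %zu stale, fixed: %zu stale\n", scenario(0), scenario(1));
    return 0;
}
```

In the buggy run the array still claims three entries, and the middle one now refers to memory that belongs to a different object, which is the "deleted object's memory space" the advisory mentions.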

But, causing IE to “exit unexpectedly”. That sounds like what IE has been doing randomly for weeks. Often failing to release the memory that it was using – which I don’t find out until too late. I didn’t really consider that it might be a new form of browser attack. How naive is that? D’oh.

Not that that’s any excuse for Firefox. But I’m not convinced that FF is so magically free from being affected by the same attack attempts, that it won’t crash and die when it bumps into them, even if it doesn’t let an intruder in. In any case, I only ever use IE when Firefox has decided to commit suicide a few times.

I know that using Linux would mean that attacks like this would never work but it’s not completely intrusion-proof. This PC is pretty well on its last legs, as it is. It’s a few more bad reads away from hard disk failure, anyway. (And that’s in the not-completely “legacy” disk drive, not the really old disks that are also still in it.) The graphics card should be in the “Museum of graphics cards that were state of the art in 2003.” If I change its OS, my software won’t work, I’ll lose all my passwords, the cable connections will have to be reset and so on. When I’m forced to get a new PC, it will use Linux, but until then, no.

The Microsoft Technet page warns site owners that SQL injection attacks might turn their sites into unwitting distributors for the malcode and directs worried site owners to scrawlr, a free HP tool that is supposed to check your site for SQL injection code. Every site that uses something like PHP is fair game for that.

So it sounds like a plan and the scrawlr page has a good cartoon. But I end up far from convinced there’s any value in downloading scrawlr, after reading the comments. Like this one from leon:

The comic is xkcd
The tool is useless, scrawlr is entirely unable to detect even the simplest vulnerabilities, I went as far as pasting an example injection into the url bar and it okayed that!!! I also have an intentionally vulnerable site with local only access that we are using to configure our new IDS and it didn’t find a thing… seriously, if you take anything away from this, let it be the comic.

(That link is to the comic, in general. The scrawlr page has the relevant cartoon.)
MarkH says:

Doesn’t support POST forms or Javascript. In other words, this demo tool can’t actually test anything that any web developer would have written since, oh, say 2001.
Epic fail.

Doesn’t let you check POST forms? 🙂 I think I’ll pass, then.

A report on the BBC’s tech page had a “security expert” saying “don’t use IE” and Microsoft – unsurprisingly – warning against that particular course of action. 🙂

As many as 10,000 websites have been compromised since the vulnerability was discovered, he said.
“What we’ve seen from the exploit so far is it stealing game passwords, but it’s inevitable that it will be adapted by criminals,” he said. “It’s just a question of modifying the payload the trojan installs.” (from the BBC)

As soon as “security experts” start talking up threats, I tend not to believe them. 10,000 websites sounds as unconvincing as the UK government’s “30 terror plots.” And so far the exploit has stolen game passwords. Hmm. Hardly a cause to panic about your e-bay sales or your online banking, then. Do you care if you find yourself playing World of Warcraft alongside an unaccredited troll?

Still, Microsoft’s idea of advice doesn’t inspire much confidence, either.

Microsoft urged people to be vigilant while it investigated and prepared an emergency patch to resolve it.

How exactly am I supposed to be vigilant? I could try to check every invalid pointer reference in the data binding function, could I? Even if this wasn’t so far over my head that I could call it an “umbrella”, IE would have to become Open Source before I could even hope to identify the databinding function.

I thought I’d already pushed the intrusion detection boat out by running Ethereal and Snort whenever I feel mildly obsessive. (And they piss me off because half the transactions that my computer indulges in can’t be fathomed anyway. So I stick to using them for purposes like getting my passwords off the traffic stream, in plain text, which is surprisingly helpful when I’ve forgotten them but annoys me all the same. Why on earth have passwords that are hidden from the bloody user by asterisks but easily readable by anyone with a packet-sniffer? Cue another rant.)

This “data-binding function” of IE needs a whole new set of skills that I really don’t believe would hold much entertainment value. So I don’t intend to get them. And “invalid pointers”? Can Microsoft or someone direct me to the Girl’s Big Book of Valid Pointers so I can be properly “vigilant”?

How religions spread

Religion is a product of evolution, software suggests. (New Scientist article about research by James Dow.)

Now who could argue with software? It’s not as if software can only give out results in the way it’s been programmed to or anything….

By distilling religious belief into a genetic predisposition to pass along unverifiable information, the program predicts that religion will flourish

Theories on the evolution of religion tend toward two camps. One argues that religion is a mental artefact, co-opted from brain functions that evolved for other tasks.
Another contends that religion benefited our ancestors. Rather than being a by-product of other brain functions, it is an adaptation in its own right. In this explanation, natural selection slowly purged human populations of the non-religious. (From the New Scientist article)

I am basing my opinion on a cursory reading of a pop-science version of real research that I have only skimmed (and I expect some more careful reader will comment to challenge my surface arguments with facts.) But, I take this to mean that the algorithm seems to indicate that telling convincing lies has evolutionary advantages. No surprise there. Otherwise politicians would have long been extinct.

But, are lies about gods in some other even-more-genetically-advantageous category than just regular lies? This experiment appears to favour the religious only when others help them:

Under most scenarios, “believers in the unreal” went extinct. But when Dow included the assumption that non-believers would be attracted to religious people because of some clear, but arbitrary, signal, religion flourished

So, this research actually implied that belief in lies was not a successful survival strategy? Unless the goalposts were moved to make it one?

I assume that the arbitrary attractors could arise from activities such as embedding lies in interesting stories. Some myths are somehow compelling. Narrative is attractive. (The attractiveness of narrative is itself something of an evolutionary mystery.) All the same, I am largely unconvinced by the explanatory power of the arguments, the choice of variables and the specific values assigned to them.

However, science being science – i.e. developed through experiment and debate rather than through accepting erroneous beliefs because they come with clear but arbitrary attractive signals – I can test it out. The software can be downloaded under the GNU public licence. This is so admirable a way to conduct and spread research that I have to tip an oversized conceptual hat to James Dow.

Wikia search project

Internet search engines tend to be perfect examples of the proverb “To them that have shall be given.” (I guess this is a Biblical quote. The “hath” suggests it anyway.)

Get a top ranking on Google and you can guarantee your site will get loads of hits. Which will up your ranking. Which will get you more hits. And so ad infinitum.

Which must be great if you are the website equivalent of Coca Cola. But is a bit of an obstacle when you are Joe Nobody’s Homemade Dandelion and Burdock Drink.

So it’s good that an open source Wikia Search project is slowly being brought into existence. The idea is that an open source search algorithm will inspire more confidence in the results. At the least, it will let website owners know what the goalposts are.

New Scientist of 12th June 2007 (Yes, I know, it obviously takes me a while to process information) described the Wikia search project as the project of a “rebellious group of software engineers” determined to topple Google.

Apparently, one of the biggest problems is the shortage of mountains of cash to set up global data centres to match those of Google and Microsoft. According to New Scientist, one possible solution is to use a grid computing model, along the lines of SETI, with the search processing distributed around the world on volunteers’ PCs.

Most of the stuff on the Wikia site at the moment is concerned with the project itself. There is an about page. It looks as if development has stalled a bit since the initial start push in 2004, though. (Which suggests that New Scientist is even slower than me at processing information.)

Here’s an extract from Wikia Search on some of the ranking problems they intend to address:

Several other strategies to cheat or game the search engines are based on the fact that many search engines consider a hyperlink to a site to be a ‘vote’ for that site or measure of popularity. The use of hyperlinks as an indicator of website ‘quality’ led to link exchanges, link farms, bulletin board spam and other strategies to boost sites. Search engines responded by attempting to algorithmically evaluate the quality of each page, and discount links on sites or pages of little real value. While these algorithms to assess quality have neutralized millions of web pages, they have not (and cannot?) objectively determine the value and context of all the links on the web. The number of links to a page remains one of the biggest factors in how a page ranks in conventional search engines, and remains a prime area of interest for black-hat and grey-hat SEO.

Anything that can cut down the number of pointless spam sites that can clutter up the first few dozen pages of search results from standard search engines will be a big step forward.

I hope they solve the problems and this idea takes off. I’d volunteer my puny computing power and some of my bandwidth. Persuading ISPs not to do the choking-at-peak-times thing that they have started sneaking in through “Fair use” policies might be an obstacle though.

Linux – Partial Success

Well it seems I have had at least a partial success with the installation of Linux onto this machine. Numerous attempts with openSUSE, Ubuntu and Solaris all failed dismally.

openSUSE 10.2 in both 32 and 64bit versions refused point blank to find the USB device (previously they found it) and certainly wouldn’t give me the facility to configure it. This is doubly strange as I have openSUSE 10.2 running on an older machine in the spare room which uses an identical USB WiFi dongle, and it worked straight out of the box. This really is a shame as over the years, I have come to like SUSE and thought its progress was excellent.

Ubuntu 6.10 (32/64bit) and Ubuntu 6.06 (32 bit) also completely failed to work. While it was similar to openSUSE, Ubuntu is a lot more frustrating with its problems. The way Ubuntu obsesses about hiding the inner workings and hand-holding pretty much drives me insane. As I see it, the main reason someone will go to Linux is because they want the power and capabilities offered by a great OS. Making all of this hidden and “unintuitive” strikes me as abject lunacy.

Solaris 10.2 (32 bit) bombed. I wasn’t really expecting much from this, my experiences with Solaris on desktops in the past have never been “fun.” This time was no different. It got as far as trying to set up the graphical interface and crashed. A reboot and it was the same all over again.

While the Solaris farce was no surprise, I was a bit disappointed by the first two. This time last year I was happily running multiple Linux machines (SUSE and Ubuntu) and would regularly tell people about the benefits of using them (see blog archives for examples). I honestly thought that the way both were heading, there was actually a chance you could get Linux out to the broader audience (ask Heather – I kept harassing her to try it, saying how easy it is now, etc.). Given my recent experiences, I think both have taken a step backwards.

No one expects a “niche” OS like Linux to have out of the box support for every hardware device on Earth, but I would expect them to make it easier for people to find the problems. Having lots of on-line resources is useless when your problem is the network connection! I wonder what the goals of the various distros are – in the case of Ubuntu, I can only assume world domination. If the distro makers want to really move away from the small home market share (in the main, people who work in technical jobs), they need to re-think their approach.

This brings me to my last attempt. PCLinuxOS. Worked straight out of the box. I even did it twice to check. Both times this ran perfectly. Given the frustrations, and the cabinet full of install DVD/CD-Roms I have, this was amazing. I am even writing this on Firefox, under PCLinuxOS.

While I am impressed with its ability to find and connect to the network first time (with lots more configuration options than either SUSE or Ubuntu), I am not fully convinced I “like” PCLinuxOS yet. Give me some time to play with it, and see what installing new software is like – the main reason I want Linux is to set up an Apache server with PHP5, Perl, Python and Ruby/Rails to assist with web development. If this is not up to the task….

Anyway, let me close with a big well done to PCLinuxOS. It has succeeded where the bigger names failed (Even Mepis dropped the ball).

Linux Gamble

Well, it is the weekend. Previously, I said I was going to get some Cat5 (or Cat6) cable and hard wire myself into the router to see if I could get 64 bit openSUSE or Ubuntu working. I have discovered that 5m of Cat5 costs £24.99 from PCWorld and that is a lot more than I intend to pay on the off chance it allows me to get Linux up and running, on the grounds the Belkin works fine in Windows.

However, there is some remaining perseverance. Tonight I have started the incantations, I have sacrificed a square pane of glass to the LinuxGod (a window… get it? Oh I give up) and unwrapped two penguin (bars) to inspect their entrails. Hopefully this will enable me to get a working Linux system over the course of the weekend.

I suspect, if I am honest and borderline serious, I am going to resort to installing 32bit openSUSE or Ubuntu, as they have worked with this device in the past. If this still fails, I will travel to Antarctica and kill every single black and white, flightless bird I come across. In a bizarre fit of over confidence, I also have a 40gb partition put aside for Solaris. I may be online again before 2008…

Linux Hates Me

Seriously. I now believe Linux is a collective consciousness which has taken steps to punish me on a constant basis. You can take your weak monotheistic religions which offer some abstract punishment in an afterlife and shove them, the LinuxGod is punishing me on a daily basis. For hours at a time.

Today, on prompting by Michal, I downloaded SimplyMepis 6.5rc3 (64bit version), burned it to CD and tried to install it – hoping that its claimed hardware detection abilities would solve the problem with the USB WiFi dongle. Did it work? Not a chance. Mepis was good enough to not even be able to get a graphical interface working (I use a WinFast PX7600 GS which most other distros get working instantly). For some crazy reason, Mepis demands you log in as username:root password:root on first install (as if that provides any security..) but when I tried this from a console login, all I kept getting was “login incorrect.” After doing this for about 15 mins, I finally gave up. Yes, I am a glutton for the LinuxGod’s punishments.

As I was in a *Nix frame of mind now, I gave openSUSE (still installed) another shot. I wish I hadn’t.

Still no connected network. Once more, I went through the farce of trying to configure the Belkin USB dongle. I manually entered the WEP key numerous times. I deleted the Network card setting and re-entered it numerous times. The end result? Well, the little red “x” says it all…

When I try to view the connection information window, despite it thinking it is working (and it claims the Router wants me to enter the WEP Key…), I get this:

Screenshot - Active Connection Information

Not exactly confidence inspiring, is it? For completeness I gave recompiling the driver another shot. Following the steps as given on the Wiki, with the RT73 source files and on numerous other sites, I still only get as far as:

make

which results in this page of nonsense:

Output of make command

As you can see, the LinuxGod truly, truly hates me. I might have to get a copy of OSX and install that instead… Either that or just allow the impending nervous breakdown to take its toll… (Will try Solaris 10 next week, just for kicks)
