Notes from the Python Special Interest Group, 18-Nov-2010

Posted on November 19, 2010 by tedroche

Four members attended the November meeting of the Python Special Interest Group, held a week early due to the Thanksgiving holiday (anticipate a similar schedule for December). The Amoskeag Business Incubator was kind enough to allow us to use their smaller meeting room, which worked out perfectly for the smaller crowd.

It was an open Q&A evening, and boy, did we have Qs and As! Topics covered included:

Getting scanners working on Ubuntu 10.10
sharing printers in Ubuntu
Why DSL isn’t always at its rated speed
what a CO and a DSLAM is
Win7 Starter Edition blue-screening on an Asus Aspire One
the New Microsoft/Verizon KinONEm KinTWOm
the disaster that was the Microsoft-Danger hiptop acquisition
Microsoft’s announcement of Java as a “first class citizen” of their Azure cloud
Microsoft’s “Embrace, Enhance, Extend, Extinguish” history
Maybe they’ll call it IronJava? And, hey, where did IronPython go?
Oracle and Java and licensing and FUD
Oracle and MySQL and licensing and FUD
A public library looking for a Linux-based solution to reserving PC use
A great suggestion to consider Gnome Nanny
generating PDF Forms out of a LAMP app using pdftk
OpenOffice.org and LibreOffice
Generating PDF fill-in forums out of OpenOffice.org, courtesy of Solveig Haugland
the difference between “business class” and “consumer grade” machines
Dell and HP, Linux support, HPLIP Open Source project
printing to PDF in Ubuntu only worked when App Armor was removed
the ease of hooking up a projector to Fedora 14 with the new video subsystem and Noveau drivers
installing NetworkManager on Debian Lenny (there’s python in there!)
a quick tour of NetworkManager on Fedora 14
a demo of using Elementree to parse and modify an XML file used to manage installs of Atlassian Jira
using BeautifulSoup to parse an HTML file and generate an INI file
the Venus software for generating an RSS aggregator page
hacking WSDLs for SOAP using suds

Those were the Qs. You needed to be there for the As. And the awesome gingerbread cookies and frosted cake.

Thanks to Janet for the desserts, to Bill for organizing the meeting, to the Amoskeag Business Incubator for the facilities, and to all who attended and participated. Look for the December meeting announcement with the date tentatively planned for the 16th.

Adding Fail2Ban to the web site

Posted on August 31, 2009 by tedroche

I swapped out web servers two weekends ago, when the old machine started showing some unacceptable behavior. Part of that swap involved switching from a CentOS-based Linux distribution to an Ubuntu-based distribution. There were some great learning moments involved in that. I also wanted to swap out a few programs that hadn’t worked as well as I had hoped.

One of the new packages I’m trying out is Fail2Ban, an Python-based application to review the logs and temporarily bans IP addresses based on the patterns of abuse. Similar applications like DenyHosts are well-rated, but DenyHosts specializes in ssh, which hadn’t been too much of a problem for me, and didn’t have a straight-forward configuration for ftp, which unfortunately I must offer. I had used a similar Perl-based application before, but it hadn’t supported a couple of a my applications, and appeared to introduce some instability in the system. Fail2Ban came with configurations for Apache 2 and vsftpd. In their wiki, there was a HOWTO for banning PHP-based file upload attacks, something which had begun to fill the logs with nonsense.

So, 48 hours in and things seem to be running well. The log files clearly show some applications being blocked, other applications seems to be running well, and performance and responsiveness of the site seems to be okay.

Ideas worth repeating

Posted on January 26, 2009 by tedroche

“We reject as false the choice between our safety and our ideals.”

President Barack Obama, 20 Jan 2009

“They who would give up an essential liberty for temporary security, deserve neither liberty or security.”

Benjamin Franklin, 1775

The Patch Window has closed.

Posted on April 21, 2008 by tedroche

Over at the SANS Internet Storm Center, John Bambenek describes the increasingly grim situation for keeping machines secure. Automated patching triggers automated reverse engineering and the development of exploits in The Patch Window is Gone: Automated Patch-Based Exploit Generation. Deeply troubling.

MerriLUG Notes, 17-April-2008: Dan Walsh & SELinux

Posted on April 18, 2008 by tedroche

Eleven people attended the April meeting of MerriLUG, the Merrimack Valley chapter of the Greater New Hampshire Linux User Group. Heather called the meeting to order at 7:30 PM, noted the that attendees were pretty much The Usual Suspects, and dispensed with the long-winded announcements for new members. http://www.gnhlug.org will tell you all you want to know.

Dan Walsh was the main presenter tonight. Dan had a very special visit from the Demo Gods, just before he was to start. His hard drive decided that his boot partition wasn’t. Never heard of ext3. Ouch. Ever the good showman, he borrowed my laptop, downloaded his presentations from the web, and put on a great show.

Dan mentioned that he’d lost his previous laptop during his recent tour in Europe when it was stolen and that maintaining your home directory encrypted was a Good Idea.

Dan reviewed the history of SELinux and the iterations we saw in Fedora 3 though 8 and RHEL 3 through 5 and what to expect in 9. He talked about the evolution of the policies, the different feature sets available, how the SELinux architecture can meet the stringent requirements of DoD level organizations (with bullet points like: “RHEL5: MSP Policy: EAL4+, LSPP, RBAC” – who wouldn’t be impressed?) to the Significant Others at home who really just want a machine to use the browser on.

Dan showed off the new kiosk policy, xguest, which was essentially a minimal-permissions user (no setuid, no executables in the home directory, no installation abilities, etc.) extended to run FireFox. Perfect when someone wants to borrow your machine for a second! In the default settings (installable in F8 or 9 with sudo yum install xguest), it creates a fairly ‘safe’ user that can’t do a lot of harm and whose directories are temporary RAM-based and vanish when the user logs out. (You can modify it to keep a persistent home to store cookies and bookmarks.) Ideal for a library or public kiosk situations. Yes, the evil minded boys in the room could come up with some work-around exploits, but this is a promising start!

Thanks to Dan for a great presentation under trying circumstances, to Heather and Jim for managing and promoting the meetings, to Martha’s Exchange for providing the facilities, and to all who attended and participated.

UPDATE: Dan’s posted an article to Red Hat Magazine, “Confining the user with SELinux” that covers a lot of material in the presentation, with more detail than my notes and links for further study.

YA Javascript library: Ext

Posted on April 10, 2008 by tedroche

Sometimes I think the community of Javascript libraries is like a high school popularity contest, with crowds swarming one cool thing before dropping it and moving on to the next. In a project last year, we started with a little hand-coded JS to spice up the site a little bit, then started dipping into the bigger UI libraries of Dojo, script.aculo.us, Prototype and more as the clients expectations went through the roof. I still have deep misgivings on making a web site work like a rich client application using HTML, CSS Javascript and/or AJAX. It’s still a web page, not an RIA, and concerns over web-scale scalability, responsiveness, variation in the client machine (six different browsers, JS on or off, Flash on/off, various readers for accessibility to the visually impaired, rendering on small devices, etc.) make rolling-your-own a fool’s mission.

We’d stabilized on a set of tools long enough for me to start to dig deep into its capabilities, when along comes a suggestion we look at Yet Another JS library, Ext. It is impressive at first glance, no doubt, and the demos have the requisite whiz, bang, oooh and aaah. But concerns over maturity, licensing, suitability to task, cost of retooling existing pages make it a questionable switch. At some time you have to commit, people. Live with what you’ve got or face the costs of serious rewrite. The tenets of RAD, XP and “Agile” as promoted by Scott Adams in DIlbert, not true practitioners, have given folks in charge the impression that they can just chase after the next shiny thing and follow the fashions without concern to the engineering implications of launching a world-class web site. Ah, well, my consultant friends tell me. This is why we get the big bucks.

Now I hear tell jQuery is where its at…

Security firm cracks encryption for Microsoft’s wireless keyboards – heise Security

Posted on December 9, 2007 by tedroche

Ouch! Encrypted communications between your computer and peripherals have to be impractically difficult to crack. The encryption scheme described in “Security firm cracks encryption for Microsoft’s wireless keyboards – heise Security” is beyond pathetic. I hope other manufacturers have more reasonable encryption schemes. In the mean time, don’t type anything on a Microsoft wireless keyboard you wouldn’t want to see published like, say, your bank account password. Disgraceful!

Link via Schneier on Security

When is a document not a document?

Posted on October 23, 2007 by tedroche

When is a document not a document? Perhaps when it contains executable code. Executable code can do bad things to your computer if it has the security permissions to do so or if it exploits flaws in the way the document readers execute the code. A Word document with AutoRun macros is an executable program in the form of document. A web page containing Javascript (or JScript or VBScript or Java or Flash) is an executable. Without limiting what functionality these executables can access, an action as simple as opening a document or navigate to a web site can open your machine to exploitation.

The latest instance of this is a flaw in Adobe Reader for Windows that allows a specially crafted PDF file to exploit your machine via the mailto protocol link. The SANS Internet Storm Center documents that the PDF mailto exploit documents in the wild, that is, it’s possible for you to catch this nasty bug off a web page or via the mail.

If you’re running Windows and have Adobe Reader installed, make sure you are running the latest version (links are in the article above). And don’t open any files from untrusted sources. And don’t trust any source.

Clippy on a rampage: exploit code appears for Microsoft Agent bug

Posted on September 13, 2007 by tedroche

September 13, 2007 Computerworld –Exploit code appears for Microsoft Agent bug “It took less than 24 hours for attackers to crank out proof-of-concept code targeting the one critical vulnerability disclosed — and patched — Tuesday morning by Microsoft, security researchers warned.” Ouch. A Day One exploit. Hopefully, Microsoft’s distribution of their updated Agent patches via Windows Update will be speedier than the bad guy’s spreading of their exploit.

September 2007 Microsoft patches on their way…

Posted on September 12, 2007 by tedroche

The SANS Internet Storm Center presents an overview of the September 2007 Microsoft patches and their status: several “remote code exploit” issues with Office, Messenger, the Crystal Reports bundled in Visual Studio and the Microsoft Services for UNIX. Exploits are in the wild for some of these, so plan on patching soon!

Ted Roche's weblog

Mission: Interoperable. Working Well with Others Is Good. Competition breeds Innovation. Monopolies breed stagnation.

Category Archives: Security