Archive | June, 2005

Don’t click on that attachment!

And another from InfoWorld: Top News: Fake Microsoft security alert includes Trojan patch. “A new wave of spam that disguises itself as a Microsoftæ security bulletin contains a link to malicious software that gives attackers complete access to the infected machine, security researchers are reporting.” Just a reminder folks: Never, EVER, run code from an untrusted source. There are no trusted sources.

IE bug can crash the browser; might allow malicious code to run

InfoWorld: Top News reports IE bug can crash browser. “Security researchers have discovered a bug in Microsoft’s Internet Explorer (IE) browser that can cause the software to crash, and which could possibly be used to let an attacker run unauthorized software on the IE user’s machine.” Translation: slow news day before American and Canadian holiday weekend. Nothing to see here, folks, move along…

Generate SourceSafe weekly activity reports using Visual FoxPro

Building on the work covered in Essential SourceSafe, here’s some code that will generate two text files of the activity that your SourceSafe database has recorded in the past week. This can be a handy way to keep track with what’s going on in a busy project.

(Changing the text output into an RSS feed is an exercise left to the reader. Cool idea, eh?)

I used Visual FoxPro to generate the commands for SourceSafe, as I couldn’t figure out a way to generate a date less seven days in a DOS command shell. In my next post, you’ll see a slick way to generate the current date, but that didn’t help me here.

Save this program into a Visual FoxPro project, and optionally add a CONFIG.FPW with RESOURCE=OFF, SCREEN=OFF and build it into an EXE. Place the WeekHist.exe in the root of your SourceSafe install (or change the paths in the code below to match) and you can run the exe manually or set the .exe to run on a weekly scheduler using the OS’ scheduler tools.


*==============================================================================
* Program.............:	WEEKHIST.PRG
* Purpose.............:	Generate a weekly history file from SourceSafe
* Author..............: Ted Roche
* Copyright...........: 2000-2005 by Ted Roche, licensed under the Creative
* ....................: Commons Attribution Share-Alike License,
* ....................: http://creativecommons.org/licenses/by-sa/1.0/
* ....................: Please fix and pass along - Ted 
* Last revision.......:	2005-June-30
* Parameters..........:	None
* Returns.............:	Nothing, outputs History.txt, .lst or .err
* Environment in......:	Must run in root of VSS install, ASSuMEs that the 
* ....................: data directory and win32 directories are below
* Environment out.....: History.txt is brief, History.Lst is verbose
*==============================================================================
* Format is:
* win32\ss history $/ -R -vd07/02/05~06/26/05 -O@History.lst

* Try...Catch would be nice, but this supports any VFP runtimes
#DEFINE CRLF CHR(13)+CHR(10)
ON ERROR do errhand with ERROR(), MESSAGE(), MESSAGE(1), LINENO()

lcCommand = "win32\ss history $/ -R -vd" + ;
            DTOC(DATE()) + "~" + ;
            DTOC(DATE()-7) + ;
            " -B -O@History.txt"
            
RUN &lcCommand
            
lcCommand = "win32\ss history $/ -R -vd" + ;
            DTOC(DATE()) + "~" + ;
            DTOC(DATE()-7) + ;
            " -O@History.lst"
            
RUN &lcCommand

RETURN

PROCEDURE errhand(tnError, tcMessage, tcMessage1, tnLineno)
STRTOFILE(TTOC(DATETIME()) + " Error " + TRANSFORM(tnError) + CRLF + ;
          " Message " + tcMessage + CRLF + ;
          " Message1 " + tcMessage1 + CRLF + ;
          " Line " + TRANSFORM(tnLineNo)+ CRLF , "History.err", .t.)
ENDPROC && errhand

[UPDATED]: See newer posts for updates: here and here.

Microsoft Watch: Will RSS expose Longhorn to exploit?

Microsoft Watch from Mary Jo Foley notes The Downside of Embedding RSS in Longhorn. “Microsoft watchers are thinking through the security implications of Microsoft’s plan to embed RSS in Longhorn.”

The upside is that Microsoft bundling a feature in with their OS means that developers can count on the feature being available (although uptake of recent versions of windows may mean that’s only 20% of all Windows users). The downside is that it means malicious developers can count on it being available. While Microsoft is getting better at shipping software less exposed to exploit, it still enlarged the exposed surface for exploit.

The Death Spiral

A reader flamed me recently for commenting that Microsoft was on a “death spiral.” That wasn’t just vindictive thinking because they’re killing my favorite product or because their insecure OS allows malicious software to splatter my Dad’s computer. That was a real live professional opinion from a computer consultant who’s spent 20+ years in the industry and seen ’em come and go. 8″ floppies, paper tape, Winchester drives, Business Basic, Data General, WANG, Digital, blah, blah, blah, ones and zeros? You had zeroes? Now, bear in mind I was also a big Amiga and GEOS fan, so vision is not what I sell to clients. I deliver working code.

Otoh, Mitch Kapor has a lot of experience shipping code, delivering product, selling into the Fortune 100, reviewing business plans, and working venture capital deals. He’s got some of that vision thing too. He had a profile in the Boston Globe recently (sadly, it disappears behind a paywall soon) that talked about his work with EFF and the exciting Open Source product called Chandler, which promises to be a well-thought-out PIM. The killer quote at the end of the article:

”Chandler could fail totally,” he said. ”But open source as a movement is something that Microsoft cannot defeat. . . .Their style of triumph and of dominance is part of an era whose time is passing.”

What is the best firewall for Windows servers?

Slashdot hosts an interesting question: What is the Best Firewall for Servers?. Sushant Bhatia asks: “I maintain a bunch of servers (Win 2003/XP Pro) at our labs in the university. Of late, the number of attacks on the computers has been more noticeable. The university provides firewall software (Kerio) but that doesn’t work with Win 2003 (works with XP). And so we keep getting hit by zombie machines taken over in the Education Department or from Liberal Arts :-). So what does the Slashdot crowd use when they need to secure their Linux and Windows servers? Does it cost less than US$100?”

Slashdot is filled with trolls, so setting your threshold around 4 raises the level of discussion and lowers the number of responses to read (although the rebar and concrete answer was a keeper). Interesting that the responses were pretty strongly “FreeBSD.” An answer near the bottom points out the latest W2K3 service pack provides the WinXP firewall to W2K3 servers. Another posting argues that each Windows machine needs its own firewall in addition to the perimeter. The perimeter defense was proven to have some serious flaws in the fall of Troy. Amazing that it is still considered.

Powered by WordPress. Designed by Woo Themes

This work by Ted Roche is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 United States.