Tag Archives | PHP

Yet another ActiveX control exploit for IE

SANS Internet Storm Center weekend monitor is reporting “WebViewFolderIcon ActiveX control exploit(s) in the wild, (Sat, Sep 30th). Rise and shine. This vulnerability is being actively exploited in the wild …” (more)

If you must run IE, restrict ActiveX controls to the highest level possible. And use a safer browser, like Firefox or SeaMonkey or Opera or Konqueror or Camino or Safari, for all those web sites that don't require you to use IE.

Exploits, exploits and exploits!

I don't intend this blog to be a security blog; that's a full-time job better served by others. However, you ought to be alert to what's going on out there:

MS “re-released” MS06-049 as version 2.0 (new and improved!) to patch NTFS file compression on Windows 2000 SP4.

The Internet Storm Center is reporting yet another Internet Explorer exploit, taking advantage of a bug in an ActiveX control.

The ISC is also pointing to reports of an exploit packaged in a PowerPoint file. I may have mentioned it before: Do not open attachments from untrusted sources and… there are no trusted sources. I wouldn't advise anyone to open a PowerPoint until they are sure their anti-virus scanners have been updated and clear the file. Better yet, open it in OpenOffice.org. Better yet… imagine a day with no PowerPoint. Wow.

Python Special Interest Group: September 28: byte codes and TurboGears

Bill Sconce posts the news for next Thursday's Python Special Interest Group meeting in Manchester:

PySIG — New Hampshire Python Special Interest Group
Amoskeag Business Incubator, Manchester, NH
28 September 2006 (4th Thursday) 7:00 PM

PySIG meetings are seminar-style, hands on. Laptop-friendly: 'Net access, wired + wireless. Python questions, war stories, examples always welcome. Everyone is welcome. Free of charge. Free of braces.

7:00 PM: Introductions –Bill & Ted & Alex, Milk & Cookies –Ben, Janet

7:10 PM: Happenings & Announcements: Python 2.5 Released! Hosstraders 5-6 October, Hopkinton…

7:15 PM: Anyone's question(s) about Python, Python Module of the Month, Favorite-Python-Gotcha contest, Topics for future meetings…

7:30 PM: Bytecode Disassembly & Reassembly, presented by Bill Sconce, In Spec, Inc., Milford NH

Bill: “An August announcement on python-announce-list caught my eye — a bytecode assembler/disassembler for Python. Because I spent one of my former lives as project leader for a bytecode/stack-pseudomachine, JIT-compiled, commercial language I thought it'd be fun and instructive to poke into Python's pseudomachine. It was and is. This easy-to-use tool makes it easy for anyone to get a start looking at Python internals.”

Bill Sconce is co-founder and chief cookie-procurer at PySIG, teaches Python, and writes in Python as often as he can.

8:10 PM: TurboGears, presented by Lloyd Kvam, Venix Corp, Lebanon NH

Lloyd: “I am impressed with the TurboGears (TG) approach to combining data and templates. They have a 20 minute tutorial that took me an hour – I insist on trying to understand how the magic is done. TG has a very ingenious use of decorators to link templates and data.

“The result is very different from Myghty which is much more like PHP with lots of snippets that get combined any which way you like.

“I am not sure I really understand all of the tradeoffs between the TG and Myghty approaches. That could lead to some interesting discussion.”

Lloyd Kvam is a charter member of PySIG and has given a number of Python tutorials at PySIG and elsewhere.

HP Board of Directors spying case just keeps getting worse…

GrokLaw is reporting “HP Spying More Extensive: Who Knew and When. We begin to learn now who knew and when, in an article in the Washington Post. They did broad background checks on their targets, but also on relatives of their targets. They tried to recover a stolen Keyworth laptop, so they could examine it. They targeted and sought phone records and fax records of relatives, like wives, of board members and reporters too. They got the records for 240 of 300 phone numbers they went after. The spyware sent to the reporter at CNET was not just to track email forwarding. It was keylogging software.”

And HP sells a server line called Integrity. This is disgraceful behavior.

Subversion new version, SourceSafe conversion

OSNews reports Subversion 1.4.0 Released. “This is a feature release of Subversion [Updated link], featuring BDB 4.4 and repository auto-recovery support, a new tool for synchronizing repositories (svnsync), major speed enhancements in the versioned filesystem and the working copy, and of course the usual host of bugfixes and minor enhancements. Additionally, check this article on how to Set up Subversion and websvn on Debian.”

Good timing! I've been using subversion for the past year on a web development project with another (remote) developer, and have enjoyed the power and flexibility of the tool, as well as some of the cool add-ons, clients and scriptability.

Now, it's time to consider moving existing projects out of Visual SourceSafe and into subversion. The folks at Pumacode offer a vss2svn tool that runs as a native Windows executable, written in Perl and C, with the source available under an open license. Pumacode tried an interesting tactic to convert the VSS repositories: rather than interrogate the VSS binary to retrieve files, it reads the repository files directly and interprets the results from there. There are some advantages where older versions might be corrupted, or to retrieve files flagged as deleted, which they say VSS will not allow.

On a 2 GHz Pentium-M with a gig of RAM, it took about 2 hours to process my current VSS repository, which consists of forty thousand files and around 1.4 GB of disk space. (The authors of vss2svn caution that it's better to convert the entire repository than to risk further corruption by pruning it first; leave that task to subversion post conversion.) This generated a dump file of 850+ MB. Transferring that to the Linux box with a new repository took a few minutes, and loading the data about 20 minutes. Using RapidSVN from the Windows box, I was able to browse the subversion repository and confirm that files and folders and log history comments look about right. I'll confirm by checking out projects of interest and diff'ing them against the current development copies.

I had anticipated a different tack, using COM Automation to drive VSS, as I described in Essential SourceSafe. As a learning project, I had proposed using Python to browse the repository via COM Automation and use the excellent Python-svn bindings to migrate portions of a VSS repository to subversion. I still plan to try that, and to compare-and-contrast the results between the two techniques, while I learn a little more Python.

MythTV links

SlashDot misses the mark completely with an inaccurately-titled and summarized pointer to a great Tom’s Hardware story on MythTV. There’s nearly nothing in the story about the Microsoft media device, nor does there have to be. The MM is a plug-in-and-work device that locks you into their choices, their protocols and few extensions. MythTV is for the do-it-yourself tinkerer who wants to do lots more. This one’s been on my to-do list for way too long.

The comments on the Slashdot article are much more worthwhile than the post. Set your threshold high and you’ll see the moderated posts. A pointer to Jarod Wilson’s installation guide was worth the browsing. Jarod integrates the great documentation on the MythTV site with his own experiences.

BFD Brute Force Detection vs. script kiddies

Tired of the abuse I'm getting on one of the servers exposed to the Internet, I've installed APF, the Advanced Policy Firewall, and BFD, Brute Force Detection on the machine. Webhostgear.com has easy-to-follow installation instructions for APF and BFD respectively.

While plain vanilla iptables was enough to protect the machine from most routine attacks, incessant attempts at logging in to a couple of well-known services on well-known ports were filling the logs and consuming an extraordinary amount of the bandwidth. Now, a script kiddie attempting 13,000 logins will find the machine no longer responding on that IP address.

Interesting technology. BFD uses a script run as a timed job to parse logs, pick up repeats, and ban them by scripting a command line and submitting it to APF. APF also uses the excellent DShield.org list of known problematic machines and networks. Very cool. While BFD comes with a set of scripts to parse common exploits, it didn't have one for my ftp server. I'm not sure I've grokked what's needed to set up my own script of rules, but as I couldn't find one on Google, I'll give it a shot, and share my results back to the community once I've got it working.
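As an added example (not BFD's own rule scripts, which are shell), here is the core of what a BFD-style timed job does, written in Python over a constructed vsftpd-style log: tally FAIL LOGIN lines per client address, compare against a threshold, skip an allow list so you don't lock yourself out, and build the APF deny command rather than running it. The log lines, the threshold of 3, and the `apf -d HOST {bfd.ftp}` command form are assumptions made for the example.

```python
"""BFD-style brute-force detection over FTP log lines (added example)."""
import re
from collections import Counter

# Constructed sample in the vsftpd "FAIL LOGIN" line format; not a real log.
SAMPLE_LOG = """\
Sun Sep 24 02:11:07 2006 [pid 4321] [admin] FAIL LOGIN: Client "192.0.2.10"
Sun Sep 24 02:11:09 2006 [pid 4322] [root] FAIL LOGIN: Client "192.0.2.10"
Sun Sep 24 02:11:12 2006 [pid 4323] [test] FAIL LOGIN: Client "192.0.2.10"
Sun Sep 24 02:11:14 2006 [pid 4324] [ted] OK LOGIN: Client "198.51.100.7"
Sun Sep 24 02:11:20 2006 [pid 4325] [guest] FAIL LOGIN: Client "192.0.2.10"
Sun Sep 24 02:11:33 2006 [pid 4326] [ted] FAIL LOGIN: Client "198.51.100.7"
"""

# Matches only failed logins and captures the client address.
FAIL_RE = re.compile(r'\[(?P<user>[^\]]*)\] FAIL LOGIN: Client "(?P<ip>[0-9.]+)"')


def failed_logins(log_text):
    """Return a Counter of failed-login attempts keyed by client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def offenders(log_text, threshold=3, allow=()):
    """IPs with at least `threshold` failures, minus the allow list."""
    return sorted(ip for ip, n in failed_logins(log_text).items()
                  if n >= threshold and ip not in allow)


def ban_commands(log_text, threshold=3, allow=()):
    """Build the 'apf -d' deny lines a BFD rule would submit (assumed
    command form); they are returned as strings, never executed here."""
    return ["apf -d %s {bfd.ftp}" % ip
            for ip in offenders(log_text, threshold, allow)]


if __name__ == "__main__":
    for cmd in ban_commands(SAMPLE_LOG):
        print(cmd)
```

Dropping the threshold to 1 would also ban the address behind the single mistyped password, which is exactly the false positive the allow list and a sane threshold are there to prevent.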

OpenOffice.org 2.0.3 Premium released

LXer reports OpenOffice Suite Gets Font Freebies. “OpenOffice.org Premium can be downloaded from the SourceForge Web site, but is available only for Windows. A native Mac OS X version of the suite will be previewed in France in September.”

[You can also grab the accessories from the SourceForge site, if you already have OOo. – dcparris]

What great timing! I've been looking for a package that includes OpenOffice with some additional fonts, templates and clip art to hand out at Software Freedom Day. On the OO.o site, they have an Extras disk, but it's a couple of micro-versions behind and in need of a lot of attention: files are still in StarOffice format, installers are rough, HOWTOs are missing. There is a lot of great documentation and stuff on the disk (there's an Excel VBA StarBasic concordance that's 63 pages long and looks worthy of further examination), however, and I encourage every OO.o power user to grab the Extras disk (and find out how you might be able to contribute back a little to the disk). But the OOOP disk looks very promising. Will report what I discover.

Remote secure desktop serving for Linux servers and Linux/Mac/Windows clients.

OSNews reports NX Server, Client Released Under GPL. “2X today announced the release of 2X TerminalServer for Linux, an open source terminal server for Linux, which enables users to run a Linux desktop and Linux / Windows applications over any type of connection. “If Linux is going to happen on the desktop, it will require a terminal server approach such as that of 2X Terminal Server for Linux. Only with the more advanced thin client approach, will Linux be able to outdo Windows fat clients in a company's network. 2X is proud to contribute to this by opening the source code of its terminal server software for Linux.”

'Way cool. NX uses the underlying ssh technology to provide an encrypted tunnel to a remote machine. Through that tunnel, you can support VNC, RDP or compressed X Windows traffic for remote desktop access. I've cobbled together ssh-VNC-http solutions before, but they were typically a bit awkward. I'm looking forward to trying this one out.


This work by Ted Roche is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 United States.