January 12, 2013

Rob Echlin
Talk Software
» New Java 1.7 vulnerability

I found this in my email:

I will disable the Java plugin in all browsers on my machines at work on Monday. is taking this seriously:

This could be used against Linux, Mac or Android, not just Windows, if anyone cared to try. They would not have access to root without further exploits, although popping up a window that looks like your Updater, or Microsoft’s, would catch some inexperienced Linux users.

Tagged: security, software

March 17, 2011

Michael Richardson
Michael's musings
» Dreamhost SSL certificates --- insecure

Dreamhost sells third-level GeoTrust SSL security certificates for $15/year. (You have to be an existing customer).

It seems however, they do not give you the chance to upload a CSR file. Instead, you are expected to fill out the DN information online, and then they generate a private key for you. And they keep the private key around in their database.

It also winds up in your browser cache, and if you have some kind of "trusted" SSL proxy between you and the Internet (like half of corporate users have), then it's gonna be in the cache of that device too.

This is a FAIL. Not only is your private key subject to whatever insecurity they might have, but it's total FBI Patriot Act fodder.

(If there is some place to upload a CSR, we couldn't find it)
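The workflow the post is asking for, as an added example (not from the post or from Dreamhost): generate the key on your own machine, hand the CA nothing but a CSR, and check that the CSR really was built from that key. It assumes the openssl command-line tool is installed; the DN values and file names are constructed.

```shell
#!/bin/sh
# Added example: the private key is generated locally and never leaves
# this machine; only the CSR (public key + DN) goes to the CA.
# Assumes the openssl CLI; DN values and paths are constructed.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Minimal request config so the DN is supplied without prompting and
# without depending on the system openssl.cnf.
write_req_config() {
    cat > "$WORKDIR/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
C = CA
O = Example Org
CN = www.example.com
EOF
}

# 2048-bit RSA key, created with a restrictive umask so it is owner-only.
make_key() {
    umask 077
    openssl genrsa -out "$WORKDIR/site.key" 2048 2>/dev/null
    chmod 600 "$WORKDIR/site.key"
}

# Build the CSR from the local key; this is the only file sent to the CA.
make_csr() {
    write_req_config
    openssl req -new -key "$WORKDIR/site.key" -out "$WORKDIR/site.csr" \
        -config "$WORKDIR/req.cnf"
}

# Compare the public key derived from the private key with the public key
# embedded in the CSR. Prints "match" or "mismatch"; exit status follows.
csr_matches_key() {
    key_pub=$(openssl pkey -in "$1" -pubout -outform PEM 2>/dev/null) || return 1
    csr_pub=$(openssl req -in "$2" -pubkey -noout 2>/dev/null) || return 1
    if [ "$key_pub" = "$csr_pub" ]; then
        echo match
        return 0
    fi
    echo mismatch
    return 1
}

# Sanity check that the file you upload carries no private key material.
csr_has_no_private_key() {
    ! grep -q "PRIVATE KEY" "$1"
}

make_key
make_csr
csr_has_no_private_key "$WORKDIR/site.csr"
csr_matches_key "$WORKDIR/site.key" "$WORKDIR/site.csr"
```

Once the CA returns the signed certificate, the same public-key comparison against the certificate (openssl x509 -pubkey -noout) confirms it belongs to your key before you install it.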

October 15, 2010

Rob Echlin
Talk Software
» Ralph Langner discusses Stuxnet

Ralph Langner discusses the Stuxnet attack that hit the Iranian nuclear plants and accidentally hit lots of other places. I especially appreciated his comments on Symantec’s paper. He doesn’t appreciate their conclusions: “… few attackers will be capable of producing a similar threat.” etc.

Tagged: security

April 23, 2010

» Blogrotate #24: The Weekly Roundup of News for System Administrators

Good afternoon and welcome to another edition of Blogrotate. Though I have been contributing to Blogrotate since its inception, this is the first time I have had the honour of posting it myself. Go me!

Operating Systems

Red Hat has announced the availability of a public beta for Red Hat Enterprise Linux 6 (RHEL 6). There are a number of changes, for which Dave Courbanou at The VAR Guy does a pretty good job of providing an overview. Of note are that Red Hat has completed its migration from Xen to KVM as the supported virtualization technology (which began with RHEL 5.4), and that ext4 is now the default filesystem.

There have been a couple of tidbits of news in the Ubuntu world. The first being a bug with memory leakage in affecting beta 2 of Ubuntu 10.04. The discussion on Slashdot became a debate on the merits of time vs scope-based release schedules. Per the bug report, a fix has since been committed, which is good because — and this leads into the second bit of news — Ubuntu has announced the availability of the release candidate for 10.04. Things are moving fast as we approach its release next Thursday.

And for something that’s not release announcement related, M. Tim Jones has an interesting article over at IBM’s developerWorks about Kernel Shared Memory in the Linux 2.6.32 kernel. Without going into a lot of detail (I’ll let him do that), it’s basically the implementation of a daemon to handle de-duplication of memory pages. This has obvious implications in a virtualization environment as there is the potential to run more virtual machines on a host without increasing the memory footprint.


The big news on this front was that McAfee pushed out a virus definition update that falsely identified svchost.exe as a threat, resulting in Windows automatically rebooting. Peter Bright from Ars Technica has some good coverage of this, and linked to McAfee’s official solution. Meanwhile, Dave Courbanou over at The VAR Guy has a follow up on the situation with some additional detail, and Barry McPherson from McAfee has posted an official response stating that a ‘small percentage’ of enterprise accounts were affected. And finally, Ben Grubb of ZDNet Australia reports that Coles had 10 percent of its point-of-sales terminals affected and shut down stores in WA and South Australia as a result.


Oracle has decided to charge for an ODF plugin for MS Office which allows users to import/export documents in Open Document Format. Matt Asay, COO at Canonical, provides some commentary on this stating that “$9,000 is the new ‘free’ for Oracle”.

Jono Bacon, Canonical’s Community Manager, wrote that Canonical has made the single sign-on component of Launchpad available as open source under the AGPL3 license. There is some coverage from The H on this as well. Launchpad itself was released under the AGPL3 license about a year ago.


On a final (interesting) note, ‘Cyber Cynic’ Steven J. Vaughan-Nichols writes in HP and Likewise to release Linux-based storage line about HP and Likewise partnering on a line of StorageWorks products that will make use of the Likewise CIFS stack to support Active Directory authentication.

Well, that’s all I have time for this week. Will Brad be back at the helm next week, or will I continue my reign? You’ll just have to wait and see…

February 12, 2010

» Blogrotate #16: The Weekly Roundup of News for System Administrators

Welcome to another edition of Blogrotate. This has been an interesting week in the IT world, with Microsoft security issues being the major focus of attention.


Once again, security flaws in Microsoft Operating Systems caused major problems for system administrators this past week. It began with Microsoft’s Security Response Center’s posting of February’s security bulletin.

Microsoft’s attempt to fix a 17-year-old bug resulted in a large number of computers having problems restarting. More information can be found in Restart issues after installing MS10-015 and Security patch results in BSOD, stops Windows from booting. It appears that this issue may have been caused by machines having previously been infected by a rootkit.

Another patch from Microsoft, the reliability update for Windows 7 and Windows Server 2008 R2, turned out to be not so… reliable.

But what was of most concern to many system administrators was Microsoft’s security advisory concerning a vulnerability in the TLS and SSL protocols: since TLS/SSL are an Internet standard, this affects not only the Microsoft Windows operating system but multiple vendors. Emil Protalinski at Ars Technica provides full coverage of the TLS/SSL flaw in Windows.

Just to prove that Microsoft is not the only one with security problems, Ryan Paul at Ars Technica has an interesting article about a hack announced at Black Hat where a researcher was able to circumvent a Trusted Platform Module (TPM) component. Although it requires physical access, it does prove that even hardware-based protection mechanisms considered “unhackable” are indeed still vulnerable. Here are second and third links for further reading: Supergeek pulls off ‘near impossible’ crypto chip hack; and Researcher Cracks Security Of Widely Used Computer Chip.


Rumours that Microsoft was interested in purchasing RIM caused a stir this week.


The big news on the training front was that Novell and Canonical are joining forces to bolster Linux Certification and training efforts to compete with Red Hat.

Operating Systems

More from Ubuntu, with Canonical’s new COO Matt Asay speculating that the Apple iPad is attempting to bring about a new paradigm where the operating system is largely invisible to the user and the applications themselves are the operating system.


Computerworld’s Eric Lai had an interesting article discussing the announcement of Ksplice Uptrack. It provides an overview of what the service is and raises concerns about security compliance, support from major vendors, and funding.

Facebook’s previously undocumented chat protocol now supports Jabber/XMPP, so a user may now communicate with contacts via third-party IM clients such as AIM, Pidgin, and so on. Facebook 24/7 anyone?

This wraps up another episode of Blogrotate. See you next week, same Blogrotate channel, same Blogrotate time.

February 5, 2010

» OVSAGE Meeting Presentation January 21st Notes

On Thursday, January 21, Pythian hosted the Ottawa Valley System Administration Guild (OVSAGE).

The highlight of the meeting was an interesting presentation on security by the founder of OVSAGE, Scott Murphy. The focus was on the fact that security is a mindset, not a product. Scott’s presentation looked at a large number of security issues and explained in detail why technology alone cannot fix security issues. The presentation was a response to the Amrit Williams Blog post Top 10 Reasons Your Security Program Sucks and Why You Can’t Do Anything About It.

Scott’s presentation can be viewed here: security-quagmire-pdf. I hope you find it useful.

January 16, 2010

Bart Trojanowski
Bart's Blog
» adding an external encrypted volume under Debian

One of my old(er) USB-connected disks started to make a noise. So, it's time to replace it.

Here are the steps I took to create an encrypted USB volume that I can attach to my laptop.

[Read More]

January 15, 2010

» Blogrotate #13: The Weekly Roundup of News for System Administrators

Welcome to another edition of Blogrotate. This has been a busy week in the IT world. Here are some of the most interesting highlights.


Without a doubt, the topic of the week is security. The revelation that China has been hacking into Google and over 30 other US companies sent shock waves through the IT World and beyond. There were a huge number of articles generated about this in the last week. Ironically, the best source for articles on this issue turned out to be Google’s own news aggregator: see China Google hack.

In another China-related security issue, The Money Times reports that Iranians hack China’s Baidu; Chinese hack back.

Despite these and other security scares that have appeared over the last few months, Help Net Security reports that only 27% of organizations use encryption. As the song says “When will we ever learn?”


ArsTechnica raises some interesting questions regarding the growth of fiber networking in the article Fiber fail? Hong Kong booms as Verizon retrenches.

Data Centers

Do you find the service at your data center to be below your expectations? If so, the source of the problem may be that half of all data centers are understaffed, as Jon Brodkin of Network World reports in Half of all data centers understaffed, Symantec survey finds.

Operating Systems

The big news in operating systems this week was the announcement that Google is switching to the EXT4 filesystem, as reported by Digitizor.


Cloud computing received a major boost this week because Microsoft and Hewlett-Packard have announced a new three-year $250 million effort aimed at helping businesses move toward cloud computing, as reported by ArsTechnica.

That’s it for this week in the wild, woolly world of IT. This week is a reminder that the Internet can still be a jungle at times so hey, let’s be careful out there. Thanks for reading. See you next week.

October 30, 2009

» Blogrotate #4: The Weekly Roundup of News for System Administrators

Welcome to the all hallowed eve eve edition of Blogrotate. It was a relatively quiet week this week, but the 2 standouts are from the OS department with more reviews of the just released Windows 7 and the release of Ubuntu 9.10. Here are some of the stories that we took note of this week.

Operating Systems

Ubuntu 9.10 is released. Anyone who reads my blogs knows by now that I am a Kubuntu user and I think that it’s the best desktop Linux available right now. They’ve put a lot of work into this one and it’s the best version of Ubuntu yet, easy to install and use with all the features you could ask for. Ryan Paul at Ars Technica has his own review called Ubuntu 9.10 brings web sync, faster bootup, GNOME 2.28; check it out.

Here’s a short list of some types of Ubuntu you can get, and their niche.

  • Ubuntu – The standard desktop featuring Gnome.
  • Ubuntu Server Edition – Just how it sounds.
  • Ubuntu Netbook Remix – A version of Ubuntu designed to work on your netbook.
  • Kubuntu – The KDE desktop version of Ubuntu. With KDE it’s an easier conversion for Windows users in my opinion.
  • Edubuntu – Edubuntu is an educational operating system that is designed for kids, parents, teachers and schools. I have not tried this one yet, but my 3.5 year old is ready for it.
  • Mythbuntu – A replacement for Windows Media Center featuring MythTV. I use this for a PVR at home, easy install and great interface.
  • Xubuntu – A version of Ubuntu using the Xfce desktop, designed for older or less powerful machines that have trouble with the Gnome or KDE desktops.

Windows 7 is still fresh in the minds of many. If you want an exhaustive review of all the pros and cons of Windows 7, how about trying to get through a 15-page review by Peter Bright. For the impatient, he sums it up at the end saying “…Windows 7 is, overall, a fantastic OS. It builds on a solid platform, and just makes it even better”. Read the full review in Hasta la Vista, baby: Ars reviews Windows 7.

PC Pro has an interesting article up called The Crapware Con. This article has some interesting information on what sort of extra software each of the major manufacturers is adding to your laptop, and what sort of effect this has on your performance. If you have an Acer, Sony or HP laptop, they are apparently the worst offenders.


Dan Goodin has an interesting article about a free Microsoft product that can identify and harden applications against common avenues of attack without even needing access to the source code itself. Read the scoop in Free Microsoft security tool locks down buggy apps.

Dan Goodin reports on a new Mozilla site that will check the plugins in your Firefox for old versions which may have security issues and allow you to update them easily. Mozilla service detects insecure Firefox plugins has the full story, and the plugin check page is here.


Paul Lorimer, Group Manager for Microsoft Office Interoperability, writes in his blog that “In order to facilitate interoperability and enable customers and vendors to access the data in .pst files on a variety of platforms, we will be releasing documentation for the .pst file format”. This will open up the specifications for the pst file, used by MS Outlook to store email, making it easier for other software vendors to tap into the file format. See more in Roadmap for Outlook Personal Folders (.pst) Documentation.


The Internet celebrated its second 40th birthday on Thursday marking the date that the first word, “Lo”, was sent between 2 machines at UCLA on October 29, 1969. Get more of the story in Internet pops champagne on (second) 40th birthday. On an unrelated note, this happened 40 years after the 1929 stock market crash.


Neil McAllister at InfoWorld has an interesting article on the rise of the ARM processor as a competitor to Intel’s Atom for mobile devices. Read on in ARM vs. Atom: The battle for the next digital frontier.

Computerworld has an article about the recent Intel release and recall of its SSD firmware update due to issues with data corruption. Intel pulls firmware for SSDs just a day after release has more details. Ars Technica also covered the story in Intel’s SSD firmware brings speed boost, mass death (again).

That’s all we have time for this week folks. Be sure to tune in again next week. Same bat time. Same bat channel.

October 16, 2009

» Blogrotate #2: The Weekly Roundup of News for System Administrators

Welcome to week 2 of Blogrotate. It was a short week due to Thanksgiving (Canada) and Columbus Day (US), but the world of IT is always buzzing. So as they say at the race track, pitter-patter, let’s get at ‘er.


Have you ever wondered how much trouble can be caused by a single typo? This week a single typo in a script that updates all zone files for the .se (Sweden) TLD (top-level domain) dropped the entire .se domain off the Internet for almost 2 hours. Royal Pingdom has the full story in “Sweden’s Internet broken by DNS mistake”. This is why we need tight controls on change management. It’s called testing, guys. Sweden. Give me a call.

Facebook now has 30,000 servers and produces 25TB (that’s terabytes, kids) of log data per day. The Data Center Knowledge site has some interesting details in “Facebook now has 30,000 Servers”.


Lots of buzz this week about T-Mobile’s service disruption and subsequent loss of users’ data. Discussion over whether the problem was a cloud failure or not was one hot topic. Data Center Knowledge discussed it in “The Sidekick Failure and Cloud Culpability”. Ars Technica had some more on the cloud debate with “T-Mobile and Microsoft/Danger data loss is bad for the cloud”. It looks like most or all users will have lost their data due to the lack of backups; see “Some Sidekick Users May Recover Data” for more. I am sure there will be more fallout from this one.

Enterprise Storage Forum has an interesting evaluation of the limitations of cloud computing for corporations, specifically due to bandwidth limitations and hardware error rates. See Henry Newman’s article titled “Why Cloud Storage Use Could Be Limited in Enterprises”.

Nate Anderson over at Ars Technica has an interesting read about fear mongers who say our beloved intertubes are going to die in “The Internet is about to die. Literally die!”.

Operating Systems

IT Wire claims “Microsoft teams up with Family Guy to sell Windows 7”. That’s just sad. If they are going to glorify Windows then I really can’t see how they can funny it up. I am guessing Seth will get to pan Microsoft just to spread word that Windows 7 is coming.

VMware has announced that their new “VMware Fusion will support Windows 7 in more Mac-like way”, says IT Wire. This “Unity” feature looks a lot like VirtualBox’s “seamless” mode. Check out the YouTube video “Unity in VMware Fusion for Mac OS X” to see it in action.

Jim Zemlin, the executive director of the Linux Foundation, gave the keynote address at the Maemo Summit and said that he thinks Linux could be the dominant OS for mobile phones and devices. Ars Technica has more in “Will Linux be the dominant OS for consumer electronics?”.

And from the wicked cool idea department

An interesting study from McCormick University on using your PC’s existing hardware as a sort of sonar to detect when you are there. See “Research Group Uses Sonar for Computer Power Management”. They plan to use this as a method of detecting whether you are close to your computer, turning off your screen if you are not and turning it back on again when you return. The group is currently looking for guinea-pig testers to evaluate whether there are any real-world power savings. The link to the software is in the article. Hey, if my TV remote control can do it, why not a laptop?

That’s all we’ll have time for this week. Come back again next week for more Blogrotate and, as always, feel free to speak your mind or post your interesting stories in the comments.

October 9, 2009

» Blogrotate #1: The Weekly Roundup of News for System Administrators

Welcome to the inaugural edition of Blogrotate. This blog is a weekly filter of some of the most interesting news items as they apply to system administrators. We’ll be tackling such topics as operating systems, hardware, software and utilities, and even some humorous items. The SA team here at Pythian all love crawling through RSS feeds and tech blogs, and we’ll bring the best to you every week.

Operating Systems

Ubuntu 9.10 beta 1 released for both Gnome and KDE desktops. The newest version of Ubuntu, code named “Karmic Koala”, is coming out in 20 days, but the first beta release was released this week. The adventurous can download the install images from the Ubuntu site (or Kubuntu if you prefer). Your editor reports on his first look at installing and running the newest version.

Microsoft licensing is complicated? Steve Ballmer has come out and stated point blank that the Microsoft licensing is too complex, but “I don’t anticipate a big round of simplifying our licensing”. We all knew it, check out Ballmer: Don’t expect simpler licensing soon for more.

Virtualization and Cloud Computing

Creating your own cloud with Ubuntu. Thierry Carrez has a really neat blog post showing how to set up a cloud environment using the new Ubuntu: Run your own Ubuntu Enterprise Cloud, part 1. Part one goes through the steps for installing the packages you need and configuring the node controllers.

Red Hat and Microsoft virtualization interoperability. Red Hat, Microsoft deliver on virtualization interop promises is an interesting blog by Paula Rooney on ZDNet discussing the new promises Red Hat and Microsoft have made to each other about validating the respective operating systems on each other’s virtualization platforms. It will be interesting to see how this plays out, or if we’ll just end up with more tainted kernels.

Amazon will win cloud battle says Mark Shuttleworth of Canonical Ltd. In it he states “The winner will be either explicitly Amazon EC2 or, if [other players] get into gear, an IETF standard closely modelled on EC2”. Read Shuttleworth: Amazon will win cloud battle to get the rest of the story.

Virtualization Shootout: VMware Server vs. VirtualBox vs. KVM. If you happen to get Linux Journal, check out this month’s article comparing the different virtualization technologies available for Linux. The results are surprising. Unfortunately there is no cyber-version of this article (if you are not a subscriber), but it may be put on the site for free in the coming months.


Computerworld reports on the coming patch storm from Microsoft: Microsoft plans monster Patch Tuesday next week. In it there will be no less than eight patches released as Critical. The patch cluster will also include patches for yet to be released (for consumers) Windows 7! The mind boggles.

Webmail hit by phishing scam. John Leyden at The Register writes about the recent phishing attacks on webmail providers GMail, Yahoo! and AOL. He states that “The attack emerged after a list of 30,000 purloined usernames and passwords was posted online”. While the list has been taken offline, the damage is done.

Slow brute force attacks. Peter Hansteen aka “The grumpy BSD guy”, follows up on his previous work studying these attacks and has some good thoughts on how to mitigate them. See A Third Time, Uncharmed.


Thunderbird 3 is available for testing, currently in beta 4. Our own Bill Fraser has been testing it and posted a great blog on how to get it installed on your Ubuntu system, and how to fix some issues with email threads. See Testing Thunderbird 3: What to do if it ‘shreds’ your threads.

Perl 5.11 released. The newest development version of Perl has been released as version 5.11. This is a pre-release for what will eventually be Perl 5.12 available for testing applications in case you plan to migrate to 5.12.

Firefox 3.6 beta due out next week. The Register is reporting that Firefox 3.6 will be released in beta form on 13 Oct, 2009. This release will add some features, but it’s mostly just code optimization and bug fixes.


Has your DRAM failed you? Google released results of their 30-month study on DRAM failure rates. Jon Stokes at Ars Technica goes over the results and gives you the skinny.

That’s all we have time for this week. Please feel free to comment or share your favorite news items of the week. We’ll be back next week.

April 30, 2009

Rick Leir
» Computer network security as your new profession

Change your career. Computer network security as your new profession / Troy McMillan, Kaplan, 2007

If your cheese has been moved, and you are thinking of working in the security field, this is a useful book for planning the change. 200 pages of common sense, easy reading.

Get it here at OPL

April 28, 2009

Rick Leir
» Managing the human factor in information security

Managing the human factor in information security : how to win over staff and influence business managers / David Lacey, Wiley, 2009

Here is a really useful book for the IT admin in charge of security. Attackers con insiders too easily, and we need to counter the problem with the help of all employees. “I’m really interested in reading this book and, frankly, once it’s published, I’ll be one of the first to buy it.” — Dr. Eugene Schultz

Get it here at OPL

March 26, 2009

Michael P. Soulier
But I Digress
» Why browser certificate warnings fail

Everyone’s probably seen one. You visit some website with a URL prefixed with “https” and you get a pop-up or warning of some kind in your browser, telling you that the certificate for the site is not signed by a known authority, and warning you not to continue. You continue anyway since, surprise surprise, you needed to go to that website for a reason.

In more recent versions of Internet Exploder and Firefox, these warnings have become more obtrusive, and it’s on purpose. Browser vendors want you to have to work to get to a secure site with an invalid certificate, and it’s for more than one reason, good and bad.

  1. Websites running certificates not signed by a known authority can be put up by anyone, and the current site may not deserve your trust.
  2. DNS hijacking could direct your browser to a completely different website than you think you are visiting. The point of the host certificate is to ensure that you are talking to the people you think you are talking to.
  3. Valid certificates are big business, employing many people at Verisign, Thawte, etc. If just anyone can put up an SSL-enabled website then it undermines their business model.

I could care less about Verisign’s business model, I think that valid Certs are way too expensive so I run a self-signed one myself. Furthermore, I work on applications and infrastructure for a Linux distribution that has an SSL-enabled web interface for management. We want SSL to secure the user’s session key, and any privileged information being transmitted between the client and the server. But, we cannot afford to buy a valid certificate for each and every box. No way.

So, we compromise. We generate a self-signed cert and we provide a mechanism to install your own if you choose to buy one. Problem solved, right? Wrong.

We have teams here that don’t want customers to be scared off by the certificate warning when they first visit the interface. So, they just use unencrypted, insecure HTTP instead.

Yes, that’s right. They’re more afraid of the warning in the browser than the fact that the session is unencrypted, potentially over the Internet. So, what are the browser vendors accomplishing by making the warning more prominent? They’re encouraging application developers to stop using SSL.


March 11, 2009

Rick Leir
» Essential PHP security

Essential PHP security / Chris Shiflett, O’Reilly, 2006

This 100 page slim book is required reading for all PHP programmers (that’s all of us, isn’t it?)

Get it here at OPL

January 29, 2009

Rick Leir
» Creating the secure managed desktop

Creating the secure managed desktop : using Group Policy, SoftGrid, Microsoft Deployment Toolkit, and other management tools / Jeremy Moskowitz, Wiley, 2008

Here are 700 pages of very readable guidance to managing workstations in a business environment.

Get it here at OPL.

October 16, 2008

Rick Leir
» Linux firewalls

Linux firewalls : attack detection and response with iptables, psad, and fwsnort / by Michael Rash, No Starch Press, 2007

Here is a good introduction to iptables and related tools, with script examples. Make good use of this book, and there is a good chance you and your company will never get hacked.

Get it from OPL

October 15, 2008

Rick Leir
» Security data visualization

Security data visualization : graphical techniques for network analysis / Greg Conti, No Starch Press, 2007

How do you analyze the logs from your firewalls, IDS’s, and web servers? They are large, and many people don’t have time to even peek at them. This book discusses ways to use graphical tools to display patterns gleaned from the logs so you can visualize the problem. Several open source projects are discussed.

Get it from OPL

October 2, 2008

Rick Leir
» The new school of information security

The new school of information security / Adam Shostack, Addison-Wesley, 2008, hard cover

The economics of security. This is not a large book, but it is very readable and full of insight, suggesting a new approach to security. One of the best books I have read this year.

Get it from OPL

August 28, 2008

Rick Leir
» Professional rootkits

Professional rootkits / Ric Vieler. Wiley, 2007.

A programmer’s book on writing rootkits for Windows. Here are lots of details on how to hack someone’s machine, though minimal discussion of virtualization. Written by an ‘Ethical Hacker’, this book will be useful to security pros who need to harden systems, or reverse engineer malware. Unfortunately, it might be quite useful to blackhats.

Get it from OPL