It would be funny if it weren’t so damn plausible.
18 Aug
7 Jan
I recently posted a comment on FOSSwire.com in response to other comments condemning the author for suggesting that moving SSH to a port other than 22 was “security through obscurity” and a worthless security measure.
I have argued this topic many times with many different people, and I felt that comment bears repeating for my downgrade.org audience.
– snip –
Gah! I have heard that argument over and over again about changing SSH to a non-standard port.
“Security through obscurity is no security at all,” says the broken record.
I believe heavily in security metrics because numbers are awfully hard to argue with.
In a university environment, a machine with SSH on port 22 in my DMZ would receive an average of ~100 invalid login attempts per day (averaged over the course of 2 months).
This same machine in the same DMZ running SSH on port 51234 received an average of zero… no, not an average of zero… just zero.
This effectively eliminates all scripted attacks, worms, Trojans, bots and most uninitiated real attackers.
In fact if you run it on a very high port — say 51234 — most people won’t even find it with a port scanner.
One would have to statically define the port range, as most port scanners quit far before 51234.
At that rate scanning ports 1-51234 would take an insane amount of time per host, and most attackers scan huge blocks of hosts.
At that point hopefully an IDS/IPS would pick up the port scan and make the whole thing moot.
Seriously. It’s not a foolproof security measure and I certainly wouldn’t use it as the only means of protecting SSH, but it’s an effective layer. And the same people who are so quick to spew out the “security through obscurity” cliché are also the ones quick to pull out the “layered security” one.
– snip –
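The comment above rests on a metric: failed SSH logins per day, before and after the port change. The following script is an added example (not part of the original post or the FOSSwire thread) showing how such a number is produced from sshd's syslog output. The log lines are constructed samples; the host name, addresses and user names are invented. Averaging over a fixed window (the two months the post mentions) rather than over the days that happen to have entries is what makes the "zero" on the high port comparable with the ~100 on port 22.

```python
import re
from collections import Counter

# Constructed sample sshd syslog lines for illustration; not real data.
SAMPLE_AUTH_LOG = """\
Jan  5 03:12:01 dmz-host sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 52110 ssh2
Jan  5 03:12:04 dmz-host sshd[2233]: Failed password for root from 203.0.113.7 port 52112 ssh2
Jan  5 03:12:09 dmz-host sshd[2235]: Invalid user oracle from 203.0.113.7 port 52114
Jan  5 09:40:22 dmz-host sshd[2410]: Accepted publickey for bob from 192.0.2.10 port 40022 ssh2
Jan  6 01:02:03 dmz-host sshd[3001]: Failed password for invalid user test from 198.51.100.9 port 41000 ssh2
Jan  6 01:02:05 dmz-host sshd[3003]: Failed password for invalid user test from 198.51.100.9 port 41002 ssh2
Jan  6 11:15:40 dmz-host sshd[3100]: Accepted password for alice from 192.0.2.11 port 40100 ssh2
Jan  7 02:00:00 dmz-host sshd[3200]: Failed password for invalid user pi from 203.0.113.7 port 53000 ssh2
"""

# sshd writes one "Failed <method> for [invalid user] <name> from <ip> port <n>" line per attempt.
# The "Invalid user ..." line that precedes some of them is deliberately not counted,
# otherwise unknown-user attempts would be counted twice.
FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"Failed \w+ for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_failed_logins(log_text):
    """Return one record per failed login: (day, user, source ip, unknown-user flag)."""
    records = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            day = f"{m['mon']} {int(m['day'])}"   # normalise 'Jan  5' -> 'Jan 5'
            records.append((day, m["user"], m["src"], m["invalid"] is not None))
    return records

def failures_per_day(log_text):
    """Count failed logins per calendar day (days with no failures are absent)."""
    return dict(Counter(rec[0] for rec in parse_failed_logins(log_text)))

def average_per_day(log_text, window_days=None):
    """Average failed logins per day.  With window_days set (60 for a two-month
    window) quiet days count as zero, which is what makes a host that saw nothing
    comparable with one that was hammered every day."""
    per_day = failures_per_day(log_text)
    days = window_days if window_days else len(per_day)
    return sum(per_day.values()) / days if days else 0.0

def top_sources(log_text, n=5):
    """Most active source addresses, useful for a block list or IDS correlation."""
    return Counter(rec[2] for rec in parse_failed_logins(log_text)).most_common(n)

if __name__ == "__main__":
    print("failures per day:", failures_per_day(SAMPLE_AUTH_LOG))
    print("average over observed days:", average_per_day(SAMPLE_AUTH_LOG))
    print("average over a 60-day window:", average_per_day(SAMPLE_AUTH_LOG, window_days=60))
    print("top sources:", top_sources(SAMPLE_AUTH_LOG))
```

On a real host, feed it `/var/log/auth.log` (or `journalctl -u ssh` output) for the same window before and after the `Port` change in `sshd_config`; the two averages are the argument.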
28 Nov
For those of you wondering why I haven’t beaten up Vista yet… I have. I ran it from mid-beta to early release and had a very well written and thought-out evaluation of its security and usability features. It was quite negative. I wrote the entire article in Notepad on my Vista machine.
One day I went to open the file to add finishing touches and proof it, and the file had disappeared. I know how silly and impossible this sounds. But it’s true. I have never seen anything like it under any operating system.
That pretty much cinched it for me. I downgraded back to XP and impatiently awaited the arrival of my new mac.
That being said, I laughed aloud as I read the CNET article. It contained many lines that I couldn’t help but agree with, such as…
Any operating system that provokes a campaign for its predecessor’s reintroduction deserves to be classed as terrible technology. Any operating system that quietly has a downgrade-to-previous-edition option introduced for PC makers deserves to be classed as terrible technology. Any operating system that takes six years of development but is instantly hated by hordes of PC professionals and enthusiasts deserves to be classed as terrible technology.
It’s suffering from painfully slow adoption by users and corporations alike, for good reason. I often hear the argument “All new operating systems have slow corporate adoption rates”; however, compared to 2000 and XP, as well as planned adoption surveys… it’s dismal.
Conversely, adoption rates of Linux and OS X on the desktop are way up. Microsoft may finally be losing its foothold of absolute dominance, and as any industry can prove, real competition makes for better products all around.
24 Aug
‘I give up’ is not a phrase you will hear from me all that often. But I just can’t take any more. Novell has me at my wits’ end. I can’t believe people use this with any sort of reliability.
Throughout my months of toying with it I have had issues and stumbling blocks with each and every component. Some servers require many, many components to work effectively.
Here’s a brief run down of just a couple of the annoyances:
Updates and patches come rapid fire (about two per day) and often leave the system broken. They have caused dependency issues each time I have applied them. This does crazy stuff, from switching which physical network card eth0-2 are assigned to, to outright breaking NSS. In fact, every update I have run broke NSS. You just can’t have that in a production environment. Technically you could script an auto-updater; however, per Novell support, “Automating the updates might have its own risks [...] because of that, rug doesn’t have a --force option the way RPM does.”
Things that should be done by installers must be done manually. A great example of this is having to manually enable remote administration of a GroupWise server. For example, you need to share out /usr/local/gw using Samba. But first you have to install and configure Samba. That’s essentially all the docs say on the subject: ‘install samba’. Not ‘Download package X, install it using command Y, tweak this directive in X.conf, and so on’. So I installed Samba from source. After struggling to get it integrated into eDirectory I discovered Novell-Samba. Who knew; they just said ‘Install samba’.
The install process for the OS and packages drives me insane! The OES CD set consists of 10 CDs. During the initial install you are asked to supply almost all 10 CDs in varying order, and you have to re-insert a number of them multiple times. It also asks for the SUSE Core 2 CD 2 and 3, which end up being the SUSE Linux Enterprise Server disks 3 and 4. I figured that out only out of desperation, feeding it random CDs.
The documentation is lacking. It assumes that all Novell customers are intimately familiar with Novell terminology and technology (see previously mentioned GroupWise/samba example).
GroupWise acts as an open relay by default and no settings changes will help that. Users hate the GroupWise client, and the Outlook plug-in makes Outlook buggy and slow. The cross-platform GroupWise client (Linux and Mac) is really bad. The only way to remedy this is to purchase an expensive third-party app.
I purchased the only (at the time) official Novell Press book for Open Enterprise, entitled “Open Enterprise Server, Administrator’s Handbook, Suse Linux Edition”. Being the only official book, I assumed it would be comprehensive and cover anything and everything relating to OES. What I found was that it is entirely based on a pre-release version of OES and a large number of important things have changed since it was published. In fact, a couple of things the book tells you to do regarding updates will break an otherwise happy server.
Overall I would just like Novell to hammer all these things out, test thoroughly and make the docs useful. Don’t assume everyone using the product is a 15-year Novell NetWare veteran.
7 Jul
Fresh after the article from security firm Sophos entitled “Sophos recommends Macs for security”, a member of Microsoft’s security team blasts Apple for not having a “security czar” and for not communicating with users about security vulnerabilities.
By contrast, he points to Microsoft as a prime example of how to respond to threats, providing well-documented communications and prescriptive “how-to” guidance with alerts that are delivered through email, RSS and deployment tools.
This whole paragraph is absolutely laughable. Let’s flash back for a second to Microsoft security bulletin 912840 and my rant regarding it. And now let’s re-read that happy little Microsoft FUD. Something doesn’t add up, does it?
If that isn’t enough to convince you, let’s look at yet another reason why no software vendor should ever adopt Microsoft’s security practices. Two words: Patch Tuesday. Holy god is that a bad model. No matter how bad a vulnerability is, they will sit on the patch (leaving everyone exposed) till the next Patch Tuesday, just because it’s more convenient for admins.
I, as an admin, would much rather patch frequently than sit on my hands while blatantly exposed to a threat.
Once they work these things out, then (maybe) they can blast other software vendors. Until that time though, they should sit back, shut up and stop making themselves look foolish.
20 Jun
I started testing my GroupWise 7 server and found that I received a bounce-back while trying to send to domains that block mail from servers listed in the ORDB (Open Relay DataBase).
Upon receiving this one Saturday, I sent out a quick email scolding my tech who set up the GWIA (GroupWise Internet Agent) and drove into work to fix it. I pulled up the area in ConsoleOne that contains the relay information and found a check in the box that reads “disable open relay”. Hmmm, you can’t get much clearer than that.
I quickly whipped up a web app that would attempt to relay mail off the server. No luck. So I went into my office and submitted the IP to ordb.org again for re-scan.
I was assuming that it had been scanned while it was initially being set up, and that they had caught it in an open relay state.
A while later I received an email stating that it is still blocked by ORDB, because they still think it’s an open relay.
Puzzled, I hit the ordb.org FAQ to come up with this…
My Novell GroupWise is not an open relay!
We’re sorry to say that it is. We are aware that GroupWise does not filter until after receiving the mail, but our test-method requires that at least one of our probes be delivered to its final destination before addition to the database occurs. Your server will not be added to the database just because it accepts the probe for later processing. Please see the section on securing your open relay for information on the latest patches for GroupWise. Additionally, please refer to this link for information about claims that ORDBs way of testing is flawed, when testing GroupWise and friends.
Additionally, a user has provided information that at least Groupwise6 (and possibly Groupwise5.x as well) may be vulnerable to various relaying exploits unless sufficiently patched. The patch you need to download is called fgwia63a.exe, and is so far only provided as a beta quality patch by Novell.
So, that wasn’t very helpful. I am running GroupWise 7, so that fits the “at least Groupwise6” requirement, and I am running it on SUSE Linux Enterprise Server, so it’s safe to say that an .exe patch isn’t going to work.
I could ask Novell about it, but support requests cost $500/, purchased in minimum quantities of 5.
On a number of forums I heard talk of a mysterious patch, but was unable to find any mention of it on the Novell download site. I also read that Novell acknowledges that it’s a stupid way to handle relay attempts and that it would be fixed in GW6. Well, I’m on 7 and it’s not fixed.
The best way I came up with to fix this is to use an incoming/outgoing relay host, something free like Exim or Postfix. This also gives you the ability to run antivirus and antispam on that host. Set up GroupWise to accept incoming mail from this host and to force all outgoing mail through it.
Or you can do what I did: purchase a Barracuda 300 from Barracuda Networks and use the same configuration as above.
My barracuda has gone through its initial testing very well and I’m quite fond of the web interface.
But it’s also very sad that GroupWise forces admins to do something like this. It’s almost as if they intentionally included this inadequacy in the hopes that you will have no choice but to go to one of their channel partners for a fix… and spend more money.
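The ORDB answer quoted above turns on when the relay decision is made: GroupWise accepts the message and filters afterwards, so a probe can be accepted "for later processing" and occasionally delivered, while a Postfix or Exim front end refuses at the RCPT TO stage. The following is an added example, not code from the post or from Novell or Postfix, that models the RCPT TO verdict a Postfix relay host reaches with `smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination`: internal clients (the GWIA) may send anywhere, outsiders may only deliver to domains the gateway hosts, everything else is refused before any mail is accepted. The network ranges and domains are constructed placeholders.

```python
import ipaddress

# Constructed example values; substitute your own GWIA address and hosted domains.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.0.2.0/24")]      # LAN containing the GWIA host
RELAY_DOMAINS = {"example.com", "mail.example.com"}     # domains this gateway accepts mail for

def rcpt_decision(client_ip, rcpt_to, mynetworks=MYNETWORKS, relay_domains=RELAY_DOMAINS):
    """Verdict for one RCPT TO, mirroring Postfix's
    'permit_mynetworks, reject_unauth_destination'.  The answer is given before DATA,
    so an unauthorised relay attempt is never accepted for later processing.
    Returns (smtp reply code, enhanced status text)."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return (421, "4.3.0 Unparseable client address")
    if any(ip in net for net in mynetworks):
        return (250, "2.1.5 Ok")          # internal client (the GWIA): may send outbound anywhere
    if "@" not in rcpt_to:
        return (501, "5.1.3 Bad recipient address syntax")
    domain = rcpt_to.rsplit("@", 1)[1].strip("<>").lower()
    if domain in relay_domains:
        return (250, "2.1.5 Ok")          # inbound mail for a hosted domain: pass on to the GWIA
    return (554, "5.7.1 Relay access denied")   # outsider to a foreign domain: that would be an open relay

def relayed_probes(cases, **policy):
    """Given (client_ip, rcpt_to) probes, return the ones the policy would relay.
    For external sources and foreign recipients this list must be empty; that is the
    property a relay-testing service checks."""
    return [c for c in cases if rcpt_decision(*c, **policy)[0] == 250]

if __name__ == "__main__":
    probes = [("203.0.113.7", "victim@other.example"),   # outsider relaying outbound: denied
              ("203.0.113.7", "bob@example.com"),        # outsider delivering to us: accepted
              ("192.0.2.25", "victim@other.example")]    # our GWIA sending outbound: accepted
    for probe in probes:
        print(probe, rcpt_decision(*probe))
```

In Postfix terms the matching pieces of `main.cf` are `mynetworks` for the first check, `relay_domains` (with a `transport_maps` entry pointing the hosted domain at the GWIA) for the second, and `reject_unauth_destination` for the final refusal.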
19 May
In one of the least thought-out and dumbest moves made by our government in recent weeks… Assistant Secretary of State Richard Griffin said the department would alter its procurement process to ensure no Lenovo PCs are allowed inside secured U.S. networks.
This is dumb for a number of reasons.
1. Any software backdoor and ‘phone home’ keylogger would be wiped out when the machine is re-imaged. If they don’t re-image machines that come from hardware vendors, then the brand is the least of our worries.
2. Any hardware spying mechanism that would remain after an imaging would still need a way to ‘phone home’ to China for them to obtain the data. Any ‘secured U.S. network’ should have egress firewalling, so not only would ‘phone home’ attempts be blocked, they would also be logged and provide REAL evidence that we should be concerned.
I believe this just boils down to yet another case of someone uninformed and uneducated making big decisions that they are not qualified to make. Either that or it’s a more sinister attempt to curb the amount of Chinese goods purchased by the U.S. Either case doesn’t win our government any more brownie points.
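Point 2 above is the one with a concrete control behind it: a default-deny egress policy turns a suspected ‘phone home’ into a logged, attributable event instead of an argument about brands. The following is an added example (not from the post) of evaluating flow records against such an allowlist and summarising what was dropped per source host. The flow records, host names, addresses and allowlist are all constructed; on a real network the records would come from the firewall's drop log or a flow collector.

```python
import ipaddress

# Constructed sample egress flow records: (time, source host, destination ip, destination port).
SAMPLE_FLOWS = [
    ("2006-05-19T08:00:01", "ws-0142", "192.0.2.10", 443),    # via the web proxy: allowed
    ("2006-05-19T08:00:02", "ws-0142", "192.0.2.53", 53),     # internal resolver: allowed
    ("2006-05-19T08:03:17", "ws-0142", "203.0.113.77", 443),  # direct to the Internet: dropped
    ("2006-05-19T08:03:18", "ws-0142", "203.0.113.77", 443),
    ("2006-05-19T08:03:19", "ws-0142", "203.0.113.77", 8443),
    ("2006-05-19T09:15:00", "ws-0077", "192.0.2.10", 443),
    ("2006-05-19T09:15:01", "ws-0077", "198.51.100.5", 25),   # direct SMTP out: dropped
]

# Default-deny egress policy (constructed): only these destination/port pairs may leave.
EGRESS_ALLOW = [
    (ipaddress.ip_network("192.0.2.10/32"), {443}),   # outbound web proxy
    (ipaddress.ip_network("192.0.2.53/32"), {53}),    # DNS resolver
]

def egress_allowed(dst_ip, dst_port, allow=EGRESS_ALLOW):
    """True if some allowlist entry covers both the destination address and port."""
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in net and dst_port in ports for net, ports in allow)

def blocked_flows(flows, allow=EGRESS_ALLOW):
    """The flows a default-deny egress firewall would drop; each one is evidence."""
    return [f for f in flows if not egress_allowed(f[2], f[3], allow)]

def egress_report(flows, allow=EGRESS_ALLOW):
    """Per source host: number of dropped attempts and the distinct destinations tried.
    A host repeatedly trying one external destination it has no business reaching is
    the pattern worth handing to an investigator."""
    report = {}
    for _, src, dst, port in blocked_flows(flows, allow):
        entry = report.setdefault(src, {"attempts": 0, "destinations": set()})
        entry["attempts"] += 1
        entry["destinations"].add(f"{dst}:{port}")
    return report

if __name__ == "__main__":
    for host, entry in egress_report(SAMPLE_FLOWS).items():
        print(host, entry["attempts"], "dropped ->", sorted(entry["destinations"]))
```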
12 Apr
Every time I pull up Google News I see a new example of our administration spying on its own citizens. Governmental domestic spying has infiltrated just about every facet of our communications. A few examples are as follows:
Government wants PayPal to help it find tax evaders
“Tax officials won permission from a federal court in San Jose to ask PayPal for account information for customers who have had money sent to financial institutions in 30 countries known to be tax havens”
EFF Has Evidence Of AT&T, NSA Spying [on us]
“The Electronic Frontier Foundation recently bolstered its class-action suit against AT&T by submitting evidence that the telecom provided the National Security Agency with open access to Internet traffic it handled.”
Google will have to turn over search data to the government
“The DoJ had subpoenaed search records from a one-week period covering 1 million random web addresses in an attempt to make its case for reviving the Child Online Protection Act, which was struck down in 2004.”
DOJ Subpoenaed Dozens of Companies in Addition to Google
“The Department of Justice has gone beyond Google in its quest for evidence to develop a case in preparation for an October trial in Philadelphia over the Child Online Protection Act (COPA).”
President Bush, NSA accused of wiretap abuse
“the National Security Agency (NSA) has and continues to engage in covert, extralegal domestic surveillance of American citizens and foreign nationals under a classified executive order signed by President Bush in 2002”
And if any negative word is uttered in the press or courts to combat these issues you will see the administration pull the same trick, every time. “Simply talking about these programs is aiding the terrorists”, and then they refuse to release any details and continue doing these things as if everything is fine.
“We the people” are powerless to do anything about it. Look at the large and well-funded organizations like the EFF, MoveOn and the ACLU. I admire the fact that they are pushing on and challenging these things, but it hasn’t really made a bit of difference.
I’m not against Bush and I’m not against conservatives or republicans. I just think that these freedom destroying policies are killing our “land of the free” irreparably.
12 Apr
I had previously blogged about the liquid cooling system leak in my dual PowerMac G5. Since the major hardware replacement (motherboard, CPU module, hard drive, power supply and trim pieces) I had been having intermittent mouse problems. I know, it sounds weird.
After working for a random amount of time my mouse would ‘lock up’. The light on the bottom of the mouse goes out and no amount of swirling it or chucking it at the wall would make the cursor move.
After this I would use LaunchBar to open iTerm and issue ‘sudo shutdown -r now’ to shut it down properly. It reboots and comes back with still no mouse support. I reset it again and it works.
Sometimes it locks up multiple times per day; other times I will go two whole days without a reboot.
I have used three different mice, spread out over every USB port the som’a’bitch has. I have no other USB devices plugged in and no after-market RAM.
I called AppleCare again and they sent out another motherboard and a repair technician.
Once the new motherboard was installed the machine wouldn’t start.
They put a new motherboard (the fourth) and power supply on order, and the technician is scheduled to return tomorrow.
Wow has this machine been a nightmare! Don’t get me wrong, I don’t blame Apple. I have had a number of other Apple machines that proved to be absolute work horses and tough as nails… this one is just… different.
The good news of the whole thing, is that I got to take pictures of the G5’s liquid cooling system with its top down. No fancy logo’d shield covering it.
Enjoy.
In this image you can clearly see the Delphi logo. How strange to see that logo in a computer.
The pump and some hoses.
In this one you can see the radiator hoses, clamps and radiator cap.
9 Apr
I recently purchased a SanDisk Cruzer Titanium 1 GB flash drive.
I loved that drive! Past tense. I loved the fact that it was an ‘all in one’ unit. No stupid cap. I loved the fact that it nicely retracted inside its impressive-looking titanium casing. I loved the fact that (the marketing would have you believe) a truck can run over it and it will continue to function.
Its use was not bus intensive. I would keep common drivers, tools and install files on it, things that I use constantly throughout an average day at work. I wasn’t storing MP3 files or the like, which would cause the drive to be constantly written to and read from. It would normally be plugged in, used for about 5 minutes, and ejected… properly. I ALWAYS eject or stop my flash drives before removing them.
Now, one week into its use it stopped working. Altogether. Not a normal “I can’t read the file system, do you want to format?”, but more along the lines of “I don’t recognize what this USB device is”.
Having purchased it from mwave and not newegg, I was unaware of the horrible horrible reviews this drive got. But apparently this is a common issue.
I RMA’ed the drive directly to SanDisk. They had another drive to me in about a week, so I started using it in the same manner I did the last one.
One (1) week into using this one, it stopped working again with the same problem as the last one.
I got annoyed and purchased a new 4 GB Corsair flash drive from Newegg. I used it in the same way I used the last two deceased SanDisk drives, and now (after about 3 weeks of use) it says it can’t read the file system.
I think it may be that I am using the drive in about a half dozen machines a day (Apple and PC), but my two techs think it’s because I actually take the time to properly disable the device, as opposed to just yanking it out and letting the operating system scold you.
Does anyone have any opinions or data that could explain what the real reason is?