I am normally not the best when it comes to getting my "'s" right and whether I should be whom'ing or who'ing, but recently I have been putting a bit of effort into getting these right. I just took the Commonly Confused Words Test and was told:
You scored 93% Beginner, 86% Intermediate, 87% Advanced, and 66% Expert!
You have an extremly good understanding of beginner, intermediate, and advanced level commonly confused English words, getting at least 75% of each of these three levels's questions correct. This is an
According to the latest Netcraft survey, the Apache webserver project is now 10 years old and runs 40 million sites (70% of the web). Back when it started in 1995 it had 658 sites (3.5%).
Congrats Apache.
Congrats Apache.
According to this e-mail, Google appears to be correlating search results with Gmail account information. This is done by sending the users Gmail cookie along with a search request. This is in line with their privacy policy which states:
When you visit Google and create a Google account, we set and access cookies on your computer. We use cookies for a number of reasons, such as recognizing you when you visit the site, displaying the site according to your chosen user settings for language, and maintaining the security of your account. Google may share cookie information among its other services for the purpose of providing you a better experience. For example, you may use your Gmail account to access other Google services such as Google Groups or Google Answers. We may also use the cookies to collect aggregated information about the use of Gmail to maintain, analyze and improve the service.
I doubt they are using it for anything more than service improvement, but it still scares me. I like my privacy.
When you visit Google and create a Google account, we set and access cookies on your computer. We use cookies for a number of reasons, such as recognizing you when you visit the site, displaying the site according to your chosen user settings for language, and maintaining the security of your account. Google may share cookie information among its other services for the purpose of providing you a better experience. For example, you may use your Gmail account to access other Google services such as Google Groups or Google Answers. We may also use the cookies to collect aggregated information about the use of Gmail to maintain, analyze and improve the service.
I doubt they are using it for anything more than service improvement, but it still scares me. I like my privacy.
In the spirit of blogging about pets. This is our new cat Gaz. She is named after the evil little girl in the cartoon series 'Invader Zim'. I hate the name but it wasn't up to me. When we first got Gaz she was a very skinny stray with cystitis, but after some love and care and expensive vet bills she is looking healthy and very playful. To quote the beautiful Daniela 'I love Gaz, but not as much as you.'Continue reading "Gaz the Cat"
Well, I didn't get the Google programming job. I don't mind as the process was lots of fun and very challenging. I met some nice people and will continue to chase their security positions.
I have also been advised that I shouldn't discuss my interview and have thus removed my blog entries about my two interviews. I was never told they were confidential, never asked to sign an NDA and I asked if it would be ok to blog about them, but my step-brother Greg knows more about the 'real-world' than I do and I will defer to his judgement. His point is that these processes are usually confidential. In addition I have removed the IBM interview blog entry for similar reasons.
I have also been advised that I shouldn't discuss my interview and have thus removed my blog entries about my two interviews. I was never told they were confidential, never asked to sign an NDA and I asked if it would be ok to blog about them, but my step-brother Greg knows more about the 'real-world' than I do and I will defer to his judgement. His point is that these processes are usually confidential. In addition I have removed the IBM interview blog entry for similar reasons.
UPDATE 2005-07-22: Debain now has X.Org. Yay.
I had to have this explained to me and I have explained it to several other people since. This is a copy of a
slashdot comment explaining Debian's branches (experimental, testing, unstable/sid and stable) and how this affects packages like X.Org.More is at the X Strike Force pages, they manage X packages for Debian. In the meantime here is a mini how-to for installing a non-intrusive X.Org with Debian.
Continue reading "Debian and X.Org"
Talk about putting your money where your mouth is. This is an ad for 3M's security glass. So let's talk defense in depth, how strong is the lock? It was also pointed out that the paper could be acting as a shock absorber, although the glass is supposedly bomb resistant.
This is pretty cool. I use the very awesome Serendipity weblog system for this blog. It has tons of features, an excellent plugin system and some clued up developers. For example I didn't get touched by the recent trackback spam epidemic thanks to the very effective spam plugin.
The Serendipity team have just launched Supersized. It is a Blogger, MSN Spaces, LiveJournal clone, but running on Serendipity. I set up a test blog with three clicks and an e-mail check. Check it out. Set up your own and play around.
The Serendipity team have just launched Supersized. It is a Blogger, MSN Spaces, LiveJournal clone, but running on Serendipity. I set up a test blog with three clicks and an e-mail check. Check it out. Set up your own and play around.
We have all heard it before, but here is a real example of a real software project's distribution server being compromised by a trojan in the configure script. You should only be running make install as root and then only if you want everyone to have access to the program.
If you are running a source based distro then make sure it is dropping root privledges during compile. In Gentoo the 'userpriv' feature in make.conf will do this. I don't think FreeBSD drops privledges. This would require the port{s}{age} tree to be compromised. However this is not that unlikely and defence-in-depth is always good.
If you are running a source based distro then make sure it is dropping root privledges during compile. In Gentoo the 'userpriv' feature in make.conf will do this. I don't think FreeBSD drops privledges. This would require the port{s}{age} tree to be compromised. However this is not that unlikely and defence-in-depth is always good.
Yusuf has posted a nice summary of the thesis writing workshop held by Chrissie Boughie of the Academic Development Centre
Continue reading "Thesis Writing Workshop"
I am back from my recurring illness and I am still suffering from mild stomach cramps. There have been a few big security events while I was away. The two most prominent being:
The IDN spoof is quite old but was brought to the fore at Shmoocon. It uses International Domain Name character support to display foreign characters that look like english characters. For example %D0%BE is an 'o' and %D0%B0 is an 'a'.
Also from Schmoocon comes XSS-Proxy. It was created to show clear up some misconceptions about XSS attacks and show how a real-time XSS hijack can be performed.
The chance of finding a collision in SHA-1 was 280 but the new cryptanalysis has reduced that to 269 which is about 2000 times faster. Schneier says this is 'at the edge' of current computational technology. He also calls for an NSA competition to find the next hash function in the same way they replaced DES with AES.
As for patch tuesday, here is Susan Bradley's summary.
- The IDN spoof for all browsers other than IE
- Microsoft patch Tuesday
- SHA-1 is broken, Schneier has a nice summary
- XSS-Proxy leverages XSS attacks
The IDN spoof is quite old but was brought to the fore at Shmoocon. It uses International Domain Name character support to display foreign characters that look like english characters. For example %D0%BE is an 'o' and %D0%B0 is an 'a'.
Also from Schmoocon comes XSS-Proxy. It was created to show clear up some misconceptions about XSS attacks and show how a real-time XSS hijack can be performed.
The chance of finding a collision in SHA-1 was 280 but the new cryptanalysis has reduced that to 269 which is about 2000 times faster. Schneier says this is 'at the edge' of current computational technology. He also calls for an NSA competition to find the next hash function in the same way they replaced DES with AES.
As for patch tuesday, here is Susan Bradley's summary.
A belated happy one year birthday to my blog, which was tenchically on Feb 5th. This blog mostly focuses on computer security with a few other bits from my life thrown in. I often get confused as to wether I am writing for myself, for my friends, or for the greater internet. That is why I have created categories:
Geek
Security
Masters
Play
SRC
All categories
To quote myself:
"The new structure is on the right under 'Categories' and is indicated with indenting. Thus 'Geek' will list all my geeking, 'Security' will list only my geeking related to security and 'Masters' will list all my Masters work (which is in the field of security). 'Play' is for my personal life and 'SRC' was a description of my life on the SRC, which is now over."
In honour of this momentus occasion I have provided some stats.
Geek Security Masters Play SRCAll categories
To quote myself:
"The new structure is on the right under 'Categories' and is indicated with indenting. Thus 'Geek' will list all my geeking, 'Security' will list only my geeking related to security and 'Masters' will list all my Masters work (which is in the field of security). 'Play' is for my personal life and 'SRC' was a description of my life on the SRC, which is now over."
In honour of this momentus occasion I have provided some stats.
Continue reading "Happy Birthday dear Blog"
No, not a computer virus this time. I have been bed ridden for three days now with this blasted thing. This is one of the worst sicknesses I have experienced. It is going around South Africa at the moment, which means that Grahamstown (a small city with students from university and school having just returned) is bearing the brunt of it.
Continue reading "Rotavirus"
Thanks to Guy Halse, and his comment to my last post, we will be able to have a go at breaking the Cisco Call Manager. This will only be available to people inside Rhodes University. The three conditions are: "you wait until we've finished our evaluation and announce open season
on the box, you don't break anything other than the Cisco call manager
AND if you get in, you provide us (and in turn, Telkom) with a full
disclosure of how you did it."
I won't have much time to try much outside of canned exploits and some modifications. It has some "Telkom specific modifications" which might provide an avenue.
Here are some places to start looking. They are mostly searches for 'Cisco IOS' and 'Cisco Call Manager'.
I won't have much time to try much outside of canned exploits and some modifications. It has some "Telkom specific modifications" which might provide an avenue.
Here are some places to start looking. They are mostly searches for 'Cisco IOS' and 'Cisco Call Manager'.
- Google
- PacketStorm
- K-Otik
- Milw0rm
- Bloglines (subscribe and 'search all blogs')
Last week our only1 telco, Telkom, came to give our IT dept. a variety of talks. One such talk was to show off the VoIP implementations they have started using at some campuses.
Continue reading "Telkom and CISCO VoIP"