Planet NYLUG

Ordered a new toy yesterday

2008-05-09T12:51:47+00:00

Yesterday, I broke down and ordered a Thinkpad R61. I had originally planned to go with the T61, but I did some research, and found that really the only difference between the two (I got the 14.1" R61) is that the T61 is slightly thinner and lighter (but not by a huge margin). Both have the LCD roll cage (NOTE: the 15.4" R61 does NOT have the LCD roll cage, whereas the 14.1" model does), they're both built like tanks to withstand my abuse, and it's about $150-$200 cheaper than the T61. The total price of the machine after all the discounts was $958.15, not a bad machine for the price. Yes, I know that Centrino 2 is coming out next month. Having the absolute latest and greatest is not really important to me (except in the operating system realm :) ), and I think I''ll really enjoy it and it will last awhile I'm sure. Of course, the included Vista goes bye-bye quickly and gets replaced with F9 :)

So here's what I got (note the 5/22/08 over there, that's the estimated ship date :( ):

1	7732CT	CONFIGURED SYSTEM	05/22/08	$958.15	$958.15
	42X5952	SBB INTEL CORE2DUO PROC. T9300
	42V8012	VBB MS WIN VISTA HOME BASIC
	42W7293	SBB MSWINVISTA H-BAS32 US ENG
	42V9324	SBB 14.1WXGA +TFT,W/OCAM
	42X5956	SBB INTLGMA X3100 GM965W/1394
	41W2068	VBB 4GB PC2-5300 667MHZ 2DIMM
	42V8195	SBB KEYBOARD US ENGLISH
	42W7033	SBB ULTRANAV(TRCKP+TOUCHP) +FINGR
	42V8712	SBB 100GB HDD,7200RPM
	42V8718	SBB DVDREC.8XMAXDUAL L.ULT.ENH
	42V8177	SBB INT.WIRE.WIFI/LINK4965AGN
	42V9338	SBB 6 CELL LI-ION BATERRY
	41W1787	SBB CPK NORTH AMERICA
	42W7087	SBB LP,US ENGLISH

I'm bankrupt!

2008-05-08T23:10:06+00:00

What you ask? How am I writing on the blog if I'm liquidating all my assets in order to pay off debts? Not that kind of bankrupt, silly! I'm going to declare laundry bankruptcy this weekend.

I have nothing but a small stackable washer and dryer in my apartment, so doing all of the laundry that has accumulated that doesn't absolutely have to be done is going to take weeks if I were to undertake the entire endeavor.

What, exactly, is a laundry bankruptcy and how does one declare such a thing? Fortunately, there are no costly lawyers involved, nor is your credit tarnished for 7 years. Rather, one feels better immediately after declaring laundry bankruptcy. You know that you're a candidate for laundry bankruptcy when the mountain of laundry in your apartment is taller than you are (no, not really my case, but you get the point). So how does one declare laundry bankruptcy?

The procedures may vary slightly, depending on where you live. The gist of it, though, is a trip to the local laundromat. You can either do the laundry yourself there, or, for a fee, they will generally do the laundry for you and you can pick it up later. After all, is doing umpteen loads of laundry really worth my time and effort? I don't really think so.

After all this is done, I'll probably have enough clean clothes for a year! :)

It's all about the Chases

2008-05-08T19:56:39+00:00

Maybe I only notice these things because Gerv has so religiously run the "n00,000 Bugzilla bug"-contests...

Or maybe it was randomly running across Wil's post about all of the web team's commits the other day...

Or maybe... it's just because I'm a dork about these sorts of things...

... buuut I was amused to realize the other day that here at the nest, we're due to hit the 10k mark on both bugs (I just filed bug 9087) and commits (changeset 9200 just went in).

I'm betting we'll probably hit 10k on both before 0.6 ships... although, I find myself wondering who will make it across the milestone first. Even though Bugzilla is behind at this point, I'm betting it'll catch up to commits before we ship.

Anyone bets on when we'll hit 20k?

(I was going to ask about the next-order-of-magnitude milestone, but... a Wilson party is probably a couple years away... at least.)

Essential Truths in Information Security: Understand what you protect

2008-05-08T13:11:38+00:00

For the last few days, I have been thinking about doing a series of blog posts around the theme Essential Truths in Information Security. In these posts, I will discuss a number of lessons that I learned while working in information security.

Today's truth is: Understand what you protect. For an information security professional to be successful, just understanding how to protect a resource is not enough. A deeper understanding of your organization's assets is at least as import: what are the resources that you are trying to protect? How important are those resources to the organization? What kind of controls are appropriate?

Understanding what you protect requires knowledge about the business side of life. After all, information security is not a goal; it is a means to manage risks to information and to ensure that those risks are at an acceptable level. Who decides what is acceptable and what is not? Most certainly it is not the information security professional; our job is to identify risks and point out what the consequences might be if a risk manifests itself.

We will also suggest how those risks may be mitigated, but in the end, that decision is not up to us. Once the decision has been made, we will work to implement, operate, and monitor information security controls to see how effective they are. More often than not, information security professionals will also coordinate how information security incidents are resolved.

Determining what measures will be taken while responding to an incident is something that we need help of "the business" for. They, not us, know what the impact of containment or eradication actions are.

Understand what you protect

Realize that putting information security controls in place is not a goal, but a means to achieve a business goal. Understand what you protect.

Playing with Photoshop

2008-05-07T16:59:18+00:00

I’ve never been a big fan of Photoshop and the whole modify a photo after taking the shot, this because it really doesn’t make you a good photographer if you’re always fixing up your mistakes after taking the shot instead of working at getting better with getting the shot, but I find that there is always…ok sometimes…a way to enhance the colors of the photo so that it pops out and doesn’t have a washed out look.

I recently got the Totally Rad Actions for Adobe Photoshop, as well as the Kubota’s actions which I’ve mentioned before, and using them didn’t really caused much change or enhancement to the photo which made me think that the actions didn’t really apply to my photos but I later found out that I was actually implementing them wrong and once I got the hang of it I was able to actually enhance the photos and make the colors pop. The bad side of this is that it takes time and patience on photos that have a lot of details. The photo below, which I took from the second floor of my house with my Panasonic Lumix DMC-LZ3, and the first shot doesn’t have the colors popping out and look a bit washed out:

Once I learned to use the actions correctly I applied the “Technicolor Dream World” and after taking the necessary actions I proceeded to apply the “Big Blue” action and also took the necessary steps to activate the action correctly. Once that was done I ended up with the shot below:

The shot looks a lot better and the colors really pop out. What are your opinions and views on the subject?

-LM

EDUCAUSE/Internet2 Security Professionals Conference

2008-05-07T13:25:28+00:00

I have spent the last few days at the EDUCAUSE/Internet2 Security Professionals Conference. Of all the conferences that I have attended over the years, this might have been the best. Not only were the logistics very well taken care of (I did not detect many problems), the sessions that I attended were relevant, interesting, and of an acceptable quality.

In addition, I was able to put a face to many of the names that I have seen in the past year, and I have enjoyed it a lot. Attending the conference was definitely worth my time (and my employer's money). Well done, EDUCAUSE!

OpenSolaris 2008.05

2008-05-06T22:17:31+00:00

The first official binary distribution based on OpenSolaris was released yesterday! It comes on a single LiveCD that lets you check out all the much talked about features before installing. Some of the highlights are the new IPS package manager, DTrace, Service Management Facility, XEN, and the new ZFS filesystem!

I have been looking forward to experimenting with Zones and ZFS (after being very disappointed with the current ZFS implementation on FreeBSD) more. I have downloaded the LiveCD and got ready for the painful Solaris installation. To my surprise the LiveCD booted to a very attractive GNOME desktop with a GTK2 installer comparable to desktop oriented Linux distribution. The installation was quick and painless, it completely blew me away. I highly recommend OpenSolaris to anybody interested in exploring ZFS!

Cellphone photography

2008-05-06T21:46:43+00:00

I had taken these photos some time ago and just found them last night on my cellphone so I uploaded them for everyone to see

I really like how they came out…what do you think?

How to Find the Blog Service that’s Right for Your Photoblog

2008-05-06T19:47:52+00:00

Natalie posted on Digital Photography School or DPS the last post on the three part series to get the DPS community or anyone else that’s interested blogging to show off their photography work. On this last post she asked a couple of the professional photographers about their blogs and where they host them, I guess her e-mail asking me about it got lost in all the spam…no I’m just kidding

You can find her article on the Digital Photography School website and you can go to her blog as well and link from there.

As far as what I do is pretty simple…well at least for me…I bought a hosting plan with DreamHost which is pretty cheap compared to other options I’ve seen out there and has really nice specs as far as the package they offer. I installed Wordpress using their one click install system and upgrade the blog through there as well. The theme I use on Wordpress is K2 which I love and have done a couple of modifications to it so that it does what I need.

For my photos I actually upload them to Flickr, I got the pro account after I hit the 200 photo limit that they have established, and then I installed a plugin called FAlbum on Wordpress so that the visitors to my site can see my photos directly from my blog and not have to go to Flickr, though they can still go to Flickr and comment on the photos there and also download bigger versions of the photos if they wanted to.

My e-mail is actually administered by Google. I got an account on their Google Apps service and they provide the e-mail system which is the same one they use for gmail so I can even chat with my friends who use google talk. I love this option though the free version allows me to have up to 25 e-mail addresses but it’s ok since I really have my girlfriend and myself using it

I will often just blog directly from Flickr, what I like about this is that it will organize the photo on the top right hand corner and wrap the text around the photo, or sometimes I will blog from Wordpress and add the medium sized photo to the post and clicking on it will take you to the Flickr page though I might change it in the future so that it stays on my blog and doesn’t go directly to Flickr.

The monitor calibration can turn out to be a problem and I’ve noticed this since I’ve seen the photos from my desktop at home, which I’ve attempted to calibrate my monitor as best as possible, from my work computer, which has not been calibrated at all, and from my mom’s computer which I had to play a little with the color correction on the nVidia control panel in order to get the images to look like they should though I’m still not completely happy with that.

I guess the biggest issue for digital photography is the monitor calibration and this is a big factor that affects the way others see our photos. As of right now I’m really happy with the setup I have and find it quite affordable for my budget. I have even done a similar setup for my sister, she’s no photographer, but she likes to draw and would like to show off her work as well so I’ve set it up and you can check it out on her blog that I made…I still have to teach her to upload to Flickr.

What would I change? Well so far not much really…though I’d like to add a drop shadow to the photos on the FAlbum that works well with the current theme I have set and that would be pretty much about it right now.

Pascal Wowak said that he believes that watermarks on the images ruin the images and I have to agree with him up to certain level. There are people who simply don’t want anyone else to use their work so they put this huge watermark across the photo which it sure protects it and also ruins the photo a lot. Then there are people who make a very good looking watermark, like Melissa Jill, which looks so artistic. The watermark I use is a simple small black line on the bottom of my photos and the idea I took from my friend ocnarfid

I also like the idea of having a border added to the image which basically has the signature like the one from Jasmine Star since it’s non-intrusive on the photo but I find it that, at least for myself, it would add a lot of work.

I also just post the finished work and not some raw photo which I haven’t even taken a look at. I like to do little to no retouch to the photo unless I consider that it would really come out great with certain effects applied. Most of the time I’ll just make the photo into a black and white photo or just leave it in color.

-LM

Posting code made easier (for everybody else reading your blog!)

2008-05-06T16:37:16+00:00

I've noticed something while reading my daily blogs, a lot of code is just unreadable because most blog systems (blogger looking at you), screw up indentation, unless you wrap it in a pre tag (opening and closing are both required. This makes it readable for your readers! I've left comments on the blogs that didn't know this, and now they do.

This message is primarily for the Google Summer of Code students, but is useful to the programming community as a whole. When you post code, wrap it in a pre tag and be sure to close them when your code example is complete.

Paintball Sunday

2008-05-05T22:19:06+00:00

This past Sunday I went to I.D.T. Paintball with my coworkers and some friends of theirs to play a good game of paintball. It was sunny, hot and dry which caused for me to get a sun burn on my hands and the back of my neck but it sure was worth it since we had a great time.

I didn’t take my camera because I like to play paintball a lot so I knew that I wouldn’t take photos but a friend took his Nikon D40 to take some shots and I took the time to give it a test run and get some shots. I really like the one of Venny, a coworker, that I took which you can see at the end of this post. This was taken during our lunch break that we took. We bought meat at the supermarket beforehand to grill during our lunch break.

Afterwards we took it to the go-kart tracks to run around a few times. At the end of the day we were so tired that we all decided to go home.

-LM

A day with my parents

2008-05-05T04:15:26+00:00

Pungi and mock for fun and profit!

2008-05-04T00:26:11+00:00

Alright, well maybe not profit, but certainly fun!

I had mentioned in a previous post about doing QA for Fedora, and having installation CD and DVD sets available prior to the general release of the distribution. All that Fedora Alpha, Beta, and Preview Release really is are just snapshots of the daily development tree of Fedora, rawhide. Sometimes, it might be useful to have a DVD, similar to what Fedora release engineering would produce, of the current rawhide. Now, I'm going to give a step-by-step of how to do this in 'mock', which is a program that you can use to manage chroot's. Mostly, it's used for building binary RPM's from source RPM's, however, it has grown functionality that make it useful for doing composes recently.

There are some things that pungi does that depend upon several things that make it very suitable to be run in a mock chroot. First, the distribution that you are composing and the distribution that you are composing on have to be the same, For instance, if you wish to compose rawhide, you have to be running rawhide (or at least have rawhide userspace). Also, the architecture that you are composing on and the arch that you are composing must be identical (you can't compose i386 on an x86_64 system, for example). Mock allows us to overcome both of these limitations (at least for compatible arches - i.e. x86_64 and i386). A mock chroot can have userspace that is very different from the host system, and so long as the arches are compatible, they can even be of a different arch (i.e. you can run i386 code on x86_64, but not the other way around, obviously).

The only thing that we have to do on the system that is going to produce the trees is to install the 'mock' rpm. This is as simple as typing 'yum install mock' at the command line. On my system, I also prefer to have the bash-completion package installed, because mock is 'completable' by that package, and the buildroot names can get kinda long sometimes (or am I just lazy?) :). After this is done, you need to make sure that the user that needs to use mock is in the 'mock' group. This is because being able to use mock is equivalent to having root on the machine in question, since mock is SUID (and has to be), You can accomplish this with 'gpasswd -a jstanley mock' for example.

The next thing that we need to do is initialize the chroot. This is very simply done by using 'mock -r (config) --init'. This brings up the question of which mock configuration to use. Mock comes with a number of pre-made configuration files. The ones that you're most likely to want to use 'fedora-rawhide-i386' or 'fedora-rawhide-x86_64'. These files live in /etc/mock, and the -r argument to mock takes them WITHOUT the trailing .cfg extension. If this is your first time running mock for this installroot, it will use yum to install the group 'buildsys-build' into the chroot. After that is done, it will tar up the root, and save it for future use. If you had used this installroot before, it would clean it (i.e. delete everything that was there), untar the root cache, and then run yum update to get items that were changed since the root cache was created.

Now we have a chroot with the desired content in it, we can install pungi. Wait a minute, this is in a chroot (and yum is not installed by default in this chroot), so how do I do that? Good thing mock has the '--install' option. So you just execute 'mock -r fedora-rawhide-x86_64 --install pungi', It won't output much at all, but it will install pungi and it's chain of dependencies. Now that we have pungi installed, we're ready to actually use it in the chroot! So let's get a shell in the chroot with 'mock -r --shell', which will give you the following output:

[jstanley@rugrat ~]$ mock -r fedora-rawhide-x86_64 --shell
INFO: mock.py version 0.9.7 starting...
State Changed: init plugins
State Changed: start
State Changed: lock buildroot
mock-chroot>

The 'mock-chroot>' is my shell prompt, reminding me that I am in the chroot. From here, we can use pungi. The reference kickstart files that release engineering uses to create the releases are included in the fedora-release package, and can be found in the /usr/share/fedora-release directory. The traditional DVD configuration, which is what you want to use, is called f9-fedora.ks (note that this just landed in the fedora-release package on Friday). One piece of housekeeping that needs to be done at this point in to remove the generated rpm database files. If you are building on your native arch, this isn't strictly necessary but still a good idea. If you are building i386 images on x86_64, not doing this is fatal.

mock-chroot> rm -f /var/lib/rpm/__db.00*

At this point, we can execute the pungi command:

mock-chroot> pungi -c /usr/share/fedora-release/f9-fedora.ks --destdir=/compose --nosplitmedia --nosource

I'll take you through what these options do:

-c - what kickstart file do you want to use to use for this compose

--destdir= - where should the compose happen. It's important to note that this is different from where on the non-chroot'ed filesystem you'll find it - remember that we're operating in a chroot here.

--nosplitmedia - I do not wish to generate split (CD-sized) media for this compose

--nosource - I don't want to gather source code for this compose. Note that you MUST NOT use this option if you plan on distributing the resulting discs. Note that by eliminaiting this option alone, source ISO's will not be created, that's an additional step that I'll mention below.

When you enter this command, pungi will go about four phases of operation:

- Gather the RPM's and SRPM's as required
- Create a yum repo out of those
- Run the anaconda 'buildinstall' tool to generate installation images, etc
- Create ISO's

Using a local mirror and a reasonably fast computer, this will take about 30 minutes. Note that every RPM that would be included on the DVD is downloaded, so having a local mirror REALLY helps here. Not a show-stopper if you don't have one, but it will take longer than 30 minutes :). One word of warning, though - when the compose gets to the point of running buildinstall, it will look like it's hung - this is the longest part of the compose. So if you see something like this and nothing more on your screen, it will finish:

Pungi.Pungi:INFO: Running /usr/lib/anaconda-runtime/buildinstall --product Fedora --version 20080503 --release "Fedora 20080503" --bugurl http://bugzilla.redhat.com /compose/20080503/x86_64/os

OK, so eventually, you'll see the following (among other things):

Pungi.Pungi:INFO: Running /usr/bin/sha1sum Fedora-20080503-x86_64-DVD.iso
Pungi.Pungi:INFO: Running /usr/bin/sha1sum Fedora-20080503-x86_64-netinst.iso
Pungi.Pungi:INFO: CreateIsos is done.
All done!

At this point, the DVD and netinst.iso have been created, and are inside of our chroot. To get at the chroot from the non-chroot'ed OS, it's located in /var/lib/mock/fedora-development-$YOURARCH/root - so everything that you did is located there. You can find the completed ISO's in /var/lib/mock/fedora-development-x86_64/root/compose/20080503/x86_64/iso for example.

I said earler that source ISO's are not created by default as part of the Create ISO's stage. In order to create the ISO's, you need to run pungi again against the same tree. Here's the syntax for doing that:

mock-chroot> pungi -c /usr/share/fedora-release/f9-fedora.ks --destdir=/compose --sourceisos --nosplitmedia

Again, eliminate the --nosplitmedia option if you want CD-sized ISO's created as well.

May Challenge from PhotoChallenge: Second Entry

2008-05-03T04:41:27+00:00

Originally uploaded by tenshi_cr

Groovy 1.6-beta-1 released!

2008-05-03T01:50:20+00:00

So, i read that groovy released 1.6-beta-1. They kept the mixins syntax that was added. I love the new syntax, it's easy to use, and concise as well.

Congrats to the Groovy team! Great Job!

RE: Off to EDUCAUSE/Internet Security Professionals

2008-05-02T21:59:41+00:00

I read Kees’ post on the whole traveling and I must agree with him because it’s quite a hassle to travel through the US airports nowadays and even worst if what I heard over at Digg is true. I heard that FBI is copying some hard drives of passengers who carry laptops.

Before you go and beat me about believing everything I see on Digg, whether this is true or not, I’m sure going to keep this in mind next time I’m traveling to the US. I’ve traveled into the US a couple of times with my laptop and having to take out the laptop on every security check is enough of a hassle for me and even worst if they want to copy the contents of my hard drive.

I agree on the traveling light…but that’s too light for me…besides all of this trouble one has to go through in the airports I’d still carry my laptop. I want to get one of those Asus eeePCs to just have access to the Internet and to my home network and I’m all set no need to carry anything else besides that…well with the exception of my clothing of course

-LM

Off to EDUCAUSE/Internet Security Professionals

2008-05-02T19:58:09+00:00

I am heading off to the EDUCAUSE/Internet2 security professionals conference this weekend. The event starts Sunday and completes Tuesday around noon. While getting my packing list checked off (business cards, itinerary, confirmations, reservations, schedule, etc) I was getting ready to pack my laptop, power supply, cable lock, external drive, etc.

Then I stopped.

Why would I carry all this stuff?

I consider myself an experienced traveler and I have visited a fair number of conferences all over the world. Traveling is annoying enough; I do not need anything that is non-essential.

After all; what I do not carry, I cannot lose. True, having access to email would be nice (I'm not on Crackberries). and web browsing would convenient too, but face it: I am in session Sunday from 8.30am-late (hopefully there will be some good BoF sessions), Monday starts even earlier (7am) and might end even later, and Tuesday I'll be checking out of the hotel and traveling back home. When would I even have time to get my e-fix?

Traveling in general, and navigating public transportation (incl. clearing airports) is much easier without carrying a lot of stuff.

So; what will I be taking in addition to some fresh clothes? A stack of business cards, my cell phone (with charger), my notepad and one pen.

Hello Lazyweb: GUI MySQL "IDE"?

2008-05-02T15:09:51+00:00

I want something a GUI in which I can write and run MySQL queries. For anything more than trivial work, the MySQL CLI client just doesn't cut it. A way to check out table structure in a graphical way would be nice, too.

I'm not a MySQL expert by any stretch of the imagination, so maybe there's something that I should Just Know About(TM), or is MySQL lacking such a basic tool?

City Lights

2008-05-02T04:25:00+00:00

San Jose, CR

Originally uploaded by tenshi_cr

This is my attempt at some long exposure photography. This shot was taken from the parking lot of Pricesmart in Heredia, CR. The city that you see the lights coming from is San Jose, the capital of Costa Rica.
I took this one using my 70-300mm lens since it has the lens hood. The first try of this shot was done with my 18-55mm lens but there was a strong light coming from a street light near by that ruined the shot.
I’m not a huge fan of post-processing but I did run this photo through a couple of actions in Adobe Photoshop CS3.
Any comments in regards to the photo are welcomed. Personally I think I should have either set the shutter speed to a faster time, lowered the ISO speed or lowered the aperture a bit since I do see some color, specially from the lights, that bled, for example if you pay close attention there are some lights that have a blueish halo around them.

-LM

Technology Books and Home Users

2008-05-01T17:30:29+00:00

In the past few months I have started making the transition from reading on my computer monitor to physical books, simply because my eyes can not handle the strain of focusing on the monitor for hours. After reading a good deal of computer related books I have started to realize an annoying pattern, authors and book publishers are trying to appeal to the wrong demographic. It does not matter how technical a subject may be, the author still attempts to write it from a home user perspective.

While reading Server Technologies chapter in The Complete Reference: Networking the author goes on to discuss how servers are no different than workstations! The author suggests that you should buy a workstation and use it as a server because the differences come down to servers simply lacking audio and video cards, have higher prices, and lack the free peripherals! Here are some fun quotes from the chapter

“The question then remains, what you do get when you purchase a server for more money than you would spend on a workstation with the same processor and a comparable amount of memory and disk space?”

“Although servers generally do not come equipped with high-end video and audio adapters, there is usually no reason why you can’t add them later and use the computer for tasks more traditionally associated with client workstations.”

This is not about me not liking some book and deciding that I should rant about it. Overlap of home and enterprise technologies exists in majority of books that are not directly published by the software or hardware manufacturers. The reader does not buy a reference book on networking to read about networking topologies, routing protocols, and how to convert their home PC into a server! Instead the reader wants an insight into an industry, platform, hardware, or software that is not readily available to them. In other words, when buying a 500+ page book on firewalls, I am not buying it to read about Zone Alarm. In fact, Zone Alarm and Cisco PIX should not be mentioned in the same chapter.

I am now becoming one of those people that hangs around Barnes & Noble for hours, reading chapters from random books before making a purchase.

May Challenge from PhotoChallenge

2008-05-01T02:51:02+00:00

Waiting for water to boil

Originally uploaded by tenshi_cr

So I decided to join the PhotoChallenge group on Flickr. The group basically chooses a subject each month and you basically would upload a photo everyday sticking to the subject.
The idea of these challenges is to make you get better at taking photographs. This is my first entry into May’s challenge. The theme will be different objects and it will get changed each week. This week is beverages and I’ve decided to stick with tea this week.
One of the areas I’m not that good at and definitely need improvement is in low light environments.

-LM

PATH Service Shutdown on 33rd Street Line

2008-05-01T01:05:29+00:00

Well, there was apparently a small manhole fire just east of the Christopher Street station in Manhattan today. Depending on which news report you believe, it supposedly started underneath a PATH train! All of the passengers were evacuated, and there were no injuries.

Anyhow, what does this have to do with me? I take the PATH in order to commute to Manhattan when the job requires it. Today was such a day that I had to work in our lower Manhattan office, nowhere near to where this commotion occurred. However, there was a NYLUG meeting this evening, which happens in midtown. It's easiest (I think) for me to take the PATH from midtown when I'm in midtown. Makes sense. Good thing that I knew the service was shut down ahead of the meeting in midtown, so I knew that was a no-go. Everyone was saying "Wow, we feel really sorry for the folks that live in Jersey, they're gonna have one heck of a commute tonight". Fearing the worst, I took the NYC subway down to the WTC PATH station, and hopped on the train there. I think that they had increased service frequency to that station as much as they could, since there was a train waiting for me at 10PM, and it left shortly thereafter (with the train operator telling everyone that was getting on the train that there were plenty of seats in the rear of the train - problem being everyone needed to be towards the front because of where they were going). The train got quickly underway, and I think that I got into the subway at 9:45PM or something similar, and I got out of my station in NJ at 10:20PM. 35 minutes is not a bad commute for NYC, especially since I took a massive detour from where I was in order to get home. There are people that would kill for that commute, and that's what I get when everything's messed up. So I guess this PATH commuter had some good luck!

It's unclear whether or not this will be repaired for the morning rush, so I'm planning to leave a little early since the route that I take is the only one operating between NJ and NY, and I'm expecting more crowding on the already jam-packed train. Good thing the customer meeting wars relocated (for unrelated reasons) from midtown to downtown! :)

The Changing of the Guard

2008-04-30T03:48:00+00:00

Almost four weeks ago now¹, dbaron took some time and separated out the various guts of the old Mozilla tools module, and divvied the contents of the directory² into two new Mozilla modules: a Build & Release Tools module and a Code Analysis and Debugging Tools module.

I wanted to call this change out, because I think it's a step in the right direction, for a lot of reasons; both of these new modules have seen a lot more activity in the last 2-3 years and I think it really helps to separate them out from a code management standpoint, but also from the standpoint of the way we think about these sets of tools: the guts of any organization's build/release infrastructure and analysis/debugging tools should be first-rate citizens, and this change helps to frame the way those parts of the code are thought about.

So, thank you, dbaron; it's been a long time coming, and I appreciate you taking the time to sort that goop of code all out into [more] logical units.

*** A couple of days after the announcement, I brought up the fact that with Rob Helmer's announcement, the Build & Release module would not have anyone at Mozilla Corporation who could offer reviews for the module, given that rhelmer, Chase and myself were listed as the owners, and there weren't any peers yet.

This obviously makes little-to-no sense.

After a lively discussion about how to best remedy that, I also wanted to note that long-time Mozilla community member Nick Thomas³ is the new module owner for the Build/Release Tools module, with Chase, Rob Helmer, and myself staying around as peers.

Coop was also added as a module peer, whose omission was, let's face it, somewhat ludicrous⁴. I'm happy to see that got corrected as well.

Congratulations, Nick; you follow a long line of Mozilla Build Engineers, and I know you're going to [continue to] hit it out of the ballpark.

Let me know where to send the bottle of scotch.

_____________________
¹ Wow... on my birthday, no less! What a present! :-)
² which had mostly become an "island of misfit code"
³ also known as the "Build Engineer Formerly Known as CF"
⁴ No one escapes Mozilla Build/Release, Coop. No one. ;-)

EDUCAUSE/Internet2 Security Professionals Conference

2008-04-30T00:41:51+00:00

For those of us in higher education; do not forget that the EDUCAUSE/Internet2 Security Professionals Conference will take place starting this Sunday (May 3). If anyone is going there and would like to meet up, please drop me a note! I'll be getting in Saturday evening around 8pm or so.

The things time causes

2008-04-29T02:25:41+00:00

The things time causes

Originally uploaded by tenshi_cr

Trust, but verify

2008-04-29T01:07:04+00:00

Someone asked me today if I had contacts in Law Enforcement in The Netherlands. As a matter of fact, I do. The guy (who I only know by his online alias, and "met" only once) wanted me to contact them so I could inform them of a warez site that he knew about, and of a web site that was defaced by the person who operates that site.

However, when I asked the person for some evidence to back up his claims, he went quiet. All he told me that "he knew about, but was not connected to the site that was defaced". Obviously, it ended right there for me.

It does make you wonder: why does anyone think that I would go to anyone (let alone a law enforcement officer) with a message like: hey, this guy I never met, or have any idea who he really is, would like you to crack down on a site that he claims hosts illegal stuff, but for which he cannot provide any corroborating evidence?

Uhuh.

The camera doesn’t make the photographer

2008-04-28T18:01:11+00:00

There is one thing that some people think and that is that the more expensive the camera the better the photos that person takes and this is not the case since the camera is only a tool that, like every other tool, needs to be used correctly to achieve the desired results. I must agree that the better the tool the better the result and taking photos with a camera phone, for example, is not something you would compare with those photos taken with a Nikon D3.

There is one phrase that I’ve heard and and probably have mentioned it here a couple of times and that is that the camera doesn’t make the photographer. Given the right usage of the tool you can actually achieve great photos or snapshots and many professional photographers as well as hobbyist and enthusiasts have shown this to be true in numerous blogs and contests that have been carried out.

One of these photographers is Jeff Ascough where he takes a Sony Ericsson K800i and goes out to take some photos then takes them into the Digital Darkroom and touches them up to make them look better, you can see them on his post Camera Phones.

I’ve agreed with this phrase and these photographers since most of my great shots have been taken with my point-and-shoot camera.

-LM

Information security framework

2008-04-28T14:57:57+00:00

A 0day with an automatic discovery and dissemination tool shouldn't be a surprise to anyone. The fact that it's hit hundreds of thousands of sites in less than a couple of weeks is slightly surprising, though it mainly means that the bad guys are moving fast. Is this just the next step in Internet security, where we have new 0day vulnerabilities sweeping through web servers on a regular basis?
Source: Network Security Blog

Observations like this once more seem to reconfirm that the bad guys are increasingly focusing on OSI layer 7 and above. While not to be ignored, simply putting up a firewall to keep unwanted traffic out, and an IDS to make sure the firewall is working well (or an IPS, if you prefer) is not sufficient.
While hardening systems by applying patches (operating system, as well as all applications) and limiting servers to only provide services that are required remains critical to limit your technical exposure, malicious traffic traveling on legitimate channels remains effective.

So what can be done? It is essential that deciding what is desired behavior when it comes to using information is done ahead of time. Users must be educate about proper use of information technology. Processes that use our information must be designed in a way that they reasonably prevent undesired use, and that they behave predictably when they fail. We must develop an enterprise architecture that supports our processes effectively and efficiently. We must put monitoring controls in place to detect when (not if!) our preventative controls fail. We must be prepared and know how to respond when those failures are detected. Bottom line?

1. Develop and maintain information security policy
2. Design and maintain business processes
3. Develop and maintain user awareness
4. Develop and maintain an enterprise architecture that is aligned with the business processes
5. Implement a technical infrastructure based on the enterprise architecture
6. Monitor processes and infrastructure for signs of failure
7. Respond to incidents
8. Go to 1.

Embedded intelligence

2008-04-28T13:02:52+00:00

xkcd has an excellent comic up today. The title is Zealous Autoconfig. Here it is:

Please respect their license.

700mm lens and playground photos

2008-04-28T05:56:29+00:00

Originally uploaded by tenshi_cr

My parents arrived last night from their trip to Panama, which unfortunately I was unable to go, and along with the UV Filter I had asked them to buy for me they brought me a new Nikkor 70-300mm G lens.
To test the range of this lens I went over to the terrace in my house and took this shot of the seesaw in the children’s playground across the street. This shot was taken with the focal length of 300mm and my tripod since the lens doesn’t have the VR, camera shake reduction technology from Nikon, that my 18-55mm has. I attempted to take some shots with the lens by simply holding the camera but they didn’t come out since my hand is a bit shaky and despite my tries at stabilizing the camera it would still blur the shot.
Since I don’t have a remote control for the camera then I set the timer to 5s to take the steady shot and this works so I’ll be sticking to it until I can buy the control.
I have also taken and posted on Flickr a couple of shots from the playground, using my 18-55mm lens, that I took today. All the images have been retouched in Adobe Photoshop CS3 and using Kubota’s actions as well as other presets that I got for Adobe Lightroom.

-LM

Setting account expiration in Windows XP

2008-04-27T12:42:48+00:00

I ran into a problem yesterday with my Windows installation. Since this is a laptop that is not part of an Active Directory Domain, has the Administrator account disabled and only has one other local account with Local Admin privileges, I ran into a problem when Windows informed me that my account had expired.

The problem is that I had a whole bunch of EFS-encrypted files in that account, without having backed up the EFS-certificate. The only option that I thought would provide me with a quick fix was to reboot from a Backtrack CD to re-enable the Administrator account and blow out the password on the Administrator account. Removing the account of the other user would not have worked, but even worse, it would have made all my EFS-encrypted files unavailable.

After having regained access to the Administrator account, I started messing around with clicking on all kinds of stuff, and even playing with some wmic-voodoo.

All to no avail.

As with most operating systems, Windows separates account expiration from password expiration. Resetting the password expiration was easy, but resetting the account expiration on a stand-alone Windows machine does not seem to be possible with out-of-the-box Windows tools. Even a tweet for attention did not yield the result I was looking for.

After doing quite some head-banging and even more research, I found a command-line tool called AccExp. AccExp can set or reset the account expiration of a local windows user, or a user in an Active Directory.

Lesson 1: If using EFS. backup your certificate. Instructions.
Lesson 2: Account expiration cannot be reset using and out-of-the-box Windows. Additional tools, such as AccExp are required.
Lesson 3: Windows will not expire an account while you are logged in; even going to standby/hibernate does not include an account expiration check. Windows will only check when you log on to an account.

PS: Yes, I know this Windows laptop is configured pretty much as far removed from best-practices as possible.

NANOG 43 Registered

2008-04-26T03:27:52+00:00

DNS Operations Workshop

2008-04-26T01:04:24+00:00

Operations Analysis and Research Center for the Internet (OARCI) will hold it’s third annual DNS Operations Workshop at Brooklyn College this upcoming June. Registration is now open, and you do not have to be a member of OARCI to attend the workshop! Check out OARCI DNS Operations Workshop website for more information!

The world outside sleeps

2008-04-25T23:54:52+00:00

The world outside sleeps

Originally uploaded by tenshi_cr

I attempted to shoot a good long exposure of the moon last night since it looked pretty good but since I was attempting to do it from inside the house the window caused for the shot to not have enough detail and come out messed up.
I pointed the camera to the horizon and took a long exposure shot using my tripod and the camera timer set to 5seconds to avoid camera shake.
Afterwards I used Adobe Lightroom to process the RAW file and to create a PSD file that I would use in Adobe Photoshop CS3 to add a couple of effects to the foto using the actions that I recently obtained.

-LM

Be careful with what you leave behind

2008-04-24T20:23:38+00:00

One of my responsibilities is security awareness training, and I am currently in the process of establishing a baseline. This will allow me to evaluate the effectiveness of any future efforts that I am going to develop. Whenever you embark on something like implementing a new program, make sure that you establish baselines. Without them, you will have no way to evaluate the effectiveness of your efforts. But, I digress.

Today, I re-confirmed that most attacks against IT infrastructure are just too simple to pull off when the attacker targets the users, rather than the technology. Today, I did an experiment using low-tech methods.

I went down to some public terminals, typically used by students when they have some time to kill. Whenever someone left their terminal, I walked over to see what I could find. Most were smart enough to close their browsers before they left, but very few went so far to clear their browser's cache, or even actually log out of the application they were using.

Most web applications use a session-based cookie to authenticate a user and to establish a context. That session will be destroyed automatically when the last window of a browser closes. A well-written web application will then require the user to re-authenticate themselves. Note that many web applications are friendly enough that they will cache the user's identity, even across sessions. The login field is typically already populated, providing an attacker with useful information.

These particular kiosks are iMacs. Macs are interesting things in that windows completely disappear when they are minimized, except of course when you know where to look. I initiated by attack by starting an instance of Safari and an instance of Firefox, and I minimized both.

Next, I walked away from the browser and let students use the kiosk. Those students did their thing (usually browsing Facebook or MySpace) and then closed their window, but not their browser. As a result, the session states were maintained and I had full access to accounts logged in to these social networking sites, and even the occasional Google Checkout or eBay account.

Of course, I immediately logged the user out when I established that she was logged in and after I had taken a photo of the screen. I also made sure not to capture (or even look at) any personally identifiable information.

Please note that our policies allowed me to do this. My job function requires me to monitor the use of IT resources, and to establish information security program, and establishing a baseline is part of that process. While connected to our network, or while using equipment that we own, no user has a "reasonable expectation of privacy.

How do you defend against this? Clear "private data" when you leave a browser in a public space. This will not defend against key loggers, but it will make it a lot harder for people to hijack your session.

Another thing that I found interesting is that nobody approached me to find out what I was doing there. I was very open about the fact that I would walk immediately over after someone left, play with their browser, and even take photos of their screen using the camera built-in to my cell phone.

Josh Weiss: Networking The Poor in Guatemala with Partners In Solidarity

2008-04-24T10:42:17+00:00

I recently had the opportunity to talk to Josh Weiss, who works with Partners in Solidarity. Partners in Solidarity was founded by Matthew Rutman with the vision of bringing computers and technical education to the rural schools and NGO's of the Guatemalan state of Quetzaltenango. The project facilitates the donation of computers, supplied by Next Step Recycling in Eugene, Oregon, to allow for

Vulnerability notifications?

2008-04-24T00:14:28+00:00

Interesting.

ESI is running an article about a potential information disclosure at Southern Connecticut State University.

Southern Connecticut State University has alerted current and former students after a review of a university web site discovered a vulnerability that could have allowed an unauthorized individual access to personal information. During a recent review of a web server, the university discovered that unauthorized individuals could have had access to applications for graduation dating back to 2002.
Source: ESI press release

What I find interesting in this is that the university chose to notify students, while there does not seem to be proof of a disclosure, just a vulnerability that could potentially have been abused. All affected students (past and current) are offered two years of credit watch.
Even if a vulnerability was exploited on a server that also contained that information, notification might not be required:

Connecticut breach notification law states:

Any person who conducts business in this state, and who, in the ordinary course of such person's business, owns, licenses or maintains computerized data that includes personal information, shall disclose any breach of security following the discovery of the breach to any resident of this state whose personal information was, or is reasonably believed to have been, accessed by an unauthorized person through such breach of security.
Source: CT notification law

The next question becomes: when is it reasonably believed to have been accessed? Most compromised web applications that I have seen were exploited for defacement, to host malware, or to host other illegal content. Hardly ever were they used to go after other data that is stored on them. This is especially the case for Universities, who are typically on high-bandwidth pipes.

What is the implication for other institutions if it becomes common practice to notify when a vulnerability has been identified, without there being any signs of an actual breach? While it commendable that Southern State University is taking such a transparent and pro-active position, the decision to do so may have been taken too quickly.

It is same to assume that at least half of all web application that are currently in use have some form of vulnerability in them. If all organizations that deploy such applications have to start notifying their users that program may contain vulnerabilities that could be exploited to possibly gain unauthorized access to information, we might as well pull the plug and sit in our corners until we learn to develop applications that are 100% secure. I do not see that happening any time soon.

I am a very big advocate of privacy and due care. However, I cannot help but feel that this notification is a bit premature. I would also be very interested to see if any research has been done to find out how many times people that have been put on credit watch after a breach have actually become a victim of identity theft, and of those victims, how many can actually be tied to the unintended disclosure.

Breach notification laws are a good thing, because they make us look after our data a lot better, but I cannot feel that we cry wolf much too often.

Accepted to google summer of code!

2008-04-23T01:16:59+00:00

I was accepted to participate in Google Summer of Code. I will be blogging regularly about my progress. The project I will be working is a Groovy Forms Module, which will enable administrators of OpenMRS to quickly create forms along with HTML and controllers. I think it will be a fun experience.