Digital Choke Daynotes
"Daynotes" are daily (usually) journal entries of interesting happenings and discussions. They are not 'blogs', which are just a collection of links to other information (although we do include links occasionally). These Daynotes were inspired by the collection of daily journals of the "Daynotes Gang" (see sites at .com, .org, .net), a collection of the daily technical and personal observations from the famous and others. That group started on September 29, 1999, and has grown to an interesting collection of individuals. Readers are invited and encouraged to visit those sites for other interesting daily journals. If you have comments, send us an email. A bit more about me is here. You might also enjoy our little story about the death of the 'net.
Busy day yesterday, relaxing day today.
As you regular readers (yes, both of you) might recall, the Jensens (our daughter Christine, her husband Jared, and their children Joelle and Liam) were at the house Friday night. Pam and I were babysitting while Christine and Jared went to see the new "Harry Potter" movie. The grandkids went to bed at about 8:30pm, and Christine and Jared got here late, so they also spent the night.
Saturday morning started out with a nice breakfast of pancakes and bacon and eggs. Then Jared and I headed to the dump and then over to my mother-in-law's house, while Pam and Christine and the kids went 'garage sale-ing'. Jared and I got another truckload for the dump; an old dryer and electric water heater. The dryer had died last week (it was about 14 years old), but the electric water heater had been sitting in a corner of the garage for several years.
We also got rid of a really old boat motor. It was my father-in-law's father's, so it is quite old. The guy that bought it wanted to restore it and perhaps donate it to a maritime museum in Lake Tahoe. (You'd think that most maritime museums would be next to the ocean. But there are a lot of boats on Lake Tahoe, including a big paddlewheel steam boat.) And I found some of the original manuals for the power tools (saws, etc) that someone bought last week, along with the power cord for the arc welder and a couple of welding hoods.
Jared cut down a dying tree. Not sure what kind it was; it had cherry-like fruit, with dark purple leaves. The tree was about 70% dead, with just a few live branches left, and was only about 15 feet high. So we got out the chain saw and got rid of it. I fixed one impulse sprinkler that was plugged up with some dirt. There was also a bit of sweeping dirt off the garage floor (and cobwebs off of garage walls). So we are making progress in getting the garage cleaned out.
Pam and I left about 1pm in the big truck (Ford F250 super diesel) and headed one more time to the dump. Actually, it's more of a recycling center. There is some pre-separation of incoming trash: wood waste and garden waste in separate piles for shredding. Other waste goes into a pit that leads to another shredder that separates the materials. And household garbage goes into another area for separation and shredding. Appliances go into the metal pile for recycling. And there's a separate area for hazardous waste like paint, used motor oil, garden chemicals, batteries, etc. And the price is quite reasonable. It's also a very popular place on weekends.
After the "Lone Ranger" trip (you'll have to think about that one), it was back home. Pam wanted to do some shopping, so I let her go. I puttered around the garage and back yard doing some odds and ends. We topped off the day with some 'steak on the barbie', and relaxed in the evening.
This morning, there were no morning meetings at church, just the afternoon one. And there were no kids/grandkids after church; the Jensens had a family thing with Jared's family. So the evening was quite quiet.
We cooked some chicken breasts and ribs in BBQ sauce on the barbie. Although there were just the two of us, the BBQ chicken breasts will be really good for sandwiches this week.
And we remember those that fought and died on the beaches of D-Day, sixty years ago today. It was an impressive effort. My uncle was a paratrooper in the 101st Airborne that day, and he had some good stories to tell. My father was in the Philippines during WWII. Stories for another time.
Security news:
From the "@RISK Consensus Security Vulnerability Alert" (subscribe here https://portal.sans.org ; their newsletters are recommended; their information security training classes are excellent).
Note the phrase "...[the update] fixes many vulnerabilities for which the technical details have not been published" (by Apple). At the risk of offending Mac zealots, what would be the reaction if Microsoft fixed something but didn't tell you why?
<snip>
Mac OS X "disk://" URI Handling Vulnerability
Apple has released an update OS X 10.3.4 that fixes many vulnerabilities for which the technical details have not been published. However, more details about one of the corrected vulnerabilities, CAN-2004-0485, can be obtained from the information in the CVE database. This information indicates that the problems with the "disk://" URI handling have been fixed. This vulnerability has been discussed in two preceding issues of @RISK. It allows an attacker to silently execute arbitrary code on a client system. Hence, it is important to apply this update on a priority basis.
Council Site Actions: Four of the reporting council sites are using the affected software. Three of these sites provide support for MacOS and have started the patch deployment process. The final site has notified their user base and requested them to install the patches.
References:
Apple Security Updates http://docs.info.apple.com/article.html?artnum=61798
CAN 2004-0485 Description http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0485
Previous @RISK newsletter postings
http://www.sans.org/newsletters/risk/vol3_21.php (Item #5)
http://www.sans.org/newsletters/risk/vol3_20.php (Item #3)
SecurityFocus BID http://www.securityfocus.com/bid/10400 , http://www.securityfocus.com/bid/10432
</snip>
Apple has been pretty quiet about this one. You might also take a look at the Wired article about this.
I spent a bit of time with a pop-up window in a Cold Fusion application. It displays database records in a row format. There is a description-type field that is typically longer than the display area for a row. The intent is to have the full description pop-up when the mouse hovers over a certain area of each row.
The pop-up code is a little JavaScript I found on a forum. It works quite well, but non-alphanumeric characters in the description field will cause the pop-up box not to appear. There is a way to filter for formatting codes, but I haven't found the right combination of characters to filter out. I probably need to filter the description text when it is stored, so that only alphanumeric text is stored in the database record. I'll have to do a bit more searching, I suspect that somebody has already 'invented' such an animal.
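An added example, not the forum script or the application's own code: a pop-up that fails on non-alphanumeric characters is usually an output-encoding problem, and the sketch below encodes the description for each context it is written into. It assumes the pop-up is called from an inline `onmouseover` handler; `showPopup`, `escapeJsString`, `escapeHtml` and `rowMarkup` are hypothetical names.

```javascript
// Added example. Hypothetical names: showPopup, escapeJsString, escapeHtml, rowMarkup.
// Assumption: each row calls the pop-up from an inline onmouseover handler.

// Encode text for use inside a quoted JavaScript string literal.
// Everything except letters, digits and spaces becomes \uXXXX, so quotes,
// newlines, backslashes, <, > and & cannot end the string or the attribute.
function escapeJsString(text) {
  return String(text).replace(/[^A-Za-z0-9 ]/g, function (ch) {
    return '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0');
  });
}

// Encode text for use as HTML element content or a quoted attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, function (ch) { return map[ch]; });
}

// Build one table cell: truncated text is visible, the full text goes to the pop-up.
function rowMarkup(description, maxLen) {
  const shortText = description.length > maxLen
    ? description.slice(0, maxLen) + '...'
    : description;
  return '<td onmouseover="showPopup(\'' + escapeJsString(description) + '\')">' +
         escapeHtml(shortText) + '</td>';
}

// Constructed sample record: quotes, an ampersand, markup and a line break.
const sample = 'Pump #3 "north" & it\'s <b>leaking</b>\nsee log';
console.log(rowMarkup(sample, 20));
```

Encoding at output leaves the stored record unchanged, so the full description, punctuation included, still reaches the pop-up.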
And we'll close with this from Brian C (unofficial editor and corrector of errant apostrophes). He responded to the "Lone Ranger" reference from yesterday:
I know that one. How about Beethoven's favorite fruit? Or what happens when the Pink Panther steps on an ant?
I'm open for suggestions...it's too late to think about this now.
I spent some time today getting RedHat 9 to work in a vmWare partition. The install went OK, using the original disks ... the same ones that I had problems with last week. The installation was fairly easy, it has about the same level of questions as a Windows install.
I installed the Gnome desktop, and played around with it a bit. Then I tried to get an Internet connection, and that didn't work. The system didn't recognize the network card. After a bit of poking around, I found the solution on the vmWare site. It involved adding a few lines to a couple of configuration files. Once that was done, the network connection was active. By then, I had run out of time to play with it, so will go back to it tomorrow. Some more exploring of RedHat is needed.
I was using Bindview again to find inactive users on the network. The current policy is that if a user hasn't logged on in three months, they are eligible for removal from the network. It was a simple process to modify a Bindview report to get the list of inactive users. I exported the list to a spreadsheet, and sent it out to the various network admins in charge of those users.
But I quickly noticed (via a complaint) that some of the entries on the list had actually logged in lately. It turns out that not all user 'containers' are set up for auditing (which they are supposed to be), so the user login date/time was not being stored. It looks like I need to check out a bunch of security settings on the Netware side of the network, as I continue work on the security settings for the Windows side.
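An added example, not a Bindview report or its export format: the failure described above comes from treating a missing login date as "never logged in". The sketch applies the three-month policy to a constructed CSV with assumed columns (`user`, `container`, `lastLogin`) and keeps accounts with no recorded date in a separate "unverified" list, along with the containers whose audit settings need checking.

```javascript
// Added example. The CSV columns (user, container, lastLogin) are assumed,
// not Bindview's actual export format. Sample rows are constructed.
const EXPORT = [
  'user,container,lastLogin',
  'asmith,ou=sales,2004-05-20',
  'bjones,ou=sales,2004-02-01',
  'cwu,ou=plant,',
  'dlee,ou=plant,',
  'egray,ou=office,2003-11-15'
].join('\n');

// Policy from the text: no logon in three months makes a user eligible for removal.
function cutoffDate(today, months) {
  const d = new Date(today.getTime());
  d.setUTCMonth(d.getUTCMonth() - months);
  return d;
}

// Classify each account. A missing login date is "unverified", never "inactive":
// it means the date was not recorded, not that the user stayed away.
function classify(csv, today) {
  const cutoff = cutoffDate(today, 3);
  const result = { active: [], inactive: [], unverified: [], containersToAudit: [] };
  csv.trim().split('\n').slice(1).forEach(function (line) {
    const [user, container, lastLogin] = line.split(',').map(s => s.trim());
    const when = lastLogin ? new Date(lastLogin + 'T00:00:00Z') : null;
    if (!when || isNaN(when.getTime())) {
      result.unverified.push(user);
      if (!result.containersToAudit.includes(container)) {
        result.containersToAudit.push(container);
      }
    } else if (when < cutoff) {
      result.inactive.push(user);
    } else {
      result.active.push(user);
    }
  });
  return result;
}

// Constructed reference date for the sample run.
const report = classify(EXPORT, new Date('2004-06-08T00:00:00Z'));
console.log(report);
```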
Jerry Pournelle's BYTE column (you have to subscribe to Byte to read it) talks about using a portable router whenever he travels. When he's on the road, he connects to the 'net via the hotel connections, which are quite insecure. So he got a D-Link DI-624 Router, got it configured securely (with a bit of help, although the 'wizard' works well to do that), then brought it with him on his last trip. In the hotel room, he used that with his connection to the hotel's network. The result was a pretty secure connection.
You should learn from his experience. Even dial-up connections are now vulnerable to the latest fast-moving/acting worms (like "Sasser"). A properly configured router (and they are under $75) will protect your home computer. Add a firewall (WinXP firewall at a minimum, ZoneAlarm is also good), keep updated with Windows Update (new ones out today; mostly DirectX problems), and anti-virus updates, and you will be well protected.
He also talks about installing the Release Candidate of WinXP SP2. He says that it is pretty stable, and recommends it. The security settings that are installed are worth the update.
Watched "Always", the movie about the forest fire-fighting pilots, with Richard Dreyfuss. Good movie, nice story, good forest fire effects. Sort of a chick flick, but enough action and humor to keep us guys happy.
Yep, he's back....just like a bad penny.
But I was busy. Working on a lot of security audits, writing some policies, playing around with various Linux systems (but not enough).
I noticed that there is some sort of class action suit against McAfee that has been settled. Evidently, there was a lawsuit against McAfee holding that owners of VirusScan versions 3 and 4 had a provision in the software license for perpetual free upgrades. McAfee apparently changed the terms to remove the perpetual license, resulting in the lawsuit.
The lawsuit was given class action status, and the parties have agreed to a settlement that will allow all owners of those versions to get a free download of the perpetual license version of McAfee VirusScan version 8, or AntiSpyware version 10 or QuickClean version 4.01.
All the details are on this page: http://software.mcafee.com/lcas/ , including the legal stuff and the "coupon" that must be completed. Users have until July 16, 2004 to fill out the coupon and download the free software. The form only asks for your shipping info and email address; no credit card info is required.
So, if you or your readers had purchased those versions of the software, get your free software soon by going to the above page, fill out the form, and download the software.
Of course, the lawyers get $227K in legal fees; the original plaintiffs get $5K each. And I haven't seen much publicity on this on other sources, but the docs on the McAfee site look legit (I'm not a lawyer...).
... more later ...
Entire Site Contents Copyright (c) 2000-2004 Two Bridges Group, All Rights Reserved