Retro-vulnerabilities: Remember to do your Windows updates, because one cracker in the latest Patch Tuesday is a modern version of an old classic, the Ping of Death. MS13-065 notes that pretty much all versions of Windows are affected by a denial of service when hit by a specially crafted ICMPv6 packet. Some folks are suggesting disabling IPv6 if it isn’t in use, to reduce exposure to this kind of flaw. Details of the three critical fixes and other patches are in the Microsoft monthly advisory.
Cloud Fuel: Mirantis just updated their Fuel deployment tool for OpenStack. Fuel 3.1 now has both its web-based UI and command-line tools in one package, works with Red Hat’s OpenStack Platform and is able to run a health check on deployments. The Red Hat support was expected, what with Red Hat investing in Mirantis.
Yes, but no. GoDaddy didn’t swap Apache Web Server out for IIS resulting in the 5% drop observed by Netcraft and reported as a blow for the Apache Web Server elsewhere. As Netcraft say, the switch was from Apache Traffic Server (ATS), acting as a proxy, over to proxying with Microsoft IIS 7.5. When GoDaddy turned the Apache Traffic Server proxy on in May, after apparently testing it with content delivery networks in the previous months, 28.3 million sites appeared to be using ATS, numbers that were added to the Apache total, despite it not being Apache Web Server. This also made GoDaddy the operator of 99% of the ATS served sites out there. GoDaddy have yet to comment on why they switched to IIS 7.5.
The Apache Web Server numbers do appear to be trending down, but in 2009 it was at the same 47% share in raw hostname counting before rocketing back up. The raw hostname count and share is an interesting figure, but it’s counting a lot of dead-ended sites managed by registration companies like GoDaddy and other services which use a proxy server to front-end millions of sites behind them. This is why the graph flip-flops around like it does; one change in configuration at a major user of their proxy and boom, there’s a couple of million hosts that just changed server. So deriving a proxy market share while counting these proxies is going to have a margin of error of “oodles”.
Back over in the working world, though, Apache still holds 54% of active sites in the survey (number 2 is Microsoft with 15%) and a 57% share in the top million (number 2 there is nginx at 15%). These numbers are better indicators, as they exclude the dead zones of the web, but they still count proxies. When reading these numbers, keep that in mind.
Google has announced that it has passed the $2 million mark in the total amount of security rewards it has paid out. That’s a million for its Chrome/Chromium/Pwnium bug hunt and a million for its lower-profile web application security programme. The former programme has, predominantly, been the headline grabber, with headlines galore when the various cracking competitions kick off, but it’s the money paid out to the web application security programme which is more interesting, as it demonstrates that a web surface is a rich seam of vulnerabilities waiting to be mined.
That should provide a wake-up call for web application developers outside Google – if Google’s seams are that rich, how many vulnerabilities do you have in your own code? Don’t panic over it though; start engineering in better processes to check and test, and think about rewarding responsibly disclosed vulnerabilities yourself, if you can afford it. In the comments, Google’s Eric Grosse says that $2M is “very reasonable compared to the security value received” but does note that anyone planning reward programmes will need a well-staffed internal security team to triage and act. He also suggests that top reporters on such programmes would make top candidates for such a team.
But also remember that, just because these programmes exist, like a gun amnesty only some of the guns get handed in. There are companies who will happily stockpile vulnerabilities for sale to government agencies, for example, and for the really good holes they do pay well. That Google are upping their rewards again, by up to 5 times for Chrome/Chromium bugs, vividly indicates there is a market at work.
SDL 2.0: Version 2.0 of SDL (Simple DirectMedia Layer), the widely used, zlib-licensed library for driving graphics, audio and input on Windows, Mac OS X, Linux, iOS and Android, has just been announced. New features, and there are a lot, include 3D hardware acceleration, support for OpenGL 3.0 and OpenGL ES, and support for multiple windows, displays and audio devices. The Migration Guide has all the details. You can get the source and binaries from the download page and find all the other documentation on the wiki.
Perl update: Perl 5.18.1 has been released by the developers just two months after the release of 5.18 in May of this year. The developers have December pencilled in for 5.18.2 and are aiming for May 2014 as the arrival date for Perl 5.20.0.
PingFS: Described as “like holding up the clouds by swatting the rain back up”, PingFS is a strange project which uses Linux and Python to create a filesystem which is transmitted over the network in the form of ping packet payloads which are bounced back and forth, and so the data isn’t actually stored anywhere.
Been waiting for a Firefox OS phone to land in the UK or US? ZTE have announced that they will be eBaying the ZTE Open Firefox OS phone in both territories through their existing UK and US eBay stores. They have even been running auctions for pre-order collectible versions of the phone – you still have 3 days to bid on the UK pre-order auction but it’s already up to £73 (the list price in the UK will be £59.99).
So, what’s the ZTE Open got? Well, the product page shows a 3.4″ HVGA display with one- and two-point touch, 2G, 3G, Bluetooth and Wi-Fi, GPS/AGPS and an MSM7225A Qualcomm chipset – Wikipedia lists that as an up-to-800 MHz Cortex-A5 core with an Adreno 200 GPU. This is the kind of low-end device that Firefox OS was initially targeted at and, if you are a developer, it’s probably the cheapest way to get yourself a Firefox OS phone, especially now that the Geeksphone devices are either pre-order for a €149 Peak+ or the discontinued (and €91) Keon.
And when it comes to the crunch, there is nothing like running your app on an actual device, no matter how good the emulators.
Not Telling Tails: If you need to cover your tracks on the internet and locally, then Tails (The Amnesic Incognito Live System) will help, as it’s a Debian GNU/Linux distribution with built-in Tor support and other privacy tools which doesn’t even leave local logs. The latest version is 0.20 and details can be found in the Tails 0.20 announcement.
Vim scrubs up: Vim 7.4 was released last week. Highlights are a new, faster regexp engine, a thousand fixes and small improvements, according to the announcement on the developer mailing list, which also contains links to the various versions and a reminder to contribute to ICCF Holland to help children in South Uganda if you like Vim.
Wi-Fi SD Hacked: Want to dig into a Wi-Fi SD card? This blog posting shows how to get into the embedded Linux system on the card, all the way to a remote shell. There’s a lot you can pack into an SD card.
Random numbers are hard to get right, and it appears that faith in the word “Secure” in front of the word “Random” has tripped up developers again, this time with Bitcoin wallets on Android. Those developers have now been alerted to the fact that the random number they generate when signing Bitcoin transactions isn’t of high enough quality, which makes the signing a lot easier to crack.
These Android apps have been using the Java SecureRandom class as implemented on Android, which in turn took its code from the Apache Harmony project. As shown back in March by Chris Meyer and associates at the RSA Conference 2013, the Apache Harmony SecureRandom implementation is actually not very random at all. The less entropy there is seeding the random number generator, the more likely it is to generate the same random numbers, and the more likely someone can brute-force, in a reasonable time, crypto that uses those random numbers. With the Android implementation, most cases have entropy down at 64 bits and in the worst case it goes as low as 31 bits.
But this problem does not apply to other implementations of Java’s SecureRandom: OpenJDK’s version shows “no obvious weaknesses” while GNU Classpath’s version is fine under normal load but does have some issues on heavily loaded systems. Even then, Meyer’s advice is to never use a PRNG (Pseudo Random Number Generator) in critical environments and rely on hardware entropy collectors and random number generators.
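The relationship between seed entropy and repeated outputs is easy to see in numbers. The following is an added example (not code from the article, from Android, or from Apache Harmony): it models a PRNG whose nonce is a pure function of its seed, so two signing sessions that start from the same low-entropy seed emit the same nonce, and it applies the birthday bound to the 31- and 64-bit cases the article cites. It also includes the check a wallet operator or auditor can run over their own signatures: since the r component of an ECDSA signature is determined by the nonce k, a repeated r under the same key means the nonce repeated and that key should be treated as compromised and rotated. The `nonce_from_seed` model, the `wallet-A`/`wallet-B` key ids and all the signature values are constructed for illustration.

```python
import hashlib
import math
import random
from collections import Counter

NONCE_BITS = 256  # size of an ECDSA signing nonce on secp256k1 (Bitcoin)


def nonce_from_seed(seed: int) -> int:
    """Hypothetical model of a deterministic PRNG: the nonce it emits is a pure
    function of its seed, so two sessions seeded identically emit identical
    nonces. This is a stand-in for the idea, not the Apache Harmony code."""
    digest = hashlib.sha256(seed.to_bytes(32, "big")).digest()
    return int.from_bytes(digest, "big")


def simulate_sessions(entropy_bits: int, n_sessions: int, sim_seed: int = 1) -> int:
    """Start n_sessions, each seeding the PRNG with only entropy_bits of real
    entropy, and return how many *distinct* 256-bit nonces they produce.
    With few entropy bits, distinct nonces are capped at 2**entropy_bits no
    matter how wide the output is."""
    rng = random.Random(sim_seed)  # deterministic driver for the simulation itself
    seen = set()
    for _ in range(n_sessions):
        seed = rng.getrandbits(entropy_bits)
        seen.add(nonce_from_seed(seed))
    return len(seen)


def birthday_collision_probability(entropy_bits: int, n_sessions: int) -> float:
    """Approximate probability that at least two of n_sessions share a seed
    (and hence a nonce): 1 - exp(-n^2 / 2^(b+1)), the birthday bound."""
    return 1.0 - math.exp(-(n_sessions ** 2) / 2.0 ** (entropy_bits + 1))


def find_repeated_r(signatures):
    """Defensive check over a set of ECDSA signatures given as (key_id, r, s).
    r is the x-coordinate of k*G, so a repeated r under one key means the
    nonce k repeated for that key. Returns {key_id: [repeated r values]} for
    every key that shows at least one repeat."""
    per_key = {}
    for key_id, r, _s in signatures:
        per_key.setdefault(key_id, Counter())[r] += 1
    return {
        key_id: sorted(r for r, count in counts.items() if count > 1)
        for key_id, counts in per_key.items()
        if any(count > 1 for count in counts.values())
    }


# Constructed sample signatures: small made-up integers, not real r/s values.
SAMPLE_SIGNATURES = [
    ("wallet-A", 0x1A2B, 0x3C4D),
    ("wallet-A", 0x9F8E, 0x7D6C),
    ("wallet-A", 0x1A2B, 0x5B6A),  # same r as the first signature: nonce reuse
    ("wallet-B", 0x2222, 0x3333),
    ("wallet-B", 0x4444, 0x5555),
]

if __name__ == "__main__":
    sessions = 2 ** 16
    for bits in (31, 64, 128):
        print(f"{bits:3d}-bit seed, {sessions} sessions: P(collision) ~ "
              f"{birthday_collision_probability(bits, sessions):.6f}")
    print("distinct nonces, 1000 sessions, 8-bit seeds:  ", simulate_sessions(8, 1000))
    print("distinct nonces, 1000 sessions, 256-bit seeds:", simulate_sessions(256, 1000))
    print("keys with a repeated r:", find_repeated_r(SAMPLE_SIGNATURES))
```

With a 31-bit seed the birthday bound puts a nonce collision at roughly one in four after about 32,000 signing sessions, which is why the output width of 256 bits gives no comfort on its own; at 128 bits of seed entropy the same figure is indistinguishable from zero. The `find_repeated_r` check is the after-the-fact signal: it tells you which keys were signed with a repeated nonce and so need to be retired, whereas the fix itself is the one the article relays from Meyer, a properly seeded generator backed by hardware entropy.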