Archive for December, 2003

Microsoft® Windows® 2000 Internet Protocol Security (IPSec) Review

Monday, December 15th, 2003

This white paper contains the results of a security review conducted by Network Associates, Inc. Labs on Microsoft’s implementation of Internet Protocol Security (IPSec) in Windows 2000.

[via Microsoft Download Center]

Open Source and Linux for seniors

Friday, December 12th, 2003

Dec. 12, 2003

Bill Kendrick of the Linux Users’ Group of Davis, California, was invited to speak at a nearby PC users group this week — the Mission Oaks Computer Club, which is composed mostly of seniors, and focuses on PC basics as a ‘life skill.’

Mr. Kendrick’s presentation, composed with OpenOffice.org Impress presentation software, is now available online (also in PDF format). The talk covers what Open Source and Linux are, why people would want to use them, some dramatic reasons to be concerned about proprietary software, and describes some popular Open Source software which has been made available for Windows, including OpenOffice.org, Mozilla and The Gimp.

View the presentation

[Begin Brian’s Comment]
This one is of special interest to me since my Father has worked for AARP for the last 20+ years. Hmm, I wonder if I can help to get AARP to take a look at Linux and Open Source.
[End Brian’s Comment]

[via DesktopLinux]

Have I mentioned that web services are starting to scare me!!

Friday, December 12th, 2003

DoS Web Service with a Single Packet

Just saw on Bugtraq that you can send a specially crafted SOAP packet that has a modified DTD in it to a Web Service and the XML parser will cause the CPU load to remain at 100% for as long as the process keeps running. Another effect is that memory (hundreds of megabytes) could not be freed, even after the CPU came down from the high load. In some cases, the parser returns an out of memory error after some time.


Nothing like a single packet to DoS your machine. *sigh*


There is a fix for it. Microsoft has released an update to the .NET Framework that fixes this. It is documented in KnowledgeBase article 826231, but this article isn’t actually online yet.


[via SilverStr’s ramblings at the Sanctuary ]

Brian’s Comments: Due to the nature of my work, web services are going to remain a prevalent part of my work. In addition, we are currently looking into Layer 7 web application firewalls. While they do an excellent job of protecting us from malicious web hackers, no one currently is protecting or has any idea how to protect web services. Scary proposition considering the news above.

MS Security newsletter

Friday, December 12th, 2003

It seems Microsoft published its first Security Newsletter today.
And you know what, it’s an online newsletter actually worth reading. (I can’t believe I am saying that… I hate online newsletters that do nothing but self-promote themselves and have no useful information)
Happy reading.

[via SilverStr’s ramblings at the Sanctuary ]

Tivo and HMO

Friday, December 12th, 2003

So I haven’t talked much about my love of Tivo but I was browsing O’Reilly’s Hacks and came across this new Open Source HMO project called JavaHMO. Now putting together my love of Tivo and my love of open source software is just enough justification for me to spend the $99 for Tivo’s Home Media Option. Why didn’t I buy it while it was on sale? ARGH… JavaHMO looks like it has some great features.

[via O’Reilly’s Hacks]

Car Computer?

Thursday, December 11th, 2003

So my buddy Jermy who is a bigger geek than I am has decided to try and put a PC in his car. Here is where he got the idea. It looks really cool and I love that it is all open source. I am going to wait to see how he does before trying it out.

The Toolbar to replace all Toolbars

Wednesday, December 10th, 2003

So I finally got around to installing the Toolbar I had mentioned way back when and I can’t believe I waited. While it is extremely complex the power it brings is exponential. It is definitely one of my favorite tools. So without further ado here is The Best Toolbar in the World.

Low-Budget TiVo Substitute

Wednesday, December 10th, 2003

Slashdot has a bunch of comments from folks who have built their own digital video recorders. Some of the software that has been used and recommended includes:
- Freevo
- MythTV
- KnoppMyth
- XMLTV
If you have built your own DVR with open source software, we’d love to hear more about it. It’s clear that this is still the domain of pretty determined folks, but it is impressive to see the growth in this area.


Slashdot | Building A Low-Budget TiVo Substitute?


[via PVRblog]

Publishing apps via Terminal Services

Wednesday, December 10th, 2003

Seamless applications with terminal services / RDP

AppliDis seamless client publisher is a program from Infostance which enables you to publish seamless applications using only RDP from MS terminal services. This feature was normally reserved for users of Citrix MetaFrame and the ICA protocol. Now Infostance gives this much used feature away for free for a maximum of 5 connections for RDP users.

AppliDis must be installed on a server with Windows 2000 or Windows 2003 with terminal services enabled in either application or administration mode. The latter will, of course, limit you to the default maximum of 2 RDP connections to that server, but doesn’t need the expensive Client Access Licenses from Microsoft.

The clients can run on anything from Windows 95 to Windows XP. Interesting is that Infostance claims you don’t have to have the RDP client installed on the client workstations.

I installed AppliDis on a Windows 2000 server with terminal services in administration mode for evaluation purposes.

After installation it becomes clear this product really needs the Microsoft msrdp.ocx v5.2 in order to generate the right client startup software. So get it from Microsoft if you want to try out AppliDis. You need the Remote Desktop Web Connection 5.2.3790 package from the Microsoft download area and then extract the msrdp.ocx from the included .cab file.

Continue review (with screenshots) at source

Download

Here is Thincomputing.net’s Forum on this app.

[via Bink.nu RSS]

802.11 goodness

Wednesday, December 10th, 2003

I have been wanting to play more with 802.11 for a while. I just came across this Slashdot Article and it has inspired me. I am not looking to go for a world record or anything but I would like to offer friends and neighbors internet access that would be both secure and fast. Here is a site that sells tools which would help my quest. Before I do anything like this I would need to get a faster line into my apt.

Maybe DNA based security doesn’t sound so Bad

Tuesday, December 9th, 2003

Password cracking using TeraFLOP and PetaByte Resources

Now here is an interesting paper on Teracrack. Basically they have examined the use of applying High-Performance Computing (HPC) resources such as parallel supercomputers to pre-compute and store crypt() based passwords that would be found using bruteforce cracking tools.


I love some of the findings:

Using the Blue Horizon supercomputer at the San Diego Supercomputer Center, we found that pre-computing the 207 Billion hashes for over 50 million passwords can be done in about 80 minutes. Further, this result shows that for about $10K anyone should be able to do the same in a few months time, using one uni-processor machine.


Now for all you beowulf cluster fans… here is another project for ya. :)


[via SilverStr’s ramblings at the Sanctuary ]

Quad Opteron Server Review

Tuesday, December 9th, 2003

Quad Opteron Server Review 8 Dec 2003: Ace’s Hardware has published an in-depth server review featuring a 4-way Opteron 848 server, 2-way Opteron 248, and 2-way 3.06 GHz Pentium 4 Xeon DP (1 MB L3). The benchmarks include a number of real-world Java application server benchmarks, Apache HTTP benchmarking, MySQL datamining, and more. The effect of NUMA-aware optimizations on scalability is also considered, as well as the performance differences associated with 64-bit (AMD64) binaries over legacy x86 binaries.

[via RootPrompt.org — Nothing but Unix]

Windows 2003 Security Guide

Monday, December 8th, 2003

This document meets the NSA’s Guidelines.

From the NSA “As part of a change in our development strategy for security guidance, the National Security Agency does not intend to publish a separate security guide for Windows Server 2003 beyond what was produced as a cooperative effort between the vendor and the security community. The “High” security settings in Microsoft’s “Windows Server 2003 Security Guide” track closely with the security level historically represented in the NSA guidelines. It is our belief that this guide establishes the latest best practices for securing the product and recommend that traditional customers of our security recommendations use the Microsoft guide when securing Windows Server 2003.”

Also available are the following documents.

* Windows XP guides
* Windows 2000 guides
* Windows Server 2003 Security Guide
* Windows NT guides
* E-mail and Executable Content Guides

Via NSA

Personal Firewalls

Monday, December 8th, 2003

Infocus: Home User Security: Personal Firewalls This article discusses personal firewall alternatives, including freeware firewalls, firewalls included with current Microsoft and Apple OSes, and various commercial offerings of interest to the home user.

[via SecurityFocus News]

VIA Drivers for my MoBo

Sunday, December 7th, 2003

Looks like VIA have updated the 4in1 drivers, again.

VIA Hyperion drivers are suitable for any VIA chipset and all Microsoft Windows Operating Systems (Win95/98/98SE users, see **Note below). If you are looking for VIA 4in1 drivers, these are the drivers you are looking for. The “Hyperion” name was added to the 4in1 driver set name in December 2002. Users with hybrid chipsets (with a VIA southbridge and AMD northbridge for example) should obtain drivers from their motherboard manufacturer.

View: Installation Guide
Download: VIA Hyperion 4in1 v4.51

[via NTFS.org]

nTop

Friday, December 5th, 2003

nTop is a good Open Source network probe to track network usage

Various Security news

Friday, December 5th, 2003

Security fears push users to open source: Security concerns are prompting chief information officers (CIOs) to consider moving from Microsoft to open source on the desktop, according to a report from investment h…

[via SecurityFocus News]

Debian’s Response: Debian’s response to the recent compromise of four debian.org machines was quick, open and honest, and they also engaged other Linux vendors. Companies and organizations, as well as other OS vendors, should take note.

[via SecurityFocus News]

Time is Right for Database Encryption: Are data-privacy regulations and dreams about stolen employee data keeping you up at night? It may be time to protect your data where it lives–in your database.

[via SecurityFocus News]

A little bit of Active Directory

Friday, December 5th, 2003

Best Practice Guide for Securing Active Directory Installations and Day-to-Day Operations: Part I and Part II

Active Directory Performance Testing Tool

Best Practice Guide for Securing Windows 2003 Active Directory Installations

Cron on Windows

Monday, December 1st, 2003

Ever wish that task scheduler for Windows was more like cron?

ADIOS CD Linux

Monday, December 1st, 2003

Hola, ADIOS boot CD

[via NewsForge]