Posts by Merton Campbell Crockett

17 publicly visible posts • joined 21 Jun 2007

Apple Safari, Mail and more hit by SSL spying bug on OS X, fix 'soon'

Merton Campbell Crockett

Using Safari 7.0.1 running on OSX 10.9.1, I am unable to access "https://gotofail.com". Safari reports that it is unable to establish a secure connection to the web site.

I can use Firefox 27.0.1 running under OSX 10.9.1 to access the site. The problem is with the X.509 Server Certificate being used. The Common Name (CN) in the certificate identifies that the certificate is only valid for a host named "gotofail.com"; however, a DNS query for 184.173.139.237 returns the host name as "ec2-184-73-139-237.compute-1.amazonaws.com".

Clearly, the host names are different and the X.509 Server Certificate is not valid for the host to which the connection is established.

I've found similar problems with web sites using improperly constructed wildcard names as the CN. The CN, *.familysearch.org, is used in a server certificate for a host named "familysearch.org". The certificate is only valid for any host in the familysearch.org domain. It is not valid for the domain name. It would have worked had the PTR record returned a name of "www.familysearch.org".

If you can establish a secure Safari connection to "https://gofail.com", your system is misconfigured.
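The post above turns on how a browser decides whether a certificate's name covers a host, in particular why `*.familysearch.org` covers `www.familysearch.org` but not `familysearch.org`. The following is an added example, not code from the post or from Apple or Mozilla; it implements the name-matching rules browsers apply (case-insensitive exact match, or one leading `*.` label matching exactly one DNS label), taking the host name the client requested and the list of names found in the certificate (Subject Alternative Name entries, with the CN as the legacy fallback). The helper and function names are the example's own.

```python
"""Certificate name matching in the style of RFC 6125 (added example)."""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if the certificate name `pattern` covers `hostname`.

    Rules implemented:
      * comparison is case-insensitive and ignores a trailing dot;
      * without a wildcard, the names must be identical;
      * a wildcard must be the entire leftmost label ("*.example.org"),
        it matches exactly one label, and it must be followed by at least
        two literal labels so that "*.com"-style names are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*":  # partial-label wildcards such as "w*.example.org" are not honoured
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) < 3:  # "*.org" or bare "*" would be far too broad
        return False
    # The wildcard stands in for exactly one label, so "*.familysearch.org"
    # covers "www.familysearch.org" but neither "familysearch.org" nor
    # "a.b.familysearch.org".
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_covers(cert_names, requested_host: str) -> bool:
    """True if any name presented in the certificate matches the host the
    client asked for. `cert_names` is the list of dNSName SAN entries, or
    [CN] for a certificate that carries no SAN extension."""
    return any(hostname_matches(name, requested_host) for name in cert_names)


if __name__ == "__main__":
    # Names taken from the discussion above; results are what a browser would decide.
    print(certificate_covers(["*.familysearch.org"], "www.familysearch.org"))  # True
    print(certificate_covers(["*.familysearch.org"], "familysearch.org"))      # False
    print(certificate_covers(["gotofail.com"], "gotofail.com"))                # True
```

A certificate that must cover both the bare domain and its hosts needs two SAN entries, `familysearch.org` and `*.familysearch.org`; the wildcard alone never covers the parent name.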

Germans brew up a right Sh*tstorm

Merton Campbell Crockett

Schadenfreude over the Shitstorm

The English language inherited "Scheiße" from all the Germans flocking to northern England and southern Scotland and we are returning it in an anglicized form. Seems fair to me!

Asus goes wide with Bang & Olufsen laptop

Merton Campbell Crockett

Touch pad?

Bang & Olufsen laptop with a touch pad? I would have thought that you would just wave your hand over it like their old stereo systems.

IT admins: we don't need no stinkin' servers

Merton Campbell Crockett

Spirit in the Sky

I'm an Old Fart who has spent 35 years working with DoD and MoD.

Her Majesty might be a pretty nice girl but she, definitely, doesn't want me placing any of her data in the clouds to be managed by the Spirit in the Sky. Hell, she won't allow me to allow access to the servers to server admins employed by our IT subcontractor that, also, provides IT services to our UK subsidiary.

Paranoia runs rampant in governments. Companies aren't much different.

Who is going to use this "Cloud Computing"? Given the recently reported vulnerabilities of Google, Yahoo!, Facebook, Rackspace, etc., why would anyone consider moving their government and corporate data to an organization offering software as a service?

If your business is to survive, why would you trust your data to someone whose only motivation is money and growth?

Brits decline to 'think outside the box'

Merton Campbell Crockett

Thinking Outside the Box?

I do all my thinking outside the box!

When I'm inside the box, I can guarantee that there is not much thinking going on. The medulla oblongata and hypothalamus are in charge. The cerebellum is inactive.

Apple DNS patch doesn't patch Mac clients

Merton Campbell Crockett

"Huh?" is Right!

We will learn more next week when Dan Kaminsky presents his paper at Black Hat; however, we do know that the cache poisoning vulnerability is based on being able to predict the source port that will be used for a recursive query and what will be asked in the query.

For an end-user system, the risk of cache poisoning is mitigated by the fact that its resolver does not perform recursion. If it can't answer a query from the resolver's cache, it sends a request with the recursion desired flag set to a name server that performs recursive queries on its behalf.

Basically, "Joe Hacker" has to guess what your next query is going to be and the port that will be used for that query.

If the resolver routines on the end-user system use a pre-allocated port for its queries, "Joe Hacker" only needs to guess when you will send the query that he wants to poison.

On Mac OS X, lookupd functions as the resolver. It does not pre-allocate ports. It requests a dynamically assigned ephemeral port from the operating system for each DNS query. Mac OS X uses the classic BSD round-robin approach to port allocation.

While the BSD algorithm for port assignment is predictable, "Joe Hacker" now needs to guess when the next DNS request is going to occur, the TTL returned on the previous query, and how busy the system is to determine the port that will be used.

To gather this information, "Joe Hacker" needs to compromise a system between the name server and the end-user system. If he is able to do that, then it doesn't matter what changes, if any, were made to the name resolution routines.

The nCircle research reported by Dan Goodin is pure shite.

Merton Campbell Crockett

Re: yet another Strange Unsubstantiated Observation

Anonymous Coward, my apologies, I should have said 25 years or, perhaps, a quarter of a century.

BIND was included in the 1983 Berkeley Software Distribution of Unix for the DARPA community. It wasn't quite ready for prime time. The ARPANET was scheduled to switch from host tables to the Domain Name System in 1984.

RFC 881, 882, and 883 defined the Domain Name System and its deployment schedule. They were published in 1983 and based on operational code as was the IETF practice at the time.

Ahh, the good old days before the riff-raff were allowed to connect. Wasn't a lot of spam when your high speed links were 19.2 Kb/s.

Merton Campbell Crockett

Strange Unsubstantiated Observation

Whether one would or would not run BIND on a system running Mac OS X depends on how you use your system. I use mine as a workstation and a server for my network.

There's little need to install Mac OS X Server on the system unless you are using Open Directory or are uncomfortable with a BSD Unix environment. After using BIND for 30 years, I'm reasonably comfortable configuring and using BIND.

BIND 9.4.2-P1 distributed in Security Update 2008-005 is the standard version distributed by the Internet Systems Consortium. The randomness of ports used in DNS queries is similar to that of any other system upgraded to BIND 9.4.2-P1.

I don't recall anyone other than Microsoft issuing a patch for their DNS resolver routines but I suspect that Microsoft couldn't change its DNS Service without changing their DNS resolver routines. Sun certainly didn't. They didn't even change the BIND version in the source or binaries.

I'm not sure what these researchers were testing. Besides, if your service provider hasn't upgraded his name server, it doesn't make any difference whether or not your DNS resolver routines have been patched. Your resolver cache will be poisoned regardless of how random the ports used for your DNS queries are.
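Two of the posts above (the one on lookupd's round-robin port allocation and the one on the randomness of ports after BIND 9.4.2-P1) turn on the same question: do the UDP source ports a resolver uses for successive queries look fixed, sequential, or random? The block below is an added example, not code from the poster, Apple, nCircle or ISC. It assumes you have a list of source ports taken from a packet capture of your own resolver's outbound queries; the three sample sequences are constructed, and all function names are the example's own. It classifies the allocation pattern, measures the empirical entropy of the sample, and reports how many bits of entropy a forger would have to overcome once the 16-bit transaction ID is combined with the port.

```python
"""Checking whether a resolver's DNS source ports look predictable (added example)."""
import math
from collections import Counter

# Constructed samples: the kind of sequence a capture of 20 successive queries might show.
FIXED_PORTS = [53] * 20                      # pre-allocated port: no port entropy at all
SEQUENTIAL_PORTS = list(range(49152, 49172))  # BSD-style round-robin allocation
RANDOM_PORTS = [51342, 60017, 49801, 55123, 63290, 52077, 58410, 50996, 61555, 54318,
                59872, 50231, 62104, 56409, 53788, 64001, 57265, 49620, 60933, 55807]


def sequential_fraction(ports):
    """Fraction of consecutive port pairs that differ by exactly +1.
    Close to 1.0 for round-robin allocation, close to 0.0 for random ports."""
    if len(ports) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1)
    return steps / (len(ports) - 1)


def port_entropy_bits(ports):
    """Empirical Shannon entropy of the observed port values, in bits.
    A single repeated port gives 0; a sample with no repeats gives log2(len(ports)),
    which is the most a sample of that size can show."""
    n = len(ports)
    counts = Counter(ports)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_resolver(ports):
    """Label the allocation pattern: 'fixed', 'sequential' or 'randomized'."""
    if len(set(ports)) == 1:
        return "fixed"
    if sequential_fraction(ports) >= 0.9:
        return "sequential"
    return "randomized"


def effective_entropy_bits(distinct_ports, txid_bits=16):
    """Bits a forged response must match: the transaction ID plus log2 of the
    number of ports the forger cannot rule out (1 when the port is known exactly,
    65536 for a full 16-bit random port)."""
    return txid_bits + math.log2(distinct_ports)


if __name__ == "__main__":
    for name, sample in (("fixed", FIXED_PORTS), ("sequential", SEQUENTIAL_PORTS),
                         ("random", RANDOM_PORTS)):
        print(name, classify_resolver(sample), round(port_entropy_bits(sample), 2))
    print("known port:", effective_entropy_bits(1), "bits")
    print("random 16-bit port:", effective_entropy_bits(65536), "bits")
```

Run it against a real capture by replacing the constructed lists with the source ports from successive queries; a classification of "fixed" or "sequential" means the transaction ID is the only thing a forger has to guess, which is the condition the posts describe.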

The missing five-minute Linux manual for morons

Merton Campbell Crockett

Who's Enid Blyton?

How many will know of Enid Blyton on the western shores of the pond?

Only some of us will have received Enid Blyton books in our Christmas Care packages from our grandparents in the UK. These were replaced by The Second World War and the History of the English-Speaking Peoples as we got older.

The principal advantage of the latter volumes is that one could understand what William F Buckley was saying on Firing Line without keeping a dictionary at the ready.

Apple forbids Windows users from installing Safari for Windows

Merton Campbell Crockett

Doesn't Bode Well for Vista Class Action Suit

Jonathan Kramer claims: "You can't enforce a term that's impossible."

So, how does this impact the punters that bought piece of crap (pc) systems marked "Vista Capable" and now involved in a class action suit against Microsoft?

Kramer's interpretation implies that Microsoft wins and punters are SOL.

Mac OS X Tiger out, Leopard back in

Merton Campbell Crockett

X11 Installed by Default

Under Mac OS X 10.5, X11 is installed by default as it is required by Terminal.app.

Unfortunately, the shift from the X Org version of X11 to the XFree86 version did cause more than a few problems. These weren't fixed until the release of Mac OS X 10.5.2 and this week's security update. If you are running any Leopard release prior to Mac OS X 10.5.2, you need to upgrade your system.

For those of us that migrated to Mac OS X because it had Unix under the hood, GIMP isn't a problem because there was never a version of Photoshop released for Unix.

NeoOffice or OpenOffice supplies the tools needed to handle documents sent to you by your colleagues with Windows-based systems.

I just got a Mac Pro (2008). I selected VMWare Fusion for my virtual environment as it allowed me to create a Windows XP virtual machine from a running system. This got me around a problem with only having a Windows XP Pro OEM install disk because I had designed my own system. The old system went to the hazardous waste facility last week.

MiYahoo's future rests with open source and courage

Merton Campbell Crockett

Need to standardize references to Microsoft + Yahoo!

I suggest that the standard reference be "Microscroo!" sans quotes. The exclamation point is required to allow El Reg to continue to use its existing headline standard.

"Ballmer! Microscroo! Bash! Google! Again!"

"Microscroo! Tells! EU! Where! To! Go!"

BBC redesigns and 'widgetizes' homepage

Merton Campbell Crockett

BBC Weather: London Five Day Forecast

It seems a bit strange to show only three days of a five day forecast. Perhaps, they should change the title to "The best of the five day forecast".

The weather graphic for "Sunny" appears to be a depiction of a day when the fog hasn't burned off. Other than the bluish tint, it doesn't look that much different from the "Cloudy" graphic.

M C Crockett

Appraisals are dishonest, waste of time

Merton Campbell Crockett

Annual Review: Waste of Time!

To justify their existence, Human Resources develops a new annual review process or a new spin on an old process every few years. Well, it's not really new. They just reword the form and reorder the sections to conform with what is being taught in university today. They seem to spend significantly more time developing a new logo and name for the annual review process.

I suspect that there may be some value in the process during the first five years of employment. I don't know for sure. During the first 25 years working for my company, I was on the road at a customer site when it was time for the annual review. I never saw the form and assume that my supervisor, at the time, filled it in for me.

Now that I've worked for the company for 30 years and don't travel as much, I've had to fill out the forms. They're ridiculous.

Identify what training you need to perform your job. What? Why didn't you make this offer 30 years ago? You're paying me 75 percent more than the average annual salary of others performing the same function because I had to learn what I needed to know while the technology was being developed. And, in some cases, I had to develop the technology because none existed.

Where do you want to be 10 years from now? Retired! However, given the Pension Protection Act of 2006, I may need to retire next year because I'm going to be penalized should I continue to work.

I've been blessed with supervisors that haven't had a clue about what I do or how I do it. They have been looking at the success of their projects and listening to their customers. On more than one occasion, I have received an annual salary increase exceeding 20 percent as a result.

I have won numerous company awards for special projects. In the United States, the Engineering Council has an event similar to the movie industry's Academy Awards. I was nominated by my company for my work in IT Security. Unfortunately, I didn't walk away with that year's "Oscar". That went to a lead engineer on a much "sexier" NASA project.

Although I only received a Merit Award for being a finalist, it did translate into a sizable salary increase. When you get down to it, this is the most important metric of your value to a company.

The point of this diatribe? The annual review process is a waste of time! You are much better off doing the best that you can on every assignment with a touch of creativity and as much elan as you can muster. It translates to the most important metric of all: the interest of the Internal/Inland Revenue Service in your well-being.

Malware license agreement tells it straight

Merton Campbell Crockett

Fixed fee versus Commission

Were Microsoft's lawyers paid a fixed fee, they would have most likely produced a similar EULA but being paid on a commission basis it is, clearly, in their best interest to use as many words as possible to say the same thing.

Amazon.com sells empty Vista boxes for $200?

Merton Campbell Crockett

Truth in Advertising?

I have numerous colleagues that would simply commend Amazon on its "Truth in Advertising" stance.

Operating systems are old and busted

Merton Campbell Crockett

Interactive Application System (IAS) Anyone?

Rosenblum's quest might be answered by porting the RSX-11D, or its successor IAS, operating system to current hardware.

It provided the bare basics. It handled interrupts, hardware or software; scheduled processes; and provided interprocess communications.

All devices were handled by a special class of processes known as device handlers. They were special in the sense that they serviced interrupts in kernel mode but otherwise ran as any other applications but at higher priorities.

Except for the physical aspects of I/O provided by device handlers, file systems, databases, keyboards, displays, etc. were applications called by other applications to perform some function.

RSX-11D was implemented by Digital Equipment Corporation in the Seventies. Carnegie Mellon University re-introduced this approach in the Nineties calling it the Mach kernel. Rosenblum seems to want to re-introduce the same approach calling it ... VMWare?