Gilles Gravier's rants about things in general... security, open source, privacy, java, music... in particular.
Evil maids attacking? Nothing new. Really!
So, I've been reading Bruce Schneier's blog on the Evil Maid Attack. He's falling into one of the behaviors he usually criticizes: just a new Hollywood-style plot name for something not really new, not really changing the world.
The thing is... the assumption is that the attacker has access to your laptop.
Which has always been an issue. Insert a keylogger into your hardware (keyboard cable on a desktop, or a bit more subtle on a laptop, but nothing beyond the capabilities of your typical spooks) and you get the same access to all keystrokes, including those for the passwords to the encrypted disks, Firefox datastores, and pretty much anything else.
So apart from having a fancy name... nothing new.
It's like Java... If you let an attacker change your bytecode loader / verifier... yeah, they break your system. But then again... it's not really running Java anymore at this point.
Same here... if you let an attacker change the behavior of your machine (hardware or software) then you're not really running your machine anymore at this point either.
Sure, multi-factor authentication is the solution. But "Evil Maid Attack" is just a fancy name for something not really new.
Posted at 06:37PM Oct 23, 2009 by gravax in Security | Comments[0]
2020 FLOSS Roadmap version 2009 is out!
So the new version was published and announced about 2 weeks ago, right after the Open World Forum in Paris (quite an impressive event, with a very interesting speech from Mark Shuttleworth). Check out the new (2009 edition) of the 2020 FLOSS Roadmap! Very interesting reading!
Gilles.
Posted at 03:42PM Oct 22, 2009 by gravax in Opensource | Comments[0]
You know you've been using OpenSolaris too much when...
... when you start typing "pfexec" in Linux instead of "sudo" and wondering why it doesn't work.
Time to "alias pfexec sudo" for me.
Posted at 08:25PM Oct 16, 2009 by gravax in Opensource | Comments[2]
Oracle Beehive and IRM
Just out of the session at Oracle Open World on Beehive and IRM. I think these 2 products make a fantastic combination. The capability of sharing extremely sensitive documents between users has been known for a long time. My friends at Cyber-Ark Software have been doing it for quite a few years now.
The issue I have with this Oracle combination is that it is Windows targeted. The IRM client/plugin for the desktop, which provides great functions like preventing copy/paste, printing, and re-saving the documents, only runs on Windows...
In Europe, where many (if not all) of the governments are progressively moving to open source (Linux desktops, OpenOffice.org productivity suite...), this basically locks them out of that market.
Posted at 08:51PM Oct 15, 2009 by gravax in Oracle | Comments[2]
Last day at Oracle Open World
The first session I listened to today was about security coding best practices. It was interesting to learn that Oracle finds 87% of their security bugs internally, 10% through customers finding them, and 3% from external non-customer sources...
I can't help but wonder how many more, and how much faster, they would find, were they to open source the software.
Our history at Sun has shown us that open sourcing our OpenSolaris operating system definitely increased the code quality by helping us find and correct bugs (including security ones) much faster.
Posted at 07:17PM Oct 15, 2009 by gravax in Oracle | Comments[0]
Second day at Oracle Open World - Exhibition floor and public sector
So today's my second day on the conference. So far, it's enlightening.
The exhibition floor opened today. It's huge. It's in Moscone South AND Moscone West. Will the conference still fit in Moscone next year?
On the floor, I saw my friends from Cyber-Ark Software. Pity Udi Mokady, their CEO, wasn't there. It's always a great opportunity for an interesting discussion when we meet. These guys have a great solution for sharing information with extreme security between people / entities.
I also attended a general session on Oracle in Public Sector. I and several other people left in the middle. Comments I heard (and totally share) included "this is useless, it's only focused on North America". Pity for a session that was not labelled as being focused on only the North American market (1/3rd of the world market)... The speaker then detailed the multiple tracks focused on public sector... and they are all US centric. Oh well... I DO know Oracle has a global public sector team. They just don't give that idea here at Oracle Open World.
On a side note, I'm playing with a social networking tool called Aka-Aki... run it on your mobile. It tells you who's around... and you can chat, hook up. You post your status there, it updates Twitter, which updates Facebook, which updates Plaxo... you get the picture. It's very popular in Europe... but for some reason, I seem to be the only user in San Francisco city most of the time. The only user the system has identified in the region is in Fremont... not really walking distance. Pity, as it would have been fun to meet other users. There have to be at least a few geeks at Oracle Open World. Come on, geeks of the bay... Try Aka-Aki! Find me there as "ggravier".
Posted at 12:24AM Oct 13, 2009 by gravax in Oracle | Comments[0]
My first day at Oracle Open World
OK... And officially my first Oracle related post.
So, today was the first day of Oracle Open World. I'm rather impressed!
First, this morning, at the SaaS / Cloud computing session of the partners' track, I learned that Oracle has a new SaaS focused sales model where you pay as you grow. It lets SaaS providers buy licenses (for a limited number of Oracle products) in volumes that grow with their business. They can buy small, when they have small numbers of customers... and then, when they grow their business, they can increase the number of licenses... This is a great step in the right direction, and probably a response to the open source "pay at the point of value" model where you don't pay at all to begin... but only pay for support when what you have becomes mission critical and you need to be sure that it works... Let's see how far Oracle pushes that model... but I like the beginning.
Next, this evening, was the general keynote session. What a blast! It felt like the good old days of Sun Microsystems. The whole keynote was done by Scott McNealy except a small part by Larry Ellison. Scott even did 2 of his top-10 lists. Lots of laughs in the room. Many serious points. Great review of Sun's track record at innovation... and James Gosling even came on stage. Then Larry stepped up and talked about his plans for the future, more investment in Sun's key technologies (SPARC, Solaris, MySQL) and how the combination Sun + Oracle is a fantastic opportunity for changing the IT world. We're going to kick serious ass. In particular IBM's, which seems to be very (legitimately) afraid. Competition is going to get very fun. In particular given the performance numbers we're announcing when we put our strengths together.
I'm impatient to see how this will all evolve, and I have to say, I'm paying very close attention to what Oracle's strategy for pushing (or just using) open source will be. Sun's a big advocate of open source. I hope Oracle will be just as active an activist! But I'm optimistic!
Let's go kick some big iron ass in the IT world!
Posted at 05:09AM Oct 12, 2009 by gravax in Oracle | Comments[1]
Content aggregators... without our permission...
Hi!
You may be reading this article from a site called ekschi(.com) ... If this is the case, note, and be aware that they are copying content directly from http://blogs.sun.com/gravax/ without my explicit (or even implicit, as far as I know) permission. We encourage you to read the original article directly on our blogs where they were written. Point your browser to http://blogs.sun.com/gravax/ for the original content you found on ekschi...
Posted at 01:07PM Sep 26, 2009 by gravax in General | Comments[0]
AutoCAD Map 3D on Sun Ray - Geospatial in an ultra secure environment
I've been working with my colleagues at Autodesk, and we've come up with a very interesting way to run AutoCAD Map 3D (their geospatial solution) on our Sun Ray terminals. AutoCAD Map 3D is the only AutoCAD version that is certified on Citrix. This means that it's used both by people who need the geospatial features, but also the vanilla CAD features of the standard AutoCAD product.
What we've done is simply set up AutoCAD Map 3D and Citrix XenApp server on a Windows 2003 machine (running on really fancy Sun x86 hardware, of course). Install according to Autodesk's installation guide.
Then we set up a Sun Ray server (you know, Sun hardware - sizing guide here, Sun Ray Server Software) on which we installed the free Citrix native Solaris client. Install using Sun's installation guide. And then got a few Sun Rays.
Voila. Worked. Out of the box.
Now the result is a very secure environment. The Sun Ray terminals have no hard disk, no local state... nothing of value to steal should an employee decide to walk away with one. By default, the USB port on the device isn't configured to enable USB attached storage to work, so impossible to copy data or insert viruses either. This is perfect for very sensitive environments.
But going beyond that, you can configure the system à la SNAP, by turning on Solaris Trusted Extensions, to boost the security to military grade (EAL4+ certified), with segregation of hardware, network, data, processes... even your windows on the terminal have different security levels, and it's not possible to copy from a high security level window (say your geospatial application) to a low security level one (say a web browser on the internet) without approval by, e.g., a security officer.
Want to make it even more scalable? Move the database store (MySQL, which includes geospatial extensions natively, or Oracle) to one of our Thumper-class machines... CPU and disks all in one box...
This is probably the most convenient, and lowest cost-to-manage, solution for running AutoCAD Map 3D today. And you get all these benefits thrown in as well!
Posted at 04:11PM Sep 22, 2009 by gravax in General | Comments[0]
Microsoft's unremovable add-on to Firefox
See, this is why I think we should all be extremely careful when it comes to using Microsoft software.
Recently, one of the Windows updates resulted in an add-on being, well, added, to Firefox. This happened with the Microsoft .NET Framework 3.5 Service Pack 1 update, pushed through the Windows Update service to all recent editions of Windows in February 2009.
First, I'm really upset that this didn't ask my permission to add the Firefox add-on. That alone is enough to break whatever confidence I had left in that company's way of dealing with user's property.
Second, when I realized what was going on, and that there was a significant security risk to that add-on, I decided to remove it. Unfortunately, Microsoft decided that I'm not supposed to remove that add-on. Maybe they think they know better than me. As a result, the add-on's uninstall button is greyed out. The only way I found to remove it was to follow the instructions on Annoyances.org.
Just to make sure this is really clear, I'll repeat those instructions here:
Now repeat after me: "I don't trust Microsoft to want the best for my PC... ever. I am convinced that many more times in the future, they will resort to this kind of behavior and install code that poses a risk to my machine without asking me and making very sure I can't remove it easily".
If you have to use Microsoft software for specific tasks (I have to), be extremely careful with what they install on your machine without telling you.
If you want to be able to trust your machine, use an open source operating system such as OpenSolaris or one of the Linux variants (I like Ubuntu). But don't even start thinking you can trust Microsoft with your machine. They just proved to the world it's a trust incorrectly placed.
And while you're at it, ditch MS Office... go for OpenOffice.org. You're better off from a security perspective... and already all set to send and work with documents that all major governments are starting to define as their standard format.
Posted at 09:16PM Jun 08, 2009 by gravax in Security | Comments[0]
HADOPI - So what do we do now?
Of course, we keep fighting!
First, the process isn't over yet... and there are many steps left. It's clear that this law is bad. It ignores a good part of the existing mechanisms for downloading and sharing. It also forgets that most modern P2P tools are in the process of receiving (or have already received) concealment (cryptography) and anonymization (Tor, or I2P) features...
Moreover, it stigmatizes a protocol (BitTorrent) that has entirely legitimate uses in industry (Sun Microsystems makes its OpenSolaris and OpenOffice.org software available via BitTorrent to achieve major bandwidth savings).
Finally, it puts France at odds with European legislation. On that subject, I wonder whether it wouldn't be possible for an association, say, for example, APRIL (Frédéric, are you reading this?) to set up a structure (lawyers, advice, maybe even funding) so that an Internet user "punished" by HADOPI could simply fill in a form and be given assistance and a simplified procedure to take their complaint directly to the European authorities...
So? What will be the next step in fighting this useless, retrograde, archaic and unjust law?
Posted at 04:21PM May 13, 2009 by gravax in Music | Comments[0]
Why closed, proprietary platforms are to be avoided... whenever possible!
Those who know me know I am very much against Apple's commercial behavior. With the iPod, they sell a closed, proprietary platform, which is bad enough, but they also completely control what you can put on it.
The following article explains what happened to an author who wrote a nice application, and, after some updates of it, saw it banned from the Apple Store.
Apple basically has right of life or death on the software you write for their platform. Even if they don't really understand what it does (the article explains why this is the case)...
Of course, you can always jailbreak your phone (which I recommend anybody stuck with an iPhone do as soon as they can) but this voids the warranty, and some may not like it...
I chose a phone with a truly open platform: Symbian OS. Open Source. Easy to write code for. And anybody can install what they want on the phone. And it's stable! Ditch your closed phone platform. Get one that is designed with 21st century principles!
Posted at 09:07PM May 12, 2009 by gravax in Opensource | Comments[6]
Building aMSN with audio and video on OpenSolaris - piece of cake!
I got tired of not being able to use webcam and audio with my friends on OpenSolaris... so I decided to tackle the problem. Blastwave's version of aMSN was very old... so there was no other option... get it myself and build it.
Turned out to be trivial...
Get the sources from: http://www.amsn-project.net/ and then ./configure, then gmake, then pfexec gmake install (my OpenSolaris box already has GCC and the GNU compiler suite installed). As simple as for any GNU / Linux source code available out there.
First thing that happens when you run it is that it tells you it wants TLS to log in... so you install the SUNWtcltls package from the OpenSolaris repository with Package Manager... and in the advanced preferences tab, specify that TLS is at: /usr/lib/tcl8.4/tls1.6 ... and voila... you can log in.
Of course, the next thing is that there is no audio... so you figure out it wants Snack, the audio library for Tcl... well, that too is available from the OpenSolaris repository through Package Manager. Just install SUNWsnack and restart aMSN. Then you can configure audio (preferences -> advanced) to use Snack...
For the webcam, it's even simpler. OpenSolaris includes USB-VC drivers for Video4Linux2, so plug in a high-end USB-VC webcam and aMSN directly supports it! Just go to the preferences->others menu in aMSN and edit the audio and video settings!
I love it when things just work!
Posted at 11:50PM Apr 26, 2009 by gravax in Opensource | Comments[5]
My first conference call with OpenSolaris's VoIP application!
Today I was scheduled to be on a conference call. I decided to be a geek and try Ekiga on OpenSolaris. It ships by default. Well, you have to install it from the default repository. It's just not called Ekiga, but Video Conference...
I started it. Gave it my Ekiga and FreePhonie account details (FreePhonie comes from my ISP and gives me SIP telephony for free to land lines all over Europe and other major countries around the planet). Once the details were entered, I dialed the toll free number from Ekiga and voila!
Speaker sound was perfect. Microphone sucks on my Toshiba Tecra M2. Next time I'll test the fancy Logitech USB headset!
I love it when "technology-just-works"!
Posted at 05:00PM Apr 14, 2009 by gravax in Opensource | Comments[0]
15 minutes vs 90 minutes?
Hello!
Today we're not comparing lover performances around the globe... and certainly not from a Frenchman's perspective.
90 minutes is the average time spent per day by a smoker during an 8-hour work shift (as presented here).
15 minutes is the average time spent per day by a Facebook user. (Just heard this today listening to France Info, the French information radio, while driving to work.)
Now the strange thing is that some companies (definitely anchored in the long gone 20th century) block access to some social networking sites... but still let people take a walk out of the office to smoke a cig. Now while I don't smoke, I'm not suggesting companies stop letting their employees take a lung-destructive break... I'm more looking at it the other way.
Social networks (like Facebook) are becoming a part of life. Heck, they're becoming a part of work too! Here at Sun, we encourage our employees to use Facebook. We even use it professionally to communicate with our developer communities, and our customer communities.
What the retrograde companies are failing to see is that a whole bunch of brilliant students are coming out of university. And they've been used to stay in touch with their colleagues and peer bright minds through these networks. They won't give up that link easily. They will look for companies that let them stay in touch with their fellow alumni. Employers who fail to realize that will be missing out on the brightest minds, and their competitiveness will be lessened.
It's time to shift to the 21st century, people! Social networks are a fact! Your employees use them. They will spend some time on them. And it will make them more connected, more productive, more efficient. Don't fight it. Embrace it. In the end, digging your heels in the ground won't help. It will slow you down... your competition isn't slowing down.
Posted at 10:50AM Mar 11, 2009 by gravax in General | Comments[1]