do it. think it. blog it! ... a twisted world

Thursday Jul 28, 2005

Would I have ever dreamt that BoingBoing would be on a banned list? And hey, this is not some small-time organization. The filter being used is SquidGuard, a content filter, redirector and access controller for Squid. I thought it would be worthwhile to download the blacklist database and cross-check whether BoingBoing was in it; luckily, it was not, which made me believe that this was a domain blacklisted by the "organization" I was at. Whew!! (BoingBoing is not banned throughout the internet.)
The README file from SquidGuard's blacklist database download reads:
!!! WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING !!!
!!!                                                                         !!!
!!! These blacklists are entirely products of a dumb robot (squidGuardRobot)!!!
!!! We recommend that you review the lists before using them.               !!!
!!! Don't blame us if there are mistakes, but please report errors          !!!
!!! with the online tool at http://www.squidguard.org/blacklist/            !!!
!!!                                                                         !!!
!!! WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING !!!
Interesting, yet widely used!!! I've got to go back to my hotel tonight and check BoingBoing, for courtesy's sake..

Wednesday Jul 27, 2005

According to this announcement, Microsoft is releasing its much-awaited Windows Vista (previously known as Longhorn) to developers today.
Windows Vista beta code is being released into the hands of about 10,000 technical beta participants, which include customers, partners, home users and subscribers of Microsoft Developer Network and TechNet, Sullivan said.
Microsoft also will release another build of Windows Vista to developers at the Professional Developers Conference (PDC). That code that will likely be the result of what Microsoft internally calls integrated developer workstation releases, which will be fashioned into a so-called community technical preview, Sullivan said.
Now, this part of the announcement disturbed me a bit...
Another security feature in the beta is network access protection, a feature that quarantines computers that could have malware or other unauthorized software from a network until patches clearing the offending code can be applied, he said.
From what I understand of "quarantine" procedures, one would need to snoop around the computer (using something like Nessus) for malicious applications and assign the machine an IP (with probably a 1, 2, 3 or even 10 minute lease period) from a subnet with restricted access. Once the machine is proven NOT to have any software running on it that doesn't abide by the policies set up by the individual organization, the machine's IP address would be released and a NEW IP assigned from another subnet altogether, which would enable the user to access resources within the infrastructure; IF NOT, an IP from the "QUARANTINED ZONE" is assigned to the device / machine (and well, the device is now quarantined).

Now for wired networks it may be fine, but what about wireless? When a wireless device (like my laptop, for example) moves from one organization to another, would it be marked "malicious" just because the applications on the laptop didn't adhere to certain standards within that organization? (Some organizations do not like Outlook installed, some don't like Notes, and some ban open source apps altogether; the cases vary from organization to organization.) And what about privacy? I'm so, so sceptical about this! Let's see what happens ahead... guess I just gotta wait and see...

UPDATE: Another thing I also remembered is that Vista seems to have rolled back its authentication and authorization structure, to authorizing prior to authenticating. What I mean by that is that an IP address is assigned to a device during startup by the DHCP server (prior to authenticating the user). IF a device / machine is first assigned an IP from a quarantined zone, and then a "decision" is made based on factors that determine whether the device / machine is "authorized" to be allowed onto the network, ain't that authorization PRIOR to authentication? Once a user authenticates, additional authorization rulesets may be applied..
I like the idea behind authorization PRIOR to authentication and have been advocating that workflow for a while (sadly nobody listened to me), and if Vista DOES do authorization prior to authentication, I feel good about that ONE fact. It's the privacy factor (feature) that bothers me.

UPDATE II: XeroCool reports that Windows Vista may be facing legal trouble already. Vista, a Redmond, Wash., company, has stated it may sue Microsoft over the name Windows Vista. Don't you think Microsoft may have noticed that company just down the street from their HQ? [Read the full report from nwsource]

Sunday Jul 24, 2005

Emm... Surprisingly, today my *Office spellcheck application suggested that I change the spelling of "java" (all lowercase characters) to "lava". *Office does not behave this way when I type in "Java" (proper case). I wonder why? Am I not supposed to use the term "java" in lowercase?? Interesting recommendations, aye.. especially from *Office!! Engineering, are you listening?

Friday Jul 22, 2005

This article on gearlive describes how Google Maps helped Edwin Soto get his traffic ticket thrown out of court.
Link courtesy: Timothy, from his Slashdot post.
Does anybody from New York know if Cathedral Pkwy (110th Street) is a one-way or a two-way street? BTW: Could Yahoo Maps, MSN Maps & MapQuest also be used as evidence in courts of law?
I fear the day my boss launches Google Maps to show me that there was no indication of a traffic jam to justify my delay in getting to work!! And worse still, my wife waiting with her laptop at the door with Google Maps on the screen, awaiting a reply from me for getting back home late!! LOL!!

Thursday Jul 21, 2005

This post on internetnews spells out IBM's plans to announce a significant strategic move in its server and storage systems group next Tuesday. The excerpts from the post that caught my eye are as follows (I am not commenting on them, as it'd be considered biased and unfair if I did):
"There are a number of things being announced that week; some of it will likely be storage related," said the analyst, who asked not to be named.
Sources told internetnews.com IBM has been sniffing around a start-up called Incipient, which makes storage virtualization software that helps "companies more efficiently manage, move and protect their data." But this rumor was shot down.
IBM spokeswoman Lisa Lanspery flatly denied the news has anything to do with Incipient, saying that she'd never heard of the company. Robert Infantino, senior vice president at Incipient, also denied such a deal was in place and said his company doesn't discuss its OEM partners. If Big Blue were to partner with Incipient in an original equipment manufacturer's deal, it could sell the company's startup in its own products. IBM could also buy the Waltham, Mass., company outright to fortify its position in the storage virtualization market against rivals like EMC and Hitachi Data Systems (HDS), the source said under condition of anonymity. Such a deal is intriguing.
It's also possible IBM just wants to make it harder for EMC to sell its new Invista virtualization software, as well as put a crimp in the sales of HDS' TagmaStore Universal Storage Platform (USP).
Read the entire post at internetnews.com for a first hand report on this subject.

Wednesday Jul 20, 2005

Google recently launched their "developer" website, called Google Code. As part of the launch they have contributed four development libraries to the open source community. I also noticed that google.org now has a new face. google.org, supposedly the philanthropic arm of Google, is busy staffing personnel and defining goals, priorities and principles. The open source libraries found on the code.google.com site focus on compiling and debugging code and include tools for the C++ and Python languages. Google has made them available through the BSD open source license, which means developers can use the code for commercial and non-commercial applications, said Chris DiBona, Google's open source program manager. Google currently hosts these open source libraries on sourceforge.net.
While the four initial contributions only reach a targeted set of developers, DiBona said they are only the beginning of source code releases coming from Google. DiBona joined Google almost a year ago to oversee its open-source efforts. He coordinates with Google engineers, many of whom are anxious to open code from the tools they are creating during their infamous "20-percent time," he said. Google engineers devote 20 percent of their time, or an average of one day per week, working on projects of their own interest. The four Google Code releases include a library called CoreDumper, which developers can compile to create core dumps of the running program, and a Python library called Goopy Functional for bringing functional programming aspects to Python, Google announced. Also provided are a project called Sparse Hashtable, containing hash-map implementations being used at Google, and PerfTools, a set of tools for creating robust applications, especially when developing multithreaded applications in C++ with templates, according to Google.
A complete list of Google's currently released open source projects is as follows:
  • AdWords API Java Client Library: The Java client library for the AdWords API makes it easier to write Java clients to programmatically access AdWords accounts. The client library is provided in a single jar file that contains all the Axis jars and pre-compiled stub classes needed to write Java clients.
  • AjaXSLT: AJAXSLT is an implementation of XSLT in JavaScript, intended for use in fat web pages, which are nowadays referred to as AJAX applications. Because XSLT uses XPath, it is also an implementation of XPath that can be used independently of XSLT.
  • CoreDumper: The coredumper library can be compiled into applications to create core dumps of the running program without termination. It supports both single- and multi-threaded core dumps, even if the kernel doesn't natively support multi-threaded core files.
  • Google mMAIM: mMAIM's purpose is to make it easy to monitor and analyze MySQL servers and to easily integrate itself into any environment. It can show master/slave sync stats, some efficiency stats, can return statistics from most of the "show" commands, and more!
  • Sparse Hashtable: This project contains several hash-map implementations in use at Google, similar in API to SGI's hash_map class, but with different performance characteristics, including an implementation that optimizes for space and one that optimizes for speed.
  • Sitemap Generator: Sitemap Generator is a simple script that can be configured to automatically create Sitemaps and submit them to Google. Sitemap Generator can create these Sitemaps from a URL list, access logs, or a directory path hosting static files corresponding to URLs. You can read more about Sitemap Generator here. Google has also created a page listing the creativity that third parties have brought to the Sitemaps space.
  • Kongulo: Kongulo is a web spider for GDS, written in Python (http://www.python.org/). Offered as an example of how to write a GDS plugin in the fabulous Python programming language.
  • Goopy/Functional: Goopy Functional is a Python library that brings functional programming aspects to Python.
  • Perftools: These tools are for use by developers so that they can create more robust applications. Especially of use to those developing multi-threaded applications in C++ with templates. Includes TCMalloc, heap-checker, heap-profiler and cpu-profiler.

Tuesday Jul 19, 2005

I saw this hilarious open-source beer post on wired.com this AM:
Beer always tastes better when it's free, or so the saying goes. So leave it to a group of college students to find a way to make sure their beer is always free. Well, at least the recipe they use to brew it is. A group of students at IT University of Copenhagen have produced what they claim is the first open-source beer. The recipe and brand of their beer is published under a Creative Commons license, which means anyone can use the recipe for pleasure or profit. The only catch: If you make money selling their unique beer, you have to give them credit and publish any changes you make to the recipe under a similar license.

Their inspiration wasn't just to get drunk, but to see what happens when an open-source structure is applied to a universally known product like beer. "Why not take the legal framework, the open-source licenses, and apply them on analog products?" said Rasmus Nielsen, a member of Superflex, an art organization that helped create the beer in conjunction with a student group called Vores Øl (Our Beer). On their website, the students said they are interested in seeing how their beer will get better once it is out in the world, acquiring slight improvements as the recipe is shared. Vores Øl hopes that the beer "perhaps one day becomes the Linux of beers."

Version 1.0 of the libation is brewed using classic techniques but has a special ingredient to make it unique. Each batch of the golden-brown ale has guarana, a South American stimulant, added to it. The guarana is equivalent to 35 milligrams of caffeine, which Vores Øl suspects should counter the drowsiness-inducing effects of the 6 percent alcohol level.

Proponents of open source are always quick to counter the assumption that they make software code "free." A famous quote on the open-source GNU Project website explains the kind of freedom they really promote: "Free software is a matter of liberty, not price. To understand the concept, you should think of 'free' as in 'free speech,' not as in 'free beer.'" The guarana-infused beer isn't going to be handed out at frat parties, because it isn't free of charge. But the recipe to make a batch of the beer is open to all and is being enjoyed by beer lovers from Brazil to France, judging by guestbook entries on the Vores Øl website.

As open source spreads beyond software to online encyclopedias like Wikipedia and biological research, it was only a matter of time before somebody created an open-source beer. According to the site, Vores Øl created the beer "as an experiment in applying modern open-source ideas and methods on a traditional real-world product." While the idea of open-source beer has been around since 1998 as a joke, the students and Superflex decided to make it a reality. "Beer was chosen for its universal qualities as a commodity that we would like to think of as free," said Nielsen.

In an industry where taste is everything, a beer seller's recipe is typically kept under strict trademark. Home brewers, however, commonly share tips with each other, and home-brew recipe books abound. "Home brewers enjoy telling the story about how they made it and what the recipes were. There are very few secrets kept by home brewers," said Charlie Papazian, president of the Brewers Association.

In the beer business, more than just recipes are moving toward open source, as some brewers are adopting an open-source business model as well. An ex-Red Hat employee in Australia has developed his love for spirits into an open-source project by creating a brewery that is owned in part by its customers. Brewtopia allows its patrons to own part of the brewery and chime in on important brand decisions that relate to Blowfly, its beer. "We second-guessed our choices every day that leaving the company open was the right thing to do," said Liam Mulhall, Brewtopia's CEO. "But when you have Harvard Business School using your company as a case study ... it's extremely satisfying." Brewtopia's libations are a hit in the IT industry, with employees from Cisco Systems, Mitel and Alcatel all making it their choice of beer at company parties. Brewtopia even supplied the beer at Yahoo's 10th anniversary party.
After del.icio.us and Furl proved to be extremely good resources for online bookmark management, tags are taking the blogosphere by storm. I just discovered TagCloud early last week. TagCloud is an automated folksonomy tool. Essentially, TagCloud searches any number of RSS feeds you specify, extracts keywords from the content and lists them according to prevalence within the RSS feeds. Clicking on a tag's link will display a list of all the article abstracts associated with that keyword. I have set up an LDAP and Identity/Access Management tag cloud; you can read up on just about any content on the web, blog or otherwise, by simply looking up tags rather than blog post titles. Here's my tag cloud for Identity and Access Management: Click here to see ALL my Identity & Access Management tags.

Sunday Jul 17, 2005

GLSA 200507-13
1. Gentoo Linux Security Advisory Version Information

Advisory Reference: GLSA 200507-13 / pam_ldap nss_ldap
Release Date: July 14, 2005
Latest Revision: July 14, 2005: 01
Impact: normal
Exploitable: remote

Package            Vulnerable versions   Unaffected versions   Architecture(s)
sys-auth/nss_ldap  < 239-r1              >= 239-r1, 226-r1     All supported architectures
sys-auth/pam_ldap  < 178-r1              >= 178-r1             All supported architectures

Related bugreports: #96767

Synopsis: pam_ldap and nss_ldap fail to restart TLS when following a referral, possibly leading to credentials being sent in plain text.

2. Impact Information

Background: pam_ldap is a Pluggable Authentication Module which allows authentication against an LDAP directory. nss_ldap is a Name Service Switch module which allows 'passwd', 'group' and 'host' database information to be pulled from LDAP. TLS is Transport Layer Security, a protocol that allows encryption of network communications.

Description: Rob Holland of the Gentoo Security Audit Team discovered that pam_ldap and nss_ldap fail to use TLS for referred connections if they are referred to a master after connecting to a slave, regardless of the "ssl start_tls" ldap.conf setting.

Impact: An attacker could sniff passwords or other sensitive information as the communication is not encrypted.

3. Resolution Information

Workaround: pam_ldap and nss_ldap can be set to force the use of SSL instead of TLS.

Resolution: All pam_ldap users should upgrade to the latest version:

Code Listing 3.1
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-auth/pam_ldap-178-r1"

All nss_ldap users should upgrade to the latest version:

Code Listing 3.2
# emerge --sync
# emerge --ask --oneshot --verbose sys-auth/nss_ldap

4. References

CAN-2005-2069: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2069
http://www.gentoo.org/security/en/glsa/glsa-200507-13.xml
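As an added audit helper (written for this post, not part of the advisory or of the pam_ldap/nss_ldap projects), the following script turns the advisory's version table and its workaround into two checks an administrator can run against a Gentoo host: whether the installed version falls in the vulnerable range, and whether ldap.conf relies on "ssl start_tls" (the affected path) instead of forcing SSL. The version ranges are the advisory's own; the sample ldap.conf is constructed here and the "ssl off" default is assumed from pam_ldap's documented behaviour.

```python
"""Audit helper for GLSA 200507-13 (pam_ldap / nss_ldap StartTLS-on-referral issue).

Two checks a defender would run on a Gentoo host:
  1. is the installed package version inside the advisory's vulnerable range?
  2. does ldap.conf rely on "ssl start_tls" (the affected path) rather than the
     advisory's workaround of forcing SSL (ldaps:// URIs with "ssl on")?
Version ranges are the ones published in the advisory; the ldap.conf sample
below is constructed for this example.
"""
import re

# Vulnerable / unaffected versions exactly as listed in GLSA 200507-13.
ADVISORY = {
    "sys-auth/nss_ldap": {"fixed": "239-r1", "unaffected": {"226-r1"}},
    "sys-auth/pam_ldap": {"fixed": "178-r1", "unaffected": set()},
}


def parse_version(ver):
    """Turn a Gentoo version such as '239-r1' into (239, 1); no -rN means revision 0.

    Only the simple N or N-rM shapes used by these two packages are handled.
    """
    m = re.fullmatch(r"(\d+)(?:-r(\d+))?", ver)
    if m is None:
        raise ValueError(f"unsupported version string: {ver!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def is_vulnerable(package, version):
    """True if `version` of `package` is below the fixed version and is not an
    explicitly unaffected build (the advisory lists 226-r1 for nss_ldap)."""
    entry = ADVISORY.get(package)
    if entry is None:
        return False
    if version in entry["unaffected"]:
        return False
    return parse_version(version) < parse_version(entry["fixed"])


def parse_ldap_conf(text):
    """Extract the 'ssl' mode and the server URIs from pam_ldap/nss_ldap ldap.conf text."""
    ssl_mode = "off"          # assumed default when no 'ssl' line is present
    uris = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)           # ldap.conf lines are "key value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "ssl":
            ssl_mode = value.lower()
        elif key == "uri":
            uris.extend(value.split())
    return ssl_mode, uris


def findings(package, version, ldap_conf):
    """Return human-readable findings for one host."""
    out = []
    if is_vulnerable(package, version):
        fixed = ADVISORY[package]["fixed"]
        out.append(f"{package}-{version} is affected by GLSA 200507-13; "
                   f"upgrade to >={package}-{fixed}")
    ssl_mode, uris = parse_ldap_conf(ldap_conf)
    if ssl_mode == "start_tls":
        out.append("ldap.conf uses 'ssl start_tls': referred connections may fall back "
                   "to plain text on affected versions; the advisory's workaround is "
                   "to force SSL (ldaps:// URIs with 'ssl on')")
    elif ssl_mode == "off":
        for uri in uris:
            if uri.startswith("ldap://"):
                out.append(f"{uri} is plain ldap:// with ssl off: credentials are never encrypted")
    return out


# Constructed sample configuration (not from the advisory) for a vulnerable host.
SAMPLE_LDAP_CONF = """\
# ldap.conf for pam_ldap/nss_ldap
uri ldap://replica.example.internal/
base dc=example,dc=internal
ssl start_tls
tls_checkpeer yes
"""

if __name__ == "__main__":
    for line in findings("sys-auth/pam_ldap", "178", SAMPLE_LDAP_CONF):
        print(line)
```

Note that Gentoo's revision suffix sorts above the bare version (239 is older than 239-r1), which is why the comparison is done on a (version, revision) tuple rather than on the raw string.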

Saturday Jul 16, 2005

When I was working on a project a long time ago, I had implemented a zero knowledge login module for the Sun Java Systems Access Manager (formerly known as Identity Server). Here I find myself again trying to advocate the use of zero knowledge password authentication techniques for web applications, and am having to explain and provide information to all those folks who are not aware of this authentication method. Well, I thought it would be good to post a small blog on the subject with links to all those online resources which can give you a pretty good idea of what the zero knowledge password protocol (ZKPP) is all about.
In short: a zero-knowledge proof is an interactive method for one party to prove to another that a (usually mathematical) statement is true, without revealing anything other than the veracity of the statement. A zero-knowledge proof must satisfy three properties:
  • Completeness: if the statement is true, the honest verifier (that is, one following the protocol properly) will be convinced of this fact by an honest prover.
  • Soundness: if the statement is false, no cheating prover can convince the honest verifier that it is true, except with some small probability.
  • Zero knowledgeness: if the statement is true, no cheating verifier learns anything other than this fact. This is formalized by showing that every cheating verifier has some simulator that, given only the statement to be proven (and no access to the prover), can produce a transcript that "looks like" an interaction between the honest prover and the cheating verifier.
The first two of these are properties of more general interactive proof systems. The third is what makes the proof zero knowledge.
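To make the three properties concrete, here is an added toy implementation of Schnorr's identification protocol (a classic zero-knowledge proof of knowledge of a discrete logarithm). It is written for this post and is not code from the original post, from SPEKE or from SRP; it uses a deliberately tiny group (p = 2039, q = 1019, g = 4) so the numbers are readable, which makes it unusable as a real parameter set. Each function maps onto one property from the list above: `honest_run` shows completeness, `cheating_runs` shows soundness (a prover without the secret succeeds with probability about 1/q per run), `simulate_transcript` shows zero knowledge (a simulator with only the public value produces accepting transcripts), and `extract_secret` shows why the nonce must never be reused.

```python
"""Toy Schnorr identification protocol, used to exercise the three properties
of a zero-knowledge proof: completeness, soundness and zero knowledge.

The group is deliberately tiny so the numbers are readable; it is NOT a
secure parameter set. p = 2q + 1 with q prime, and g = 4 (a quadratic
residue mod p) generates the subgroup of prime order q.
"""
import secrets

P = 2039          # safe prime
Q = 1019          # (P - 1) // 2, also prime: the order of the subgroup <G>
G = 4             # quadratic residue mod P, so it has order Q


def keygen():
    """Prover's secret x and public y = g^x. The 'statement' is: I know x with g^x = y."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def prover_commit():
    """Round 1: fresh random nonce r in [1, q-1] and commitment t = g^r.
    r = 0 is excluded because it would make s = c*x and leak x outright."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P)


def verifier_challenge():
    """Round 2: verifier picks a uniformly random challenge c in [0, q)."""
    return secrets.randbelow(Q)


def prover_respond(x, r, c):
    """Round 3: s = r + c*x mod q. This is the only step that needs the secret."""
    return (r + c * x) % Q


def verify(y, t, c, s):
    """Verifier accepts iff g^s == t * y^c (mod p)."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def honest_run(x, y):
    """Completeness: an honest prover who knows x always convinces the verifier."""
    r, t = prover_commit()
    c = verifier_challenge()
    return verify(y, t, c, prover_respond(x, r, c))


def cheating_runs(y, trials):
    """Soundness: a prover without x can only guess s, so each run is accepted
    with probability 1/q. Returns how many of `trials` attempts were accepted."""
    accepted = 0
    for _ in range(trials):
        _, t = prover_commit()
        c = verifier_challenge()
        accepted += verify(y, t, c, secrets.randbelow(Q))
    return accepted


def simulate_transcript(y):
    """Zero knowledge: a simulator holding only the public y (no x) produces an
    accepting (t, c, s) by choosing c and s first and solving t = g^s * y^(-c).
    y^(-c) is computed as y^(q-c) because y lies in the order-q subgroup."""
    c = secrets.randbelow(Q)
    s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, (Q - c) % Q, P)) % P
    return t, c, s


def extract_secret(c1, s1, c2, s2):
    """Special soundness: two accepting responses to the SAME commitment t under
    different challenges reveal x = (s1 - s2) / (c1 - c2) mod q. This is the
    reason the nonce r must be fresh for every run; the inverse uses Fermat
    (q is prime) to stay compatible with older Python versions."""
    inv = pow((c1 - c2) % Q, Q - 2, Q)
    return ((s1 - s2) * inv) % Q


if __name__ == "__main__":
    x, y = keygen()
    print("honest prover accepted:", honest_run(x, y))
    print("cheating prover accepted in 2000 tries:", cheating_runs(y, 2000))
    print("simulated transcript verifies:", verify(y, *simulate_transcript(y)))
```

The simulator is the formal content of the third bullet above: because anyone can produce transcripts that verify without knowing x, a transcript carries no information about x. SPEKE and SRP, mentioned below, are password-authenticated key exchanges built on related discrete-logarithm ideas rather than this exact three-move protocol.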
Phoenix Systems has a product called SPEKE (simple password-authenticated exponential key exchange) which uses this technology. For those who would like an off-the-shelf product that enables zero knowledge password protocol authentication, SPEKE is a good start. Wikipedia has a very good explanation of ZKPP. This paper on Secure Login Protocols is another good resource for learning more about ZKPP. Hannu A. Aronsson from the Helsinki University of Technology also has a very nice paper on Zero Knowledge Protocols and Small Systems. Thomas Wu from Stanford University has a paper on The Secure Remote Password Protocol which gives a very nice background on the framework and the logistics behind implementing a ZKPP authentication structure. RSA Security has a nice write-up, by example, of how the ZKPP system works. For those seeking more information on ZKPP, Google the term and you'll find volumes of information on the subject.
& Hey!! The ZKPP authentication module atop the Sun Java Systems Access Manager would make your network more than just comply with the term "SECURE".

Thursday Jul 14, 2005

With this announcement, the Sun Java Access Manager (version 7.0) and its product updates & enhancements would soon be available as part of the OpenSSO project. I am all excited and thrilled about this move even though several folks think otherwise. With the freely available source code, one could not only gain an in-depth understanding of the workflow and logistics that power Sun products, but also gain an edge over other developers who have been trying hard to develop their own single sign-on products, JOSSO being one of them.
The Open Web SSO project provides core identity services to facilitate the implementation of transparent single sign on as an infrastructure security component. Targeted towards the web tier, this project provides the foundation for achieving seamless integration of diverse web applications that typically operate against a disparate set of identity repositories and are hosted on a variety of platforms such as web and application servers. This project is based on the code base of Sun Java(tm) System Access Manager product, a core identity infrastructure product offered by Sun Microsystems. The intended audience for this project are intermediate to advanced skill level developers and IT managers who want to use this project to achieve intranet and/or extranet single sign on for their hosted web applications.
I further see, and emphasise, that OpenSSO and JOSSO would complement each other extensively. JOSSO uses JBoss as its core container, whereas OpenSSO uses Sun Application Server (which is also on its way to being open sourced) as its core.
The goal of Open Web SSO project is to provide an extensible implementation of identity services infrastructure that will facilitate single sign on for web applications hosted on web and application servers. This implementation will offer the following core identity services:
  • Authentication
  • Session
  • Logging
Apart from the above mentioned services, the Open Web SSO project will also provide a platform for creating and integrating custom services where necessary.
Here's an opportunity for all those developers out there to make the most of!! So GO FOR IT. & all those startups who plan to develop SSO & access management / security products, here's your chance to INNOVATE. My take is that you could start off from THIS codebase rather than from scratch. You could INNOVATE further rather than REPLICATE. After all, it's all about INNOVATION. UPDATED (on the same subject): Earl Perkins, an analyst with market research company Gartner, was quoted saying:
Today's identity and access management market is dominated by Computer Associates' Netegrity SiteMinder and RSA Security's ClearTrust. Other strong players' products include IBM's Tivoli Access Manager, Oracle's Oblix COREid, Entrust's GetAccess, Novell's iChain and Bull Evidian's Secure Access Manager. Large vendors have been scrambling over each other to buy up identity management technologies, with RSA and Entrust the only two players still standing while CA and others have gobbled up their peers. Open sourcing its ID and access management software is a clever move by Sun since it comes at a time when the technologies are beginning to become commoditised.

Tuesday Jul 05, 2005

I am taking a break from blogging here for a little bit. Am too busy with other work that drains out all my time. I shall be back soon.

So hey!! Bookmark me and come back another day ;-)