# Tuesday, December 2, 2003

Serious Security Vulnerability in Linux Kernel

In light of the recent attack on the Debian Project's servers, researchers have disclosed a serious security vulnerability in the Linux kernel. It allows a local user (a hacker who already has an account or a foothold on the box) to gain root access to the machine. (For those of you Windows-only types, root is like the Administrator.) Once you have root you can do anything; root is the uber user.

The vulnerability is an integer overflow in the brk() system call (memory management). brk() passes user-supplied address and length values to the do_brk() function, which adds them together without checking for integer overflow, so a carefully chosen length can describe a range that wraps around the address space instead of staying inside the user part of it.
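As an added illustration (not code from this post and not the kernel's do_brk()), here is a standalone model of that bug class: a range check written as end = addr + len happily accepts a sum that has wrapped, while the hardened form checks the length against the space remaining below the user/kernel boundary and cannot be fooled. The 32-bit address width, the 0xC0000000 TASK_SIZE (the classic 3G/1G split) and the sample requests are assumptions made for the example; the real do_brk() differs in detail.

```c
/* Added example: model of an unchecked addr + len range check.
 * This is NOT the Linux kernel's do_brk(); it is a standalone model that
 * assumes a 32-bit address space and a TASK_SIZE of 0xC0000000 so the
 * wrap-around is easy to see. Names and values are assumptions. */
#include <stdint.h>
#include <stdio.h>

#define TASK_SIZE 0xC0000000u   /* assumed: user space ends here, kernel above */

/* Naive range check: compute end = addr + len and compare it with TASK_SIZE.
 * The addition is done in 32-bit unsigned arithmetic, so a large len wraps
 * the result to a small number and the check passes for a range that in
 * reality reaches into kernel memory. Returns 1 if the request is allowed. */
int naive_range_ok(uint32_t addr, uint32_t len)
{
    uint32_t end = addr + len;      /* may wrap silently */
    return end <= TASK_SIZE;
}

/* Hardened check: reject the request if the start is already outside user
 * space, or if adding len to addr would either wrap or cross TASK_SIZE.
 * The subtraction TASK_SIZE - addr cannot overflow once addr <= TASK_SIZE,
 * so the comparison is always meaningful. Returns 1 if allowed. */
int safe_range_ok(uint32_t addr, uint32_t len)
{
    if (addr > TASK_SIZE)           /* start already in kernel space */
        return 0;
    if (len > TASK_SIZE - addr)     /* would wrap or cross into kernel space */
        return 0;
    return 1;
}

/* Walk a few constructed requests (assumed values, not real traffic) and
 * report how many the naive check accepts while the safe check rejects. */
int count_naive_mistakes(void)
{
    struct { uint32_t addr, len; const char *note; } req[] = {
        { 0x08048000u, 0x00010000u, "ordinary heap growth: both accept" },
        { 0xBFFF0000u, 0x00020000u, "ends at 0xC0010000: both reject" },
        { 0xBFFF0000u, 0x40010000u, "sum wraps to 0x00000000: naive accepts" },
        { 0x00001000u, 0xFFFFFFFFu, "sum wraps to 0x00000FFF: naive accepts" },
    };
    int mistakes = 0;
    for (size_t i = 0; i < sizeof req / sizeof req[0]; i++) {
        int n = naive_range_ok(req[i].addr, req[i].len);
        int s = safe_range_ok(req[i].addr, req[i].len);
        printf("addr=%08x len=%08x naive=%d safe=%d  (%s)\n",
               req[i].addr, req[i].len, n, s, req[i].note);
        if (n && !s)
            mistakes++;
    }
    return mistakes;
}

int main(void)
{
    printf("naive check wrongly accepted %d request(s)\n", count_naive_mistakes());
    return 0;
}
```

The two wrapped requests are exactly the shape of input a local attacker controls through brk(): the naive comparison sees a tiny end address and lets the range through, while the length-against-remaining-space form rejects it.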

I am not one to dwell on an email virus or something like that. But fundamental problems in the kernel are pretty catastrophic. Let me explain why. Because the vulnerability is in the OS kernel itself, the problem affects just about every distribution of the operating system, on kernel versions 2.4.0 through 2.5.69. That means every Linux installation running an affected kernel, on every computer on the planet, needs to be upgraded when a fix is available.

 

I am not going to lower myself to the mudslinging of the MS v Linux silliness, but am going to remind all the folks out there who tell us that Linux is free. The Linux community will rally fast to address this very serious security issue and everyone everywhere will have to upgrade their Linux installs worldwide (including Nicole’s machine in my living room sitting on my nicely secure Windows network). That is a total cost of ownership (TCO) issue. Nothing is free. It costs time and money to do this (just as it does when you apply a MS patch or upgrade).

posted on Tuesday, December 2, 2003 5:14:17 PM (Eastern Standard Time, UTC-05:00)
# Sunday, November 30, 2003

I am Your Slave

For those of you who know me personally, you know that I hate Political Correctness: I call a spade a spade. If you also know me personally, you know that I hate, despise actually, the city of Los Angeles. So those of you who know me personally don't have to read any more if you heard that LA County recently asked computer and video equipment vendors to consider eliminating the terms "master" and "slave" from equipment because they may be considered offensive.

 

PC has gone too far when the PC Police are starting to talk about device drivers and the like. The terms are an industry standard. Will someone please just tell this guy to get his nose out of my industry.

posted on Sunday, November 30, 2003 9:41:02 PM (Eastern Standard Time, UTC-05:00)
# Wednesday, November 26, 2003

Computer Randomly Plays Classical Music

Just when I thought I have seen it all.

http://support.microsoft.com/default.aspx?scid=kb;en-us;261186&Product=win2000

Computer Randomly Plays Classical Music

This article was previously published under Q261186

SUMMARY

During normal operation or in Safe mode, your computer may play "Fur Elise" or "It's a Small, Small World" seemingly at random. This is an indication sent to the PC speaker from the computer's BIOS that the CPU fan is failing or has failed, or that the power supply voltages have drifted out of tolerance. This is a design feature of a detection circuit and system BIOSes developed by Award/Unicore from 1997 on.

MORE INFORMATION

Although these symptoms may appear to be virus-like, they are the result of an electronic hardware monitoring component of the motherboard and BIOS. You may want to have your computer checked or serviced.

For additional related information, please see the following DFI Technologies Web site:

http://www.dfiusa.com/support/tech-support.html

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 95
  • Microsoft Windows 98
  • Microsoft Windows 98 Second Edition
  • Microsoft Windows NT Server 4.0
posted on Wednesday, November 26, 2003 8:51:51 PM (Eastern Standard Time, UTC-05:00)
# Tuesday, November 25, 2003

An Open Letter to John Ashcroft

 

Dear John Ashcroft,

Under the Clinton Administration, companies that had problems competing used the DOJ to bring frivolous lawsuits against their competitors. Sun Microsystems did this against Microsoft in the late 90s. As documents now show, this was more about personal egos and corporate profit. Corporations used the DOJ to take a swing at a competitor because they could (the DOJ was receptive). Basically Sun and its allies used the DOJ for personal gain. This set a dangerous precedent.

Oracle is planning to buy PeopleSoft. The Europeans are all over this. Last week, European regulators (the same ones attacking Microsoft last week) extended their probe into Oracle. The European Commission announced that it will enter a second phase of its investigation into the proposed merger of the second- and third-largest enterprise software companies.

 

Where is the DOJ?

 

Silent, as it should be. Please stay that way.

Oracle is a big database company. They make great database software, maybe the best out there at the moment. (Wait for Yukon.) Oracle is in trouble. Big time. For 25 years Larry has tried to move past his core competency, databases, and has never gotten anywhere. Microsoft (SQL Server) and IBM (DB2) are eating away at Larry's profits. Open-source databases (MySQL and Postgres), while not suitable for enterprise applications, can't be ignored either, and are eating away market share in smaller accounts. So Oracle is losing market share in the only area it has any. It needs to compete. Since Oracle can't grow organically, let it grow by M&A. If not, Oracle will go the way of Sun and struggle to stay relevant.

Now please call your buds over at the European Commission and tell them to back off.

 

Sincerely,

 

Stephen Forte

New York, NY

posted on Tuesday, November 25, 2003 3:45:22 PM (Eastern Standard Time, UTC-05:00)
# Monday, November 24, 2003

An Open Letter to My Old Friend and Client (RIAA Must Die Part II)

 

A group of investors led by my former client and friend Edgar Bronfman Jr. scored a victory in its bid for Time Warner Inc's Warner Music on Monday, signing a $2.6 billion deal to buy its recorded music and music publishing business. Edgar and I collaborated on a database for “Israel Experience” oh so many years ago. (And he still owes me a scuba diving trip in the Red Sea.)

 

Dear Edgar-

 

How are things going? Long time no speak. I really miss our days down on West 4th street arguing about the database I was building for you. Sorry I sat in your chair that day too. We have had our differences over database schema in the past, but you were still a great guy to work for (yes I want something). I am writing to you today on something more important than ever before. The RIAA is the devil and you are now the owner of the 4th largest record company in the world.

 

Please lead by example old friend. Extend your business model for file sharing and selling MP3s over the Internet. Figure out a way to monetize the electronic side of your business. Apple’s iTunes is a good start, talk to your pal Steve Jobs. Don’t litigate, innovate. You can’t fight technology, it is here to stay. So embrace it and make lots of money. Be the first to market, sell Madonna’s next album only on the Internet or something like that. I know you want to make a splash, so this can be it.

 

Being the first to market you will reap the financial rewards. Right now I openly admit to illegally downloading music to my heart’s content. That is because I hate the RIAA and it is my form of civil disobedience. Create an electronic distribution system of music and charge me for it and I will gladly pay. But be fair to both the artist and the consumer, or the artist will one day not need you. Remember that as part of your business plan, for you to make money, the artist needs higher compensation and the consumer lower cost of the product. Win-win for everyone, including you.

 

I know that Canadians enjoyed Thanksgiving last month, but do enjoy the holiday season.

 

Your Pal-

Stephen

posted on Monday, November 24, 2003 4:29:02 PM (Eastern Standard Time, UTC-05:00)
# Saturday, November 22, 2003

Leila Called Today

 

It was 11:46am and I was riding my bike against traffic down E89th Street after an exhausting training ride in Central Park and the cell phone rings with a strange caller ID. I stop my bike to the oncoming traffic on Lexington Avenue and answer it. It was Leila, Wally Berg’s wife and our base camp manager on the Everest trip. When you travel to Everest with someone, you have a lifelong bond that can’t be broken, and the minute I heard her voice it brought me back to the mountain. The sights, the sounds, the smells. Also the calmness and tranquility of life all came back.

She filled me in on the fact that while they did not bag the summit, the team did have a successful summit of the South Summit (the second highest peak in the world) and assured me that a good time was had by all despite Mother Nature getting in the way. She also said that the sherpas were STILL singing the songs I taught them and saying the sayings that I taught them-a part of me is still in Nepal and that makes me feel special since a part of Nepal is definitely still in me. She was calling to tell me that they found a new blue hat to send me (one that I whined all trip for that I wanted) and took down my new address to send it to me.

 

While it is impractical, everyone should go to Everest, or at least their own personal Everest.

 

posted on Saturday, November 22, 2003 8:15:01 PM (Eastern Standard Time, UTC-05:00)
# Friday, November 21, 2003

Vulnerable Systems Taken Down for 36+ Hours By Hackers

 

From eWeek:

“An unknown cracker this week compromised several machines belonging to the Debian Project, including servers that house the project's bug-tracking system and security components. Officials from the project said they discovered the intrusion within the last 36 hours and are still working to restore all of the affected machines.”

 

Debian is cool. It is an open-source operating system that uses the Linux kernel and also includes a number of packages and tools from the GNU Project.

So I have been saying this for years, but now it looks like it is true: as Linux gains more momentum and market share, it too will be just as vulnerable to malicious attacks. Not sure what can be done, but I think international law has to be changed to deal with hackers more easily.

posted on Friday, November 21, 2003 9:06:41 PM (Eastern Standard Time, UTC-05:00)
# Wednesday, November 19, 2003

Rob Howard Started a War

On Stored Procedures v. inline SQL (heavy business logic in the middle tier) in his blog on Monday.

I almost always use Stored Procedures. There is almost never a reason to use Dynamic SQL, but I am sure that there are times. My highlights:

  1. SPs are more secure. Most DBAs do not grant SELECT permission on any base tables, for obvious reasons; callers get EXECUTE on the procedures instead, which gives you a nice abstraction layer. Don't want someone accidentally deleting everything from a table? Don't create a SP that allows it.
  2. SPs can save your butt. What if a developer writes a dynamic SQL statement that looks OK but will not use an index? A few months later that dynamic SQL is super slow because it is filtering a billion-row table without an index. Your procedure will never allow that if you say so.
  3. SPs are way easier to maintain in your code.

So what does Yukon, with its ability to create SPs in C# or VB .NET, do to all of this? Nothing. Microsoft still recommends T-SQL for your data access/CRUD code.

posted on Wednesday, November 19, 2003 9:09:53 PM (Eastern Standard Time, UTC-05:00)