Deception and people

A friend of mine, who is known for being very trustful as well as trusty (y'know: she trusts everybody), recently told me that she's very disappointed in people in general now. Her boss is a bitch, and other situations have aroused her distrust of other people.

I was in a very similar situation a long time ago (yeah, I always tend to talk about me... I'm an only child, so deal) and that got me thinking: have we all been in that situation? Many people that I've known who have been betrayed or heartbroken (which is not the same) always tend towards a very intense disbelief in everybody. Like a shell of ice that grows around the heart for protection purposes... the problem that I have with that is that the shell chokes its inhabitant as well: the people that I know have become very easily irritable and have lowered their expectations in life to a point where it becomes very hard to actually get up in the morning. And like ice, it grows very slowly, so it's very difficult for one to notice its appearance.

Mmm... interesting: that's me right now, but I still feel trustful... or do I? Woah! I think I have to sit down and think this through: I may not be the warm person that I think I am.

Rant 2006-03-10: Linux unpatched's better than Windows unpatched

Notes before reading:
*For an explanation on how this rant is organized, please: read this.
*This rant is posted in this thread.
*The discussion is about an article about a study that tested the security of unpatched versions of different OSes, including Windows 2000 Server, XP Professional, 2003 Server, Red Hat Enterprise Linux 3 and SuSE Linux 9 Desktop, in which Linux came out on top.
-SP is Service Pack, usually followed by a number indicating the consecutive version of its installment. Windows 2000 has up to SP4 and XP Professional has up to SP2 (SP3 for XP is coming, but don't hold your breath).
-Many pro-Windows users were arguing that the comparison was unfair because Windows 2000 Server and XP Professional were released long before the Linux OSes, and their usual use is with their respective service packs installed, which provide a lot of added security.
-The #9 remark at the beginning is the nonstandard way to reply to a given post in ActiveWin; #9 is a post by someone by the name of chris_kabuki that proved with references that the comparison between Windows 2003 Server and the Linux OSes was in fact fair.

Rant:
#9 ja, chris_kabuki beat me to it, jeje. Thanks, though, I wouldn't have thought of putting the different patches between the releases =).

The point of the article was to see the behaviour of unpatched OSes security-wise, but I have to admit: to throw in Windows 2000 without SP4 (which came out in June 2003, http://en.wikipedia.org/wiki/Windows_2000) and Windows XP Professional without at least SP1 (which came out in September 2002, http://en.wikipedia.org/wiki/Windows_xp) was very unfair to both of them. But to include these two with those service packs would be a bit incongruent for this study: SP4 is a patch for Windows 2000 as SP1 is for XP, so the whole point of seeing the behaviour of UNPATCHED OSes would be lost. Then again, it's still unfair to observe the behaviour, security-wise, of an OS in an obviously insecure state compared to others that were released almost five years later, having obviously been pre-patched against all the illnesses that were wreaking havoc before they arrived. Nevertheless, if you take out the comments about these two OSes, there still lies Windows 2003, which is in a very fair position compared to the others (explained in chris' post).

Although for me it's quite surprising that Windows XP Professional lasted almost as long as the 2000 Server edition, which I've used many times to put up small file sharing servers inside BSD-protected LANs. I'll probably switch to Windows XP Pro, jeje.

User fanboys should be glad, though. It's a good "patch yer machine up!" article to make more XP users stop ignoring the Windows Update bubble in their system tray.

And finishing off Apple's Security

I think that this subject, at least for me, has been discussed to death, so let this be my last Apple's Security post... unless some dimwit in a thread entices me to produce another rant of mine.

I love irony, it can be so subtle sometimes, and you know I love subtlety:

This column was published about a year ago (11 months, in fact) and it explains my opinion beautifully.

So I'll let him do the writing for me... a writing done so long ago that it's kind of disturbing to think that it's still viable today. I may even try to post this once or twice in different forums to see their reaction, jeje.

"
And with it, he said goodbye to the naysayer.
And the naysayer replied positively.
"

Mmm, I kinda liked that =)

Rant 2006-02-21: so tired...

Notes before reading:
*For an explanation on how this rant is organized, please: read this.
*This rant is posted in this thread.
*The discussion is about a new Mac OS "virus" that posed a big threat to the Apple user community.
-Studly is a forum user that is very pro-Microsoft stating that an Operating System with so much market share is a very good Operating System.
-IMO is In My Opinion.
-A lot of pro-Microsoft users were complaining that this was an unfair comparison to Microsoft if Apple users weren't making such a big deal of this bug because it was patchable, the way they make a big deal of Windows with all its patchable bugs.
-This rant is divided into two parts: one beginning a thread, another replying to a person who agreed with me but said that this virus wasn't such a big deal.
-If you want more information about this "virus", I've posted about it before in this blog, or you can go here.
-By the way, here's the guy that discovered it.

Rant:
Part 1.
Ah! So much to say:

"Three flaws in a week." Fair enough (although I'm doubtful whether it's a week, but that's not the point)... three *proof-of-concept* vulnerabilities (not out yet), two of which have been reported with a very low severity. This last one, fine: a big one... but it can be easily disabled by the instructions that apparently every other Mac Fanboy has dictated here (disabling an option in Safari, or moving the Terminal), at least until Apple releases the patch.

Something very similar happened to Windows in the last few months: the WMF vulnerability. You don't even have to download the thing, just visit a page with a WMF on it and the executable code inside the WMF runs locally. And you know what Microsoft's response to that was? "Don't go on the Internet until we patch this thing up." Nice, and it took so long that a guy (don't remember his name) came up with a patch of his own, opened up its code, and some security vendors actually recommend his patch over Microsoft's.

You wanted a fair comparison? There you go...

Frankly, right now I want to see Apple's quickness to respond, because you have to admit: Apple's very new at this... Mac OS X is not totally invulnerable (no OS is), so this kind of stuff was going to happen sooner or later: it took five years, but it finally came. It's been way overannounced, but fine, like any Windows user out there when it comes to a new vulnerability: I've taken note and the extra precautions to guard myself from it, like I've been doing since I knew what a virus was, independently of what machine I was using. A computer's not secure if a stupid ignoramus is using it: so Mac Fanboys, get off your cloud, I can stick a finger up your ass if you're not careful, the same way someone could delete all of your files if you double-click a document without knowing what it is.

And Studly... shut the hell up... if you want to judge Windows vs. Mac OS X over who's 'better' by the size of the market share of each OS, fine: Windows' interface is based upon the interface of the first installments of the OS used in the first Macs, so if you see it that way Apple has more than 90% of the market share (all of Microsoft's and its own). Don't like it? OK, it's understandable, Windows has changed a lot since those years, I get it. Microsoft's market share is that big because of IBM's stupid move not to make DOS its own (they let Microsoft license it to other manufacturers); everyone saw what mighty IBM was doing, so they grabbed onto it as well... it's a business strategy, and Bill's a very good business visionary. For God's sake! IBM didn't even look at DOS when they bought it, they just shoved it into the computers of users who thought that it was the ONLY thing out there because, well, it was everywhere. Still don't like it? Have something else to say? Wow! You really don't shut up, do you? OK, bring it on.

Part 2.
Even though it hasn't been exploited yet, it's still a big one. I mean, really: Safari downloads a file, executes it, and, even though it can't kill the whole OS, it can delete anything the users can delete, like their own home directory.

The thing that's "new" here is that Apple is in the security spotlight right now. Windows users (at least the anti-Apple ones) are just waiting for something to go wrong with the Mac so they can point and say "Ja! Losers!". And Apple is being tested right now in that matter: let's see how fast and how well Apple responds to all this hype. I know that this isn't the first vulnerability that OS X has had (only God can write an invulnerable OS), but it is one of the first that has drawn a lot of attention, and the first one that IMO really matters. The iChat one and the Bluetooth one exploit their own propagation, not a lot of severity there (from what I've read); but this last one, if it's used well, can really cause pain.

That's all, jeje...

Studly? You there? No? Nothing? C'mon dude! I was expecting another statement of yours like "The plague back in the mid-15th century was awesome, because it had like an 85% market share in Europe", or something.

Rant 2006-03-09: Office is 10 years ahead of OpenOffice.org... my ass

Notes before reading:
*For an explanation on how this rant is organized, please: read this.
*This rant is posted in this thread.
*The discussion is about an article about a comment by Alan Yates, a general manager at Microsoft, that Office is ahead of OpenOffice.org in terms of what problems it can solve.
-OO is short for OpenOffice.org.
-LCS is Live Communications Server, a local network instant messaging service that doesn't need to communicate with the Internet to work.
-The #15 remark at the beginning is the nonstandard way to reply to a post in ActiveWin; the #15 post contained a brief list of things that Office could do.

Rant:
#15 More than half of the statements you listed are useless if you haven't also bought the server that accompanies it. Frankly, all of that "functionality" can be achieved in OO with a well-structured CVS platform (to manage versions of your files), Jabber for instant messaging, who knows how many open source mail servers out there, etc. Most of the "advanced features" that you and many others have mentioned aren't even in Office by itself, but need other programs that apparently "seamlessly" connect to it, all of which need a dedicated computer to do their job (Active Directory, IIS, Sharepoint, Exchange, etc.).
Maybe it's feasible for a company to make a (not small) investment in infrastructure to make Office actually useful in those matters, but frankly, even buying Office right now (even with all that "functionality") for that purpose is just a waste of money, and here's why I think so:

Yates said "Certainly, if you’re just trying to write a few notes or something, Open Office is just fine. [...] Most documents today are not done by one individual. They’re done by multiple people working on a project at once." I've used OO for quite a few years, in my own company, in which many people contribute to one project, using the infrastructure I've explained before. Think about it: Office without all of those other programs to complement it is just as useful as OO. Yes, I know: if you put up LCS or Sharepoint, you can IM with the other person that's editing the same document or see his status with a click of a button, but is that really worth $500? To "one-click" everything? I know that it's worth something, but $500? I mean, if it's that useful, why should I need to buy LCS so that I could IM with someone else? Why can't it connect to a Jabber server? Probably because if it did Microsoft would lose "so much of the company’s revenue [that] is derived from the product [MS Office]". It makes the user buy other products to complete Office's "functionality". If the reason for saying that Office is helpful for multiuser projects is that it comes with Outlook, then that's not at all helpful: to check others' calendars, online status, etc., Outlook isn't enough; Active Directory, Exchange and LCS are needed. Why not include an Exchange Server with Office? And why not also LCS and Sharepoint? Yeah, a whole package that comes with an Active Directory license, an Exchange license, an LCS license, a Sharepoint license, a Windows Server license (not to mention another computer), and 10 Office licenses. Does that even exist? Because if it did, THAT would be useful for multiuser projects, and very, very, very much above that $500 mark.

MS Office and Microsoft in general rely on the ignorance of the general public to force their way into companies'/users' computers by "convincing people of the core value proposition for the product versus the competition" (Yates). We all know this: this is how Microsoft came to be; basically, creating problems to solve instead of solving real problems: macro viruses that are still lingering, the hogging of resources that still increases with every new version of Office (which I think should be a priority in development), and the unreliability, insecurity and unstandardized state of its servers (that give Office its "functionality"), which make them hell to administer. So first solve those problems, then "solve the problems that Microsoft focused on 10 years ago" that OO has been solving for them (one being its own price and reliability, which I still think are highly overrated), and then we'll begin comparing who is 10 years behind whom.

Rants

In the last month, I've written around five rants that I've posted on the Internet (mainly on news.com)... so that's around one every six days. Seeing that I (with another friend) just figured this out, I've decided to begin a "Rant of the Week" scheme on this blog. I'll still post my sad personal life stories (a lot of stuff has already been published here, and I don't have the time to begin another blog and republish all the technical stuff of this blog on the other one; besides, I'm too lazy to manage two blogs... although, now that I think about it, it wouldn't be that time consuming... mmm, I'll think about it).

Anyway, for the time being, every rant title will be "Rant SQL-formed_date: title". I think the use of a SQL-formed date in the title will in some future make these rants easier to find and more easily uploaded to a database somewhere... jeje, look at me, all technical, jeje =).

The rant posts will be divided into two sections. The first is a "Notes before reading" section, which will be a list of bulleted notes to help you better understand where the rant is coming from: a * bullet is information about where the rant was posted, or the location of the article being discussed accompanied by a brief summary; a - bullet is information about the backdrop of what was happening in the thread that the rant was posted on and the internet slang used in the rant, like IMO is In My Opinion, or WYSIWYG is What You See Is What You Get (if for some reason I fail to explain any one of these slang terms in this section, there's a very good web page that can help you out with that, and if it's not there, Google's very reliable jeje); I like to come back to my rants and read/change them from time to time, so this section will be very dynamic in the early publishing stages. The other section will be the "Rant" section itself, in which I will be pouring my guts out happily, probably cutting it up into several parts (all will be explained in the "Notes before reading" section of each rant, not to worry).

Enjoy the rants!

Oh, and by the way: for now I'll post two of the ones that I already have posted over the internet with their respective dates, so don't think that I'm a full-time ranter, they've just been bundling up jeje... (see? the dates in the titles are already proving their use, jeje)

New mac mini...

A friend of mine bought a mac mini. We're in Mexico, so the new Intel ones aren't on sale here yet... or are they?

When we went to the store to pick it up, after a phone call fifteen minutes before telling us that we could, a person answered that they were at lunch so she didn't have clearance to give it to us. I told her that they had just called us... she told me it wasn't true. I ranted, I was infuriated, I just hate it when people call me a liar without proof.

I asked her when they'd come back; she told me around 4. "Are you sure? I don't want to come back at 4 for you to tell me that they aren't here yet." She ranted, she was infuriated, and then told me that it was probably best for me to come back at 4:30. Hmpf... showed her.

This is another reason why we should set up an Apple Store here in Queretaro, Mexico... yeah, that'll be beautiful.

Calm or the center of the hurricane

It's always the same: me happy for a limited time because it always turns the other way around.

Rehearsal with Charly that ends at 9, and a date that starts at 9 (yeah, you heard right: a date, nice gal, afraid of cats, let's see what happens). Seems nice, I'm just scared that I'll turn it all around again.

That last sentence was a typo, a big one... supposed to say 'I'm just scared that it'll turn all around again', but that's the way it came out. Interesting, isn't it? Very Freudian in my point of view...

Ethics in User Privacy and Security

Being a Systems Department, the fact that the network we administer is our responsibility creates a feeling that the network is ours. Even the very name 'Administrator' of the user account normally used for administrative tasks provokes a feeling of ownership over the machines and the information they hold. But the reality is different.

The word administer is a synonym of caring for and tidying, but not of directing. Basically, the Network Administrator is to a Network what a butler is to the house he looks after. He makes sure the house is clean, buys and prepares the food, and checks that the house is in good condition, but he is not the owner of the house. He cannot decide what to add to the house, he cannot let people into the house without the owner's authorization, and much less can he enter the owner's room (or any other room being used by someone) unless it is to clean or to provide assistance requested by the person staying in that room. It is somewhat drastic and can even be read as disrespectful, but one could say a butler is part of the house itself; likewise, a Systems Department is part of the Network.

This doesn't mean the Systems Department is mute: it is entirely valid to point out to the owner what is best for the Network (who better?). In fact, a good owner should take the Systems Department's opinion before reaching a decision on any modification to the network.

Even so, it is important to adopt the following guidelines as an ethics policy when carrying out any administrative task on the network, the server, or any machine within the network:

  1. The user has the right to (and therefore we have the obligation to provide) a private workspace. This space includes both the virtual and the physical. Documents created by the user are the property of the user and of the company he or she works for; only the user or one of his or her superiors may change, read, delete them, etc.
  2. We may personally carry out the actions mentioned in the previous point on a user's files only with the permission of that user or of a superior. When performing any of these actions, the accounts dedicated to that purpose must be used (the domain Administrator account is not one of these accounts; see point 4). The user's own account should be used for these purposes only when the circumstances warrant it; if that happens, the user must enter his or her own password, be present throughout the whole process and, before each and every step, be told what is being done and why.
    • A common mistaken assumption is that users are not capable of understanding what is being done, or that they really don't care what is happening on their computers. The reality is almost the opposite: given an explanation without advanced technical terms, the vast majority of users not only come to understand the problem quickly, but there may also come a time when the user knows what to do to keep the problem from reappearing, or can even fix it on his or her own if it happens again (provided he or she has the appropriate permissions). For every computer on the network there is a person, a brain, driving it.
  3. When resetting a password, the means the operating system provides for making the user choose a new password must be used. That is, the user is the only one who should know his or her password. Not even the user's superior should know it, much less the Systems Department. In the same way, it is our duty to be just as protective of the passwords that have been entrusted to us: the security of the house we look after depends on it.
    • There may be occasions when the user cannot reset the password (one example is being unable to log into the domain to reset it because the user is out of town but needs to get at email through WebMail), in which case it is necessary to reset it on the user's behalf, but it is also necessary to ask the user to reset it again upon returning.
  4. The Administrator account is God on the Network, and a source of much controversy as to its use. There have been several debates over whether the owner of the Network should have access to that account, but the most appropriate answer is this: if the owner plans to be managing the Network personally alongside the Systems Department, configuring the server to provide certain services, etc. (which is unusual, but can happen), then yes. In any other case, the administrator account is the property of the Systems Manager and whoever he or she sees fit; if the owner wants to make a modification, he or she must request it from the Systems Department and have them do it.
    • Even so, it is the Systems Department's responsibility to give each account of the Department's members the minimum privileges needed to carry out the tasks assigned to them. If someone is in charge of supporting the mail server, only Exchange Administrator privileges should be granted on Windows (or Qmail, Sendmail or Postfix privileges on UNIX), etc. The administrator account is only for installation, deep configuration of some service, or critical situations.

Apple and Security

These past few weeks Apple has been in the eye of several security experts (and by their comments, probably promoted by some antivirus vendors) who have prophesied this year to be the year of the Mac OS X virus.

Three (if I remember correctly) proof-of-concept "viruses" have supposedly appeared. One is eight months old and has been patched (although it was harmless, it had something to do with its proliferation through Bluetooth). Another can disperse itself through iChat, although it couldn't do anything else. The last one, nevertheless, has caught my eye, because it can be very destructive and doesn't require user intervention.

It takes advantage of some features in several applications in Mac OS X to do its job:

  1. Safari has enabled by default an option that makes it execute any "safe" file when it finishes downloading. This includes zip or archive files, in which case Safari also executes any "safe" files inside them.
  2. The archive handler doesn't decide which application is the preferred one to open any of the files it contains. Rather, it lets the file impose that decision. If the file doesn't have any application as its preferred one, the archive handler defaults it to the Terminal.
  3. The way Safari certifies a file as "safe" is by its extension, not by the application that will open it (which would've been more reliable, in my opinion).

So imagine a guy (gals are less evil) writes a shell executable file that will erase all the files inside the home directory of a user (easy: write a text file that contains the line 'rm -r ~/*', without the quotes; that's it). He then changes the extension of that file to an inoffensive jpg just by renaming it. Later, he archives it and uploads it to his website. Finally, he makes the website (via PHP or ASP) ask the browser to download his archived file (which can be done easily just by going through the reference of any of these languages).

Now every Mac user that visits his webpage using Safari will NOT be asked to download this file: it will be done automatically, because Safari thinks it's safe. It will then be unarchived and the apparently inoffensive jpg file inside will also be executed. Since it has no application linked to it, Terminal will take over. Terminal will see the line 'rm -r ~/*' and delete all the files in the user's home directory. Because all the files are owned by the user, Terminal won't ask for any password or permission to do so, so the user doesn't have any chance to stop this from happening when visiting the website.
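The third point above, trust decided by extension rather than by content, is the one a defender can actually check for. As an added example that is not from the original post or from Apple, here is a small Python scanner that inspects a downloads folder and flags files whose bytes disagree with their extension; the extension list, magic numbers and script markers are my own illustrative choices, and the sample files are constructed.

```python
import os
import tempfile
from pathlib import Path

# Extensions that a "safe file" rule of the kind described above trusts by name
# alone (an illustrative subset, not Safari's actual list).
SAFE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt"}

# Leading bytes a genuine file of each type starts with (standard magic numbers).
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}

# Crude heuristic: byte patterns that mark content as shell input no matter
# what the file name says.
SCRIPT_MARKERS = (b"#!", b"rm -r", b"rm -rf")


def classify(path):
    """Classify one downloaded file.

    Returns 'script'   if the bytes look like shell input (the disguised payload case),
            'mismatch' if the extension promises a format the header does not match,
            'ok'       if the header agrees with the extension (or no magic is known).
    """
    ext = Path(path).suffix.lower()
    with open(path, "rb") as fh:
        head = fh.read(512)
    if any(marker in head for marker in SCRIPT_MARKERS):
        return "script"
    expected = MAGIC.get(ext)
    if expected is not None and not any(head.startswith(m) for m in expected):
        return "mismatch"
    return "ok"


def scan_downloads(folder):
    """Return {filename: classification} for every regular file in folder."""
    results = {}
    for name in sorted(os.listdir(folder)):
        full = os.path.join(folder, name)
        if os.path.isfile(full):
            results[name] = classify(full)
    return results


def flagged(results):
    """Names a safe-by-extension rule would have auto-opened but content inspection rejects."""
    return sorted(name for name, verdict in results.items()
                  if verdict != "ok" and Path(name).suffix.lower() in SAFE_EXTENSIONS)


def build_sample_folder():
    """Constructed sample data (not real downloads): a genuine JPEG header, the
    renamed one-line shell script from the post, a PDF that is really a GIF,
    and a harmless note."""
    folder = tempfile.mkdtemp(prefix="safe_file_demo_")
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
        "picture.jpg": b"rm -r ~/*\n",          # the payload the post describes, renamed
        "report.pdf": b"GIF89a" + b"\x00" * 16,
        "notes.txt": b"meeting at 4:30\n",
    }
    for name, data in samples.items():
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(data)
    return folder


if __name__ == "__main__":
    demo = build_sample_folder()
    verdicts = scan_downloads(demo)
    for name, verdict in verdicts.items():
        print(f"{name:12} {verdict}")
    print("auto-opened by extension, rejected by content:", flagged(verdicts))
```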

Frankly: wow, my hat's off to the guy that came up with this. Anybody can wreak havoc on a Safari user now... well... except if the user disables the option to execute "safe" files when finished downloading or moves the Terminal application somewhere other than the Applications folder, which is a very simple procedure to secure yourself. In other forums I advised many people to do this while we waited for the security update from Apple.

Microsoft always releases patches about once a month (even more so if we bring up the WMF vulnerability that showed up this past winter). Apple has already released the patch for this (and other stuff as well) for both the Panther and Tiger versions of Mac OS X (Jaguar and other older versions apparently aren't affected, probably because Safari in those older versions doesn't automatically execute files when finished downloading). You can find the documentation of this security update here.

This 'bug' was brought to our attention around Feb. 20, 2006 (it's impossible to really know when it was 'out there'). This security update, which not only patches this vulnerability but several others, was up for downloading Feb. 28, 2006 (officially, it was March 1, 2006). Also consider that a major security update (version 10.4.5) was given out Feb 14, 2006, so this wasn't a scheduled patch.

Frankly: wow, my hat's off to Apple, because that was FAST.