fak3r

This is great, Defcon16 is a mere few days away, but already, the drama has started! Of course there’s the excitement about security guru/celebrity Dan Kaminsky discovering the DNS flaw a few months back that will be revealed this week (so that folks won’t be able to reverse-engineer them to exploit the vulnerability…ahead of time at least), but now there’s a reneg by Apple that’s sure to raise a few feathers, as well as highlight how they weren’t the most forthcoming with their DNS fix (which hasn’t hit yet even though all other vendors have released patches). In an interview, Kaminsky talks about the ‘bug’ he found in DNS, “We got lucky in this particular bug, because it’s a design flaw,” Kaminsky said in an interview. “It shows up in everyone’s network, but the fix is a design fix that doesn’t point directly at what we’re improving.” After peer review it was deemed this was indeed a huge deal, and even the original developer of BIND (the dns software in question) urged everyone to patch. “It took a couple of hours to find the bug,” said Kaminsky, “and a couple of months to fix it.” Kaminsky said he stumbled across the hole in the so-called DNS system for steering people to the websites they are seeking “by complete and total accident.” Smaller DNS flaws have been used before to “poison” the servers that send people to the numerical address of the website name they enter. [...] “This is about the integrity of the Web, this is about the integrity of e-mail,” Kaminsky said. “It’s more, but I can’t talk about how much more.” So learning more about that exploit will be very interesting, and should lead to more people investigating and deploying DNSSEC, a DNS option built with security in mind from the ground up. So there’s that, but now there’s something even more fun because it deals with a companies lack of openness in regards to their security methods. A talk at Black Hat yesterday was scrubbed at the last minute by folks over in marketing at Apple. It seems that they blocked the scheduled presentation that was, “…to give an inside look at the ultra-secretive company’s security response team. “Marketing got wind of it, and nobody at Apple is ever allowed to speak publicly about anything without marketing approval,” a Black Hat organizer told IDG News.” This is unfortunate for Apple, who are reeling after a week of beatings in the ‘blogosphere’ over their handling, or non-handling, of their update for the DNS flaw we mentioned above! “Apple’s policy of saying next to nothing about how it goes about protecting its users from escalating threats is, to say the least, unfortunate. Just last week, the company said it had patched its software from a serious flaw in the net’s address lookup system. Three days after two separate researchers warned Mac clients are still vulnerable to the flaw, Apple hasn’t uttered a word, an omission that generates confusion and doubt in those who depend on the vendor. Apple’s tight-lipped policy.” Come on Apple, you preach about how you’re ‘Open Source’, but then continue along the path of the old school hide and seek ways. Hell, people are already pointing out how their methods are less open than Microsoft’s in releasing information about security. What are they so afraid of? Ah, but we’ll learn more come Thursday, I’ll be in Vegas for my third Defcon and can’t wait. Watch for updates here, or more timely ones over at our Twitter profile.

This is a big deal for me, I played with Skype back in the day, but never really used it much since it required a second client, and I have always used Gaim (which is now Pidgin) to consolidate all of my accounts into one client and didn’t want to break out of that mold, but now I don’t have to.  Using the Skype API, Eion Robb has created a Pidgin plugin called Skype API plugin for Pidgin/libpurple/Adium.  Now I just add my user to the Pidgin accounts tab and I can now chat via Skype in Pidgin just like I chat with all my other contacts.  Note that you can’t do the video of Skype on Pidgin.  Mac users note that you can use this on Adium (my fav OS X chat client), which uses libpurple, which is the backend for Pidgin, on Mac.  So now I’m using Skype again, which is a propreitary app, thanks to them providing an API for the Open Source community to latch on to.  Ah, the circle of life…

A recent study by a tech group talks about not only there being a positive monetary benefit for IT workers to know Open Source, but a more fulfilling sense of purpose as well.  While this tells me nothing I don’t already know, it’s something that’s important as the next wave of IT geeks start knocking on the doors.  “Want to make more money as an enterprise application developer? You’re in luck–if you know open source. According to a recent report from Bluewolf Consulting, enterprises increasingly deploy open-source software, and look to specialized application development on top of it, to drive business value:

The rise of open-source software in application development puts developers with a specialization in those technologies in a position to ask for a 30 (percent) or 40 percent pay increase, Kirven says. “We’ve gotten more requests from our permanent-placement division for open-source developers in the last six months than in the last five or six years combined,” he says. “It’s not as easy as getting free software; someone has to get it up and running. LAMP is everywhere now–these types of technologies no one heard of 18 months ago are all the sudden becoming a hot commodity.”

Indeed. Not only does open source bring developers more money, but it also apparently brings them more satisfaction. Jon Williams, chief technology officer of test preparation company Kaplan, made it very clear in an Infoworld podcast I recorded a month ago that open source is one of his best retention tools. Let people do interesting work, and they stick around. Make them mindlessly monitor that Windows machine, and they’ll bolt.”  I can attest to this, as can my last few contracting positions.  I was brought on to do interesting, challenging, Open Source work, but when that dried up, so did my interest in staying.  Fortunately I’ve recently left the corporate world behind and have found an Open Source position that allows me to fully utilize my skills, while building something with a purpose that’s not based on a corporations’ bottom line (and I’m loving it).  As a followup, there’s also an article about how open source drives enterprise innovation, which after my previous statement reveals, I could cover both sides of.

As a IT contractor I’m enjoying giving my opinion when asked, and sometimes even when I’m not asked; I have the confidence to be open and honest with everyone and want them to know that. Because of this I’ve been getting to do things I otherwise would not have since they would not have known I was interested or experienced in such things. One of the things I was hired for was to setup Apache on Linux to work with their web instances. It’s been fun, and while I’ve used Apache for over 10 years, there’s always new things to learn. Recently they asked for my opinion on ’support’ options for Apache. Keeping in mind, they already have support for the hardware and support for the Linux distribution, they still think they need another support channel for Apache. To me this a big waste of money and have somewhat made my case to them. While I understand their position that this support is a way to cover themselves if Apache ‘breaks’, the fact that this software is Open Source has to change the way they have traditionally considered support.

(more…)