Linux - 7

One of the biggest threats in computer security today are web applications. There's a vast number of issues found in popular web apps, mostly cross site scripting, cross site request forgery and sql injection. For a long time I had the idea of a tool scanning through webroots and looking for popular web applications, comparing them with a database of their latest security issues. In the past weeks, I finaly managed to get some code done.

It's a quite simple python-script (don't cry about the source quality, I haven't done real coding for ages), together with a database of some popular applications. I'm looking forward to hear feedback. The usage is simple, just do something like this:
freewvs /home/joe/websites/foo /home/guest/websites/bar
Typical output looks like this:
WebsiteBaker 2.4.3 (2.6.5) CVE-2007-0527 /home/hanno/freewvs/test/websitebaker
Drupal 5.1 (5.3) CVE-2007-5416 /home/hanno/freewvs/test/drupal
PhpWebGallery 1.5.1 () CVE-2007-5012 /home/hanno/freewvs/test/phpwebgallery
Mostly self explaining. The found app at the beginning, the version where the issue was fixed in brackets, the CVE-ID (or some other vulnerability id, in doubt an URL) and the path.

The biggest work to do is probably to get more applications added to the database and to keep the database updated. It's format is pretty self-explaining, so I'm waiting for your patches.

Get it here: https://freewvs.schokokeks.org/

Today I found a note about the movie The Codebreakers. It's a free-licensed (cc-by-sa) documentary about free software in development countries.

It brings up different examples about successful usage of free software in different parts of the world. Worth watching.

Recently, I did a bit of »modding« to my homeserver (an old P30 laptop, you may know that if you're regularly reading this blog).

I removed the case, which enabled me to remove some unneeded hardware to save energy. The touchpad, the internal modem and the front LEDs could easily be disconnected. The soundcard and the wireless card could also be removed, but they'll stay. The wlan will become a FreiFunk-node (stupid question: what's the english term for freifunk?). The soundcard makes it a perfect webradio player (and, for their mini-size, the quality of the speakers is quite acceptable).

Beside, the whole system now runs from a memory stick. A HD is still attached, but not used on normal operations. It tended to spin up without a reason, till I noticed that I still had smartd running. Now, the nice thing is, this device is now completely silent as long as I don't use the HD. Even if I run compile processes, the processor fan doesn't run. Seems that enough fresh air is sufficient to cool a Pentium M.

Another attractive feature is that I have three freely usable acpi-buttons, plus the three normal LEDs (caps, num, scroll). 3 LEDs, that makes 8 different LED-status combinations. My plan is now to use the three buttons, have 8 pre-programmed webradio channels and use one button for start/stop, one for switching channels. One is still left for creative purposes, volume control would be obvious, but that doesn't make much sense with one button. An idea would be to use the wlan-button and find a way to disable it's ability to switch the wlan-card on/off (at least a simple/hacky approach would be setting it back on as soon as it's switched off).
But that's not implemented yet, so don't ask for it. I'll publish it as soon as I've done that.

Diesen Schnappschuss wollte ich Euch nicht vorenthalten.

Via Nico Hofmann und die zitierte Gruppierung TOP Berlin kriegt auch nen Link, weil die auch sonst ab und an ganz sinnvolles von sich geben.

Ein guter Tag also für alle meine Blog-Leser, sich mal wieder Gedanken drüber zu machen, welche Software sie nutzen und wem sie damit eigentlich vertrauen. Ich glaub der ein oder andere fühlt sich angesprochen.

Für alle im Umkreis von Backnang sei noch gesagt, dass die LUG heute abend in die Bar »Das Wohnzimmer« einläd und über ihre Aktivitäten informiert.

I recently added some stuff to gentoo for openstreetmap and gps-related work.

For one, the java openstreetmap editor josm now has ebuilds. josm and josm-plugins, the first only installs the program itself plus language packs, the second installs most of the josm-plugins available. They can be enabled within the configuration.
I was a bit unsure how to handle it, as I first thought about adding some basic plugins to the josm-package itself. But as the opinions on what »basic« plugins are seem to differ a lot, I decided to do it this way.
Another new package is gebabbel, a gui-frontend for gpsbabel. gpsbabel is a commandline-tool that implements various proprietary gps coordinate formats and allows access to many gps-devices (e. g. garmin). Beside it can be used to filter and convert gps-tracks.

More to come. Probably also interesting stuff in portage is gpsdrive (which has some osm-stuff in svn, but not yet in a release), marble (world-view-tool for kde, osm-support is planned within the next months). Other stuff not yet in portage, I plan to make packages in the future: tiles@home, qlandkarte, mapnik and probably everything it takes to run an osm-server.

A bit offtopic, as gentoo doesn't run on mobiles (yet): Mobile Trail Explorer is the only free (as in freedom) software I found for J2ME-mobiles to create gps-tracks. It's a bit alpha, lacking some features and unstable, but it's free, so I hope it'll become better soon. It's a cheap way to get gps-tracks, assuming that you already have a java/bluetooth-mobile and you can get a gps-mouse starting at about 50 €.

If you have more suggestions for gps/osm-related stuff, feel free to open requests on the gentoo bugzilla and add me to the cc.

Die FrOSCon ging heute zu Ende.

Von meinem OpenStreetMap-Talk gestern gibt's Folien (OpenDocument) und einen teilweisen Mitschnitt (Theora, aufgenommen mit Digikam, nur 20 Minuten, aber danach ging's nicht mehr so lang).

Bilder gibt's irgendwann hier, aber im Moment hab ich nur langsames Netz.

Heute ist der erste Tag auf der FrOSCon (Free and Open Source Conference), einem lokalen Free-Software-Event bei Bonn (Siegburg für die Ortskundigen). Vortragsprogramm ist umfangreich und interessant.

Werde um 19h noch einen kleinen Vortrag über OpenStreetMap halten. Mitschnitt wird versucht, ich kann aber noch nix versprechen.

Today I managed to map the last few streets missing in the »west«-part of my hometown. I was very active in the last days and it makes lot's of fun (and is good for my health, driving up and down the mountains).

Beside that osm can make you addicted, it also seems to be epidemic. A friend of mine started mapping the nice city Veringenstadt (ok, to be honest, I never was there) and another one can't wait to get his hands on an own gps-device to continue mapping Köchersberg.

My next plans for osm are
a) map the rest of Murrhardt (at least the inner part)
b) get some more gps/osm-related stuff into gentoo (josm, tiles@home)

I'm happy to announce that I mentored Christian Hoffmann to become a new Gentoo Developer.

Christian did some PHP-security work for Gentoo recently, which is very important due to the high amount of security issues php had recently. Welcome on board and continue your good work.

Maybe you've read that I did some coordination on relicensing the old GATOS TV-Out code to make inclusion into the radeon driver possible (gatos was gpl, while xorg uses mit-license).

Now, shortly after that Alex Deucher started implementing tv-out in the randr-1.2-branch of the ati driver based on that code. randr-1.2 is the new and shiny stuff that will make future versions of xorg manage resolutions and output connectors much better. As you can see on the picture, today I played around with the new code and got it working (get Gentoo git-ebuild here).

As a short howto, on some cards (including mine), autodetection of the connector status doesn't work yet. You'll have to manually force the connector:

xrandr --addmode S-video 800x600
xrandr --output S-video --mode 800x600

This is especially exciting as it is the last features of my laptop that was missing for »full linux-compatibility« (some minor issues left, as the cardreader only reads sd at the moment, the modem needs a binary driver).

I recently wrote that I'm sometimes a bit unhappy how security issues are handled in free software project.

Now, to have some contrast, today I'll talk about an example how to do it right. Serendipity, the software I'm using to host this blog, had an SQL injection vulnerability. On the same day, they announced it and provide updated packages. The finder of the vulnerability is also mentioned. Now, it is only able to get password-hashes, many other projects probably would've treated this vulnerability as »low-impact« or something like that.
But beside that, they also provide some tipps how to check if the vulnerability has already been exploitet and suggest to change user passwords.

A while back, there was another vulnerability reported in serendipity. The authors said they don't think that it's really a vulnerability and it probably can't be used for anything evil. But anyway, an update was released and announced just to be sure.

Now, that's good security-work. The fact that serendipity has very few vulnerabilities at all already is very good. The fact they treat the few ones proper is even better. Some other projects should have a look at that.

It's an often told story that the free software community cares more about security. That it's much better because everyone can look at the code. While this may sometimes be true and I know many free software projects really care about security issues, often enough it's the exact opposite.

On 26.04., some guy called Marsu released an advisory about the GIMP. Loading files in the sunras-format can lead to a buffer overflow. Now, while it was silently fixed in svn, for a month they didn't put an advisory on their page and they didn't provide an update. Even with the release of new versions (2.2.15, 2.3.17), they somehow »forgot« to mention that it was a security-update.
Now, after looking into the NEWS-file (which is their Changelog), for 2.2.15 there's this little line:
- guard against a possible stack overflow in the Sunras loader (bug #433902)
They didn't mention the word »security«, they didn't give credits to Marsu, they didn't provide a reference to the advisory or the CVE-ID. Now, even worse, for 2.3.17, they forgot to mention that bug at all (it's probably part of the mentioned »lots of bug fixes«).

Now one might say this isn't that critical, because who uses sunras (I also never heared of that format before)? But think about this: I could mail someone a crafted sunras-file, saying it's an old image I found on some backup HD, together with the note that gimp can open it. I think it's not unlikely that someone might open it, especially with some intelligent social engineering. Beside that, EVERY SINGLE security bug should be taken serious.

Now, don't take me wrong. I love the GIMP, it's a great application. I also think that free software is an important precondition for secure software. But it's not the only thing. And as long as many people in the free software community treat security bugs like this, it's no better than those in the proprietary world.

In wenigen Stunden geht's los zur webinale open in Ludwigsburg. Dort werden wir als Linux User Group Backnang präsent sein, ebenso wird schokokeks.org sich präsentieren.

Am LUG-Stand werden wir verschiedene Projekte, unter anderem OpenStreetMap und CAcert, vorstellen, sowie Kubuntu-CDs verteilen und Compiz zeigen.

Erste Bilder

Up until recently, I had URLs of the form /item/number, which is due to the reason that this was the URL-naming-scheme of bblog, an ancient blogging software I used years back. Now serendipity supports URLs with the title (minus problematic charakters), which is much better for search engines, because they often rate words that appear in the url better. Now, changing the URL after years of blogging doesn't seem appropriate (probably hundreds of links, trackbacks, bookmarks), so I needed some migration path. Serendipity doesn't support two url schemes out of the box, so I hacked some bash to do the trick. This will generate (after changing the url) forward rules (add them to .htaccess after the s9y-stuff), which send a »moved permanently«-answer. This has do be done only once, as there won't be links on new articles with the old scheme.
It's a fast hack and it probably doesn't fit in other situations without changes, but it's a nice example how fast you get somewhere with some bash and sed magic:

for i in `seq 1 31`; do

        wget --quiet -O - http://www.hboeck.de/archives/P$i.html|grep serendipity_title | \

        sed -e 's:^.*href="\([^"]*\)">.*$:\1:g' | \

        sed -e 's:^/\w*/\(\w*\)-.*:RewriteRule ^item/\1 \0 [L,R=301]:g'

done