scaredpoet.com

Well, seeing as lately my blog is geeking-out over Ubuntu, I may as well add this posting to the list, and it’s a doozy.

If you happen to be a Linux Geek running Ubuntu, Debian, or any of the 40+ related distributions, AND you’ve been hiding under a rock for the past 24 hours, then you should know that there’s a HUGE security vulnerability involving OpenSSL and everything related to it, including SSH. For the non-geekified: this is the stuff required for “secure” web sites to stay secure, and what people typically use to log into systems remotely without their passwords being freely scattered for any hacker to see and exploit.

The problem? The encryption keys used to keep your logins safe and private hinge around seemingly-random numbers that the system must generate. However, sometime in September 2006, a developer got a bit careless and made a revision to the software that suddenly made the random number generator, well, not-so-random. The result? The encryption keys are theoretically easy to guess and decrypt, leaving those once-believed-private transactions very vulnerable and exposed.

Here are the security notices from Debian (here and here), and Ubuntu (here, here and here), the two biggest Linux flavors affected by this security hole. The notices include fixes, and updates are available, but sysadmins need to follow the instructions to make the fix effective.

Of course, there’s are those aforementioned 40+ other known derivatives of these two major Linux distributions that are probably affected, too.

And here’s a statement I never really thought I’d find myself saying: if you use Windows, you have nothing to worry about, because all of this means nothing to you.

P.S.: Yes, this server has been patched.

The contents of this article are probably bound to give certain people in the Ubuntu linux community lots and lots of butthurt.

Oh well. It sucks to be them.

Here it is, for anyone who needs it: How to enable the root user in Ubuntu Linux Distributions.

With the Human Rights situation in Tibet making headlines just 100 days before the start of the Beijing Olympics, it’s interesting to see that this issue has become a perfect battleground for Information warfare on the web, and in particular, suspected Chinese hackers who sympathize with the State.

Right now, web site intrusions and malware attacks are seeing a particularly large spike. Part of it has to do with an ongoing SQL injection vulnerability that’s hitting an estimated half a million websites as this is being written. Some of those sites included those belonging to the United Nations, as well as numerous small businesses, nonprofits, and local and state governments. The cause? Running Microsoft’s Web Services Platform, known as IIS.

Microsoft denies blame for the problem. Though, it is kinda funny that so far ONLY Microsoft servers have proven vulnerable.

The bad news? There appears to be no patch as of yet to solve the problem.

The solution? For now, pray. Or, switch to Mac or Linux.

The same advice goes for those whoa re running pro-Tibetan web sites. Pro-open-source site Ironcove.net is distributing a document in PDF format that details an ongoing spate of hacking incidents targeting web sites sympathetic to Tibet. Ironcove also infers that the Chinese government may be involved, or sanctioning the attacks:

I can never eat at Wendy’s. Ever Again.

Check out Rufus’ mad skillz as he plays the spatula-guitar, and breaks out with his Phat Wendy’s groovelicious moves, yo. The hood ‘be down with all-beef patties. Awww yeah.

Back in 1989, this is the ridiculous stupidity that Wendy’s employees were subjected to. Just think; anyone that flipped your burger during that era was probably rapping this song to themselves, in their heads.

Even for 1989, this is pretty hacky. What the hell were the higher-ups at Wendy’s thinking? And, has Rufus the Phat Burger-Rapper since committed suicide after discovering the horrific error of his ways by appearing in this video?

I’m so lucky I managed to never work in food service. Yuck.

All right, I have to ask: how many people out there have ACTUALLY bought music from Microsoft?

Or better yet: how many people actually KNEW Microsoft had their own music store?

Well, the music store is no longer: MSN Music ceased operations in late 2006, after a botched launch and a total lack of support from MS. Way to counter that whole iTunes threat!

But, while the music store is long gone, its legacy is not coming back to bite the few actual customers in the ass. Microsoft has announced that the Digital Rights Management used to control the access to the music that was sold will expire in August of this year, meaning that the music that people THOUGHT they “owned,” will no longer be playable:

“As of August 31st, we will no longer be able to support the retrieval of license keys for the songs you purchased from MSN Music or the authorization of additional computers,” Microsoft said in an e-mail that was sent Tuesday to former MSN Music customers.

That means consumers who purchased songs from MSN Music and who want to port their library to a new device—in case of, say, a hardware failure or desire to upgrade—won’t be able to do so after the end of August.

Given the life of today’s computer hardware and mobile devices, Microsoft’s decision effectively places an expiration date of about three to five years on song libraries that MSN Music customers thought they had purchased for life.

So, because Microsoft flubbed in their first attempts at a music store, those who actually tried the service and supported it through their music-purchasing dollars are getting screwed. Thanks, Microsoft! Makes you really confident about purchasing music from their existing Zune store, right?

Too bad for Steve Ballmer, videos of the Microsoft CEO’s abject Asperger’s-induced chimp-like stupidity carry no DRM restrictions whatsoever…