Herman Bos open source guerilla

4 Aug 2008

Upgraded to wordpress 2.6

Out of interest I read the release notes of WordPress 2.6, which didn't have any interesting features for me, only to be informed that 2.5 will not be maintained anymore.

Thanks a lot.

Fortunately upgrading went very smoothly with Subversion.

14 May 2008

Weak SSL key vulnerabilities not so funny

Yesterday evening I had the pleasure to pick up the following three security notices:

I can tell you these are really not funny. They really generate a lot of work indirectly. Annoying but doable are things like regenerating SSH keys. The PITA situation is with OpenVPN; looks like we have to push new keys out to all the clients in a few setups. That really deserves a curse or two.

As a special bonus:

Once the update is applied, weak shared encryption keys and
SSL/TLS certificates will be rejected where possible (though
they cannot be detected in all cases). If you are using such
keys or certificates, OpenVPN will not start and the keys or
certificates will need to be regenerated.

Which means I am happy to read security notices. Just updating might result in a broken setup.

If anybody could give extra information on how weak those keys actually are and how easy they are to crack, I would be delighted. In the meantime, looking at the number of servers, I guess I can schedule a teambuilding event where we can mass regenerate keys.

PS. I can tell you I'm quite happy that our backup machines, which use SSH+RSYNC for automatic incremental backups, are not vulnerable.

15 Feb 2008

WordPress is a pain

I'm happy I hardened my webserver setup a bit and all our blogs are running on a separate virtual machine, but damn, WordPress is a pain to maintain. I updated it less than a year ago and I'm already hopelessly out of date!

Also this time there are a whole lot of security updates, of course. Enough fun for the weekend. I would probably have updated more often for security updates, but every time I try to get subscribed to the WordPress mailing list I see no results (maybe it looks too much like spam ;)).

We develop all new projects with Python and Django at the moment and it feels really attractive to just kick out WordPress and swap it for a simple Django app. Of course that would require some time I don't want to put in at the moment, but it's definitely on my wishlist.

Going from WordPress 2.1.3 to 2.3.3 this weekend! Yay!

PS. I really don't feel like preparing dinner today! (Painfully obvious when I even start blogging about WordPress.)

Filed under: Evil, Security, Tech

20 Feb 2007

Interesting article about PHP security

Article: http://www.securityfocus.com/columnists/432

Besides some coverage of the common PHP application vulnerabilities, it gives a lot of background about the way the PHP project handles security (it sucks balls). It shines a light on the occurrence of security holes in PHP itself (so not in the applications developed in PHP) and what kind of effects these can have (stealing SSL keys, for example, when using mod_php). Security seems to be a bothersome by-product for the PHP folks.

So next month it's "Month of PHP bugs"; I guess we should keep an eye on the security advisories.
On a side note: the guy develops Suhosin, would be cool to see that show up in Ubuntu.

Update: interesting follow-up on my blog post

Filed under: Security

22 Dec 2006

WordPress Akismet plugin broken with mod_chroot enabled

Since it was overly simple for Kim Chee to get his Akismet thing to work (it kept telling me "invalid key"), it was probably a difference between webhosts. I am a lazy bastard, but this had to be simple; after 10 seconds my suspicions were clear. mod_chroot! I absolutely love mod_chroot, I wouldn't dare to host any PHP site on my servers without it. But it breaks the most nasty PHP apps.

And yes, after disabling mod_chroot my Akismet API key was found valid. Nice to know. Of course I have re-enabled mod_chroot by now, I am running PHP after all. I just so hope it keeps working. My popularity achieved new heights today: 1098 comments. I don't like to be popular.

Important update: I already didn't like the way Akismet works, but it seemed a lazy way out of the problem. Think again. When I recheck my moderation queue (even with mod_chroot disabled) it just happily tells me I'm so lucky I don't have spam. Akismet: die.

Filed under: Evil, Security, Tech

12 Mar 2006

User data from installation time stored world readable

Apparently the data which is entered during installation is stored in clear text and not removed.
https://launchpad.net/distros/ubuntu/+bug/34606/

Time to change my password! I hope you already did since your last installation. :)
On my server only people with shell access would be able to see this file. But even if you don't give out shell access to others, it is quite risky if you run any services that are able to read that file (think Apache+PHP).

Basically this is a really serious bug. I guess we can expect a security update soon. The problem does not occur on Dapper. On desktop machines this is obviously a much smaller risk, but clearly not a wanted feature.

PS. It doesn't seem to be the case on every install, but at least my installs suffer from this bug.

Update: Security update available

Update: It has hit Slashdot. Notice the title; it shows how accurate their research is. After all there is no root password, which must be confusing for all those /. users who were just starting to figure out that everything worked with sudo. :) Nice though that they mention it's already fixed.

23 Oct 2005

Finally started GPG signing keys

I finally started to sign the keys from the What The Hack keysigning party. Obviously a bit late. Some even spammed my mailbox to pressure me, so they got the honour of the first signatures. ;) I'm halfway there now. Using caff to automate it a bit, but I still have to type my ridiculously long passphrase for every key, so definitely not effortless. I hope to finish it before I go to UBZ.

Sorry for the wait, I hope you didn't have any sleepless nights?

Filed under: Security, Tech

31 Jul 2005

Rounding up WTH

13:57h
Lots of things are selling out (Jolt, food, t-shirts) and it's been raining pretty badly all day. Got an OpenBSD 3.6 official CD for free (previous release). Walked around a bit. Myzt found out we're on a video shot at the PGP keysigning "party". Got some penguin caffeinated peppermints for free. I'm leaving for Rotterdam around 19:30h.

15:47h
The guy we met a few days ago with the stilts gave us the chance to try them out. Couldn't resist. :D I managed to walk without help in a few minutes, quite fun. :D

16:05h
Movies of the stilt stuff:
First check weazle on the stilts (makes me look better), then my first steps and later me walking on them normally.
We've started packing now, so I'll be offline.

Filed under: Security

31 Jul 2005

Fun @ What The Bookstore

Myzt took this picture in What The Bookstore:
Sold out...

The book that is sold out is titled: "Girlfriend Hacks, tips and tricks to deal with your beloved one".

Filed under: Security

31 Jul 2005

Rain, rain and more rain

It rained all night and morning (still raining now). The good thing about it is that I could sleep till 11:00h. The bad thing is the ground has difficulties absorbing all the water (because it has been raining all week). So the ground is getting all soggy. I hope we don't get electrocuted.

Looking at the lecture schedule now; I will probably attend "Watching the Watchers" and "Fun and mayhem with RFID".

Filed under: Security