(?) The Launderette Runoff - All the laundry that's too long to print

(?) Sending a Geek on a Guilt Trip

From Raj Shekhar

(!) [Jimmy] I nicked this (with permission) from Raj's blog

One of the methods used by normal humans to send other (normal humans) on the "guilt trip" is to use the cliche "every time you do THIS or THAT god kills a kitten. Please, think of the kittens..." For an even bigger guilt-trip, you can use "every time you do THIS , somewhere a kitten gets run over by a Monster truck. given not ten minutes ago to the five year old girl standing by the side of the road, spattered, red, and crying as she fumbles with her inhaler" (Thanks to Brian Bilbrey, member of The Answer Gang for the picturesque description )

Frankly, the whole killing of the kitten part leaves me rather unmoved. Having lots of free time on my hand lately, I thought of things that would send me on a guilt trip.

  • every time you do THAT, your email id gets harvested by Mr. Joseph Adisa of Lagos, Nigeria
  • every time you do THAT, Microsoft issues ten critical updates
  • every time you do THAT, some clueless bastard says "Linux has less viruses because it is less popular " (my veins are throbbing just writing this)
  • every time you do THAT, some luser says "IE is better than Firefox since IE supports advanced features like ActiveX"
  • every time you do THAT, someone starts building a new Linux distro

I know I am not normal :-)

(!) [Jimmy] Hmm... expand the list...
Every time you do THAT:
  • Some poor admin has to configure sendmail
  • Someone decides to write a new implementation of Scheme
  • Someone writes a new "open source" licence
(Oh, and by the way, Firefox (and Mozilla) does support ActiveX. (I would say on both Linux and Windows, but it turns out that Wine requires the use of the Windows version). Konqueror also does (or, at least, did), using the reaktivate module from kdenonbeta)
(!) [Jimmy] I could add "Jimmy starts another off-topic thread"...

(?) Australian Government security...

From Jimmy O'Regan



When the first server was turned on, it booted all the way to the standard AIX login prompt. It was later discovered that the root (master account) password was indeed set to root.


Keep in mind that these servers came from the State Transit Authority of NSW, how is it possible and acceptable in this day of age that governmental servers be decommissioned and sold without wiping the contents of the drives?


(!) [Martin] Good grief how the heck did that happen... ? ;)
That is not good!

(?) Then there's the other extreme: http://www.dilbert.com/comics/dilbert/archive/images/dilbert2915650050801.gif

Of course, the message is emphasised at DEFCON:

(?) Why we need backups

From Martin J Hooper

This is why we need backups...

(?) Stallman in the Guardian

From Sluggo

http://www.guardian.co.uk/online/comment/story/0,12449,1540984,00.html RMS writes in the Guardian about software patents
"If we, the free-software proponents, had lost [the July 6 vote in the European Parliament], it would have been a final defeat in Europe. The relevant part of the European commission works hand in glove with the Business Software Alliance (BSA), and a BSA lawyer actually wrote much of the text of the draft directive the commission proposed. (We know this because they were so foolish as to publish it as a Word file, which contained information about who wrote what.)"
"Our years-long fight has shown how undemocratic the EU is."
"Bullying a whole national government appears to be easy, but there is usually no need to go that far: it suffices to convince one minister, or the minister's representative, to vote as desired. The Hungarian representative voted for software patents even as his prime minister said Hungary was against them. The German representative voted in favour even after the German parliament voted unanimously against. The Dutch government pushed software patents through the council of ministers after its parliament ordered it to reject them."

(?) Quote of the day

From Jimmy O'Regan

From Michael Meeks's blog (http://www.gnome.org/~michael/activity.html#2005-08-03):
"Decided that the CollabNot infrastructure must have been stolen whole-sale from some bad D&D game: if ye wish to attain commit-level access for project foo, ye must first - request the 'Acolyte' role in the foo project. If approved, ye need to accumulate power-points - the path lies through stealing the magic sword of Blag and killing the evil goblin of Nurg. When ye hast won through: heft your stone of Bling, and publicly crunch the bones of Nodab (for luck) - while requesting stewardship of the Can-Commet relic. Be warned - only the few get this far, and the process must be repeated for each 'project'. Many fall at the next mighty hurdle to await you: the mind-deadening, spine chilling Specification task, with it's many difficult stages: iTeamus-formationus-from-nothingus, QAEducationus, endless-pointless-discussionus, and acutely-delayed-resultus. The real shame is Sun didn't choose Collab to help strangle their OpenSolaris baby."

(?) What Business Can Learn from Open Source

From Jimmy O'Regan

"The third big lesson we can learn from open source and blogging is that ideas can bubble up from the bottom, instead of flowing down from the top. Open source and blogging both work bottom-up: people make what they want, and the the best stuff prevails.
Does this sound familiar? It's the principle of a market economy. Ironically, though open source and blogs are done for free, those worlds resemble market economies, while most companies, for all their talk about the value of free markets, are run internally like commmunist states."

(?) Like

From Sluggo

Look Thomas, 'like' has its own wikipedia entry.

(!) [Thomas] Ugh. :) "Look, Mike, I'm like, just so like impressed."

(?) "The word like may be the only word in English that can be a noun, verb, adverb, adjective, preposition, conjunction, and interjection."

(!) [Thomas] Not in the 'Pocket Thomas Adam Dictionary'. :)

(?) I'm, like, no way! What's in your dictionary?

(!) [Thomas] Some ha'pennies. :)

(?) What they call a hedge is what I've meant by "softening" the sentence. "Like" shows a measure of doubt or approximation, and is a polite way of saying something negative. Contrast:


' He was wrong. -vs- He was, like, wrong. That dress is ugly. -vs That dress is, like, ugly. '


(!) [Thomas] Oh, sure. I understand its usage, I just... there's something about it that I don't like. It's wrong of me, I know, but whenever I read sentences written like [1] that, I can't help but read it in a flippant way. Pah. It's just me. :)
[1] There's that word again. :)

(?) "Some are pressing to have valley speak (also known as Valspeak or mallspeak) of which the uses of /like/ illustrated above are a telltale sign, recognized as an American dialect."

(!) [Thomas] Indeed. Oh, don't get me wrong, I'm just very old before my time, and don't agree with it. :)

(?) Like, bitchin.

[Warning: vulgar language ahead. Last chance to press 'delete'.]

Speaking of which, there's a hilarious shop in Seattle called High Maintenance Bitch. http://girlmeetsdog.com It's dedicated to trendy clothing products for "Girl's Best Friend" (her dog), such as this boa (a feather wreathlike thing worn around the neck): http://girlmeetsdog.com/images/furry5k.jpg http://girlmeetsdog.com/images/martini.jpg

They have now diversified into other lines of business including My Pussy and There's No Place Like Home. My Pussy is for girls with cats ("every girl wants to spoil her pussy"). http://girlmeetsdog.com/pussy.html

There's No Place Like Home is a charity for bringing boas to homeless dogs in animal shelters. No, really. It "enhances the natural beauty" of the pet, which I guess raises the pet's self esteem. http://girlmeetsdog.com/noplace.html

(!) [Thomas] Ha! A most... hmm. "American" site, is a most fitting description for it. :)
Although you have made me laugh, Mike. Hehehehe, thanks. :)

(?) Slashdot interview with the manager of MS's Linux lab

From Jimmy O'Regan

(!) [Brian] I wrote to Mr Hilf:


Subject: Your Slashdot interview...
I was pleased to see your reasonably candid responses to the moderated questions that were posed on the Slashdot "interview".
I'd like to ask a more pointed question [set] related to Question 2: Open Standards
"How does Microsoft internally deal with Open Standards and Open Document Formats?"
It strikes me that you could have interpreted the question to mean "It appears that Microsoft practices customer lock-in through proprietary data formats. What progress do you see Microsoft making on reversing these practices? Is Microsoft going to provide reasonable data- interchange tools? If so, then why would Microsoft be patenting features of their future document formats?
That would really be a stellar set of questions to hear the answer to. It's the number one reason why I can't recommend MS products to clients - data formats win out over user interface every time I lay the issues out.
Thanks again,


end of copied message. Do you think I'll get an answer? If I do, I'll let you know.

(?) NetBSD toaster

From Sluggo

NetBSD has been ported to a toaster.
Warning: if it crashes, your toast might get burnt.
(!) [Jimmy] That's cool, but I want one of these: http://www.infoworld.com/article/05/08/10/HNusbserver_1.html (A 1.6 ounce USB powered Linux server)
Oh, and Slashdot has a story about a guy who made his own Linux-powered car computer: http://www.timekiller.org/carpc

(?) Slashdot links

From Jimmy O'Regan

Llyods of London offering insurance to open source:
Supervillians love Linux:
Flickr, for video:

(?) MS at LinuxWorld

From Sluggo

http://seattlepi.nwsource.com/business/236528_software15.html Microsofties showed up at LinuxWorld in Star Wars stormtroopers' outfits.

(?) Follow-up with Bill Hilf of Microsoft...

From Brian Bilbrey

I have been back and forth via email with Bill Hilf of Microsoft's Linux Lab, following his interview on Slashdot [1]. In question two, he was asked about Open Standards, and weaselled a bit, to my way of thinking. So I wrote and asked:


I was pleased to see your reasonably candid responses to the moderated questions that were posed on the Slashdot "interview".

I'd like to ask a more pointed question [set] related to Question 2: Open Standards

"How does Microsoft internally deal with Open Standards and Open Document Formats?"

It strikes me that you could have interpreted the question to mean "It appears that Microsoft practices customer lock-in through proprietary data formats. What progress do you see Microsoft making on reversing these practices? Is Microsoft going to provide reasonable data-interchange tools? If so, then why would Microsoft be patenting features of their future document formats?"

That would really be a stellar set of questions to hear the answer to. It's the number one reason why I can't recommend MS products to clients - data formats win out over user interface every time I lay the issues out. ***


He sent me a link to Microsoft Office Open XML Formats Overview [2], and stated "I think this is a great step forward in the right direction. -Bill"
Hmm, thinks I, after following the link and reading for a fair piece. Then I write to him again:


So, by "royalty-free" does Microsoft mean that use of the format will be licensed to all comers?

Well, open patented format is less good than open public domain format. I can hear the argument for "keeping control" of the format, but as MS is the 800 pound gorilla on this issue, I'd imagine that actual baseline control of the format would remain with the vendor who has such a large percentage of the desktops, world-wide. Hmmm. ***


Bill, game as ever, comes back with this stellar response: "[Bill Hilf] Yes, 'royalty free' means you can use it without paying us a royalty fee."
Well, color me surprised, I'd have never come to that on my own. </sarcasm>
Then I replied:


Yah, I know what royalty-free means. That's why I asked the key other question, if MS would license it to anyone (OpenOffice, Koffice, StarOffice, anyone). You didn't answer that. If you don't know the answer, that's okay. ***


Bill, ever resourceful, pops yet another link into the mix, and doesn't answer my question: "It depends on the license terms of the program - each program and license is available at MS' Shared Source Initiative.[3]
Office isn't among the "programs" listed in the Shared Source Initiative pages, so I am lead to believe that Microsoft does not in fact intend its Open XML Formats to be open in any real sense of the term. I'll desist in my game of Whack-A-Hilf, as it appears that as usual, the game is rigged.
I just thought TAG would be interested in the interchange.
[1] http://interviews.slashdot.org/article.pl?sid=05/08/08/1247220
[2] http://www.microsoft.com/office/preview/fileoverview.mspx
[3] http://www.microsoft.com/sharedsource

(?) Bell Labs Dept. 1127 closed

From Jimmy O'Regan


(?) Is your boss a psychopath

From Jimmy O'Regan

Off-topic, but fascinating: http://www.fastcompany.com/magazine/96/open_boss.html (Test here: http://www.fastcompany.com/magazine/96/open_boss-quiz.html)


Then Hare came out with a startling proposal. He said that the recent corporate scandals could have been prevented if CEOs were screened for psychopathic behavior. "Why wouldn't we want to screen them?" he asked. "We screen police officers, teachers. Why not people who are going to handle billions of dollars?"

It's Hare's latest contribution to the public awareness of "corporate psychopathy." He appeared in the 2003 documentary The Corporation, giving authority to the film's premise that corporations are "sociopathic" (a synonym for "psychopathic") because they ruthlessly seek their own selfish interests -- "shareholder value" -- without regard for the harms they cause to others, such as environmental damage.


(?) Classic flops

From Sluggo

http://www.npr.org/templates/story/story.php?storyId=4806498 King James Bible Not Word of God, etc...

(Apologies if the title offends anyone, but I couldn't resist.)

Radio piece about Moby Dick and the King James Bible, two classic books that weren't well regarded when they were published. The KJB was commissioned, it says, both to unite England's Protestants and Catholics,

(!) [Jimmy] Well that's just plain wrong. At the time the Catholic church considered it heresy to translate the Bible. The point of the King James Bible was to have a Church of England approved translation -- it's the King James Bible, King James was the head of the English church. (Though, IIRC, he was generally regarded as a closet Catholic, so maybe...)

(?) and because James objected to the Geneva Bible, which was strongly Calvinist and anti-monarchic.

(!) [Jimmy] Erm... I doubt it. There had already been several attempts at translating the Bible into English by then. "The Story of English" has quite a bit about the importance of English translations of the Bible and rates Tynesdale's highest.
(!) [Jimmy (again)] Whoops. The book is "The Adventure of English", the translator was Tyndale. There was an earlier attempt to translate the Bible, by John Wycliffe.
(!) [Rick] Tyndale got a rather... hot reception for it.[1]
/me halts, Austin Powers-style, to emphasise his rather laboured bon mot, and wonders where his Mod backup band went.
[1] For the historically challenged: Tyndale was burned at the stake by the Hapsburg regime in Belgium, which had arrested Tyndale there — at the urging of a rather shadowy Englishman named Henry Philips, who may have been acting on Henry VIII's behalf — as he was consulting with scholars on the Continent.
(!) [Jimmy] Hmm. That reminds me that I should have thrown in a few Wikipedia links:
http://en.wikipedia.org/wiki/William_Tyndale http://en.wikipedia.org/wiki/John_Wycliffe http://en.wikipedia.org/wiki/Wyclif%27s_Bible
(!) [Jimmy] "From within the sanctioned, clerical, deeply traditionalist honeyed walls of Oxford, Wycliffe the scholar launched a furious attack on the power and wealth of the Church, an attack which prefigured that of Martin Luther more than a hundred years later."
"[M]any familiar phrases do have their English origin in this translation: 'woe is me', 'an eye for an eye' are both in Wycliffe, as are such words as 'birthday', 'canopy', 'child-bearing', 'cock-crowing', 'communication', 'crime', 'to dishonour', 'envy', 'frying-pan', 'godly', 'graven', 'humanity', 'injury', 'jubilee', 'lecher', 'madness', 'menstruate', 'middleman', 'mountainous', 'novelty', 'Philistine', 'pollute', 'puberty', 'schism', 'to tramp', 'unfaithful' and 'zeal'."
Also mentioned are: 'humanity', 'pollute', 'profession', 'multitude', and 'glory'.
(!) [Jimmy (yet again)] Oh, while I'm at it...
"Tyndale's words and phrases influenced between sixty and eighty percent of the King James Bible of 1611 and in that second life his words and phrases circled the globe.
"We use them still: 'scapegoat', 'let there be light', 'the powers that be', 'my brother's keeper', 'filthy lucre', 'fight the good fight', 'sick unto death', 'flowing with milk and honey', 'the apple of his eye', 'a man after his own heart', 'the spirit is willing but the flesh is weak', 'signs of the times', 'ye of little faith', 'eat, drink and be merry', 'broken-hearted', 'clear-eyed'. And hundreds more: 'fisherman', 'landlady', 'sea-shore', 'stumbling-block', 'taskmaster', 'two-edged', 'viper', 'zealous' and even 'Jehovah' and 'Passover' come into English through Tyndale. 'Beautiful', a word which had meant only human beauty, was greatly widened by Tyndale, as were many others."

(?) "The word 'king' appears not once in the Old Testament of the Geneva Bible. Instead it used the word 'tyrant'." Oops. By the time James's translation appeared ten years later, it was virtually ignored, and the king himself had gone on to other things.

"By the time the bible was published in 1611, King James was pretty well losing it. He'd spent so much money on his boyfriends and his palaces and his parties, and had alienated such wide branches of Puritan opinion, and he was drinking so much, that his star was waning anyway." Then after a civil war, it became an object of consolation, a reminder of an era that was lost.

(?) Willy Wonka

From Adam Engel

Hence, it must be doable and I merely can't figure out how to do it, or it's doable but not worth the time/effort and was a silly idea in the first place." On the other hand, if the numbers can be deconstructed in Perl, and reconstructed, why not? They laughed at Willy wonka, and look at him NOW.

(!) [Jimmy] Hey, as long as the snozberries still taste like snozberries, I'll be happy.
(!) [Jimmy] Dang. No snozberries, but it does have Christopher Lee!!
(!) [Jimmy] I'd like to point out that I'm partial to snozzberries after the scene in "Super Troopers".

(?) I saw his name on the opening credits, but once the movie started I forgot to look for him, and since I haven't seen him in anything but old 1960s horror movies, I probably wouldn't recognize him. But I'll give it a shot: was he the grouchy old "grandpa," the one who didn't go to the Factory but counseled young Charlie not to be a "dummy?"

(!) [Lew] Nope.
Christopher Lee was Willie Wonka's father, the dentist. It took me a few good minutes to figure that out :-)

(?) [conspire] OT (somewhat) Linux perspective on "Zotob's"

From Rick Moen

I'm going to go to Hell for this, I know, but I'm succumbing to the temptation to post about the latest Windows virus, here -- sort of. But this won't be your standard "update your $WHATEVER" MS malware advisory, I hope: I have in mind some points within spitting distance of topicality for a Linux user group.

Here's a summary of the current one-day wonder. Feel free to compare & contrast it against mass-news coverage:

Yesterday's worm, called Zotob, is an automated remote exploit against insufficiently paranoid input routines in a Win2k (& some WinXP) "Plug and Play" network daemon (in msdss.dll[1]) reachable over TCP port 445 (the "Microsoft Naked CIFS" port). This weakness in the daemon's input validation routines was discovered and disclosed four days before, in MS Security Bulletin MS05-039, which was accompanied by a binary patch to close the hole.

The exploit feeds the msdss.dll network interface aberrant data to cause a -- yes, you guessed it -- stack-based buffer overflow (failing to check the length of the network message[2] before passing it on to some buffer), found recently by Neel Mehta of ISS[3], which somehow permits the remote attacker to locally escalate privilege on the vulnerable machine and then carry out assorted mischief and attacks on additional hosts.

The news stories and "virus advisories" tell people gruesome tales about the aforementioned mischief, argue over which Win$FOO releases are and are not vulnerable, and warn to install $WHATEVER without delay, but what's invariably missing are obvious concerns like these:

  1. Why the frell are all Win2k-and-later Microsoft machines offering open network access from anywhere at all to a Plug and Play "service" (daemon) -- even on Aunt Marge's desktop box? Who exactly thought that adding network-aware capabilities to Plug and Play was a good idea? (Note that this isn't the same as Microsoft's equally worrisome but distinct "Universal PnP" architecture.)
  2. Why aren't machine admins/owners made aware that they're running such network daemons and exposing them to the entire world as attack targets? What does each of them do? How would one turn each of them off, or limit one of them to be reachable from (say) localhost only, i.e., running them bound only to the loopback network interface, or alternatively from just one's local IP subnet? What would be the consequences of disabling each of them? (I might point out that there's a frightening forest of network daemons enabled by default on such boxes, not just this one Plug and Play daemon on 445/tcp -- and Windows users are told nearly nothing about what, why, and how.)
  3. Given the eyebrow-raising assumption that such a daemon has to be left running by default and accessible outside localhost, why can't Microsoft manage to make it validate its input correctly? I mean, this isn't brain surgery, guys.
  4. And given that such a thing must be running, etc., why is the library allowed such apparently trivial access to escalate privilege? Why should it be able to escalate privilege *at all*? Haven't the Microsoft guys ever heard of role separation and dropping privilege in a process?

Linux relevance: Please note the difference in coverage and emphasis, compared to *ix vulnerabilities

99% of the news coverage -- even in the allegedly technical press -- of this "virus" (worm) included basically none of the relevant technical details about the attack mechanism, and what is being attacked, and what that is, and why that software is running in the first place... let alone what would happen if you were to turn that software off, how you would do so, etc. And my finding that information was like pulling teeth. (I eventually found most of it at SANS.)

If this were a remotely exploitable buffer overflow and privilege escalation in the *ix world -- say, in NFS's rpc.statd -- there would be copious information easily findable about all of the above matters. In fact, there is such information routinely available, when such things emerge.

[1] The filename suggests that the library probably is primarily concerned with the Microsoft Directory Synchronization Services, which are an external interface for Active Directory. But it's really rather disturbing and shocking that searching Google on this filename turns up zero hits. (It's mentioned only in a few very new articles that Google hasn't yet found.) The file's reportedly (per one recent article) not provided by the OS itself, but rather silently installed and activated when you install this-or-that additional software.

[2] There's something about SMB/NetBIOS "NULL session" information being used in this exploit. If curious, see this coverage: http://www.brown.edu/Facilities/CIS/CIRT/help/netbiosnull.html http://www.windowsitpro.com/Windows/Article/ArticleID/44413/44413.html

[3] http://xforce.iss.net/xforce/alerts/id/202 Interesting quotation: "The Plug and Play service is a Windows DCE-RPC service that is designed to handle device installation, configuration, and notification of new devices. It starts automatically on modern versions of the Windows operating system, and runs in default configurations. On Windows 2000, this service is reachable via named pipes and a NULL session. It is not possible to disable this service without adversely affecting system operation.

This Plug and Play service contains a remotely exploitable stack-based overflow. It has been proven to be trivially exploitable...."

(!) [Deirdre Saoirse Moen]
From the Google translation of wakwak.com:
We inform about circumstance below from the trend micro corporation, in regard to the Troy wooden horse type virus TSPY_BANCOS.ANM which is announced on July 8th of 2005. 1. TSPY_BANCOS.ANM The TSPY_BANCOS.ANM with the virus which is classified into Troy wooden horse type, being something which transmits the information which from the personal computer which is infected is inputted with the online bank of specification, to the URL of specification, it does.
From other sites (auto-translated from Japanese) over the last day:
[probably about buying domain names]
Internet is enjoyed 100 times! To the name store which with the television hides from the prestige store of topic the decoy of the cake and the harmony candy
[probably about phishing]
Information leakage from the personal computer which it abolishes is prevented, concerning the data method of elimination.
I love auto translations.


Copyright © 2005, . Released under the Open Publication license unless otherwise noted in the body of the article. Linux Gazette is not produced, sponsored, or endorsed by its prior host, SSC, Inc.

Published in Issue 118 of Linux Gazette, September 2005