• Home
  • Personal
  • Tech
  • Politics
  • Photography

  • Segfault in Ruby Ferret query parser

    September 13th, 2007

    Whilst working with the Ruby text search engine library Ferret, I came across a segfault in the query parser. It had already been reported and fixed, but I realised it can lead to a denial of service.

    If you use Ferret anywhere that allows users to execute queries, those users can crash the Ruby process with a specially crafted query.  This was quite serious for a number of my sites (not to mention slowing development of a current app) so I applied the fix to the released 0.11.4 source and repackaged it as 0.11.4.1.

    Obviously this isn’t in any way official, but it works for me and I’m sharing here for anyone else affected. Gem, tgz and zip here and just the patch available here (derived from the author’s changeset to trunk).

    The patch is against the release source, as the subversion repository seems to be down atm (I got the changeset from the web bases subversion viewer).

    Get upgrading!

    Tags: crash, denial-of-service, dos, ferret, rails, ruby, segfault

    Posted in Ruby on Rails, Security | No Comments »

  • Encrypted partitions with Ubuntu/Debian

    December 6th, 2006

    I figured out how to set up an encrypted partition on Ubuntu the other day. There are a bunch of ways of doing it but I found this to be the simplest. It should work on Debian too, since all the relevant packages are Debian ones anyway. In my example I’m encrypting an LVM partition (logical volume), but it should work with any device, including removable USB keys (see end notes). UPDATE: This is broken in Edgy but I figured out a simple fix, see below.

    Read the rest of this entry »

    Tags: Debian, encryption, filesystem, privacy, Security, Ubuntu

    Posted in GNU/Linux, Security, Tech, Ubuntu | 15 Comments »

  • Opt-out of centralised NHS records

    November 4th, 2006

    The government are centralising our medical information onto something called the “NHS Spine”. So our entire NHS medical histories will be moved to this system opening it up to general access for millions more employees of:

    • various government agencies including the police and social workers
    • private investigators, media organisations and other commercial entities.

    Well, you apparently have the legal right to opt out of this “data rape”:

    In June 2005, FIPR developed an opt-out letter to send to the Secretary of State. People who sent this off have been fobbed off. We now recommend that you opt out via your GP. Ask your GP to enter into your record the code 93C3 (“refused consent for upload to national shared electronic record”). You can also ask for your address and phone number to be kept off the NHS internal directory, and for your hospital records also to not be uploaded to central systems: see here for details. We encourage you to opt out even if you have nothing to hide; if only people who do have something embarrassing in their records opt out, then doing so will carry a stigma.

    • Light Blue Touch Paper: Opting out of the NHS database
    • Foundation for Information Policy Research
    • Guardian: Warning over privacy of 50m patient files
    • Guardian: Ministers to put patients’ details on central database despite objections
    Tags: health, medical, medical information, n3, nhs, privacy, spine

    Posted in Politics, Security | No Comments »

  • Referrer Securer

    August 16th, 2006

    Did you know that Firefox (and Epiphany) don’t send referrers when following a link from an SSL encrypted site? The target site cannot tell whether you clicked a link or typed the url in directly.

    I don’t know about other browsers, but this seems like a sane behaviour.

    Tags: browser, click, epiphany, firefox, http, https, link, privacy, Security, ssl

    Posted in Security, Tech | 1 Comment »

  • Windows popup spam

    September 22nd, 2005

    Whilst closely watching the traffic to a server here at work (I had a good reason, I don’t just find it fun) (yes I do) I noticed a firewall batting away a bunch of incoming Microsoft Messenger Service NetrSendMessage. These are UDP packets destined for port 1026. The contents of the messages seem to be spyware and spam tricks. “Your system needs updating, click here to purchase the patch” etc.etc.

    I’ve not come across this before, but it seems to be wide spread. In 2 hours I collected over a dozen to one particular host, all from different source IPs and nearly all with different messages and urls in them. Here are some excerpts, notice that as URLs aren’t clickable in message boxes they have to leave instructions to type the url in.

    UPDATE: For all the non-techies, these messages are NOT the result of a virus or worm or anything like that. They are just network messages sent over the internet by scammers, a bit like spam. You can safely ignore them. If you want them to go away, install some firewall software or follow the instructions by Manimo to turn off the messaging service.

    Read the rest of this entry »

    Tags:

    Posted in Networks and Firewalls, Security, Tech | 11 Comments »

  • Black Hat, Amsterdam

    March 29th, 2005

    I leave for Amsterdam on Wednesday where I’m attending the Black Hat Briefings. I was at DefCon in Las Vegas a few years ago so I’m interested to see what the BHB are like in comparison. I hope it’s not just a big ugly advertis-a-thon. I’m there for a few days courtesy of work and will have photies to post when I get back I expect.

    My new Laptop arrived today too (not got it in my hands though). The ickle IBM Thinkpad X40 is very portable, but I’ve been using it for more of a desktop replacement than a portable troubleshooter, hence the new Viao one. Big 17inch widescreen LCD, crazy CPUness (for Doom3 and Half Life 2 fun), and 1G RAM. I expect it’ll weigh more than two Terri Schiavos* but I’m a big guy.

    * – Please note: topical reference.

    Tags: amsterdam, blackhat, ibm, laptop, Security

    Posted in Networks and Firewalls, Personal, Security, Tech | No Comments »

  • grsecurity and selinux

    September 28th, 2004

    I’m playing with the grsecurity patches for Linux. Unfortunately 2.6.8 changed in a way that causes major headache for the grsec team, so no planned release date for a new patch. Having some problems with strange enforcements of rlimits, potentially linked to the rlimit auditing code. I’ll hopefully get time to tinker with SELinux too.

    Tags: grsec, linux, Security, selinux

    Posted in GNU/Linux, Security, Tech | No Comments »

  • air gap switch security

    July 7th, 2003

    Whale communications have invented something very secure, and very special. To the naked non-technical eye, their marketing material seems misleading and misguided, but this is the state of the art of security technology. It does some stuff to ensure undefined things do or do not happen.

    Quote: “The patent-pending air gap switch keeps sensitive systems and data physically disconnected from untrusted networks and users, and transfers application-level data in real time. It is a high-speed, solid-state analog switch that connects a 512K memory bank to one SBC at a time via a SCSI interface. The air gap switch contains no Operating System, no TCP/IP address, no programmable units, all of which protects the appliance from being compromised. It hides internal addresses, preventing hackers’ mapping of internal network and any tunnelling threat. It protects confidential information such as private keys and configuration data by placing them behind the “air gap.”

    It’ll also apparently cure all known ailments, gives you a full head of hair, and a long life free of pain.

    Tags:

    Posted in Security, Tech | 1 Comment »

  • horribly ported

    April 26th, 2003

    My port of that pptpd exploit to Linux was apparently so horrendous that it prompted ‘r4nc0rwh0r3′ of ‘blightninjas’ to take the time to do it properly. In my defence, the original code really sucked, and I myself only needed the testing part to work (which seemed to work for me). It also compiled fine for me with gcc 3.2.3 (worksforme(tm)). And I in no way proclaim myself to be a good C programmer! Anyway, my laziness and lameness was thoroughly ridiculed by them here. Find their own fixed version here. At least I got my name on Bugtraq. Roll on fame and the big dollar.

    Tags: bugtraq, coding, linux, Security, sploit

    Posted in Security, Tech | No Comments »

  • PPTP vulnerability

    April 22nd, 2003

    A buffer overflow vulnerability has been found in the PoPToP PPTP server. The daemon is commonly run as root, therefore this can be pretty serious. A sample exploit was released for windows, and I’ve ported it to Linux (gcc). The problem on our own firewalls was mitigated because, although we have to run the crappy software to provide simple windows VPN access, we have some stack protection in our kernels.

    Tags:

    Posted in Security, Tech | No Comments »

  • John Leach

    • John Leach is a human being living in Leeds, UK.

  • Twitter

    • John Open Rights Group demo against "Digital Economy Bill" on 24th March in London: http://www.openrightsgroup.org/campaigns/disconnection 9 hrs ago
    • More twitter updates →

  • Author Stuff

    • Brightbox Rails Hosting
    • Compost This
    • ELER Web Comic
    • New World Odour
    • News Sniffer
    • Photography
    • Profile and History
    • Recycle This
    • The Gillroyd Parade
    • Things to do today
    • Website

  • Friends

    • Caius Durling
    • Deb Bassett
    • Gianni Tedesco
    • Ian Higgins
    • Louisa Parry
    • Rahoul Baruah
    • Sleepy Kev
    • Tim Waters
    • Tom Hall

  • Stuff

    • ifup
    • Media Lens
    • Mia Bambina
    • News from nowhere

  • Meta

    • Log in
    • Entries RSS
    • Comments RSS

  • Search

Creative Commons License The text of this blog is licensed under the Creative Commons BY-ND license