That’s right, it’s my end of year round up! I am running the risk that nothing significant or amazing will happen to me in the next 24 hours, I know. I’ve trawled through tweets and blogs and reminded myself of the fantastic, crazy things that have happened this year. Here are just some of them, in no particular order.
There are some things I’ve done this year that have been really, really special. But I just can’t tell you about them. Sorry! They really were among the highlights of my year though.
I’ve got a feeling that 2014 will be very special too. Have a great new year….
Every Summer, I wish for a pair of sandals that are comfortable but have some style so that they can feel a bit smart as well as casual. And I’m rubbish at finding them – I don’t really like shoe-shopping at all, which doesn’t help. Enter MOHOP sandals.
I was browsing Kickstarter projects over Christmas and came across the MOHOP sandals project. Basically, you get a pair of sandal bases, some ribbon, and some design cards. You then thread the ribbons on the bases according to the design cards (or your imagination). The bases are flexible with wooden heels and are suitable for vegans and people with a range of other ethical shopping goals (including, if you’re from the US, made in the US).
(Although the bases shown have high heels, they’re also available as flats or different heights of heel.)
They’ve apparently been going for some time (at mohop.com and on Etsy) but were struggling to meet demand. They’re taking the Kickstarter route to fund expanding their production capabilities (including creating local jobs).
I think the sandals are a great idea. They’re fun to look at, comfy to wear (according to the reviews), and infinitely re-designable, which appeals to my crafty side. You can thread decorations on to the ribbon or replace the ribbons completely with strips of sari, shoelaces, or anything else that occurs to you.
At the moment, the cheapest pair is $45 for a pair of flats (though there are lower-cost ‘perks’ available if you just want to contribute without buying any shoes). I’ve gone for the $100 ones that have low heels. They’re looking for $50,000 of funding by the 25th January so that they can open their new production place. They’ve got some way to go yet so if you like the look of them, consider supporting this cool idea!
Here’s their video about manufacturing their shoes:
This week my small collection of sysadmin tools received a lot of attention; I've no idea what triggered it, but it ended up on the front-page of github as a "trending repository".
Otherwise I've recently spent some time "playing about" with some security stuff. My first recent report wasn't deemed worthy of a security update, but it was still a fun one. The package description describes rush as:
GNU Rush is a restricted shell designed for sites providing only limited access to resources for remote users. The main binary executable is configurable as a user login shell, intended for users that only are allowed remote login to the system at hand.
As the description says, this is primarily intended for use by remote users, but if it is installed locally you can read "any file" on the local system.
How? Well, the program is setuid(root) and allows you to specify an arbitrary configuration file as input. The very first thing I tried to do with this program was feed it an invalid configuration file that I could not read myself.
Helpfully there is a debugging option, --lint, to help you set up the software. Using it is as simple as:

    shelob ~ $ rush --lint /etc/shadow
    rush: Info: /etc/shadow:1: unknown statement: root:$6$zwJQWKVo$ofoV2xwfsff...Mxo/:15884:0:99999:7:::
    rush: Info: /etc/shadow:2: unknown statement: daemon:*:15884:0:99999:7:::
    rush: Info: /etc/shadow:3: unknown statement: bin:*:15884:0:99999:7:::
    rush: Info: /etc/shadow:4: unknown statement: sys:*:15884:0:99999:7:::
    ..

The only mitigating factor here is that only the first token on the line is reported. In this case we've exposed /etc/shadow, whose lines for the interesting users contain no whitespace, so that is enough to start cracking those password hashes.
If you maintain a setuid binary you must be trying things like this.
If you maintain a setuid binary you must be confident in the codebase.
People will be happy to stress-test, audit, examine, and help you - just ask.
Simple security issues like this are frankly embarrassing.
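The two-part fix a maintainer of such a program would want, as an added example in C that is not GNU Rush's own code: open the caller-supplied path with the caller's real uid rather than root's, so the kernel enforces the caller's permissions, and keep unrecognised text out of diagnostics. The statement keywords ("rule", "user") and the sample file are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Added example, not GNU Rush's code: a minimal config lint with two fixes.
 * (1) The caller-supplied path is opened with the caller's real uid, so the
 * kernel refuses files the caller cannot read. (2) Diagnostics carry a line
 * number, never the unrecognised text. */
/* Swap the effective uid for the real uid around fopen(). In a setuid-root
 * binary this makes fopen("/etc/shadow") fail with EACCES for an ordinary user;
 * run unprivileged, as here, the uids already match and the swap is a no-op. */
FILE *open_as_real_user(const char *path) {
    uid_t euid = geteuid();
    if (seteuid(getuid()) != 0) return NULL;                 /* act as the caller */
    FILE *fp = fopen(path, "r");
    if (seteuid(euid) != 0 && fp) { fclose(fp); fp = NULL; } /* restore euid */
    return fp;
}

/* NULL if the line starts with a known keyword (constructed set: "rule",
 * "user"); otherwise a diagnostic that carries only the line number. */
const char *lint_line(const char *line, int lineno) {
    static char msg[64];
    size_t n = strcspn(line, " \t\r\n");
    if (n == 4 && (!strncmp(line, "rule", 4) || !strncmp(line, "user", 4))) return NULL;
    snprintf(msg, sizeof msg, "%d: unknown statement", lineno);
    return msg;
}

/* Number of unknown statements in a file, or -1 if the caller may not open it. */
int lint_file(const char *path) {
    FILE *fp = open_as_real_user(path);
    if (!fp) return -1;
    char line[512]; int unknown = 0, lineno = 0;
    while (fgets(line, sizeof line, fp))
        if (lint_line(line, ++lineno)) unknown++;
    fclose(fp);
    return unknown;
}

/* Constructed sample: two valid statements followed by two shadow-style lines. */
int demo(void) {
    char path[] = "/tmp/lintdemoXXXXXX";
    const char *s = "rule default\nuser alice\nroot:$6$zz:1:0:9:7:::\ndaemon:*:1:0:9:7:::\n";
    int fd = mkstemp(path);
    if (fd < 0 || write(fd, s, strlen(s)) < 0 || close(fd) < 0) return -1;
    int r = lint_file(path);
    unlink(path);
    return r;
}
```

Run as an unprivileged user the uid swap is a no-op; installed setuid root, the same code lets the kernel reject /etc/shadow for anyone who cannot already read it.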
So, I may have forgotten to write a post yesterday. And I may have forgotten to remember to write one today. I am sure this will have caused much wailing and gnashing of teeth around the intertubes.
I finished my last task before Christmas earlier today, hand delivering a photobook and disc of images. It’s not always practical to be there as my lovely clients unwrap their goodies, but it’s lovely when I can be. Watching Ted and Hayley look through their photobook with their two very, very lively boys and remembering their wedding day from the summer was wonderful.
So it’s with a fairly clear conscience that I can put my feet up for a few days, enjoy the company of my family and friends, and wish you all a very merry and magical Christmas. And a new year full of hope and light and excitement.
As the year draws to a close, so does this sixth season of the Ubuntu Podcast. We always take a break over Christmas and New Year to spend time with our families and recharge our batteries. It really does help maintain our energy and enthusiasm for doing the show.
We made quite a few changes to the format this year and generally they have gone down well. We moved from fortnightly episodes to a shorter, weekly format. We continued to stream the audio from live episodes, but have also added a video stream, thanks to Popey’s webcam and some insulation tape. We made a concerted effort to bring you more interviews and take more time to discuss news items.
We did briefly consider putting out an episode on Christmas day, but we’ve decided to round off this year with a double-length show. We’ll be breaking out the mince pies and brandy butter (chocolate mini-rolls for Mark) and maybe even mulling some wine to add the proper festive spirit to our show.
So join us live at 2030 UTC (that’s also 2030 GMT) tomorrow evening for the last episode of the Ubuntu Podcast for this year, and what we hope will be some festive fun, frolics and felicitations.
The work to make Communicado’s life as difficult as possible continues and it does seem like we’re having some success.
When I started this project, Communicado registered all their domains through DAILY, mostly using faked registrant data and hiding behind the privileges granted to individual private registrants. I established a dialog with Nominet about this and it seems Nominet did take action, to the point of suspending some of these domains. Communicado then suddenly switched to using ENOM for registering their domains. I don’t know, and have no way of knowing, if they were booted off by DAILY or just decided to switch. Either way, it made no difference: I could easily find the domains they were registering via Nominet’s PRSS tool.
As of Monday 16th, they have changed tactics again. They have apparently abandoned the .co.uk namespace (I’m sure they’ll be missed) and have gone back to using a variety of .com, .net and .org domains. Some seen in use today are:

    actionallegiance.com
    andronol.com
    baotao.org
    bigrockconsultants.com
    coolpress.net
    europacastno.com
    greenroses.org
    hourlycreative.com
    pidchas.com
They’re easy enough to spot in the logs, but I don’t currently have a good way of searching the whois for these TLDs. Suggestions for such a tool (non-free is fine) are welcome.
Maintaining this list and the RBL service is taking time and money. I will absolutely never be charging anyone for the list and the RBL will be free and open access for as long as it is sustainable to do so. In addition to the ways you can help mentioned in previous posts, a more direct way you can help is to donate a little money, preferably in the form of Bitcoin to 1F9Y1Gd3Pmmchxa7uGFd3zBQY9zVuX78Jd.
More news when I have it, you can follow @Excommunicado for more frequent updates.