Author Archive

More on the Sony rootkit

Writing the previous post led me to read this Wikipedia article about the Sony DRM rootkit fiasco last year. Read it, because it is very interesting.

Among other things, I’ll quote the following (boldface emphasis mine):

Sony BMG released a software utility to remove the rootkit component of Extended Copy Protection from affected Microsoft Windows computers, but this removal utility was soon analyzed by Russinovich again in his blog article “More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home”, and revealed as only exacerbating the privacy and security concerns. In fact, the Sony BMG program merely unmasked the hidden files installed by the rootkit, but did not actually remove the rootkit. In addition, this program was reported to install additional software that cannot be uninstalled.

So, the “solution” Sony gave to its screaming customers was worse than the problem they had previously caused!

Now, read what the Wikipedia article recommends to eliminate the risk of abuse from Sony (and others):

The XCP software can be prevented from installing in several ways. First of all, a user can refuse to purchase such copy-protected CDs, perhaps downloading the music from a digital music distributor. Second, it is possible to disable autorun so that the software will not run automatically (this can be done, temporarily, by holding the SHIFT key while inserting the CD). Putting a piece of tape on the outside of the CD will also prevent the DRM from running. An alternative is to use an operating system which the software does not automatically install itself on, such as Linux or Mac OS X, or running Windows under a restricted account instead of an administrator account, in which case the installation program will not have the sufficient rights to install the rootkit.

Quite remarkable, also, is the fact that the DRM scheme Sony wanted to force-feed its customers, with the alleged objective of preventing copyright infringements, did actually breach a previous copyright, more precisely, an LGPL license (that of the LAME MP3 encoding library). That is, they were stepping on the toes of some Open Source material: THEY, the defenders of artist and creator rights, were attacking US, the thugs that want a free-for-all right-smashing steal-fest of all kinds of materials!


Rootkits and FLOSS

Amazing the human boldness is. Truly amazing.

Stuart McClure, Senior Vice President of Global Threats at McAfee, the anti-virus company (the more impressive a title, the less impressive the job), poured a bit of poison through his mouth and ascribed the increase of rootkit attacks (on Windows systems, I suppose. But remember there are Linux rootkits. Linux is immune to viruses, not to other attacks, including rootkits, intrusion via weak passwords, DoS attacks, annoying pop-ups and JavaScript in web pages, etc.) to the Open Software movement (article at NetworkWorld.com here).

Now, this comes from a company that failed to properly handle the Sony rootkit threat, even though they had many customers calling for help. Mmmm, I see, rootkits are only a menace if they don’t come from huge corporations eager to squeeze our money out of us.

The link this cretin uses to blame the FLOSS movement is twofold: the first one is a post hoc, ergo propter hoc (sorry, I’m a pedant bastard). He implies that both FLOSS and rootkits are rising, and thus the latter is caused by the former. In related news, he also [could have] said that the global warming is caused by the decrease in the number of pirates, because there is a definite correlation between the two over the last 200 years (see it here).

His second link from rootkits to FLOSS is the web page rootkit.com. This web page is allegedly malicious, and helps people (crackers) create baneful (sorry, I woke up with a Merriam-Webster mood today) malware (as the page name, ehem, implies).

Now, I have a couple of objections to that reasoning. The first, and most obvious one, is that one can not blame the whole FLOSS community for some rogue members. The second is that… are those guys at rootkit.com rogue at all?

I did visit the web page, and the first article one stumbles upon right now is:

Ad-Aware is a poorly written anti-spyware program from Lavasoft. Running it gives you a false sense of safeness. There can be done numerous attacks against this software. I’ll show some of the problems and attacks in this write-up. Here’s just a summary of the most visible problems I’ve run into.
[…]

So, on one hand, it seems to be (and is) giving info to exploit holes in that program, but, most importantly it is pointing out those holes, PUBLICLY. If those dummies at Lavasoft cared about their clients and the quality of their product, they’d only need to read rootkit.com to find out what errors it has, and presumably hints on how to fix them.

One can only wonder how a publicly announced exploit can be of malicious use at all. Indeed, if the rootkit the cracker creates is Open Source, it becomes trivial to eradicate it. The rootkits that actually scare me are the ones that don’t get announced!

Remember that security through obscurity is a Bad Thing(TM). The security problem of the example above (Ad-Aware) is to be found in its bugs, not in the airing of them. Publication is a way to a solution.

As Linus Torvalds says: “many eyes make all bugs shallow”.


Iraq democracy

I read in metrodirecto that the invasion of Iraq has made the situation of women there worse. With Saddam, women were free to go to schools and to the university, and also to work in any job. Now they are apparently being forced to “stay home”, partly because of safety reasons, and partly because of the repression of the new government.

Now, if we all know that the weapons of mass destruction stuff was bullshit, and both public safety (suicide bombers dozens a penny) and civil liberties (women’s rights stamped out, restrictive constitution) have not been enforced, but rather weakened, by the US invasion forces… what the heck was the reason to invade Iraq?


Blog name

Today I changed the name of this blog from an unappealing Iñaki Silanes’ Blog to an intendedly witty handyfloss. I was going to name it Mental floss, but the name is taken :^(

The new name fuses the British expression candyfloss (meaning “something attractive but insubstantial”, according to the Merriam-Webster OnLine dictionary) and the acronym FLOSS (which stands for “Free (Libre) Open-Source Software”).

*some minutes patting myself on the back, for being so witty and humorous*

I *ehem* humbly *ehem* think that the word neatly sums up the message I want to transmit with the blog: that the free software is useful!


Backups with rsync

I am quite fond of an interesting GNU tool called rsync. This tool, originally written by Andrew Tridgell and Paul Mackerras, is superb for duplicating, backing up and updating file trees. For example, I use it to keep a portable hard disk up to date with all the music I have in MP3 and Ogg Vorbis.

As a tool for making backups, I recommend reading this article about incremental backups with rsync. Truly useful.


Debian secure APT

The APT package management tool has a GPG signature checking system I keep forgetting how to configure in new Debian installs. This post is simply a reminder.

First step, get the signing key of the official Debian repositories:

# wget http://ftp-master.debian.org/ziyi_key_2006.asc -O - | apt-key add -
# aptitude update

Then, if we have other (non-official) repositories, the “aptitude update” above will give us errors like:

W: GPG error: http:whatever Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY XXXXXXXXYYYYYYYY
W: You may want to run apt-get update to correct these problems

It means that repository “http://whatever” has a signature that is not in the list of your trusted signatures. From the “XXXXXXXXYYYYYYYY” number, take the last 8 digits (the Ys), and do the following:

gpg --keyserver pgpkeys.mit.edu --recv-key YYYYYYYY

This downloads the PGP key of that repository (from a trusted site, like mit.edu). Then you have to add it to your list of trusted keys:

gpg -a --export YYYYYYYY | apt-key add -

This last bit will output “gpg: no ultimately trusted keys found”, followed by an “OK”. You can safely ignore the warning. The procedure worked.

The info has been taken from the Debian Wiki.
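The steps above as a dry run, in an added example that is not part of the original post or of the Debian Wiki: it pulls the NO_PUBKEY IDs out of constructed update output and prints the commands instead of running them. It passes the full 16-digit ID to gpg rather than the last 8 digits, since short IDs can collide, and adds a fingerprint check because a keyserver does not vouch for who uploaded a key; the repository names and key IDs are made up.

```shell
#!/bin/sh
# Added example: list the keys apt reports as missing and print the import plan.

# Constructed sample of "aptitude update" warnings (hosts and key IDs are made up).
sample_output() {
cat <<'EOF'
W: GPG error: http://repo-a.example stable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0123456789ABCDEF
W: GPG error: http://repo-b.example ./ Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY FEDCBA9876543210 NO_PUBKEY 0123456789ABCDEF
W: You may want to run apt-get update to correct these problems
EOF
}

# Read apt output on stdin; print each distinct 16-hex-digit key ID once.
missing_keys() {
    grep -oE 'NO_PUBKEY [0-9A-Fa-f]{16}' | awk '{print toupper($2)}' | sort -u
}

# The short ID used in the post: the last 8 digits of the long ID.
short_id() {
    printf '%s\n' "$1" | sed 's/.*\(........\)$/\1/'
}

# Read apt output on stdin; print (do not run) the commands for each missing key.
plan_imports() {
    missing_keys | while read -r id; do
        echo "# key $id (short ID $(short_id "$id"))"
        echo "gpg --keyserver pgpkeys.mit.edu --recv-key $id"
        # Compare this output with the fingerprint the repository itself publishes
        # before trusting the key.
        echo "gpg --fingerprint $id"
        echo "gpg -a --export $id | apt-key add -"
    done
}

sample_output | plan_imports
```

On a real system, pipe the output of the update command into `plan_imports` and run the printed lines only after the fingerprint matches.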


Pratchett and the music industry

I am currently reading Terry Pratchett’s Equal Rites, and enjoying it quite a lot, at that. It’s not his best book, which is to say it’s only ten times funnier than your average comedian.

What drives me to write this post is a comment Mr. Pratchett makes on page 97 of this book. May the potential propaganda it brings him compensate for the copyright infringement that quoting it here might entail:

One reason for the bustle was that over large part of the continent other people preferred to make money without working at all, and since the Disk had yet to develop a music recording industry they were forced to fall back on older, more traditional forms of banditry.

Self-explanatory, ain’t it? :^)


The Linux Virus

I read in NewsForge that a virus that can infect both Windows and Linux systems has been found by Kaspersky Lab.

I recommend reading the original NewsForge article, which is quite short and to the point. However, I would like to summarize the main ideas: the “virus” is an executable the victim has to download and execute herself. Then again, it only “infects” files in the same directory the user is in (a strange limitation; I would have expected it to infect files owned by the user, wherever they might be), and cannot self-replicate.

So… what kind of shitty virus is that? I could write a better one myself:

#!/bin/tcsh -f
rm -rf /*

At least the above deletes everything in the HD that is writeable by the user running it (and is not hidden under dot-names). What? My “virus” can not self-replicate, has to be run by the user, has no privilege escalation possibilities… well, neither does the Kaspersky virus, right?

Another BS story made up by Microsoft pet companies, it seems.


Blog style

I just edited the template of my blog, so that the style is now different. I hope you like it better than the previous one (a default one). I think I’ll keep changing details here and there, however.

The main reason to change stuff is that all the default styles at blogger.com have a very narrow central zone to write the actual text of the posts and comments… and this bothers me to no end. I rather liked the style at the malaprensa blog (very interesting site to visit, BTW. In Spanish), so I tried to mimic some of its characteristics.


The SGAE vs. Google

I have read in Barrapunto (the Spanish homologue of Slashdot) that Teddy Bautista, president of the SGAE, has disclosed his opinion that Google should be legally prosecuted for displaying the SGAE site as the first hit when searching for “ladrones” (thieves). Go ahead and try it (in any search engine, not just Google).

Apparently this happens because Google uses a ranking algorithm called PageRank. With this ranking method, page X is given a higher rating when searching for string Y (and thus, higher position in the hit list of a search for Y in Google), among other factors, when lots of pages have a link tagged Y pointing to page X.

Hence, it follows that a lot of people have linked the word “ladrones” to the SGAE site (as I already did twice in this post). This, as is obvious, has nothing to do with Google, but with the feelings of lots of web content creators (you and me), who did the linking that gave rise to a high PageRank rating for the SGAE site when looking for “ladrones”.

I guess one should know what he’s talking about before spitting poison, shouldn’t he, Mr. Bautista?
