Years back, Sun was under pressure in the market. Although many users loved our core Solaris operating system, others thought it was built for high end computers, not grid systems. Our computer business had failed to keep pace with the rest of the industry — which meant our volume systems looked expensive. In combination, and with a poor track record of supporting Solaris off of Sun hardware, we gave customers one choice — leave Sun. Many did. Those were the dark days.
Here is an interesting post to Dailydave by Brad Spengler from grsecurity.net which I will duplicate in part here:
Few of you may have seen my comments on the following article in RedHat magazine: What’s new in SELinux for Red Hat Enterprise Linux 5?
I think the issue deserves more widespread attention among the security community, however, since RedHat seems to be involved in a concerted effort of disinformation for both SELinux and ExecShield. Take note of their misleading (another word for completely inaccurate) diagrams, inability to understand what exactly the new additions to SELinux have to do with “buffer overflows,” and then note my several comments below, where I also comment upon some ExecShield behavior under a non-NX system. I present you with links to several previous articles on RedHat security and the official ExecShield paper, all written by developers at RedHat, who make several inaccurate/misleading statements regarding the effectiveness under ExecShield in a non-NX environment (which RedHat would have you believe does not exist anymore).
I encourage you to read all the comments, however the basic idea is that ExecShield has had problems ever since it was introduced into Fedora and then into RHEL (sometimes due to improper marking with the flawed PT_GNU_STACK which under ExecShield with no NX makes the entire address space executable, other times with bugs in the ExecShield implementation that ended up leaving over half of the services on a Fedora Core 3 system being protected improperly).
Then there’s the design issue RedHat doesn’t want you to know about:
under ExecShield with no NX, every writable mapping lower than the highest executable mapping in the address space is executable.
For PIE binaries, due to their weaker form of PaX’s ASLR, this becomes even more interesting since it produces what I call “nondeterministic security.” Since PIE binaries are treated just like libraries, they may or may not be loaded as the highest-mapped library in the system. Since there is only one PIE binary loaded and many more libraries being loaded, this means that there’s a large chance that the bss/data on the main executable will be unprotected — writable and executable.
Ingo knows about this (I mailed him privately about the problems I saw with Fedora Core 3, which resulted in an updated kernel — though I don’t believe users were really notified of the fact they were being fooled into thinking certain protection was being applied to their binaries that in fact was not), but it seems he’s not talking to anyone else at RedHat if you look at the articles that keep coming out about their “security enhancements.” In my last comment I list articles I found about ExecShield with the inaccurate statements (I couldn’t find any with an accurate discussion of them). Among them: http://www.noncombatant.org/trove/drepper-redhat-security-enhancements.pdf http://www.redhat.com/magazine/009jul05/features/execshield/ http://www.redhat.com/f/pdf/rhel/WHP0006US_Execshield.pdf
I really hope I don’t see another article from RedHat about SELinux containing diagrams like:
or an article about ExecShield saying that its protection on a processor without NX is comparable to one with NX.
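The design issue quoted above can be checked mechanically against a process's memory map. The following C program is an added example, not code from Brad's post, from grsecurity or from ExecShield itself: it parses `/proc/<pid>/maps` lines, finds the end of the highest executable mapping, and lists every writable mapping that sits below it, i.e. the regions that the "everything below the highest executable mapping is executable" rule leaves effectively executable even though they are marked `rw-p`. The two layouts it is fed are constructed maps listings (addresses, inode numbers and the `/usr/bin/pie-app` path are invented), one with the PIE binary mapped below libc and one with it mapped above, to show how the unprotected region moves with load order; the live `/proc/self/maps` pass at the end only applies the same rule to the current process and says nothing about what the running kernel actually enforces.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* One entry of /proc/<pid>/maps, reduced to the fields the check needs. */
struct mapping {
    uintptr_t start, end;
    int writable, executable;
    char path[64];
};

/* Parse one maps line: "start-end perms offset dev inode [path]". Returns 1 on success. */
int parse_maps_line(const char *line, struct mapping *m)
{
    unsigned long start, end;
    char perms[5];
    memset(m, 0, sizeof *m);
    if (sscanf(line, "%lx-%lx %4s %*s %*s %*s %63s", &start, &end, perms, m->path) < 3)
        return 0;
    m->start = start;
    m->end = end;
    m->writable = perms[1] == 'w';
    m->executable = perms[2] == 'x';
    return 1;
}

/* Parse an array of maps lines into out[]; returns the number parsed. */
size_t parse_maps(const char *const *lines, size_t n, struct mapping *out)
{
    size_t cnt = 0;
    for (size_t i = 0; i < n; i++)
        if (parse_maps_line(lines[i], &out[cnt])) cnt++;
    return cnt;
}

/* End address of the highest executable mapping: the effective code limit
 * under a segment-limit style NX emulation. 0 if nothing is executable. */
uintptr_t exec_limit(const struct mapping *m, size_t n)
{
    uintptr_t lim = 0;
    for (size_t i = 0; i < n; i++)
        if (m[i].executable && m[i].end > lim) lim = m[i].end;
    return lim;
}

/* Writable, non-executable mappings that start below the exec limit: marked
 * rw in the page tables but executable under the segment-limit rule.
 * Returns the count and fills out[] with up to max entries. */
size_t effectively_executable(const struct mapping *m, size_t n,
                              struct mapping *out, size_t max)
{
    uintptr_t lim = exec_limit(m, n);
    size_t cnt = 0;
    for (size_t i = 0; i < n; i++) {
        if (m[i].writable && !m[i].executable && m[i].start < lim) {
            if (out && cnt < max) out[cnt] = m[i];
            cnt++;
        }
    }
    return cnt;
}

/* Convenience wrapper: parse lines and run the check in one call. */
size_t analyze(const char *const *lines, size_t n, struct mapping *out, size_t max)
{
    struct mapping maps[64];
    size_t cnt = parse_maps(lines, n < 64 ? n : 64, maps);
    return effectively_executable(maps, cnt, out, max);
}

/* Constructed layouts (not captured from a real system), 32-bit style. */
const char *const LAYOUT_PIE_LOW[] = {   /* PIE binary mapped below libc */
    "b7e00000-b7e01000 r-xp 00000000 08:01 1001 /usr/bin/pie-app",
    "b7e01000-b7e02000 rw-p 00001000 08:01 1001 /usr/bin/pie-app",
    "b7e10000-b7f30000 r-xp 00000000 08:01 2002 /lib/libc.so.6",
    "b7f30000-b7f33000 rw-p 00120000 08:01 2002 /lib/libc.so.6",
    "bffeb000-c0000000 rw-p 00000000 00:00 0 [stack]",
};
const char *const LAYOUT_PIE_HIGH[] = {  /* same PIE binary mapped above libc */
    "b7d00000-b7e20000 r-xp 00000000 08:01 2002 /lib/libc.so.6",
    "b7e20000-b7e23000 rw-p 00120000 08:01 2002 /lib/libc.so.6",
    "b7f00000-b7f01000 r-xp 00000000 08:01 1001 /usr/bin/pie-app",
    "b7f01000-b7f02000 rw-p 00001000 08:01 1001 /usr/bin/pie-app",
    "bffeb000-c0000000 rw-p 00000000 00:00 0 [stack]",
};

static void report(const char *name, const char *const *lines, size_t n)
{
    struct mapping bad[64];
    size_t nbad = analyze(lines, n, bad, 64);
    printf("%s: %zu writable mapping(s) below the exec limit\n", name, nbad);
    for (size_t i = 0; i < nbad; i++)
        printf("  %08lx-%08lx rw-p but effectively executable  %s\n",
               (unsigned long)bad[i].start, (unsigned long)bad[i].end, bad[i].path);
}

int main(void)
{
    report("PIE below libc", LAYOUT_PIE_LOW, 5);   /* flags the PIE data/bss */
    report("PIE above libc", LAYOUT_PIE_HIGH, 5);  /* flags libc's data instead */

    /* Live pass over this process (Linux only); applies the same rule, nothing more. */
    FILE *f = fopen("/proc/self/maps", "r");
    if (f) {
        struct mapping maps[256], bad[256];
        size_t n = 0;
        char line[512];
        while (n < 256 && fgets(line, sizeof line, f))
            if (parse_maps_line(line, &maps[n])) n++;
        fclose(f);
        printf("this process: %zu writable mapping(s) below the exec limit\n",
               effectively_executable(maps, n, bad, 256));
    }
    return 0;
}
```

Run as a normal binary; for the two constructed layouts it reports exactly one unprotected region each, but a different one (the PIE's data/bss in the first, libc's data in the second), which is the "nondeterministic security" the post describes: whichever writable mapping happens to land below the highest-mapped library loses its protection.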
A massive protest rally with up to one million people taking part was held in Istanbul today in reaction to the AKP’s recent shenanigans.
AKP just held a press conference which went for around 10 minutes but said very little, other than a few inflammatory comments thrown in the Military’s direction. Should be an interesting week.
Update: Here is some of the press coverage:
Well, it looks like the good folk at the Beeb have finally reached the office, had a chat with their Turkish translation team and gotten to work. Here is the swag (currently top 4 stories on BBC website):
- EU warns Turkish army over vote
- Excerpts of Turkish army statement
- Analysis: Turkey’s tense election
- Country profile: Turkey
- Defending the secular ‘faith’
Update: Here is some additional local coverage (in English):
At 23:20 tonight (Friday night), the Turkish Military made a very strongly worded statement against the current government. This was surprising both for its extreme wording and the time (almost midnight) at which it was made. We are not expecting tanks on the streets just yet however, as if that happens it will probably not be until after the challenge of the presidential vote in the constitutional court is finished (mid week). As I can’t yet find an English translation of the military’s statement on the net (the foreign news channels have not yet picked it up) and it’s rather long, you will all have to wait for me to update this post, as it’s a bit too long for me to translate myself. People who are not familiar with the “interesting” Turkish political system should note that the Turkish Military are actually required by the constitution to “step in” whenever standard forms of government “break down”…
Update: The Beeb seems to have been the first foreign news site to pick up the story. Choice quotes from the Military include: “It should not be forgotten that the Turkish armed forces are a side in this debate and are a staunch defender of secularism” “…and will display their position and attitudes when it becomes necessary. No one should doubt that.”
Turkey held a parliamentary vote earlier today. Most of the opposition parties walked out on the vote in order to stop the ruling AKP party from having the two-thirds turnout required for the vote to be valid. At the last moment, several members of opposition parties entered parliament to vote (shortly after vehemently stating on TV that they had no intention of voting). It appears that they were still a few votes short of the required 367 (of 550), and the leading opposition party has launched a challenge in the constitutional court… This was all pretty much to be expected from the current government, which is notorious for shady dealings behind closed doors while claiming to be an ultra clean party… The Beeb has more info.
Here is an interesting article about a Windows power user giving SUSE Linux Enterprise Desktop 10 a trial. While the title of the article itself is a little negative, I think she gives it a pretty fair review.
Microsoft Office users now can easily import and export to the OpenDocument Format. The StarOffice 8 Conversion Technology Preview, a plug-in for Microsoft Word 2003 that allows users of Microsoft Word 2003 to read, edit and save to the OpenDocument Format (ODF) is now available from Sun Microsystems.
As a bootstrapped software company, Fog Creek couldn’t afford to hire customer service people for the first couple of years, so Michael and I did it ourselves. The time we spent helping customers took away from improving our software, but we learned a lot and now we have a much better customer service operation. Here are seven things we learned about providing remarkable customer service. I’m using the word remarkable literally—the goal is to provide customer service so good that people remark.