Archive for August, 2008
Apple, Linux, and PHP in the Top List of Vulnerable Vendors
Cnet recently posted an article titled “Apple, Microsoft, PHP headline IBM’s list of most vulnerable software,” summarizing IBM Internet Security Systems’s X-Force 2008 Mid-Year Trend Statistics report. This report, by some strange reasoning, found it appropriate to list, among others, Apple, Joomla!, and Linux in the top ten list of vendors with the most reported security vulnerabilities. How exactly IBM Security Systems’s X-Force is capable of providing a suitable comparison between Apple and Joomla!, or how they find it appropriate to list Linux as a vendor, remains to be explained.
The IBMSSXF continued in their analysis of the top vendors with vulnerabilities:
Another commonality between these three vendors [Joomla!, Drupal, and WordPress] is that they are all written in PHP. If we look back over last year’s disclosures and apply the new CPE methodology to them, we would uncover another newcomer to the top five list, PHP itself, which would rank number four in the 2007 top five vendor list.
*Sigh*
Ivo Jansch provided a pertinent reply in his blog. He mentioned that since PHP is getting blamed for these vulnerabilities, perhaps we should blame C for the vulnerabilities found in C-based software.
I realize that the IBMSSXF is trying to report hard numbers and facts. And their tables and graphs are all very pretty. But really, it comes down to this: you can’t compare apples with oranges, especially if the Apple is a vendor and the orange is a web site CMS…or an operating system…or a programming language.
Tags: apple, linux, php, security
Filed under News :
Aug 30th, 2008
Apple Tablet on the Way?
AppleInsider has discovered a revision of a patent applied for by Apple on a multi-touch tablet. The rumors of an Apple tablet are starting to look more like a possibility. According to the diagrams, Apple has plans for multi-touch much like the iPhone and iPod Touch, an on-screen keyboard (again, stolen from iPhone), and a virtual scroll wheel much like the one seen on the iPods (other than the Touch). Apple has been down this road before, but it seems like they’re about to make a big splash into the tablet computing market. It only makes sense that this happens given the success of the iPhone and then the introduction of multi-touch on the MacBook Air and MacBook Pros earlier this year.
The diagrams can be seen at AppleInsider’s site.
Tags: apple, tablet
Filed under News :
Aug 28th, 2008
SSH "Vulnerabilities"
I had to laugh when I read the comments on ZDNet’s article on how compromised SSH keys are leading to rootkits in Linux systems. Okay, I’ll admit it. I’m a Linux fan and am going to be partial to defending my pet operating system, but let’s all take a minute to think about this. The first part of the attack happens when an attacker is first able to log in to an SSH server with a stolen key. Once the attacker has a shell, they are using vulnerabilities to install rootkits. Sure, that means there are vulnerabilities once a user has a shell, and I’m not about to say that Linux is impenetrable. But let’s consider what’s happening here. The attackers are using a stolen key. The attackers could just as easily use a stolen password. The same would happen if you opened up remote desktop on your Windows server to the world and gave out your password. Okay, so this was mostly a rant about some comments made, but let’s all take the time and watch what public-facing services are running on our systems. Don’t open up a service on your servers if you don’t plan on logging and auditing the service. All OSes are vulnerable to attacks due to poor implementation, and good grief, be careful with your keys!
I also had to laugh when I went to the CERT article that the ZDNet article was about. Right below it, CERT issued a warning about a vulnerability in PowerPoint that allowed remote code execution with escalated privileges if a user opened a crafted file. Wow, talk about irony! Yes, I know that there are vulnerabilities in software from pretty much every vendor, so don’t flame me, but I loved the irony.
Tags: security, ssh
Filed under Tech Trends :
Aug 28th, 2008
The Evolving Intuit
I’ve been noticing lately a great trend in Intuit that I never would have expected from the company. Sometime last month, Intuit announced support for the iPhone on its online service. I tried out the demo on my iPod Touch and it looks great. QuickBooks has historically been a mostly Windows vendor with very crippled versions of its software that run on Mac. In fact, at work we have one Windows desktop and a Windows virtual machine just because certain features weren’t available for the Mac software. I then read posts on their press releases about potential Linux support. Then, I found a link to thelinux411.com and almost fell off my chair. A website dedicated to Linux owned by Intuit?
So far, Intuit’s support for Linux seems like all smoke and mirrors, since I was unable to find a link to information on any actual QuickBooks software that would run on Linux, but things are looking much better. As Robin Miller mentions in his Linux.com article, Intuit would do well on the Linux platform. Microsoft is starting to compete directly with Intuit with their accounting software, and Microsoft wouldn’t even stand a chance on Linux. Also, as mentioned in the article, a lot of open source shops, such as the company I work for, would switch and probably wouldn’t look for any other software if QuickBooks was able to run on Linux.
I am currently working in a hosting company, but came from a very heavy background so immediately my wheels started turning. One of the biggest things we struggled with when recommending Linux solutions to clients was the lack of support for a lot of software, which included QuickBooks to a great extent. QuickBooks would definitely be very welcome on the Linux platform, but a much better way to bring OS agnosticism to the software would be a SaaS model. Intuit is already part of the way there with their online offerings, but a hosted model could bring them into an even larger market with a lower up-front investment for customers and a broader OS support base.
Tags: intuit, linux, open source, quickbooks
Filed under News, Tech Trends :
Aug 26th, 2008
Firefox 3.0's Killer Feature
It seems like every time I try out a new version of a piece of software that I use, there’s a feature that really makes me mad and then later I realize I can’t live without it. Firefox 3.0 was no exception. When I first started using the beta, the first thing that I noticed that was different was that it searched both the URL and the page titles of your history when typing into the address bar. I use the history in my browser to a great extent and it seemed to get in my way when I was trying to get at what I needed to and I struggled to find it.
I was really frustrated when the software didn’t react as it used to. For example, I use Webmin to a great extent both personally and at work. Whenever I wanted to go to webmin.com, I’d start typing ‘webmin’ in the address bar and once my history started popping up, I’d hit the down arrow, hit enter and I was there. Now, when I do the same thing I get taken to my Webmin login pages since “Webmin” is in the title of the page and I tend to go there first. That change frustrated me to no end until one day I wanted to get logged into one of my systems. Absent-mindedly, I started typing “webmin” into the address bar, hit the down arrow and hit enter. Without even realizing it, I was brought to the place I wanted to go without typing in the address. Now, it comes as second nature. In my work I use the Zimbra wiki a lot and tend to go to a lot of the same pages for reference, and I can just type in “wiki Zimbra” and then the topic I want, and find the pages very easily. Even though Firefox 3 is still fairly new, I don’t know what I’d do without that feature anymore. Mozilla did a great job of giving me what I really needed, not what I thought I needed.
Filed under Uncategorized : Aug 24th, 2008