SCO

I’m just waiting for SCO to declare itself in violation of its own trademarks, and sue itself.

TicketMaster’s Privacy Policy is a joke.

Ed Foster pointed out in a recent GripeLog entry that TicketBastard’s privacy policy is a complete joke. To paraphrase the point of the article: If you have ever bought a ticket from TicketBastard, they have reserved the right to sell all your personal information to their "Partners" and they specifically state in their privacy policy that you may not ever opt-out of receiving spam from their "Partners".

Although we would all love to avoid TicketMaster, unfortunately they have a monopoly in this country — behold, my friends, the American Dream! Anyway, if you can’t find a patch, at least find a workaround: my workaround would be: a) Don’t buy tickets online through Ticketmaster.CA or Ticketmaster.COM; b) Pay cash when you buy Ticketmaster tickets in person at the Ticketmaster outlet; c) Give fake credentials if the ticket clerk asks you for them (although I can’t see why they would).

I’m aware that this behaviour would probably tip off the authorities in the police state we call the U.S.A., since it probably matches some kind of Terrorist Profile generated by the Abteilung der Faterland-Sicherheit. If that isn’t ironic…

FoundStone marketing weasels

If you get the Daily Dave newsletter run by Dave Aitel over at Immunity, Inc. you’ll already have seen this. In a recent message he pointed listmembers to an internal FoundStone memo forwarded to that fantastic site, InternalMemos.Com.

I really will just let that memo stand on its own. There’s hardly anything to add but to state the obvious: marketing people are weasels. (See my previous entry on July 5th for Scott Adams’ bang-on perspective on marketing drones.)

Dilbert…

… describes perfectly my thoughts about marketing weasels. (D=Dilbert, M=Marketing Weasel)

D: This product would melt the polar ice caps and doom humanity.
M: That’s okay.
D: You’re part of humanity.
M: No, I’m in marketing.
D: I won’t help you destroy the planet.
M: That’s what I said until I saw the free t-shirts.

Aside from having to sell your soul, it appears that working in marketing is a dream job. Spend the company’s money with no accountability, hire subordinates solely on the basis of breast size, and if management tries to nail you for poor sales, blame the developers.

Maybe it’s just me, but I didn’t go to school for five years to be overridden by some marketing drone whose qualifications for the job include being a clerk at Chapters, and her physical attractiveness. Period.

SQLite

I haven’t tried this yet, but it looks really cool. It’s basically an almost-SQL92 complete implementation of a database engine without a separate database process required — the databases are stored on disk as files. I’m hazarding a guess that this sprung from the limitations of Berkeley DB as a scalable, lightweight file-based database implementation.

Surprisingly the missing features list (that stop it short of full SQL92 compliance) is fairly short, which implies to me that even transactions are supported.

Seems like a great tool for small jobs where a full-blown PostgreSQL or MySQL database is just overkill.

OpenType Font File causes Windows to crash

Had a good time investigating this:

OpenType Font File causes Windows to crash.

Microsoft hasn’t acknowledged the bug’s presence, nor have they issued a fix. So right now, if you’re running Win2K or XP, you’re vulnerable. In my case I was able to lock up a Win2K machine so badly that it refused to ever boot again, claiming that some device driver was missing or corrupted.

Whee! Go Microsoft.

Update: (08/25/2003) This is repaired in Windows 2000 Service Pack 4. I can’t speak for XP.

Proliferation of Poorly-Configured Linux Boxes

Someone in ;login: magazine a few issues back talked about the proliferation of poorly-configured Linux boxes, and how the volume of these will eventually outstrip the quantity of poorly-configured Windows boxes as Linux increases in popularity. The notion that Linux is more secure than Windows falls apart when you have clueless users who willfully follow directions like those listed on Ximian’s website to install Ximian Desktop 2.0:

There is nothing to download first, just follow the instructions below.

<snip>

  1. Open a terminal window.
  2. Using the su command, become superuser (root).
  3. Type the following command or cut and paste it into your terminal: wget -q -O - http://go.ximian.com |sh

Great job, Ximian. Encourage people to download a shell script, as root, and blindly execute it — no MD5 sanity check, nothing. I mean, it makes me want to compromise go.ximian.com and replace the index page with a text file containing “rm -rf /”. It’s also fabulous that they advocate using the -q (quiet) switch with wget, so that I could now hack the httpd.conf to send a redirect to my own website, which could provide a text file containing “rm -rf /” — and the 302 Temporarily Moved code would NEVER be seen by the user.

What is wrong with these people? Isn’t it blazingly obvious that this is a stupid thing to do?
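As an added example (not from the original post, and not Ximian’s own installer), here is the shape of a safer install procedure that addresses both complaints above: the script is saved to a file rather than piped straight into a root shell, the server response headers are shown so a redirect is visible instead of being hidden by `-q`, and the file is only executed if its checksum matches a value obtained separately from the download. The example uses SHA-256 via `sha256sum` rather than the MD5 mentioned in the text; the sample installer file is constructed locally so the verification part runs offline, and `fetch_script` is only defined, not called.

```shell
#!/bin/sh
# Added example: download-to-file plus checksum verification before running
# an installer script. Assumes POSIX sh, coreutils sha256sum, and wget.

# Fetch to a file and print response status lines and any Location: header
# to stderr, so a 302 to another host is visible rather than silenced by -q.
fetch_script() {
    url="$1"
    out="$2"
    wget --server-response -O "$out" "$url" 2>&1 | grep -E '^  HTTP/|Location:' >&2
    [ -s "$out" ]
}

# Compare the file's SHA-256 with the expected value, which must come from
# somewhere other than the download itself (a signed page, a second channel).
# Returns 0 on match, 1 on mismatch.
verify_checksum() {
    file="$1"
    expected="$2"
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Run the script only when the checksum matches; refuse otherwise.
verify_and_run() {
    file="$1"
    expected="$2"
    if verify_checksum "$file" "$expected"; then
        sh "$file"
    else
        echo "checksum mismatch for $file: refusing to run" >&2
        return 1
    fi
}

# Constructed sample standing in for a downloaded installer script.
tmp=$(mktemp)
printf 'echo "installer ran"\n' > "$tmp"
good=$(sha256sum "$tmp" | cut -d' ' -f1)   # the "published" checksum
verify_and_run "$tmp" "$good"

# Simulate the file changing after the checksum was published.
printf 'echo "something else"\n' >> "$tmp"
verify_and_run "$tmp" "$good" || echo "modified file was not run"
rm -f "$tmp"
```

In real use the expected checksum is read from the vendor’s page (ideally a signed one) and the downloaded file is inspected in an editor before `verify_and_run` is called as root; the point is that the root shell never sees bytes that were not first written to disk and checked.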

I mean, you all know Microsoft blows… admit it!

At work we’ve been trying out a wonderful tool from Dave Aitel of Immunity Security called SPIKE. I haven’t tried to actually use SPIKE to generate any DCE RPC calls that would actually cause a Windows box to detonate, but partly it’s because that’s not really my job; I don’t detect the vulnerabilities, I just reproduce them. Also I really don’t give two hoots about Windows and I really couldn’t be bothered to go out there, attach a debugger to something like lsass.exe and see what fails.

Still, SPIKE seems to be a great tool if that (deciphering obscure and complex protocols) is your cup of tea. I’ll spare you the lecture on how shitty Microsoft’s protocols are, except that if you ever analyze a conversation between a bunch of Windows boxes using something like Ethereal, you’ll see how there is very nearly a status flag for everything. Clearly, protocols like LSA over DCE-RPC over SMB over NetBIOS < !!!!> were never clearly thought out by anyone, and this is the result. I joked to a colleague that the only reason we need 100Mbps Ethernet is to carry around all this excess Microsoft baggage whenever Windows boxes need to talk to each other. Honestly, Windows boxes are just as chatty as Netware machines running IPX. All you really have to do is capture the traffic on a Microsoft LAN that’s destined to the broadcast address, and you can glean an incredible amount of information.

Go get SPIKE here and enjoy yourself. (Warning: We had problems compiling under GCC 3.x. Stick to 2.x for now; 2.95.3 seemed a good choice.)

new job!

I have a new job; I’ve had it for almost a month now, actually, but since I lost my Internet access with my old job, I haven’t been able to write about it until now.

I’m now an Internetworking Security Specialist with FSC Internet Corp. of Toronto. So far, I’m having a great time. It’s nice to be working for a company where the technical people are valued.