
Open Sourcery: Open Source Blog

"Serious security vulnerability" in Greasemonkey

by Kevin Yank

The maker of Greasemonkey, a popular extension for power users of the Firefox browser, has posted a warning of a serious security vulnerability in the current release. This vulnerability can potentially give access to any and all files stored on a system running the Greasemonkey extension in Firefox.

The Greasemonkey extension provides the facility to install and run scripts either associated with particular sites, or with all sites on the Internet. These scripts use standard JavaScript features and syntax, but the extension also provides a set of extended functions that are available to user scripts. These functions are the source of the security hole.

Once a user script is associated with a site, those extended functions become available not just to the user script, but also to any script code within the site itself. A malicious site could wait until a user came along with a Greasemonkey script enabled for that site and then use the extended functions to access private files and data stored on the user’s system. Since many Greasemonkey scripts are designed to enhance all sites on the Web (and are therefore enabled for all sites), this is a very serious problem.

The extended function that is the …

 

Firefox Secrets interview on Computer America

by Kevin Yank

Just before I hopped on a plane to Canada last week, I was interviewed on the Computer America radio show, which is broadcast all across the United States. For the second hour of Thursday’s show, I spoke about the Firefox browser, offering up a handful of tips taken from the pages of SitePoint’s new book, Firefox Secrets.

The tips I covered included:

  • HTTP Pipelining, a disabled-by-default feature of Firefox that takes advantage of HTTP/1.1 functionality to speed up browsing.
  • Delete unwanted items from the location bar pop-up history with Shift-Delete.
  • Bookmark an entire set of tabs at once, then open them again using the Open in Tabs item on the Bookmarks menu.
  • Provide a list of sites to be opened in tabs as your browser home page.
  • Set up a custom search keyword to quickly look up a site’s history on the Internet Archive.

For the next week and a half, the archived audio of the programme is available for download from the online archives. Here’s the direct link (MP3, 18MB).

I had a lot of fun doing the interview, and I only wish it had been longer; I really barely scratched the surface of the stuff that’s in the book.

The sample …

 

Open Source Projects Benefit from Book Sales

by Blane Warrene

Packt Publishing has introduced an interesting twist into book publishing for today’s technology reader. The company has pledged to contribute portions of its royalties from publications on open source that it produces to the respective projects those books represent.

It has done so since April of this year and has already benefited popular projects such as phpMyAdmin, OpenCms and phpBB. The company publishes beyond the open source sphere of topics, but has stuck to its commitment and continues to develop new titles benefiting the community, including releases on Plone and SpamAssassin.

An interesting concept: doing well financially while doing good and giving back to the community.

 

BBC Promotes Open Source to the Masses

by Blane Warrene

A fascinating insight into how one organization (the BBC) is finding ways to blend open source with mass consumerism and even public service. (Thanks Stoyan!)

We talk so much about open source and applying it to our technology and business pursuits (and there is absolutely nothing wrong with that), but this is an excellent view of how one organization is taking it to the masses in a subtle way.

Rather than promoting open source directly to the public, the BBC is finding ways to incorporate it into its larger overall mission to transform itself amid rampant commercial ‘pay to play’ services in the mass media.

This is quite refreshing, as it reminds me that I can explore and identify more subtle ways in which open source may benefit my customers and their clients without the fact that it is an open source solution being at the forefront. For example, making it more economical to deliver statements or other content to a consumer on the street may be worth more to them than reducing software licensing costs. Thus, looking at a solution from varying perspectives can brighten the overall outlook.

I also find it plain interesting …

 

Open Source Accounting

by Blane Warrene

I have been going through a shift in my own business and looking to grow beyond Quicken as my accounting tool. As most know, Quicken is an invaluable package for home and home office accounting; however, if a small business grows, Intuit would prefer the natural evolution to migrate toward QuickBooks.

Having initially started out using a manual system for invoices and grown into Quicken, I needed to go to the next level. However, I did not want to use a web-based app, as I would likely sync details to my iBook, take details on the road, and work on planes and in airports (yes, I know about WiFi!). In addition, as many already know from reading Open Sourcery, I would be loading the system on my Macs running OS X.

As a bit of due diligence I began exploring what else was available for a growing small business that has custom needs but remains largely virtual. I was pleased to ultimately select GnuCash. As of release 1.8 (and perhaps earlier, as it has been a long time since I revisited the program), it supports OS X (by way of Fink) as well as a PostgreSQL back …

 

Google Toolbar for Firefox et al

by Blane Warrene

Google has released a long-awaited Firefox version of its toolbar. The toolbar runs on Windows, Mac and Linux systems.

There are some other Google-related extensions for Firefox:

For those in the know, you may have already been using the Googlebar, which is not affiliated with Google and supports Mozilla and Firefox.

Some of my own favorite Firefox extensions:

  • PDF Download - which allows for choice between downloading a PDF or viewing in browser.
  • Web Developer - which we have talked about before on Open Sourcery. A phenomenal tool for any web designer/developer.
 

MySQL Clustering and Security

by Blane Warrene

I wrote briefly about securing MySQL last week and Andrew-J2000 suggested he was looking for a bit more depth into the clustering side of the scenario. I have recommended some additional links here for night-table reading to study up on some case studies, documentation and other miscellany involved with clustering MySQL.

When it comes to MySQL, one of the best sources remains the vendor. MySQL AB has developed a lot of credibility based on its extensive documentation and the depth of community participants in extending tips and techniques. There are numerous links out to further resources, including training.

There are some nice links here on O’Reilly, as well as a PDF presentation by Brad Fitzpatrick on LiveJournal’s monstrous MySQL implementation, which should help.

Finally, there is also a very nice How To by Alex Davies which includes configuration and security tips.

 

MySQL 4.1 Binary Log name change

by Jules Szemere

We recently made the jump to MySQL 4.1 at SitePoint and it’s mostly been smooth sailing, though I have to admit that it hasn’t offered any of the performance increases that I had hoped for.

Just a heads up, as I’ve not seen this covered anywhere yet: the default filenames created by the binary logger have changed.

In all prior versions, they were of this format:
mysql_update_log.xxx

Here xxx increments by 1 every time the logs are rotated: 001, 002, 003, etc.

(Note that the “mysql_update_log” prefix is configurable)

In MySQL 4.1, however, they are of this format:
mysql_update_log.xxxxxx

The point, obviously, is to cater for installations that reset the counter a lot less frequently than we do. We never get beyond 30 before a complete snapshot and a restart of update logging.

This of course broke our script that compresses these (enormous) logfiles for backup purposes and required a little Friday hack to get back on track.

There is no mention of this behavioural change in the 4.0 -> 4.1 upgrade FAQ.
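The breakage described above comes down to a hard-coded suffix width. The shell helper below is an added example, not SitePoint’s own compression script: it accepts both the pre-4.1 three-digit suffix and the 4.1 six-digit suffix, sorts the files numerically rather than lexically (so 000010 lands after 000002), skips the prefix.index file MySQL keeps beside the logs, and never touches the highest-numbered file, which is the log MySQL is still writing to. The directory and prefix arguments, and the assumption that the prefix contains no dots, are mine.

```shell
# Added example, not the script from the post. Assumes DIR/PREFIX.NNN or
# DIR/PREFIX.NNNNNN naming, a dot-free PREFIX, and that the highest-numbered
# file is the active binary log.

# rotated_binlogs DIR PREFIX
# Prints rotated log filenames in numeric order, oldest first, omitting the
# newest one. Files with any other suffix (PREFIX.index, *.gz) are ignored.
rotated_binlogs() {
    dir=$1
    prefix=$2
    for path in "$dir"/"$prefix".*; do
        [ -e "$path" ] || continue          # glob matched nothing
        name=${path##*/}
        suffix=${name##*.}
        case $suffix in
            [0-9][0-9][0-9]|[0-9][0-9][0-9][0-9][0-9][0-9])
                printf '%s\n' "$name" ;;    # old 3-digit or new 6-digit counter
            *) ;;                           # .index, .gz, anything else: skip
        esac
    done | sort -t . -k 2,2n | sed '$d'     # numeric sort, drop the active log
}

# compress_rotated_binlogs DIR PREFIX
# gzips every file rotated_binlogs reports, leaving already-compressed ones alone.
compress_rotated_binlogs() {
    dir=$1
    prefix=$2
    rotated_binlogs "$dir" "$prefix" | while IFS= read -r name; do
        [ -e "$dir/$name.gz" ] && continue  # compressed on an earlier run
        gzip -9 "$dir/$name"
    done
}

# Usage (constructed): compress_rotated_binlogs /var/lib/mysql mysql_update_log
```

Sorting on the numeric value of the second dot-separated field is what makes the helper indifferent to the counter width; the `sed '$d'` at the end is the safety margin that keeps the open log out of the compression run.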

 

Tighten Security with DShield

by Blane Warrene

A fantastic resource was passed along to me called DShield, which bills itself as a distributed intrusion detection system.

In practice it is a powerful live reporting resource on the most attacked ports, the types of attacks and who the attackers are. As the folks at DShield put it: “DShield.org is an attempt to collect data about cracker activity from all over the internet. This data will be cataloged and summarized. It can be used to discover trends in activity and prepare better firewall rules.”

I recently wrote about building a firewall using iptables; with a source such as this, one can tailor packet filtering rules to block newly targeted ports and tighten the net around your servers.

The site’s home page provides a global map showing patterns of attack types, as well as a “stock” ticker of ports that breaks down the types of attacks seen on those ports and which applications commonly use the same port.

DShield also offers an “are you cracked” search function: an IP search of the group’s database to see if a machine you use or manage has been cracked.

Finally, firewall administrators can upload their logs and contribute to the coverage data DShield …

 

Securing MySQL (and other databases)

by Blane Warrene

In light of recent news of massive intrusions into enterprise database systems holding sensitive customer information, it is obvious that reminders on hardening databases are not old news. Especially so considering that some of the compromises succeeded only because customer data was not encrypted.

Starting with MySQL, I have assembled several links I have collected over time on securing various databases to make compromise that much more difficult. Some of the information is basic fundamentals, which is great for those just starting to explore these systems, along with some links to further reading.

Something to remember (and many readers have suggested they do this already): always use ssh when administering your remote database servers. If using a GUI tool for remote admin, be sure to select an application that supports tunnelling its connection over ssh (port forwarding) rather than connecting to the database port directly.

MySQL’s site has some solid basics, and there is also a great SecurityFocus article on building a strong MySQL installation.

Tips and techniques on some other popular systems include:

IBM’s DB2 - http://www.informit.com/articles/article.asp?p=102226&rl=1

Microsoft SQL Server:
1) http://www.sqlsecurity.com/DesktopDefault.aspx
2) http://www.microsoft.com/sql/techinfo/administration/2000/security/securingsqlserver.asp

Oracle - http://www.orafaq.com/faqdbase.htm

PostgreSQL - http://www.postgresql.org/docs/8.0/interactive/admin.html

 
