Month: February 2008

  • It’s time for TED 2008

    Each year, some of the worlds leading thinkers gather for an extraordinary event. Attendees have called it “The ultimate brain spa,” “Davos for optimists” and “A four-day journey into the future, in the company of those creating it.”

    TED stands for Technology, Entertainment, Design — three broad subject areas that are, collectively, shaping our future. In fact, the event is broader still, showcasing ideas that matter in any discipline.

    Attendance at TED is by invitation only, and the attendees – CEOs, scientists, designers, intellectuals – are as extraordinary as the speakers, who in 2007 included Bill Clinton, Paul Simon, Isabel Allende, Phillipe Starck, Richard Branson and many others.

    TED was first held in 1984, and featured early demos of the Macintosh computer and the Sony compact disc. This year TED is asking “The Big Questions”: Who are we? What is our place in the universe? Will evil prevail? How do we create? And more. Questions that hopefully will be answered by the speakers.

    Watch this journey to the center of your mind

  • Linux kernel vmsplice root exploit

    Two strings walk into a bar. The first says, “Hello, I’d like a ciderO’y?kI’U`,E’*@???’?? ?!>A~Xx?(y’n?.” The second says, “Please excuse my friend, he’s not null-terminated.”

    If you are running Linux kernel newer than 2.6.17 but older than 2.6.24.2 or 2.6.23.16 then any local user can easily become root or at least crash your system.

    There are actually two different security issues related to vmsplice() system call and both of them could lead to local privileges escalation. This is especially bad for people who don’t fully control content on and access to their servers – e.g. web hosting companies. The other bad news is that vmsplice() is part of the core kernel and there is no configuration option to exclude it.

    Two separate exploits have been publicly released which exploit each of the two issues respectively.

    The first issue was classified as CVE-2008-0009 and CVE-2008-0010 and was fixed by linux kernels 2.6.23.15 and 2.6.24.1.

    The situation with the second issue, classified as CVE-2008-0600 was much worse. It was introduced with the initial implementation of vmsplice() and affects all kernels after 2.6.17 inclusively. There was an exploit in the wild for more than 24 hours without proper fix for the problem. I’m sure that even though there are patched versions now – linux 2.6.24.2 and 2.6.23.16 – at least 2-3 more days will pass before the number of vulnerable systems is reduced enough.

    IMHO this is one of the worst 0-day Linux kernel exploits in years. I hope it won’t happen again soon. But you should be careful because all this has happened before and will definitely happen again someday.

  • hello, world

    Did you know that the tradition of using the phrase “Hello world!” as a test message was influenced by an example program in the book The C Programming Language. The example program from that book was inherited from a 1974 Bell Laboratories internal memorandum by Brian Kernighan, Programming in C: A Tutorial.

    I’ve been in two minds about going blogging for a couple of years. I didn’t want one more thing to waste time with, especially having in mind that I’m writing challenged (actually communication challenged). Being an introvert type I’m expending great deal of mental energy trying to express myself.

    Anyway, I hope communication is skill and can be improved by practicing it, so in the long run it may turn out to be the reason to blog rather than not to.

    Another thing is that like most people I forget. Few days ago I stumbled upon a linux related mailing list archive and it was really funny to reread my own posts from like 8-9 years ago. Likewise now when I and Antonia wonder about when something has happened we just go to her blog and check it out. I hope I will have the patience and persistence to update this blog regularly so it would become a valuable database with memories.

    And last but not least: I’ll be preparing for IELTS certification soon so blogging in English is one more way to exercise.

    Originally I wanted to write about many more things in this post but I don’t want to become boring. So here I stop and as Vetinari would have said: “And now, please, I’m sure you all are very busy, don’t let me detain you”!